Webapps denying all outside access by default?

Adam Williamson awilliam at redhat.com
Sat Jul 20 20:59:13 UTC 2013


On Sat, 2013-07-20 at 16:10 -0400, Nico Kadel-Garcia wrote:
> On Sat, Jul 20, 2013 at 3:53 PM, Adam Williamson <awilliam at redhat.com> wrote:
> > I'm not sure if I'm missing anything here, but is it intended that
> > webapps should not be accessible from anywhere but localhost by default?
> > This seems to be the case for at least wordpress - which is my kind of
> > 'gold standard' for webapp packaging on Fedora, I use it as a reference
> > - and roundcubemail. They both have this block in
> > their /etc/httpd/conf.d/name.conf file:
> >
> > <Directory /usr/share/name>
> >   AllowOverride Options
> >   <IfModule mod_authz_core.c>
> >     # Apache 2.4
> >     Require local
> >   </IfModule>
> >   <IfModule !mod_authz_core.c>
> >     # Apache 2.2
> >     Order Deny,Allow
> >     Deny from All
> >     Allow from 127.0.0.1
> >     Allow from ::1
> >   </IfModule>
> > </Directory>
> >
> > Which pretty clearly disallows access from anywhere but localhost. It
> > seems an odd default configuration, in that if you ever want to allow
> > anyone to actually access your webapp you're going to have to change it,
> > which will prevent it ever being automatically updated again (you'll
> > always get a .rpmnew file). I have to change the 'Require local' to
> > 'Require all granted' and restart httpd in order to actually let
> > anything but localhost access the site.
> 
> It's a vastly safer initial setup than leaving it wide open, by
> default. this applies to many tools such as Nagios and cacti, that may
> share information about your system that you really should review
> before exposing.
> 
> You should also be able to use a reload, not necessarily a restart, to
> get it working. (Although I've not been trying this with systemd!)

'apachectl reload' didn't seem to do the job.

It's a 'safer' default in the same way that a computer that's turned off
is safer than one that's turned on, I guess...though I suppose lots of
webapps do have initial configuration that you want to make sure is not
run remotely, obviously. But it does leave the rpmnew problem.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
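An added, constructed audit helper (not something from the thread or from the Fedora packages) that reads the kind of <Directory> block quoted above and reports whether each branch, the mod_authz_core one for Apache 2.4 and the Order/Deny/Allow one for 2.2, still limits the webapp to localhost. It only understands the two idioms shown in the thread, so it is a quick check for a conf.d directory rather than a full parser of Apache authorization.

```python
import re

# Constructed copy of the packaged <Directory> block quoted in the thread.
PACKAGED_CONF = """<Directory /usr/share/name>
  AllowOverride Options
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Directory>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ifmodule_sections(conf):
    """Yield (module, negated, body) for every <IfModule ...> block."""
    pat = r"<IfModule\s+(!?)([\w.]+)\s*>(.*?)</IfModule>"
    for m in re.finditer(pat, conf, re.S):
        yield m.group(2), m.group(1) == "!", m.group(3)


def remote_allowed_24(body):
    """Apache 2.4: anything other than 'Require local' / 'all denied' opens it up."""
    reqs = re.findall(r"^\s*Require\s+(.+?)\s*$", body, re.M | re.I)
    return any(r.lower() not in ("local", "all denied") for r in reqs)


def remote_allowed_22(body):
    """Apache 2.2: local-only means 'Deny from All' plus Allow lines for loopback only."""
    if not re.search(r"^\s*Deny\s+from\s+all\s*$", body, re.M | re.I):
        return True  # Order Deny,Allow defaults to allow when nothing is denied
    allows = re.findall(r"^\s*Allow\s+from\s+(.+?)\s*$", body, re.M | re.I)
    hosts = [h.lower() for a in allows for h in a.split()]
    return any(h not in LOOPBACK for h in hosts)


def audit(conf):
    """Return {'2.4': bool, '2.2': bool}; True means reachable beyond localhost."""
    result = {}
    for module, negated, body in ifmodule_sections(conf):
        if module == "mod_authz_core.c":
            check = remote_allowed_22 if negated else remote_allowed_24
            result["2.2" if negated else "2.4"] = check(body)
    return result
```

Running audit() over each file in /etc/httpd/conf.d shows which packaged webapps have been opened up by a local edit, i.e. exactly the files that will start producing .rpmnew copies on update.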


