Webapps denying all outside access by default?

Nicolas Mailhot nicolas.mailhot at laposte.net
Mon Jul 22 06:30:51 UTC 2013


On Sun, 21 July 2013 23:54, Richard W.M. Jones wrote:
> On Sun, Jul 21, 2013 at 07:39:50PM +0200, drago01 wrote:
>> On Sun, Jul 21, 2013 at 6:47 PM, Jared K. Smith
>> <jsmith at fedoraproject.org> wrote:
>> > On Sat, Jul 20, 2013 at 12:53 PM, Adam Williamson
>> > <awilliam at redhat.com> wrote:
>> >>
>> >> I'm not sure if I'm missing anything here, but is it intended that
>> >> webapps should not be accessible from anywhere but localhost by
>> >> default?
>> >
>> >
>> > That's my understanding, yes.  It follows from the general
>> > understanding that network-accessible daemons (with perhaps the
>> > exception of sshd) should not be accessible from outside of localhost
>> > by default.
>> >
>> > Now I'm curious... do you have a particularly strong reason why web
>> > apps should be different than any other network daemon?
>>
>> Because they aren't. The daemon in this case is httpd, not the webapps.
>
> I guess each web app increases the attack surface (versus just httpd
> serving only flat files).
>
> Returning to the .rpmnew point, isn't it possible to have the web
> service include an alternative configuration file which would override
> the defaults?  That way the "pristine" configuration file from RPM
> would be unchanged, and therefore upgradable.

Another possibility would be to deploy the default confs in a separate
dir, with a symlink to the effective dir. Want to change the default conf?
Break the symlink; rpm can continue to update the link target with no side
effects.

-- 
Nicolas Mailhot
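The symlink scheme described above, and the "pristine default plus a local override" idea it answers, as an added shell example that is not part of the original thread or of any Fedora package. It builds a throwaway sandbox under mktemp, so the DEFAULTS and EFFECTIVE directories, the webapp.conf snippet and the 192.0.2.0/24 network are constructed for the demo and assume nothing about a real package layout. The packaged default uses httpd's `Require local`, so the app stays reachable only from localhost until an administrator deliberately breaks the link; a later "upgrade" of the packaged file then leaves the administrator's copy untouched, which is the property the thread is after.

```shell
#!/bin/sh
# Added example (not from the original thread): sandbox demonstrating the
# "defaults dir + symlink into the effective dir" scheme.  All paths are
# constructed for the demo and do not match any real package layout.
set -eu

SANDBOX="${SANDBOX:-$(mktemp -d)}"
DEFAULTS="$SANDBOX/defaults"   # pristine confs owned by the package
EFFECTIVE="$SANDBOX/conf.d"    # what httpd actually reads

# Package install: drop the pristine default (localhost only) and point the
# effective entry at it with a symlink.
package_install() {
    mkdir -p "$DEFAULTS" "$EFFECTIVE"
    cat > "$DEFAULTS/webapp.conf" <<'EOF'
# packaged default (version 1): localhost only
<Location "/webapp">
    Require local
</Location>
EOF
    rm -f "$EFFECTIVE/webapp.conf"
    ln -s "$DEFAULTS/webapp.conf" "$EFFECTIVE/webapp.conf"
}

# Package upgrade: the package rewrites only its own file under $DEFAULTS,
# so there is never a conflicting .rpmnew in the effective dir.
package_upgrade() {
    cat > "$DEFAULTS/webapp.conf" <<'EOF'
# packaged default (version 2): still localhost only
<Location "/webapp">
    Require local
</Location>
EOF
}

# Admin customisation: "break the symlink" by replacing it with a real file
# derived from the default, then widen access to one constructed LAN range.
admin_customize() {
    target=$(readlink "$EFFECTIVE/webapp.conf")
    rm "$EFFECTIVE/webapp.conf"
    sed 's|Require local|Require ip 192.0.2.0/24|' "$target" \
        > "$EFFECTIVE/webapp.conf"
}

# "symlink" while still tracking the package default, "file" once customised.
effective_kind() {
    if [ -L "$EFFECTIVE/webapp.conf" ]; then echo symlink; else echo file; fi
}

# The first Require directive httpd would apply for the app.
effective_rule() {
    sed -n 's/^[[:space:]]*\(Require .*\)$/\1/p' "$EFFECTIVE/webapp.conf" \
        | head -n 1
}

# Stand-alone walk-through: sh this-file.sh demo
if [ "${1:-}" = demo ]; then
    package_install;  echo "after install:   $(effective_kind) -> $(effective_rule)"
    admin_customize;  echo "after customize: $(effective_kind) -> $(effective_rule)"
    package_upgrade;  echo "after upgrade:   $(effective_kind) -> $(effective_rule)"
fi
```

The check that matters is the last step: after `package_upgrade` the pristine file under DEFAULTS carries the new version, while the effective file still holds the administrator's `Require ip` rule, so the upgrade neither clobbers the local change nor reopens the app to localhost only. Until an administrator runs the customisation step, the effective entry is still the symlink and the app answers only local clients.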
