Apache and LimitExcept

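I am following the CIS document on Apache security (CIS Apache HTTP Security) and do not understand the specific purpose of the LimitExcept directive. Note that I am very new to the Apache HTTP server.

I have a basic LAMP (Ubuntu 14.04, Apache 2.4.7) with phpmyadmin and squirrelmail, and there are several Directory directives, for example in apache.conf and all the enabled .conf files: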

/etc/apache2/conf-enabled/serve-cgi-bin.conf:           <Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/setup>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/libraries>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/setup/lib>
/etc/apache2/conf-enabled/localized-error-pages.conf:#                  <Directory "/usr/share/apache2/error">
/etc/apache2/conf-enabled/security.conf:#<Directory />
/etc/apache2/conf-enabled/security.conf:#<DirectoryMatch "/\.svn">
/etc/apache2/conf-enabled/javascript-common.conf:<Directory "/usr/share/javascript/">
/etc/apache2/mods-enabled/alias.conf:   <Directory "/usr/share/apache2/icons">
/etc/apache2/mods-enabled/php5.conf:    <Directory /home/*/public_html>
/etc/apache2/sites-enabled/squirrelmail.conf:<Directory /usr/share/squirrelmail>

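I am confused about which Directory directives I need LimitExcept for: should it be every one, just a few, or only one?

Not knowing Apache well, how do I choose the relevant ones?

Answer 1

Reading CIS Apache HTTP Security, I found that it recommends adding the LimitExcept directive to all <Directory> directives except the one for the OS root directory.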

 <LimitExcept GET POST OPTIONS> 
    Require all denied 
 </LimitExcept>

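The LimitExcept directive restricts unnecessary HTTP request methods: the web server accepts and processes only the GET, POST and OPTIONS HTTP request methods.

According to the Directory manual:

<Directory> and </Directory> are used to enclose a group of directives that apply only to the named directory, the sub-directories of that directory, and the files within the respective directories.

So, in your case, I guess you should apply LimitExcept to: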

/etc/apache2/conf-enabled/serve-cgi-bin.conf:           <Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin>
/etc/apache2/conf-enabled/localized-error-pages.conf:# <Directory "/usr/share/apache2/error">
/etc/apache2/conf-enabled/javascript-common.conf:<Directory "/usr/share/javascript/">
/etc/apache2/mods-enabled/alias.conf:   <Directory "/usr/share/apache2/icons">
/etc/apache2/mods-enabled/php5.conf:    <Directory /home/*/public_html>
/etc/apache2/sites-enabled/squirrelmail.conf:<Directory /usr/share/squirrelmail>
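
To check which blocks still need the section, here is an added example (not part of the original answer or of the CIS document): a small audit that lists the active <Directory> blocks, other than the OS root, that lack a LimitExcept section denying everything outside GET, POST and OPTIONS. The function name and the sample configuration are constructed for illustration.

```python
import re
# Constructed sample configuration (not taken from the asker's server).
SAMPLE_CONF = """\
<Directory />
</Directory>
<Directory /usr/share/phpmyadmin>
    <LimitExcept GET POST OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>
#<Directory "/usr/share/apache2/error">
#</Directory>
<Directory "/usr/lib/cgi-bin">
    <LimitExcept GET POST PUT>
        Require all denied
    </LimitExcept>
</Directory>
<Directory /usr/share/squirrelmail>
</Directory>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
LIMIT = re.compile(r'<LimitExcept\s+([^>]+)>', re.I)
DENY = re.compile(r'Require\s+all\s+denied$', re.I)

def audit_directories(conf_text, allowed=("GET", "POST", "OPTIONS")):
    """Hypothetical helper: paths of active non-root <Directory> blocks
    without a deny-all LimitExcept limited to `allowed` (case-sensitive)."""
    missing, current, ok, in_limit = [], None, False, False
    for line in conf_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):      # skip blanks and commented-out blocks
            continue
        m = OPEN.match(s)
        if m:
            current, ok, in_limit = m.group(1), False, False
        elif current is None:               # directive outside any <Directory>
            continue
        elif LIMIT.match(s):                # a tighter method list also passes
            in_limit = set(LIMIT.match(s).group(1).split()) <= set(allowed)
        elif s.lower() == "</limitexcept>":
            in_limit = False
        elif in_limit and DENY.match(s):
            ok = True
        elif s.lower() == "</directory>":
            if current != "/" and not ok:
                missing.append(current)
            current = None
    return missing
```

The function takes the text of one configuration file, so run it over each file the grep output above names.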
