我正在关注 Apache 安全性的 CIS 文档(CIS Apache HTTP 安全) 并且不理解该指令的具体用途LimitExcept
。注意,我对 apache HTTP 服务器还很陌生。
我有一个带有 phpmyadmin 和 squirrelmail 的基本 LAMP(ubuntu 14.04,apache 2.4.7),并且有几个Directory
指令,例如在apache.conf
和所有启用的.conf
文件中:
/etc/apache2/conf-enabled/serve-cgi-bin.conf: <Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/setup>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/libraries>
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin/setup/lib>
/etc/apache2/conf-enabled/localized-error-pages.conf:# <Directory "/usr/share/apache2/error">
/etc/apache2/conf-enabled/security.conf:#<Directory />
/etc/apache2/conf-enabled/security.conf:#<DirectoryMatch "/\.svn">
/etc/apache2/conf-enabled/javascript-common.conf:<Directory "/usr/share/javascript/">
/etc/apache2/mods-enabled/alias.conf: <Directory "/usr/share/apache2/icons">
/etc/apache2/mods-enabled/php5.conf: <Directory /home/*/public_html>
/etc/apache2/sites-enabled/squirrelmail.conf:<Directory /usr/share/squirrelmail>
我很困惑Directory
我需要哪些指令LimitExcept
,应该是每一个还是仅仅几个或者只有一个?
对 Apache 不太了解,我该如何选择相关的内容?
答案1
阅读CIS Apache HTTP 安全我发现它建议在除操作系统根目录之外的LimitExcept
所有指令中添加指令。<Directory>
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
这限制除外指令限制不必要的HTTP请求方法,Web服务器只接受和处理GET,POST和OPTIONS HTTP请求方法。
根据目录手动的:
<Directory>
并</Directory>
用于括起一组仅适用于命名目录、该目录的子目录以及相应目录中的文件的指令。
因此,就你的情况而言,我猜你应该申请LimitExcept
:
/etc/apache2/conf-enabled/serve-cgi-bin.conf: <Directory "/usr/lib/cgi-bin">
/etc/apache2/conf-enabled/phpmyadmin.conf:<Directory /usr/share/phpmyadmin>
/etc/apache2/conf-enabled/localized-error-pages.conf:# <Directory "/usr/share/apache2/error">
/etc/apache2/conf-enabled/javascript-common.conf:<Directory "/usr/share/javascript/">
/etc/apache2/mods-enabled/alias.conf: <Directory "/usr/share/apache2/icons">
/etc/apache2/mods-enabled/php5.conf: <Directory /home/*/public_html>
/etc/apache2/sites-enabled/squirrelmail.conf:<Directory /usr/share/squirrelmail>