Old 05-26-2010, 10:33 PM   #1
lhiggie
LQ Newbie
 
Registered: Feb 2006
Location: Louisville, KY, USA
Distribution: RHEL 3, RHEL 4, RHEL 5, RHEL6
Posts: 10

Rep: Reputation: 0
Apache2 serving documents that are not for public access


Good day,

First off, I'm definitely a newbie when it comes to Apache and Tomcat, so I ask for forgiveness in the beginning.

We have a RHEL 3 server running httpd 2.0.46-77.ent and using tomcat5 that was set up before I came to this company 10 months ago. The former admin is not accessible or isn't willing to assist. We have documents that are proprietary and not to be viewed publicly. We also have other documents that are for public viewing.

Just recently, it was found that the proprietary documents are available with a simple Google website search.

I need to lock those files down.

I have looked at the httpd.conf as well as the tomcat5.conf and have not seen any way to lock these directories and files down. I've seen a couple of other posts, but don't see how the suggested solutions would fit.

Any help would be greatly appreciated.

Here is section 2 of the httpd.conf:
### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User apache
Group apache

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
# I removed the real email address.
ServerAdmin user@co.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName new.host.name:80
# I removed our company name.
ServerName servername.com:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/web_root/ROOT"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/web_root/ROOT">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options -Indexes +FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all

</Directory>

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html

</IfModule>

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options -Indexes MultiViews SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.jsp

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types

Here is our tomcat5.conf file:
# tomcat5 service configuration file

# you could also override JAVA_HOME here
# Where your java installation lives
#JAVA_HOME="/usr/lib/jvm/java"
#JAVA_HOME="/usr/java/j2sdk1.4.2_06"
JAVA_HOME="/usr/java/jdk1.6.0"


# You can pass some parameters to java
# here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"

# Where your tomcat installation lives
# That change from previous RPM where TOMCAT_HOME
# used to be /var/tomcat.
# Now /var/tomcat will be the base for webapps only
CATALINA_HOME="/usr/share/tomcat5"
JASPER_HOME="/usr/share/tomcat5"
CATALINA_TMPDIR="/usr/share/tomcat5/temp"
JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"

# What user should run tomcat
TOMCAT_USER="tomcat"

# You can change your tomcat locale here
#LANG=en_US

# Time to wait in seconds, before killing process
SHUTDOWN_WAIT=30

# Set the TOMCAT_PID location
CATALINA_PID=/var/run/tomcat5.pid

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
# Just do not forget to export them

What other information do you need? Please help. I'm at a loss, and the Java admins keep saying it is the Apache setup.

Thanks in advance,
lhiggie
 
Old 05-26-2010, 11:00 PM   #2
lhiggie
LQ Newbie
 
Registered: Feb 2006
Location: Louisville, KY, USA
Distribution: RHEL 3, RHEL 4, RHEL 5, RHEL6
Posts: 10

Original Poster
Rep: Reputation: 0
Let me add a little more information. These files that are not for public viewing are located in a specific set of directories. Is there a way to restrict them from public access but still make them available to authenticated users?
 
Old 05-26-2010, 11:39 PM   #3
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371
As a matter of fact, there is.
I forget the exact specifics, but what you are looking to do is create a .htaccess and a .htpasswd file in each of the directories. That essentially creates user accounts for accessing the contents of the folders (note this only applies to the root of each set of directories, as child folders inherit the restrictions anyway).
 
1 members found this post helpful.
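A concrete version of frieza's suggestion, written against the httpd.conf lhiggie pasted (an added example, not from either poster). It assumes the proprietary files live under /web_root/ROOT/private and are served by httpd itself rather than by Tomcat through a connector; if Tomcat serves them, the same paths must be protected on that side as well.

```apache
# Protect /web_root/ROOT/private (assumed path) with HTTP Basic auth.
# Put this in httpd.conf after the existing <Directory "/web_root/ROOT"> block.
# Both existing <Directory> blocks set "AllowOverride None", so a .htaccess
# file dropped into the directory would be silently ignored; keeping the
# rules in httpd.conf avoids that trap.

# Create the password file OUTSIDE DocumentRoot so it can never be served,
# and make it readable only by root and the "apache" user:
#   htpasswd -c /etc/httpd/conf/private.htpasswd firstuser
#   chown root:apache /etc/httpd/conf/private.htpasswd
#   chmod 640 /etc/httpd/conf/private.htpasswd
<Directory "/web_root/ROOT/private">
    Options -Indexes
    AllowOverride None

    AuthType Basic
    AuthName "Proprietary documents"
    AuthUserFile /etc/httpd/conf/private.htpasswd
    Require valid-user

    # Basic auth sends credentials in the clear, so refuse plain HTTP here.
    # Assumes mod_ssl is loaded and a :443 vhost exists; without mod_ssl
    # this block is skipped and the directory is still reachable over HTTP.
    <IfModule mod_ssl.c>
        SSLRequireSSL
    </IfModule>
</Directory>

# Alternative if per-directory .htaccess files are preferred: grant only the
# AuthConfig override for that tree and move the Auth*/Require lines into
# /web_root/ROOT/private/.htaccess. The existing <Files ~ "^\.ht"> block
# already stops clients from downloading .htaccess and .htpasswd.
#<Directory "/web_root/ROOT/private">
#    AllowOverride AuthConfig
#</Directory>
```

After restarting httpd, check from outside the network that an unauthenticated request for a file in that directory returns 401 rather than the document; URLs that now answer 401 drop out of Google's index when it re-crawls them.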
Old 05-27-2010, 08:35 AM   #4
lhiggie
LQ Newbie
 
Registered: Feb 2006
Location: Louisville, KY, USA
Distribution: RHEL 3, RHEL 4, RHEL 5, RHEL6
Posts: 10

Original Poster
Rep: Reputation: 0
Frieza,

Thanks for the quick reply. I've read there could be security issues with using .htaccess and .htpasswd files. Is that correct? We have to comply with PCI and soon with SOX, so I don't want to put my company at risk. Secondly, like I said, I'm very new to Apache and Tomcat. The .htaccess and .htpasswd files would contain user information, I'm assuming from the database where the users are authenticated, yes? Or am I completely off base?

Sincerely,
lhiggie
 