Good day,

First off, I'm definitely a newbie when it comes to Apache and Tomcat, so I ask for forgiveness in the beginning.

We have a RHEL 3 server running httpd 2.0.46-77.ent and using tomcat5 that was set up before I came to this company 10 months ago. The former admin is not accessible or isn't willing to assist. We have documents that are proprietary documents and not to be viewed publicly. We also have other documents that are for public viewing.

Just recently, it has been found the proprietary documents are available with a simple google website search.

I need to lock those files down.

I have looked at the httpd.conf as well as the tomcat5.conf and have not seen any way to lock these directories and files down. I've seen a couple of other posts, but don't see how the suggested solutions would fit.

Any help would be greatly appreciated.

Here is the section 2 of the httpd.conf:

### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# . On SCO (ODT 3) use "User nouser" and "Group nogroup".
# . On HPUX you may not be able to use shared memory as nobody, and the
# suggested workaround is to create a user www and use that user.
# NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
# when the value of (unsigned)Group is above 60000;
# don't use Group #-1 on these systems!
#
User apache
Group apache

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin user@co.com #I removed the real email address.

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
#ServerName new.host.name:80
ServerName servername.com:80 #I removed our company name

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/web_root/ROOT"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/web_root/ROOT">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options -Indexes +FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all

</Directory>

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disable

#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
#UserDir public_html

</IfModule>

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options -Indexes MultiViews SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
# The index.html.var file (a type-map) is used to deliver content-
# negotiated documents. The MultiViews Option can be used for the
# same purpose, but it is much slower.
#
DirectoryIndex index.html index.jsp

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>

#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types

#

Here is our tomcat5.conf file:

# tomcat5 service configuration file

# you could also override JAVA_HOME here
# Where your java installation lives
#JAVA_HOME="/usr/lib/jvm/java"
#JAVA_HOME="/usr/java/j2sdk1.4.2_06"
JAVA_HOME="/usr/java/jdk1.6.0"


# You can pass some parameters to java
# here if you wish to
#JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"

# Where your tomcat installation lives
# That change from previous RPM where TOMCAT_HOME
# used to be /var/tomcat.
# Now /var/tomcat will be the base for webapps only
CATALINA_HOME="/usr/share/tomcat5"
JASPER_HOME="/usr/share/tomcat5"
CATALINA_TMPDIR="/usr/share/tomcat5/temp"
JAVA_ENDORSED_DIRS="/usr/share/tomcat5/common/endorsed"

# What user should run tomcat
TOMCAT_USER="tomcat"

# You can change your tomcat locale here
#LANG=en_US

# Time to wait in seconds, before killing process
SHUTDOWN_WAIT=30

# Set the TOMCAT_PID location
CATALINA_PID=/var/run/tomcat5.pid

# If you wish to further customize your tomcat environment,
# put your own definitions here
# (i.e. LD_LIBRARY_PATH for some jdbc drivers)
# Just do not forget to export them

What other information do you need? Please help. I'm at a loss and the java admins keep saying it is the apache setup.

Thanks in advance,
lhiggie

Let me add a little more information. These files that are not for public viewing are located in a specific set of directories. Is there a way to restrict them to public access but still make them available to authenticated users?

as a matter of fact there is
i forget the exact specifics but what you are looking to do is create a .htaccess and a .htpasswd file in each of the directories that essentially creates user accounts for accessing the contents of the folders (note this only applies to the root of each set of directories as children folders inherit the restrictions anyways)

1 members found this post helpful.

Frieza,

Thanks for the quick reply. I've read there could be security issues with using .htaccess and .htpasswd files. Is that correct? We have to comply with PCI and soon with SOX, so I don't want to put my company at risk. Secondly, like I said, I've very new with Apache and Tomcat, the .htaccess and .htpasswd files, would contain user information I'm assuming from the database where the users are authenticated, yes? Or am I completely off base?

Sincerely,
lhiggie