Diffstat (limited to '')
-rw-r--r-- | docs/manual/misc/security_tips.html | 17
-rw-r--r-- | docs/manual/misc/security_tips.html.en | 492
-rw-r--r-- | docs/manual/misc/security_tips.html.fr.utf8 | 513
-rw-r--r-- | docs/manual/misc/security_tips.html.ko.euc-kr | 373
-rw-r--r-- | docs/manual/misc/security_tips.html.tr.utf8 | 486
5 files changed, 1881 insertions, 0 deletions
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html new file mode 100644 index 0000000..bb9a427 --- /dev/null +++ b/docs/manual/misc/security_tips.html @@ -0,0 +1,17 @@ +# GENERATED FROM XML -- DO NOT EDIT + +URI: security_tips.html.en +Content-Language: en +Content-type: text/html; charset=ISO-8859-1 + +URI: security_tips.html.fr.utf8 +Content-Language: fr +Content-type: text/html; charset=UTF-8 + +URI: security_tips.html.ko.euc-kr +Content-Language: ko +Content-type: text/html; charset=EUC-KR + +URI: security_tips.html.tr.utf8 +Content-Language: tr +Content-type: text/html; charset=UTF-8 diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en new file mode 100644 index 0000000..2e473d0 --- /dev/null +++ b/docs/manual/misc/security_tips.html.en 
@@ -0,0 +1,492 @@ +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head> +<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" /> +<!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Security Tips - Apache HTTP Server Version 2.4</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> +</script> + +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p> +<p class="apache">Apache HTTP Server Version 2.4</p> +<img alt="" src="../images/feather.png" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1> +<div class="toplang"> 
+<p><span>Available Languages: </span><a href="../en/misc/security_tips.html" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div> + + <p>Some hints and tips on security issues in setting up a web server. + Some of the suggestions will be general, others specific to Apache.</p> + </div> +<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamicsec">Dynamic content security</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li> +<li><img alt="" 
src="../images/down.gif" /> <a href="#merging">Merging of configuration sections</a></li> +</ul><h3>See also</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="uptodate" id="uptodate">Keep up to Date</a></h2> + + <p>The Apache HTTP Server has a good record for security and a + developer community highly concerned about security issues. But + it is inevitable that some problems -- small or large -- will be + discovered in software after it is released. For this reason, it + is crucial to keep aware of updates to the software. If you have + obtained your version of the HTTP Server directly from Apache, we + highly recommend you subscribe to the <a href="http://httpd.apache.org/lists.html#http-announce">Apache + HTTP Server Announcements List</a> where you can keep informed of + new releases and security updates. Similar services are available + from most third-party distributors of Apache software.</p> + + <p>Of course, most times that a web server is compromised, it is + not because of problems in the HTTP Server code. Rather, it comes + from problems in add-on code, CGI scripts, or the underlying + Operating System. You must therefore stay aware of problems and + updates with all the software on your system.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2> + + + + <p>All network servers can be subject to denial of service attacks + that attempt to prevent responses to clients by tying up the + resources of the server. It is not possible to prevent such + attacks entirely, but you can do certain things to mitigate the + problems that they create.</p> + + <p>Often the most effective anti-DoS tool will be a firewall or + other operating-system configurations. 
For example, most + firewalls can be configured to restrict the number of simultaneous + connections from any individual IP address or network, thus + preventing a range of simple attacks. Of course this is no help + against Distributed Denial of Service attacks (DDoS).</p> + + <p>There are also certain Apache HTTP Server configuration + settings that can help mitigate problems:</p> + + <ul> + <li>The <code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code> + directive allows to limit the time a client may take to send the + request.</li> + + <li>The <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> directive + should be lowered on sites that are subject to DoS attacks. + Setting this to as low as a few seconds may be appropriate. + As <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> is currently + used for several different operations, setting it to a low value + introduces problems with long running CGI scripts.</li> + + <li>The <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code> + directive may be also lowered on sites that are subject to DoS + attacks. 
Some sites even turn off the keepalives completely via + <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code>, which has of course + other drawbacks on performance.</li> + + <li>The values of various timeout-related directives provided by + other modules should be checked.</li> + + <li>The directives + <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code>, and + <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> + should be carefully configured to limit resource consumption + triggered by client input.</li> + + <li>On operating systems that support it, make sure that you use + the <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> directive + to offload part of the request processing to the operating + system. This is active by default in Apache httpd, but may + require reconfiguration of your kernel.</li> + + <li>Tune the <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> directive to allow + the server to handle the maximum number of simultaneous + connections without running out of resources. See also the <a href="perf-tuning.html">performance tuning + documentation</a>.</li> + + <li>The use of a threaded <a href="../mpm.html">mpm</a> may + allow you to handle more simultaneous connections, thereby + mitigating DoS attacks. Further, the + <code class="module"><a href="../mod/event.html">event</a></code> mpm + uses asynchronous processing to avoid devoting a thread to each + connection. 
Due to the nature of the OpenSSL library the + <code class="module"><a href="../mod/event.html">event</a></code> mpm is currently incompatible with + <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and other input filters. In these + cases it falls back to the behaviour of the + <code class="module"><a href="../mod/worker.html">worker</a></code> mpm.</li> + + <li>There are a number of third-party modules available through + <a href="http://modules.apache.org/">http://modules.apache.org/</a> + that can restrict certain client behaviors and thereby mitigate + DoS problems.</li> + + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2> + + + + <p>In typical operation, Apache is started by the root user, and it + switches to the user defined by the <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> directive to serve hits. As is the + case with any command that root executes, you must take care that it is + protected from modification by non-root users. Not only must the files + themselves be writeable only by root, but so must the directories, and + parents of all directories. For example, if you choose to place + ServerRoot in <code>/usr/local/apache</code> then it is suggested that + you create that directory as root, with commands like these:</p> + + <div class="example"><p><code> + mkdir /usr/local/apache <br /> + cd /usr/local/apache <br /> + mkdir bin conf logs <br /> + chown 0 . bin conf logs <br /> + chgrp 0 . bin conf logs <br /> + chmod 755 . bin conf logs + </code></p></div> + + <p>It is assumed that <code>/</code>, <code>/usr</code>, and + <code>/usr/local</code> are only modifiable by root. 
When you install the + <code class="program"><a href="../programs/httpd.html">httpd</a></code> executable, you should ensure that it is + similarly protected:</p> + + <div class="example"><p><code> + cp httpd /usr/local/apache/bin <br /> + chown 0 /usr/local/apache/bin/httpd <br /> + chgrp 0 /usr/local/apache/bin/httpd <br /> + chmod 511 /usr/local/apache/bin/httpd + </code></p></div> + + <p>You can create an htdocs subdirectory which is modifiable by other + users -- since root never executes any files out of there, and shouldn't + be creating files in there.</p> + + <p>If you allow non-root users to modify any files that root either + executes or writes on then you open your system to root compromises. + For example, someone could replace the <code class="program"><a href="../programs/httpd.html">httpd</a></code> binary so + that the next time you start it, it will execute some arbitrary code. If + the logs directory is writeable (by a non-root user), someone could replace + a log file with a symlink to some other system file, and then root + might overwrite that file with arbitrary data. If the log files + themselves are writeable (by a non-root user), then someone may be + able to overwrite the log itself with bogus data.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssi" id="ssi">Server Side Includes</a></h2> + + + + <p>Server Side Includes (SSI) present a server administrator with + several potential security risks.</p> + + <p>The first risk is the increased load on the server. All + SSI-enabled files have to be parsed by Apache, whether or not + there are any SSI directives included within the files. While this + load increase is minor, in a shared server environment it can become + significant.</p> + + <p>SSI files also pose the same risks that are associated with CGI + scripts in general. 
Using the <code>exec cmd</code> element, SSI-enabled + files can execute any CGI script or program under the permissions of the + user and group Apache runs as, as configured in + <code>httpd.conf</code>.</p> + + <p>There are ways to enhance the security of SSI files while still + taking advantage of the benefits they provide.</p> + + <p>To isolate the damage a wayward SSI file can cause, a server + administrator can enable <a href="../suexec.html">suexec</a> as + described in the <a href="#cgi">CGI in General</a> section.</p> + + <p>Enabling SSI for files with <code>.html</code> or <code>.htm</code> + extensions can be dangerous. This is especially true in a shared, or high + traffic, server environment. SSI-enabled files should have a separate + extension, such as the conventional <code>.shtml</code>. This helps keep + server load at a minimum and allows for easier management of risk.</p> + + <p>Another solution is to disable the ability to run scripts and + programs from SSI pages. To do this replace <code>Includes</code> + with <code>IncludesNOEXEC</code> in the <code class="directive"><a href="../mod/core.html#options">Options</a></code> directive. Note that users may + still use <code><--#include virtual="..." --></code> to execute CGI + scripts if these scripts are in directories designated by a <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code> directive.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cgi" id="cgi">CGI in General</a></h2> + + + + <p>First of all, you always have to remember that you must trust the + writers of the CGI scripts/programs or your ability to spot potential + security holes in CGI, whether they were deliberate or accidental. 
CGI + scripts can run essentially arbitrary commands on your system with the + permissions of the web server user and can therefore be extremely + dangerous if they are not carefully checked.</p> + + <p>All the CGI scripts will run as the same user, so they have potential + to conflict (accidentally or deliberately) with other scripts e.g. User + A hates User B, so he writes a script to trash User B's CGI database. One + program which can be used to allow scripts to run as different users is + <a href="../suexec.html">suEXEC</a> which is included with Apache as of + 1.2 and is called from special hooks in the Apache server code. Another + popular way of doing this is with + <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="nsaliasedcgi" id="nsaliasedcgi">Non Script Aliased CGI</a></h2> + + + + <p>Allowing users to execute CGI scripts in any directory should only be + considered if:</p> + + <ul> + <li>You trust your users not to write scripts which will deliberately + or accidentally expose your system to an attack.</li> + <li>You consider security at your site to be so feeble in other areas, + as to make one more potential hole irrelevant.</li> + <li>You have no users, and nobody ever visits your server.</li> + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="saliasedcgi" id="saliasedcgi">Script Aliased CGI</a></h2> + + + + <p>Limiting CGI to special directories gives the admin control over what + goes into those directories. 
This is inevitably more secure than non + script aliased CGI, but only if users with write access to the + directories are trusted or the admin is willing to test each + new CGI script/program for potential security holes.</p> + + <p>Most sites choose this option over the non script aliased CGI + approach.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamic" id="dynamic">Other sources of dynamic content</a></h2> + + + + <p>Embedded scripting options which run as part of the server itself, + such as <code>mod_php</code>, <code>mod_perl</code>, <code>mod_tcl</code>, + and <code>mod_python</code>, run under the identity of the server itself + (see the <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> directive), and + therefore scripts executed by these engines potentially can access anything + the server user can. Some scripting engines may provide restrictions, but + it is better to be safe and assume not.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamicsec" id="dynamicsec">Dynamic content security</a></h2> + + + + <p>When setting up dynamic content, such as <code>mod_php</code>, + <code>mod_perl</code> or <code>mod_python</code>, many security considerations + get out of the scope of <code>httpd</code> itself, and you need to consult + documentation from those modules. For example, PHP lets you setup <a href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Safe Mode</a>, + which is most usually disabled by default. Another example is <a href="http://www.hardened-php.net/suhosin/">Suhosin</a>, a PHP addon for more + security. 
For more information about those, consult each project + documentation.</p> + + <p>At the Apache level, a module named <a href="http://modsecurity.org/">mod_security</a> + can be seen as a HTTP firewall and, provided you configure it finely enough, + can help you enhance your dynamic content security.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="systemsettings" id="systemsettings">Protecting System Settings</a></h2> + + + + <p>To run a really tight ship, you'll want to stop users from setting + up <code>.htaccess</code> files which can override security features + you've configured. Here's one way to do it.</p> + + <p>In the server configuration file, put</p> + + <pre class="prettyprint lang-config"><Directory "/"> + AllowOverride None +</Directory></pre> + + + <p>This prevents the use of <code>.htaccess</code> files in all + directories apart from those specifically enabled.</p> + + <p>Note that this setting is the default since Apache 2.3.9.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="protectserverfiles" id="protectserverfiles">Protect Server Files by Default</a></h2> + + + + <p>One aspect of Apache which is occasionally misunderstood is the + feature of default access. That is, unless you take steps to change it, + if the server can find its way to a file through normal URL mapping + rules, it can serve it to clients.</p> + + <p>For instance, consider the following example:</p> + + <div class="example"><p><code> + # cd /; ln -s / public_html <br /> + Accessing <code>http://localhost/~root/</code> + </code></p></div> + + <p>This would allow clients to walk through the entire filesystem. 
To + work around this, add the following block to your server's + configuration:</p> + + <pre class="prettyprint lang-config"><Directory "/"> + Require all denied +</Directory></pre> + + + <p>This will forbid default access to filesystem locations. Add + appropriate <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> blocks to + allow access only in those areas you wish. For example,</p> + + <pre class="prettyprint lang-config"><Directory "/usr/users/*/public_html"> + Require all granted +</Directory> +<Directory "/usr/local/httpd"> + Require all granted +</Directory></pre> + + + <p>Pay particular attention to the interactions of <code class="directive"><a href="../mod/core.html#location">Location</a></code> and <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> directives; for instance, even + if <code><Directory "/"></code> denies access, a <code> + <Location "/"></code> directive might overturn it.</p> + + <p>Also be wary of playing games with the <code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> directive; setting it to + something like <code>./</code> would have the same effect, for root, as + the first example above. We strongly + recommend that you include the following line in your server + configuration files:</p> + + <pre class="prettyprint lang-config">UserDir disabled root</pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="watchyourlogs" id="watchyourlogs">Watching Your Logs</a></h2> + + + + <p>To keep up-to-date with what is actually going on against your server + you have to check the <a href="../logs.html">Log Files</a>. 
Even though + the log files only reports what has already happened, they will give you + some understanding of what attacks is thrown against the server and + allow you to check if the necessary level of security is present.</p> + + <p>A couple of examples:</p> + + <div class="example"><p><code> + grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br /> + grep "client denied" error_log | tail -n 10 + </code></p></div> + + <p>The first example will list the number of attacks trying to exploit the + <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat + Source.JSP Malformed Request Information Disclosure Vulnerability</a>, + the second example will list the ten last denied clients, for example:</p> + + <div class="example"><p><code> + [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied + by server configuration: /usr/local/apache/htdocs/.htpasswd + </code></p></div> + + <p>As you can see, the log files only report what already has happened, so + if the client had been able to access the <code>.htpasswd</code> file you + would have seen something similar to:</p> + + <div class="example"><p><code> + foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" + </code></p></div> + + <p>in your <a href="../logs.html#accesslog">Access Log</a>. This means + you probably commented out the following in your server configuration + file:</p> + + <pre class="prettyprint lang-config"><Files ".ht*"> + Require all denied +</Files></pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="merging" id="merging">Merging of configuration sections</a></h2> + + + + <p> The merging of configuration sections is complicated and sometimes + directive specific. 
Always test your changes when creating dependencies + on how directives are merged.</p> + + <p> For modules that don't implement any merging logic, such as + <code class="directive">mod_access_compat</code>, the behavior in later sections + depends on whether the later section has any directives + from the module. The configuration is inherited until a change is made, + at which point the configuration is <em>replaced</em> and not merged.</p> + </div></div> +<div class="bottomlang"> +<p><span>Available Languages: </span><a href="../en/misc/security_tips.html" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. 
Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<script type="text/javascript"><!--//--><![CDATA[//><!-- +var comments_shortname = 'httpd'; +var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html'; +(function(w, d) { + if (w.location.hostname.toLowerCase() == "httpd.apache.org") { + d.write('<div id="comments_thread"><\/div>'); + var s = d.createElement('script'); + s.type = 'text/javascript'; + s.async = true; + s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; + (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); + } + else { + d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); + } +})(window, document); +//--><!]]></script></div><div id="footer"> +<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- +if (typeof(prettyPrint) !== 'undefined') { + prettyPrint(); +} +//--><!]]></script> +</body></html>
\ No newline at end of file diff --git a/docs/manual/misc/security_tips.html.fr.utf8 b/docs/manual/misc/security_tips.html.fr.utf8 new file mode 100644 index 0000000..67a8a8e --- /dev/null +++ b/docs/manual/misc/security_tips.html.fr.utf8 
@@ -0,0 +1,513 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"><head> +<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /> +<!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Conseils sur la sécurité - Serveur HTTP Apache Version 2.4</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> +</script> + +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossaire</a> | <a href="../sitemap.html">Plan du site</a></p> +<p class="apache">Serveur HTTP Apache Version 2.4</p> +<img alt="" src="../images/feather.png" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">Serveur HTTP</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Documentations diverses</a></div><div id="page-content"><div id="preamble"><h1>Conseils sur la sécurité</h1> +<div 
class="toplang"> +<p><span>Langues Disponibles: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div> + + <p>Ce document propose quelques conseils et astuces concernant les + problèmes de sécurité liés + à l'installation d'un serveur web. Certaines suggestions seront à caractère + général, tandis que d'autres seront spécifiques à Apache.</p> + </div> +<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Maintenez votre serveur à jour</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dos">Attaques de type "Déni de service" + (Denial of Service - DoS)</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions sur les répertoires de la racine du serveur</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Inclusions côté serveur</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#cgi">Les CGI en général</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">CGI sans alias de script</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">CGI avec alias de script</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Autres sources de contenu dynamique</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protection de la configuration du système</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protection par défaut des fichiers du serveur</a></li> 
+<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Surveillez vos journaux</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#merging">Fusion des sections de configuration</a></li> +</ul><h3>Voir aussi</h3><ul class="seealso"><li><a href="#comments_section">Commentaires</a></li></ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="uptodate" id="uptodate">Maintenez votre serveur à jour</a></h2> + + <p>Le serveur HTTP Apache a une bonne réputation en matière de sécurité + et possède une communauté de développeurs très sensibilisés aux problèmes + de sécurité. Mais il est inévitable de trouver certains problèmes + -- petits ou grands -- une fois le logiciel mis à disposition. C'est pour + cette raison qu'il est crucial de se tenir informé des mises à jour. Si + vous avez obtenu votre version du serveur HTTP directement depuis Apache, + nous vous conseillons grandement de vous abonner à la <a href="http://httpd.apache.org/lists.html#http-announce">Liste de diffusion + des annonces du serveur HTTP</a> qui vous informera de + la parution des nouvelles versions et des mises à jour de sécurité. La + plupart des distributeurs tiers d'Apache fournissent des services + similaires.</p> + + <p>Gardez cependant à l'esprit que lorsqu'un serveur web est compromis, le + code du serveur HTTP n'est la plupart du temps pas en cause. Les problèmes + proviennent plutôt de code ajouté, de scripts CGI, ou du système + d'exploitation sous-jacent. 
Vous devez donc vous tenir informé des + problèmes et mises à jour concernant tous les logiciels présents sur + votre système.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dos" id="dos">Attaques de type "Déni de service" + (Denial of Service - DoS)</a></h2> + + + + <p>Tous les services réseau peuvent faire l'objet d'attaques de type + "Déni de service" qui tentent de les empêcher de répondre aux clients en + saturant leurs ressources. Il est impossible de se prémunir totalement + contre ce type d'attaques, mais vous pouvez accomplir certaines actions + afin de minimiser les problèmes qu'elles créent.</p> + + <p>Souvent, l'outil anti-DoS le plus efficace sera constitué par le + pare-feu ou certaines configurations du système d'exploitation. Par + exemple, la plupart des pare-feu peuvent être configurés de façon à + limiter le nombre de connexions simultanées depuis une adresse IP ou un + réseau, ce qui permet de prévenir toute une gamme d'attaques simples. + Bien sûr, ceci n'est d'aucun secours contre les attaques de type + "Déni de service" distribuées (DDoS).</p> + + <p>Certains réglages de la configuration d'Apache peuvent aussi + minimiser les problèmes :</p> + + <ul> + <li>La directive <code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code> permet de + limiter le temps que met le client pour envoyer sa requête.</li> + + <li>La valeur de la directive + <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> doit être diminuée sur les + sites sujets aux attaques DoS. Une valeur de quelques secondes devrait + convenir. 
Cependant, comme <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> + est actuellement concerné par de nombreuses opérations différentes, lui + attribuer une valeur trop faible peut provoquer des problèmes avec les + scripts CGI qui présentent un long temps de réponse.</li> + + <li>La valeur de la directive + <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code> doit aussi être + diminuée sur les sites sujets aux attaques DoS. Certains sites + désactivent même complètement le "maintien en vie" (keepalives) + à l'aide de la directive + <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code>, ce qui bien sûr + présente des inconvénients en matière de performances.</li> + + <li>Les valeurs des différentes directives fournies par d'autres modules + et en rapport avec des délais doivent aussi être vérifiées.</li> + + <li>Les directives + <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code>, et + <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> doivent être + configurées avec prudence afin de limiter la consommation de ressources + induite par les demandes des clients. + </li> + + <li>Sur les systèmes d'exploitation qui le supportent, assurez-vous que + la directive <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> est + activée afin de déléguer une partie du traitement des requêtes au + système d'exploitation. 
Elle est activée par défaut dans le démon httpd + d'Apache, mais peut nécessiter une reconfiguration de votre noyau.</li> + + <li>Optimisez la directive <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> de façon à définir le nombre + maximum de connexions simultanées au dessus duquel les ressources + s'épuisent. Voir aussi la <a href="perf-tuning.html">documentation sur l'optimisation des + performances</a>.</li> + + <li>L'utilisation d'un <a href="../mpm.html">module mpm</a> threadé + vous permet de traiter d'avantage de connexions simultanées, ce qui + minimise l'effet des attaques DoS. Dans le futur, le module mpm + <code class="module"><a href="../mod/event.html">event</a></code> utilisera un traitement asynchrone afin de ne pas + dédier un thread à chaque connexion. De par la + nature de la bibliothèque OpenSSL, le module mpm <code class="module"><a href="../mod/event.html">event</a></code> est actuellement incompatible + avec le module <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ainsi que d'autres filtres + en entrée. Dans ces cas, son comportement se ramène à celui + du module mpm <code class="module"><a href="../mod/worker.html">worker</a></code>.</li> + + <li>Il existe de nombreux modules tiers disponibles à <a href="http://modules.apache.org/">http://modules.apache.org/</a> qui + peuvent retreindre les comportements de certains clients et ainsi + minimiser les problèmes de DoS.</li> + + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="serverroot" id="serverroot">Permissions sur les répertoires de la racine du serveur</a></h2> + + + + <p>Typiquement, Apache est démarré par l'utilisateur root, puis il devient + la propriété de l'utilisateur défini par la directive <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> afin de répondre aux demandes. 
Comme + pour toutes les commandes exécutées par root, vous devez vous assurer + qu'elle n'est pas modifiable par les utilisateurs autres que root. Les + fichiers eux-mêmes, mais aussi les répertoires ainsi que leurs parents ne + doivent être modifiables que par root. Par exemple, si vous avez choisi de + placer la racine du serveur dans <code>/usr/local/apache</code>, il est conseillé de + créer le répertoire en tant que root, avec des commandes du style :</p> + + <div class="example"><p><code> + mkdir /usr/local/apache <br /> + cd /usr/local/apache <br /> + mkdir bin conf logs <br /> + chown 0 . bin conf logs <br /> + chgrp 0 . bin conf logs <br /> + chmod 755 . bin conf logs + </code></p></div> + + <p>Nous supposerons que <code>/</code>, <code>/usr</code> et + <code>/usr/local</code> ne sont modifiables que par + root. Quand vous installez l'exécutable <code class="program"><a href="../programs/httpd.html">httpd</a></code>, vous + devez vous assurer qu'il possède des protections similaires :</p> + + <div class="example"><p><code> + cp httpd /usr/local/apache/bin <br /> + chown 0 /usr/local/apache/bin/httpd <br /> + chgrp 0 /usr/local/apache/bin/httpd <br /> + chmod 511 /usr/local/apache/bin/httpd + </code></p></div> + + <p>Vous pouvez créer un sous-répertoire htdocs modifiable par d'autres + utilisateurs -- car root ne crée ni exécute aucun fichier dans ce + sous-répertoire.</p> + + <p>Si vous permettez à des utilisateurs non root de modifier des fichiers + que root écrit ou exécute, vous exposez votre système à une compromission + de l'utilisateur root. Par exemple, quelqu'un pourrait remplacer le binaire + <code class="program"><a href="../programs/httpd.html">httpd</a></code> de façon à ce que la prochaine fois que vous le + redémarrerez, il exécutera un code arbitraire. 
Si le répertoire des + journaux a les droits en écriture (pour un utilisateur non root), quelqu'un + pourrait remplacer un fichier journal par un lien symbolique vers un autre + fichier système, et root pourrait alors écraser ce fichier avec des données + arbitraires. Si les fichiers journaux eux-mêmes ont des droits en + écriture (pour un utilisateur non root), quelqu'un pourrait + modifier les journaux eux-mêmes avec des données fausses.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssi" id="ssi">Inclusions côté serveur</a></h2> + + + + <p>Les inclusions côté serveur (Server Side Includes - SSI) exposent + l'administrateur du serveur à de nombreux risques potentiels en matière de + sécurité.</p> + + <p>Le premier risque est l'augmentation de la charge du serveur. Tous les + fichiers où SSI est activé doivent être analysés par Apache, qu'ils + contiennent des directives SSI ou non. L'augmentation de la charge induite + est minime, mais peut devenir significative dans le contexte d'un + serveur partagé.</p> + + <p>Les fichiers SSI présentent les mêmes risques que les scripts CGI en + général. Les fichiers où SSI est activé peuvent exécuter tout script CGI + ou autre programme à l'aide de la commande <code>"exec cmd"</code> avec les permissions + des utilisateur et groupe sous lesquels Apache s'exécute, comme défini + dans <code>httpd.conf</code>.</p> + + <p>Des méthodes existent pour améliorer la sécurité des fichiers SSI, tout + en tirant parti des bénéfices qu'ils apportent.</p> + + <p>Pour limiter les dommages qu'un fichier SSI agressif pourrait causer, + l'administrateur du serveur peut activer<a href="../suexec.html">suexec</a> + comme décrit dans la section <a href="#cgi">Les CGI en général</a>.</p> + + <p>L'activation des SSI pour des fichiers possédant des extensions + <code>.html</code> ou + <code>.htm</code> peut s'avérer dangereux. 
Ceci est particulièrement vrai dans un + environnement de serveur partagé ou étant le siège d'un traffic élevé. Les + fichiers où SSI est activé doivent posséder une extension spécifique, telle + que la conventionnelle <code>.shtml</code>. Ceci permet de limiter la charge du serveur + à un niveau minimum et de simplifier la gestion des risques.</p> + + <p>Une autre solution consiste à interdire l'exécution de scripts et + programmes à partir de pages SSI. Pour ce faire, remplacez + <code>Includes</code> par <code>IncludesNOEXEC</code> dans la directive + <code class="directive"><a href="../mod/core.html#options">Options</a></code>. Notez que les utilisateurs + pourront encore utiliser <code><--#include virtual="..." --></code> pour exécuter + des scripts CGI si ces scripts sont situés dans des répertoires spécifiés + par une directive + <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cgi" id="cgi">Les CGI en général</a></h2> + + + + <p>Tout d'abord, vous devez toujours garder à l'esprit que vous devez + faire confiance aux développeurs de scripts ou programmes CGI ainsi qu'à + vos compétences pour déceler les trous de sécurité potentiels dans les + CGI, que ceux-ci soient délibérés ou accidentels. Les scripts CGI peuvent + essentiellement exécuter des commandes arbitraires sur votre système avec + les droits de l'utilisateur du serveur web, et peuvent par conséquent être + extrèmement dangereux s'ils ne sont pas vérifiés avec soin.</p> + + <p>Tous les scripts CGI s'exécutent sous le même utilisateur, il peuvent + donc entrer en conflit (accidentellement ou délibérément) avec d'autres + scripts. Par exemple, l'utilisateur A hait l'utilisateur B, il écrit donc + un script qui efface la base de données CGI de l'utilisateur B. 
Vous pouvez + utiliser le programme <a href="../suexec.html">suEXEC</a> pour faire en + sorte que les scripts s'exécutent sous des utilisateurs différents. Ce + programme est inclus dans la distribution d'Apache depuis la version 1.2 + et est appelé à partir de certaines portions de code du serveur Apache. Une + autre méthode plus connue est l'utilisation de + <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="nsaliasedcgi" id="nsaliasedcgi">CGI sans alias de script</a></h2> + + + + <p>Vous ne devez permettre aux utilisateurs d'exécuter des scripts CGI + depuis n'importe quel répertoire que dans l'éventualité où :</p> + + <ul> + <li>Vous faites confiance à vos utilisateurs pour ne pas écrire de + scripts qui vont délibérément ou accidentellement exposer votre + système à une attaque.</li> + <li>Vous estimez que le niveau de sécurité dans les autres parties de + votre site est si faible qu'un trou de sécurité de plus ou de moins + n'est pas très important.</li> + <li>Votre système ne comporte aucun utilisateur, et personne ne visite + jamais votre site.</li> + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="saliasedcgi" id="saliasedcgi">CGI avec alias de script</a></h2> + + + + <p>Le confinement des CGI dans des répertoires spécifiques permet à + l'administrateur de contrôler ce que l'on met dans ces répertoires. 
Ceci + est bien entendu mieux sécurisé que les CGI sans alias de script, mais + seulement à condition que les utilisateurs avec les droits en écriture sur + les répertoires soient dignes de confiance, et que l'administrateur ait la + volonté de tester chaque programme ou script CGI à la recherche d'éventuels + trous de sécurité.</p> + + <p>La plupart des sites choisissent cette approche au détriment des CGI + sans alias de script.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamic" id="dynamic">Autres sources de contenu dynamique</a></h2> + + + + <p> + Les options de scripting intégrées qui s'exécutent en tant que partie du + serveur lui-même, comme <code>mod_php</code>, <code>mod_perl</code>, + <code>mod_tcl</code>, et <code>mod_python</code>, + s'exécutent sous le même utilisateur que le serveur (voir la directive + <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code>), et par conséquent, + les scripts que ces moteurs exécutent peuvent accéder aux mêmes ressources + que le serveur. Certains moteurs de scripting peuvent proposer des + restrictions, mais pour plus de sûreté, il vaut mieux partir du principe + que ce n'est pas le cas.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="systemsettings" id="systemsettings">Protection de la configuration du système</a></h2> + + + + <p>Pour contrôler étroitement votre serveur, vous pouvez interdire + l'utilisation des fichiers <code>.htaccess</code> qui permettent de + passer outre les fonctionnalités de sécurité que vous avez configurées. 
+ Voici un moyen pour y parvenir :</p> + + <p>Ajoutez dans le fichier de configuration du serveur</p> + + <pre class="prettyprint lang-config"><Directory "/"> + AllowOverride None +</Directory></pre> + + + <p>Ceci interdit l'utilisation des fichiers <code>.htaccess</code> dans + tous les répertoires, sauf ceux pour lesquels c'est explicitement + autorisé.</p> + + <p>Notez que c'est la configuration par défaut depuis Apache 2.3.9.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="protectserverfiles" id="protectserverfiles">Protection par défaut des fichiers du serveur</a></h2> + + + + <p>Le concept d'accès par défaut est un aspect d'Apache qui est parfois mal + compris. C'est à dire que, à moins que vous ne changiez explicitement ce + comportement, si le serveur trouve son chemin vers un fichier en suivant + les règles normales de correspondance URL - fichier, il peut le retourner + aux clients.</p> + + <p>Considérons l'exemple suivant :</p> + + <div class="example"><p><code> + # cd /; ln -s / public_html <br /> + puis accès à <code>http://localhost/~root/</code> + </code></p></div> + + <p>Ceci permettrait aux clients de parcourir l'ensemble du système de + fichiers. Pour l'éviter, ajoutez le bloc suivant à la configuration + de votre serveur :</p> + + <pre class="prettyprint lang-config"><Directory "/"> + Require all denied +</Directory></pre> + + + <p>ceci va interdire l'accès par défaut à tous les fichiers du système de + fichiers. Vous devrez ensuite ajouter les blocs + <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> appropriés correspondant + aux répertoires auxquels vous voulez autorisez l'accès. 
Par exemple,</p> + + <pre class="prettyprint lang-config"><Directory "/usr/users/*/public_html"> + Require all granted +</Directory> +<Directory "/usr/local/httpd"> + Require all granted +</Directory></pre> + + + <p>Portez une attention particulière aux interactions entre les directives + <code class="directive"><a href="../mod/core.html#location">Location</a></code> et + <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> ; par exemple, si une + directive <code><Directory ""/></code> interdit un accès, une + directive <code><Location "/"></code> pourra passer outre.</p> + + <p>De même, soyez méfiant en jouant avec la directive + <code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> ; la positionner à + <code>"./"</code> aurait le même effet, pour root, que le premier exemple plus haut. + Nous vous conseillons + fortement d'inclure la ligne suivante dans le fichier de configuration de + votre serveur :</p> + + <pre class="prettyprint lang-config">UserDir disabled root</pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="watchyourlogs" id="watchyourlogs">Surveillez vos journaux</a></h2> + + + + <p>Pour vous tenir informé de ce qui se passe réellement dans votre + serveur, vous devez consulter vos + <a href="../logs.html">fichiers journaux</a>. Même si les fichiers journaux + ne consignent que des évènements qui se sont déjà produits, ils vous + informeront sur la nature des attaques qui sont lancées contre le serveur + et vous permettront de vérifier si le niveau de sécurité nécessaire est + atteint.</p> + + <p>Quelques exemples :</p> + + <div class="example"><p><code> + grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" 
access_log <br /> + grep "client denied" error_log | tail -n 10 + </code></p></div> + + <p>Le premier exemple listera les attaques essayant d'exploiter la + <a href="http://online.securityfocus.com/bid/4876/info/">vulnérabilité + d'Apache Tomcat pouvant provoquer la divulgation d'informations par des + requêtes Source.JSP mal formées</a>, le second donnera la liste des dix + dernières interdictions client ; par exemple :</p> + + <div class="example"><p><code> + [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied + by server configuration: /usr/local/apache/htdocs/.htpasswd + </code></p></div> + + <p>Comme vous le voyez, les fichiers journaux ne consignent que ce qui + s'est déjà produit ; ainsi, si le client a pu accéder au fichier + <code>.htpasswd</code>, vous devriez avoir quelque chose du style :</p> + + <div class="example"><p><code> + foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" + </code></p></div> + + <p>dans votre <a href="../logs.html#accesslog">journal des accès</a> ; ce + qui signifie que vous avez probablement mis en commentaire ce qui suit dans + le fichier de configuration de votre serveur :</p> + + <pre class="prettyprint lang-config"><Files ".ht*"> + Require all denied +</Files></pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="merging" id="merging">Fusion des sections de configuration</a></h2> + + + + <p>La fusion des sections de configuration est complexe et dépend + souvent des directives utilisées. Vous devez systématiquement tester + vos modifications pour vérifier la manière dont les directives sont + fusionnées.</p> + + <p>Concernant les modules qui n'implémentent aucune logique de + fusion, comme <code class="directive">mod_access_compat</code>, le + comportement des sections suivantes est tributaire de la présence + dans ces dernières de directives appartenant à ces modules. 
La + configuration est héritée jusqu'à ce qu'une modification soit + effectuée ; à ce moment, la configuration est <em>remplacée</em> et + non fusionnée.</p> + </div></div> +<div class="bottomlang"> +<p><span>Langues Disponibles: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Commentaires</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. 
Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<script type="text/javascript"><!--//--><![CDATA[//><!-- +var comments_shortname = 'httpd'; +var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html'; +(function(w, d) { + if (w.location.hostname.toLowerCase() == "httpd.apache.org") { + d.write('<div id="comments_thread"><\/div>'); + var s = d.createElement('script'); + s.type = 'text/javascript'; + s.async = true; + s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; + (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); + } + else { + d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); + } +})(window, document); +//--><!]]></script></div><div id="footer"> +<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Autorisé sous <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossaire</a> | <a href="../sitemap.html">Plan du site</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- +if (typeof(prettyPrint) !== 'undefined') { + prettyPrint(); +} +//--><!]]></script> +</body></html>
\ No newline at end of file diff --git a/docs/manual/misc/security_tips.html.ko.euc-kr b/docs/manual/misc/security_tips.html.ko.euc-kr new file mode 100644 index 0000000..8d9e58b --- /dev/null +++ b/docs/manual/misc/security_tips.html.ko.euc-kr 
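Review bot: In security_tips.html.fr.utf8, the "protectserverfiles" section writes the directive as `<Directory ""/>`, with the slash outside the quotes, where the sentence means the root directory; it should read `<Directory "/">`, matching the `<Directory "/">` config blocks earlier in that section and the `<Location "/">` it is contrasted with. Two smaller markup slips in the same file: the SSI section shows `<--#include virtual="..." -->` without the `!` that opens an SSI directive (`<!--#include ...`), and "peut activer<a href="../suexec.html">suexec</a>" is missing the space before the link. The file header says it is generated from XML, so these should be corrected in the XML source and the page regenerated rather than patched in this file.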
@@ -0,0 +1,373 @@ +<?xml version="1.0" encoding="EUC-KR"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="ko" xml:lang="ko"><head> +<meta content="text/html; charset=EUC-KR" http-equiv="Content-Type" /> +<!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>º¸¾È ÆÁ - Apache HTTP Server Version 2.4</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> +</script> + +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">¸ðµâ</a> | <a href="../mod/directives.html">Áö½Ã¾îµé</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">¿ë¾î</a> | <a href="../sitemap.html">»çÀÌÆ®¸Ê</a></p> +<p class="apache">Apache HTTP Server Version 2.4</p> +<img alt="" src="../images/feather.png" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.4</a> > <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>º¸¾È ÆÁ</h1> +<div class="toplang"> +<p><span>°¡´ÉÇÑ ¾ð¾î: </span><a 
href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div> +<div class="outofdate">ÀÌ ¹®¼´Â ÃÖ½ÅÆÇ ¹ø¿ªÀÌ ¾Æ´Õ´Ï´Ù. + ÃÖ±Ù¿¡ º¯°æµÈ ³»¿ëÀº ¿µ¾î ¹®¼¸¦ Âü°íÇϼ¼¿ä.</div> + + <p>À¥¼¹ö¸¦ ¿î¿µÇÒ¶§ µµ¿òÀÌ µÉ º¸¾È °ü·Ã ÈùÆ®¿Í ÆÁÀÌ´Ù. + ¾î¶² °ÍÀº ÀϹÝÀûÀÌ°í, ¾î¶² °ÍÀº ¾ÆÆÄÄ¡¿¡¸¸ ÇØ´çÇÏ´Â °ÍÀÌ´Ù.</p> + </div> +<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">ÃÖ½ÅÆÇÀ¸·Î À¯ÁöÇϱâ</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">ServerRoot µð·ºÅ丮 ±ÇÇÑ</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#cgi">ÀϹÝÀûÀÎ CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">ScriptAliasÇÏÁö ¾ÊÀº CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">ScriptAliasÇÑ CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">µ¿Àû ³»¿ëÀ» »ý¼ºÇÏ´Â ´Ù¸¥ ¹æ¹ý</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">½Ã½ºÅÛ ¼³Á¤ º¸È£Çϱâ</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">±âº»ÀûÀ¸·Î ¼¹ö¿¡ ÀÖ´Â ÆÄÀÏ º¸È£Çϱâ</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">·Î±× »ìÆ캸±â</a></li> +</ul><h3>Âü°í</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> 
+<h2><a name="uptodate" id="uptodate">ÃÖ½ÅÆÇÀ¸·Î À¯ÁöÇϱâ</a></h2> + + <p>¾ÆÆÄÄ¡ À¥¼¹ö´Â ¾ÈÀü°ú º¸¾È ¹®Á¦¿¡ °ü½ÉÀÌ ¸¹Àº °³¹ßÀÚ + °øµ¿Ã¼·Î À¯¸íÇÏ´Ù. ±×·¯³ª Å©°Ç ÀÛ°Ç ¹ßÇ¥ÈÄ ¹ß°ßµÇ´Â ¹®Á¦µéÀ» + ÇÇÇÒ ¼ö ¾ø´Ù. ±×·¡¼ ¼ÒÇÁÆ®¿þ¾î¸¦ ÃֽŹöÀüÀ¸·Î À¯ÁöÇÏ´Â + °ÍÀÌ Áß¿äÇÏ´Ù. ¾ÆÆÄÄ¡¿¡¼ Á÷Á¢ À¥¼¹ö¸¦ ´Ù¿î·ÎµåÇß´Ù¸é, + »õ·Î¿î ¹öÀü°ú º¸¾È ¾÷µ¥ÀÌÆ®¸¦ ¾Ë·ÁÁÖ´Â <a href="http://httpd.apache.org/lists.html#http-announce">¾ÆÆÄÄ¡ + À¥¼¹ö ¹ßÇ¥ ¸ÞÀϸµ¸®½ºÆ®</a>¸¦ ±¸µ¶ÇÏ±æ °·ÂÈ÷ ±ÇÇÑ´Ù. + ¾ÆÆÄÄ¡ ¼ÒÇÁÆ®¿þ¾î¸¦ ¹èÆ÷ÇÏ´Â ¸¹Àº Á¦»ïÀڵ鵵 ºñ½ÁÇÑ ¼ºñ½º¸¦ + Á¦°øÇÑ´Ù.</p> + + <p>¹°·Ð À¥¼¹ö Äڵ嶧¹®¿¡ À¥¼¹ö°¡ °ø°ÝÀ» ´çÇÏ´Â °æ¿ì´Â + ¸¹Áö ¾Ê´Ù. ±×º¸´Ù Ãß°¡ ÄÚµå, CGI ½ºÅ©¸³Æ®, ÇÏÀ§ ¿î¿µÃ¼Á¦ÀÇ + ¹®Á¦·Î °ø°ÝÀ» ´çÇÏ´Â °æ¿ì°¡ ¸¹´Ù. ±×·¯¹Ç·Î Ç×»ó ÁÖÀÇÇϸç + ½Ã½ºÅÛÀÇ ¸ðµç ¼ÒÇÁÆ®¿þ¾î¸¦ ¾÷µ¥ÀÌÆ®ÇØ¾ß ÇÑ´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="serverroot" id="serverroot">ServerRoot µð·ºÅ丮 ±ÇÇÑ</a></h2> + + + + <p>º¸Åë root »ç¿ëÀÚ°¡ ¾ÆÆÄÄ¡¸¦ ½ÃÀÛÇÑ ÈÄ, ¿äûÀ» ¼ºñ½ºÇϱâÀ§ÇØ + <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> Áö½Ã¾î·Î + ÁöÁ¤ÇÑ »ç¿ëÀÚ·Î º¯È¯ÇÑ´Ù. root°¡ ½ÇÇàÇÏ´Â ¸í·É¾î°¡ ÀÖ´Ù¸é, + root ÀÌ¿ÜÀÇ »ç¿ëÀÚ°¡ ¼öÁ¤ÇÏÁö ¸øÇϵµ·Ï ÁÖÀÇÇØ¾ß ÇÑ´Ù. ÀÌ + ÆÄÀϵéÀ» root¸¸ ¾µ ¼ö ÀÖ¾î¾ß ÇÏ°í, µð·ºÅ丮¿Í ¸ðµç »óÀ§µð·ºÅ丮µµ + ¸¶Âù°¡Áö´Ù. ¿¹¸¦ µé¾î, ServerRoot·Î /usr/local/apache¸¦ + »ç¿ëÇÑ´Ù¸é root »ç¿ëÀÚ°¡ ´ÙÀ½°ú °°ÀÌ µð·ºÅ丮¸¦ ¸¸µé±æ + Á¦¾ÈÇÑ´Ù:</p> + + <div class="example"><p><code> + mkdir /usr/local/apache <br /> + cd /usr/local/apache <br /> + mkdir bin conf logs <br /> + chown 0 . bin conf logs <br /> + chgrp 0 . bin conf logs <br /> + chmod 755 . bin conf logs + </code></p></div> + + <p>±×·¯¸é /, /usr, /usr/local Àº root¸¸ÀÌ ¼öÁ¤ÇÒ ¼ö ÀÖ´Ù. 
+ httpd ½ÇÇàÆÄÀÏÀ» ¼³Ä¡ÇÒ¶§ ´ÙÀ½°ú °°ÀÌ º¸È£ÇØ¾ß ÇÑ´Ù:</p> + + <div class="example"><p><code> + cp httpd /usr/local/apache/bin <br /> + chown 0 /usr/local/apache/bin/httpd <br /> + chgrp 0 /usr/local/apache/bin/httpd <br /> + chmod 511 /usr/local/apache/bin/httpd + </code></p></div> + + <p>htdocs ÇÏÀ§µð·ºÅ丮´Â ´Ù¸¥ »ç¿ëÀÚµéÀÌ ¼öÁ¤ÇÒ ¼ö ÀÖµµ·Ï + ¸¸µé ¼ö ÀÖ´Ù -- root´Â ±×°÷¿¡ ÀÖ´Â ÆÄÀÏÀ» ½ÇÇàÇÏÁöµµ, ¸¸µéÁöµµ + ¾Ê¾Æ¾ß ÇÑ´Ù.</p> + + <p>root°¡ ¾Æ´Ñ »ç¿ëÀÚ°¡ root°¡ ½ÇÇàÇϰųª ¾²±â°¡´ÉÇÑ ÆÄÀÏÀ» + ¼öÁ¤ÇÒ ¼ö ÀÖ´Ù¸é ½Ã½ºÅÛÀÇ root ±ÇÇÑÀ» ÈÉÄ¥ ¼ö ÀÖ´Ù. ¿¹¸¦ + µé¾î, ´©±º°¡ httpd ½ÇÇàÆÄÀÏÀ» º¯°æÇÏ¿´´Ù¸é ´ÙÀ½¹ø ½ÃÀÛÇÒ¶§ + ÀÓÀÇÀÇ Äڵ带 ½ÇÇàÇÏ°Ô µÈ´Ù. logs µð·ºÅ丮°¡ (root°¡ ¾Æ´Ñ + »ç¿ëÀÚ¿¡°Ô) ¾²±â°¡´ÉÇÏ´Ù¸é ´©±º°¡ ·Î±×ÆÄÀÏÀ» ´Ù¸¥ ½Ã½ºÅÛÆÄÀÏ·Î + ½Éº¼¸µÅ©¸¦ °É¾î¼ root°¡ ÆÄÀÏ¿¡ ÀÓÀÇÀÇ ÀڷḦ µ¤¾î¾µ ¼ö + ÀÖ´Ù. ·Î±×ÆÄÀÏÀÌ (root°¡ ¾Æ´Ñ »ç¿ëÀÚ¿¡°Ô) ¾²±â°¡´ÉÇÏ´Ù¸é + ´©±º°¡ ·Î±×¿¡ ÀÌ»óÇÑ ÀڷḦ ±â·ÏÇÒ ¼ö ÀÖ´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssi" id="ssi">Server Side Includes</a></h2> + + + + <p>Server Side Includes (SSI)´Â ¼¹ö °ü¸®ÀÚ¿¡°Ô º¸¾È»ó ¸î°¡Áö + ÀáÀçÀûÀÎ À§ÇèÀÌ´Ù.</p> + + <p>ù¹ø° À§ÇèÀº ¼¹öÀÇ ºÎÇϸ¦ ´Ã¸®´Â Á¡ÀÌ´Ù. ¾ÆÆÄÄ¡´Â ÆÄÀÏ¿¡ + SSI Áö½Ã¾î°¡ ÀÖ´ÂÁö ¿©ºÎ¿Í °ü°è¾øÀÌ ¸ðµç SSI ÆÄÀÏÀ» ºÐ¼®ÇØ¾ß + ÇÑ´Ù. Á¶±Ý ºÎÇÏ°¡ ´ÃÁö¸¸, ¼¹ö¸¦ ¿©·¯ »ç¶÷ÀÌ °°ÀÌ »ç¿ëÇÏ´Â + ȯ°æ¿¡¼´Â ½É°¢ÇÒ ¼ö ÀÖ´Ù.</p> + + <p>¶Ç, SSI ÆÄÀÏÀº ÀϹÝÀûÀÎ CGI ½ºÅ©¸³Æ®¿Í µ¿ÀÏÇÑ À§ÇèÀ» + °¡Áø´Ù. SSI ÆÄÀÏ¿¡¼ "exec cmd"¸¦ »ç¿ëÇϸé httpd.conf¿¡¼ + ¾ÆÆÄÄ¡¸¦ ½ÇÇàÇϵµ·Ï ¼³Á¤ÇÑ »ç¿ëÀÚ¿Í ±×·ì ±ÇÇÑÀ¸·Î CGI + ½ºÅ©¸³Æ®³ª ÇÁ·Î±×·¥À» ½ÇÇàÇÒ ¼ö ÀÖ´Ù.</p> + + <p>ÀåÁ¡À» È°¿ëÇÏ¸é¼ SSI ÆÄÀÏÀÇ º¸¾ÈÀ» Çâ»ó½ÃÅ°´Â ¹æ¹ýÀÌ + ÀÖ´Ù.</p> + + <p>SSI ÆÄÀÏÀÌ °¡Á®¿Ã ¼ö ÀÖ´Â ÇÇÇظ¦ °Ý¸®ÇϱâÀ§ÇØ ¼¹ö°ü¸®ÀÚ´Â + <a href="#cgi">ÀϹÝÀûÀÎ CGI</a> Àý¿¡¼ ¼³¸íÇÏ´Â ¹æ¹ýÀ¸·Î + <a href="../suexec.html">suexec</a>¸¦ »ç¿ëÇÒ ¼ö ÀÖ´Ù</p> + + <p>.htmlÀ̳ª .htm È®ÀåÀÚ¸¦ SSI ÆÄÀÏ·Î »ç¿ëÇÏ´Â °ÍÀº À§ÇèÇÏ´Ù. + ƯÈ÷ ¿©·¯ »ç¶÷ÀÌ °øÀ¯Çϰųª Åë½Å·®ÀÌ ¸¹Àº ¼¹ö ȯ°æ¿¡¼ + À§ÇèÇÏ´Ù. 
SSI ÆÄÀÏÀº ÀϹÝÀûÀ¸·Î ¸¹ÀÌ »ç¿ëÇÏ´Â .shtml °°Àº + º°µµÀÇ È®ÀåÀÚ¸¦ °¡Á®¾ß ÇÑ´Ù. ±×·¯¸é ¼¹ö ºÎÇϸ¦ ÃÖ¼ÒÈÇÏ°í + À§Çè¿ä¼Ò¸¦ ½±°Ô °ü¸®ÇÒ ¼ö ÀÖ´Ù.</p> + + <p>´Ù¸¥ ¹æ¹ýÀº SSI ÆäÀÌÁö°¡ ½ºÅ©¸³Æ®³ª ÇÁ·Î±×·¥À» ½ÇÇàÇÏÁö + ¸øÇϵµ·Ï ¸¸µå´Â °ÍÀÌ´Ù. <code class="directive"><a href="../mod/core.html#options">Options</a></code> Áö½Ã¾î¿¡¼ <code>Includes</code> + ´ë½Å <code>IncludesNOEXEC</code>¸¦ »ç¿ëÇÑ´Ù. ±×·¡µµ ½ºÅ©¸³Æ®°¡ + <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code> Áö½Ã¾î·Î + ÁöÁ¤ÇÑ µð·ºÅ丮¿¡ ÀÖ´Ù¸é <--#include virtual="..." -->¸¦ + »ç¿ëÇÏ¿© CGI ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇÒ ¼ö ÀÖÀ½À» ÁÖÀÇÇ϶ó.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cgi" id="cgi">ÀϹÝÀûÀÎ CGI</a></h2> + + + + <p>°á±¹ ´ç½ÅÀº Ç×»ó CGI ½ºÅ©¸³Æ®/ÇÁ·Î±×·¥ÀÇ ÀúÀÚ¸¦ ½Å·ÚÇØ¾ß + ÇÏ°í, °íÀÇ°Ç ½Ç¼öÀÌ°Ç CGIÀÇ ÀáÀçÀûÀÎ º¸¾È»ó ÇãÁ¡À» ¹ß°ßÇÒ + ¼ö ÀÖ¾î¾ß ÇÑ´Ù. ±âº»ÀûÀ¸·Î CGI ½ºÅ©¸³Æ®´Â À¥¼¹ö »ç¿ëÀÚ + ±ÇÇÑÀ¸·Î ½Ã½ºÅÛ¿¡¼ ¾î¶² ¸í·É¾î¶óµµ ½ÇÇàÇÒ ¼ö Àֱ⶧¹®¿¡ + ÁÖÀÇÀÖ°Ô È®ÀÎÇÏÁö ¾ÊÀ¸¸é ¸Å¿ì À§ÇèÇÏ´Ù.</p> + + <p>¸ðµç CGI ½ºÅ©¸³Æ®°¡ °°Àº »ç¿ëÀÚ·Î ½ÇÇàµÇ±â¶§¹®¿¡ ´Ù¸¥ + ½ºÅ©¸³Æ®¿Í (°íÀÇ°Ç ½Ç¼öÀÌ°Ç) Ãæµ¹ÇÒ °¡´É¼ºÀÌ ÀÖ´Ù. ¿¹¸¦ + µé¾î, »ç¿ëÀÚ A´Â »ç¿ëÀÚ B¸¦ ¸Å¿ì ½È¾îÇÏ¿©, »ç¿ëÀÚ BÀÇ CGI + µ¥ÀÌÅͺ£À̽º¸¦ Áö¿ö¹ö¸®´Â ½ºÅ©¸³Æ®¸¦ ÀÛ¼ºÇÒ ¼ö ÀÖ´Ù. ¾ÆÆÄÄ¡ + 1.2 ¹öÀüºÎÅÍ Æ÷ÇԵǾú°í ¾ÆÆÄÄ¡ ¼¹ö¿¡¼ Ưº°ÇÑ ÈÅ(hook)À¸·Î + µ¿ÀÛÇÏ´Â <a href="../suexec.html">suEXEC</a>´Â ½ºÅ©¸³Æ®¸¦ + ´Ù¸¥ »ç¿ëÀÚ·Î ½ÇÇàÇÏ´Â ¹æ¹ýÁß Çϳª´Ù. 
´Ù¸¥ ´ëÁßÀûÀÎ ¹æ¹ý¿¡´Â + <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>ÀÌ ÀÖ´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="nsaliasedcgi" id="nsaliasedcgi">ScriptAliasÇÏÁö ¾ÊÀº CGI</a></h2> + + + + <p>´ÙÀ½ Á¶°ÇÀ» ¸¸Á·ÇÒ¶§¸¸ »ç¿ëÀÚ°¡ ¾î¶² µð·ºÅ丮¿¡¼¶óµµ + CGI ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇϵµ·Ï Çã¿ëÇÒ ¼ö ÀÖ´Ù:</p> + + <ul> + <li>´ç½ÅÀº °íÀÇ°Ç ½Ç¼öÀÌ°Ç »ç¿ëÀÚ°¡ ½Ã½ºÅÛÀ» °ø°Ý¿¡ ³ëÃâ½ÃÅ°´Â + ½ºÅ©¸³Æ®¸¦ ÀÛ¼ºÇÏÁö ¾Ê´Â´Ù°í ¹Ï´Â´Ù.</li> + <li>½Ã½ºÅÛÀÇ ´Ù¸¥ ºÎºÐÀÇ º¸¾ÈÀÌ ¾àÇؼ, ÀáÀçÀûÀÎ ÇãÁ¡À» + Çϳª ´õ ¸¸µé¾îµµ ³ªºüÁú °ÍÀÌ ¾ø´Ù°í »ý°¢ÇÏ´Â °æ¿ì.</li> + <li>»ç¿ëÀÚ°¡ ¾ø°í, ¾Æ¸¶ ¾Æ¹«µµ ¼¹ö¸¦ ¹æ¹®ÇÏÁö¾Ê´Â °æ¿ì.</li> + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="saliasedcgi" id="saliasedcgi">ScriptAliasÇÑ CGI</a></h2> + + + + <p>ƯÁ¤ µð·ºÅ丮¿¡¼¸¸ CGI¸¦ ½ÇÇàÇÒ ¼ö ÀÖµµ·Ï Á¦ÇÑÇÏ¸é °ü¸®ÀÚ´Â + ÀÌµé µð·ºÅ丮¸¦ ÅëÁ¦ÇÒ ¼ö ÀÖ´Ù. ÀÌ °æ¿ì´Â scriptaliasÇÏÁö + ¾ÊÀº CGIº¸´Ù È®½ÇÈ÷ ¾ÈÀüÇÏ´Ù. ´Ü, ½Å·ÚÇÏ´Â »ç¿ëÀÚ¸¸ µð·ºÅ丮¿¡ + Á¢±ÙÇÒ ¼ö ÀÖ°í, °ü¸®ÀÚ°¡ »õ·Î¿î CGI ½ºÅ©¸³Æ®/ÇÁ·Î±×·¥ÀÇ + ÀáÀçÀûÀÎ º¸¾È»ó ÇãÁ¡À» °Ë»çÇÒ ¿ëÀÌ°¡ ÀÖ´Ù¸é.</p> + + <p>´ëºÎºÐÀÇ »çÀÌÆ®´Â scriptaliasÇÏÁö ¾ÊÀº CGI ¹æ½Ä ´ë½Å + ÀÌ ¹æ½ÄÀ» »ç¿ëÇÑ´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamic" id="dynamic">µ¿Àû ³»¿ëÀ» »ý¼ºÇÏ´Â ´Ù¸¥ ¹æ¹ý</a></h2> + + + + <p> + mod_php, mod_perl, mod_tcl, mod_python °°ÀÌ ¼¹öÀÇ ÀϺηΠ+ µ¿ÀÛÇÏ´Â ÀÓº£µðµå ½ºÅ©¸³Æ®´Â ¼¹ö¿Í °°Àº »ç¿ëÀÚ·Î (<code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> Áö½Ã¾î Âü°í) ½ÇÇàµÇ±â¶§¹®¿¡, + ½ºÅ©¸³Æ® ¿£ÁøÀÌ ½ÇÇàÇÏ´Â ½ºÅ©¸³Æ®´Â ÀáÀçÀûÀ¸·Î ¼¹ö »ç¿ëÀÚ°¡ + Á¢±ÙÇÒ ¼ö ÀÖ´Â ¸ðµç °Í¿¡ Á¢±ÙÇÒ ¼ö ÀÖ´Ù. 
¾î¶² ½ºÅ©¸³Æ® ¿£ÁøÀº + ¾î´ÀÁ¤µµ Á¦ÇÑÀ» ÇÏÁö¸¸, ¾ÈÀüÇÏ´Ù°í °¡Á¤ÇÏÁö ¾Ê´Â °ÍÀÌ ÁÁ´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="systemsettings" id="systemsettings">½Ã½ºÅÛ ¼³Á¤ º¸È£Çϱâ</a></h2> + + + + <p>Á¤¸»·Î ¾ÈÀüÇÑ ¼¹ö¸¦ ¿î¿µÇÏ·Á¸é »ç¿ëÀÚ°¡ + <code>.htaccess</code> ÆÄÀÏÀ» »ç¿ëÇÏ¿© ´ç½ÅÀÌ ¼³Á¤ÇÑ º¸¾È±â´ÉÀ» + º¯°æÇÏ±æ ¹Ù¶óÁö ¾ÊÀ» °ÍÀÌ´Ù. ±×·¯±âÀ§ÇØ ´ÙÀ½°ú °°Àº ¹æ¹ýÀÌ + ÀÖ´Ù.</p> + + <p>¼¹ö ¼³Á¤ÆÄÀÏ¿¡ ´ÙÀ½À» Ãß°¡ÇÑ´Ù</p> + + <div class="example"><p><code> + <Directory /> <br /> + AllowOverride None <br /> + </Directory> + </code></p></div> + + <p>±×·¯¸é »ç¿ë°¡´ÉÇϵµ·Ï ¸í½ÃÀûÀ¸·Î Çã¿ëÇÑ µð·ºÅ丮¸¦ Á¦¿ÜÇÏ°í´Â + <code>.htaccess</code> ÆÄÀÏÀ» »ç¿ëÇÒ ¼ö ¾ø´Ù.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="protectserverfiles" id="protectserverfiles">±âº»ÀûÀ¸·Î ¼¹ö¿¡ ÀÖ´Â ÆÄÀÏ º¸È£Çϱâ</a></h2> + + + + <p>»ç¶÷µéÀº Á¾Á¾ ¾ÆÆÄÄ¡ÀÇ ±âº» Á¢±Ù¿¡ ´ëÇØ À߸ø ¾Ë°íÀÖ´Ù. + Áï, ¼¹ö°¡ ÀϹÝÀûÀÎ URL ´ëÀÀ ±ÔÄ¢À» »ç¿ëÇÏ¿© ÆÄÀÏÀ» ãÀ» + ¼ö ÀÖ´Ù¸é, Ưº°È÷ Á¶Ä¡¸¦ ÇÏÁö ¾Ê´ÂÇÑ Å¬¶óÀ̾ðÆ®¿¡°Ô ÆÄÀÏÀÌ + ¼ºñ½ºµÉ ¼ö ÀÖ´Ù.</p> + + <p>¿¹¸¦ µé¾î, ¾Æ·¡¿Í °°Àº °æ¿ì:</p> + + <div class="example"><p><code> + # cd /; ln -s / public_html <br /> + <code>http://localhost/~root/</code> ¿¡ Á¢±ÙÇÑ´Ù + </code></p></div> + + <p>±×·¯¸é Ŭ¶óÀ̾ðÆ®´Â Àüü ÆÄÀϽýºÅÛÀ» µ¹¾Æ´Ù´Ò ¼ö ÀÖ´Ù. + À̸¦ ¸·±âÀ§ÇØ ¼¹ö¼³Á¤¿¡¼ ´ÙÀ½°ú °°Àº Á¶Ä¡¸¦ ÇÑ´Ù:</p> + + <div class="example"><p><code> + <Directory /> <br /> + Order Deny,Allow <br /> + Deny from all <br /> + </Directory> + </code></p></div> + + <p>±×·¯¸é ÆÄÀϽýºÅÛ À§Ä¡¿¡ ´ëÇØ ±âº» Á¢±ÙÀÌ °ÅºÎµÈ´Ù. 
+ ¿øÇÏ´Â ¿µ¿ª¿¡ Á¢±ÙÇÒ ¼ö ÀÖµµ·Ï ´ÙÀ½°ú °°Àº <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> ºí·ÏÀ» Ãß°¡ÇÑ´Ù.</p> + + <div class="example"><p><code> + <Directory /usr/users/*/public_html> <br /> + Order Deny,Allow <br /> + Allow from all <br /> + </Directory> <br /> + <Directory /usr/local/httpd> <br /> + Order Deny,Allow <br /> + Allow from all <br /> + </Directory> + </code></p></div> + + <p><code class="directive"><a href="../mod/core.html#location">Location</a></code>°ú <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> Áö½Ã¾î¸¦ °°ÀÌ »ç¿ëÇÏ´Â + °æ¿ì Ưº°È÷ ÁÖÀǸ¦ ±â¿ï¿©¶ó. ¿¹¸¦ µé¾î, <code><Directory + /></code>°¡ Á¢±ÙÀ» °ÅºÎÇÏ´õ¶óµµ <code><Location + /></code> Áö½Ã¾î°¡ À̸¦ ¹«½ÃÇÒ ¼ö ÀÖ´Ù</p> + + <p><code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> Áö½Ã¾î¸¦ + »ç¿ëÇÏ´Â °æ¿ì¿¡µµ ÁÖÀÇÇ϶ó. Áö½Ã¾î¸¦ "./" °°ÀÌ ¼³Á¤Çϸé + root »ç¿ëÀÚ¿¡ ´ëÇØ ¹Ù·Î À§ÀÇ °æ¿ì¿Í °°Àº ¹®Á¦°¡ ¹ß»ýÇÑ´Ù. + ¾ÆÆÄÄ¡ 1.3 ÀÌ»óÀ» »ç¿ëÇÑ´Ù¸é ¼¹ö ¼³Á¤ÆÄÀÏ¿¡ ¾Æ·¡ ÁÙÀ» Ãß°¡Çϱæ + °·ÂÈ÷ ±ÇÇÑ´Ù:</p> + + <div class="example"><p><code> + UserDir disabled root + </code></p></div> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="watchyourlogs" id="watchyourlogs">·Î±× »ìÆ캸±â</a></h2> + + + + <p>½ÇÁ¦·Î ¼¹ö¿¡¼ ¹«½¼ ÀÏÀÌ À־°í ÀÖ´ÂÁö ¾Ë·Á¸é <a href="../logs.html">·Î±×ÆÄÀÏ</a>À» »ìÆìºÁ¾ß ÇÑ´Ù. ·Î±×ÆÄÀÏÀº + ÀÌ¹Ì ÀÏ¾î³ Àϸ¸À» º¸°íÇÏÁö¸¸, ¼¹ö¿¡ ¾î¶² °ø°ÝÀÌ ÀÖ¾ú´ÂÁö + ¾Ë·ÁÁÖ°í ÇöÀç ÇÊ¿äÇÑ ¸¸Å ¾ÈÀüÇÑÁö È®ÀÎÇÏ°Ô ÇØÁØ´Ù.</p> + + <p>¿©·¯°¡Áö ¿¹:</p> + + <div class="example"><p><code> + grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" 
access_log <br /> + grep "client denied" error_log | tail -n 10 + </code></p></div> + + <p>ù¹ø° ¿¹´Â <a href="http://online.securityfocus.com/bid/4876/info/">À߸øµÈ + Source.JSP ¿äûÀ¸·Î ¼¹öÁ¤º¸¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ´Â TomcatÀÇ + Ãë¾àÁ¡</a>¸¦ ÀÌ¿ëÇÏ·Á´Â °ø°Ý Ƚ¼ö¸¦ ¾Ë·ÁÁÖ°í, µÎ¹ø° ¿¹´Â + Á¢±ÙÀÌ °ÅºÎµÈ Ãֱ٠Ŭ¶óÀ̾ðÆ® 10°³¸¦ ´ÙÀ½°ú °°ÀÌ º¸¿©ÁØ´Ù:</p> + + <div class="example"><p><code> + [Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied + by server configuration: /usr/local/apache/htdocs/.htpasswd + </code></p></div> + + <p>Àß ¾Ë µíÀÌ ·Î±×ÆÄÀÏÀº ÀÌ¹Ì ¹ß»ýÇÑ »ç°Ç¸¸À» º¸°íÇÑ´Ù. + ±×·¡¼ Ŭ¶óÀ̾ðÆ®°¡ <code>.htpasswd</code> ÆÄÀÏ¿¡ Á¢±ÙÇÒ + ¼ö ÀÖ¾ú´Ù¸é <a href="../logs.html#accesslog">Á¢±Ù ·Î±×</a>¿¡ + ´ÙÀ½°ú °°Àº ±â·ÏÀÌ ³²À» °ÍÀÌ´Ù:</p> + + <div class="example"><p><code> + foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" + </code></p></div> + + <p>Áï, ´ç½ÅÀº ¼¹ö ¼³Á¤ÆÄÀÏ¿¡¼ ´ÙÀ½ ºÎºÐÀ» ÁÖ¼®Ã³¸®ÇßÀ» + °ÍÀÌ´Ù:</p> + + <div class="example"><p><code> + <Files ".ht*"> <br /> + Order allow,deny <br /> + Deny from all <br /> + <Files> + </code></p></div> + + </div></div> +<div class="bottomlang"> +<p><span>°¡´ÉÇÑ ¾ð¾î: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe"> tr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. 
Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<script type="text/javascript"><!--//--><![CDATA[//><!-- +var comments_shortname = 'httpd'; +var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html'; +(function(w, d) { + if (w.location.hostname.toLowerCase() == "httpd.apache.org") { + d.write('<div id="comments_thread"><\/div>'); + var s = d.createElement('script'); + s.type = 'text/javascript'; + s.async = true; + s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; + (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); + } + else { + d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); + } +})(window, document); +//--><!]]></script></div><div id="footer"> +<p class="apache">Copyright 2019 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p> +<p class="menu"><a href="../mod/">¸ðµâ</a> | <a href="../mod/directives.html">Áö½Ã¾îµé</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">¿ë¾î</a> | <a href="../sitemap.html">»çÀÌÆ®¸Ê</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- +if (typeof(prettyPrint) !== 'undefined') { + prettyPrint(); +} +//--><!]]></script> +</body></html>
\ No newline at end of file diff --git a/docs/manual/misc/security_tips.html.tr.utf8 b/docs/manual/misc/security_tips.html.tr.utf8 new file mode 100644 index 0000000..3ce6775 --- /dev/null +++ b/docs/manual/misc/security_tips.html.tr.utf8 
@@ -0,0 +1,486 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml" lang="tr" xml:lang="tr"><head> +<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" /> +<!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --> +<title>Güvenlik İpuçları - Apache HTTP Sunucusu Sürüm 2.4</title> +<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /> +<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /> +<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" /> +<script src="../style/scripts/prettify.min.js" type="text/javascript"> +</script> + +<link href="../images/favicon.ico" rel="shortcut icon" /></head> +<body id="manual-page"><div id="page-header"> +<p class="menu"><a href="../mod/">Modüller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="http://wiki.apache.org/httpd/FAQ">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p> +<p class="apache">Apache HTTP Sunucusu Sürüm 2.4</p> +<img alt="" src="../images/feather.png" /></div> +<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div> +<div id="path"> +<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Sunucusu</a> > <a href="http://httpd.apache.org/docs/">Belgeleme</a> > <a href="../">Sürüm 2.4</a> > <a href="./">Çeşitli Belgeler</a></div><div id="page-content"><div id="preamble"><h1>Güvenlik İpuçları</h1> +<div class="toplang"> +<p><span>Mevcut 
Diller: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" title="Türkçe"> tr </a></p> +</div> + + <p>Bir HTTP Sunucusunu ayarlarken dikkat edilmesi gerekenler ve bazı + ipuçları. Öneriler kısmen Apache’ye özel kısmen de genel olacaktır.</p> + </div> +<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Güncel Tutma</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dos">Hizmet Reddi (DoS) Saldırıları</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#serverroot"><code>ServerRoot</code> Dizinlerinin İzinleri</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Sunucu Taraflı İçerik Yerleştirme</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI Genelinde</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi"><code>ScriptAlias</code>’sız CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi"><code>ScriptAlias</code>’lı CGI</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Devingen içerikli kaynaklar</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#dynamicsec">Devingen içeriğin güvenliği</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Sistem Ayarlarının Korunması</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Sunucu dosyalarının öntanımlı olarak korunması</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Günlüklerin 
İzlenmesi</a></li> +<li><img alt="" src="../images/down.gif" /> <a href="#merging">Yapılandırma bölümlerinin birleştirilmesi</a></li> +</ul><h3>Ayrıca bakınız:</h3><ul class="seealso"><li><a href="#comments_section">Yorum</a></li></ul></div> +<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="uptodate" id="uptodate">Güncel Tutma</a></h2> + + <p>Apache HTTP Sunucusu iyi bir güvenlik sicilinin yanında güvenlik + konularıyla oldukça ilgili bir geliştirici topluluğuna sahiptir. Fakat, + bir yazılımın dağıtılmasının ardından küçük ya da büyük bazı sorunların + keşfedilmesi kaçınılmazdır. Bu sebeple, yazılım güncellemelerinden + haberdar olmak oldukça önem kazanır. HTTP sunucunuzu doğrudan + Apache’den temin ediyorsanız yeni sürümler ve güvenlik güncellemeleri + ile ilgili bilgileri tam zamanında alabilmek için <a href="http://httpd.apache.org/lists.html#http-announce">Apache + HTTP Sunucusu Duyuru Listesi</a>ne mutlaka üye olmanızı öneririz. + Apache yazılımının üçüncü parti dağıtımlarını yapanların da buna benzer + hizmetleri vardır.</p> + + <p>Şüphesiz, bir HTTP sunucusu, sunucu kodunda bir sorun olmasa da + tehlike altındadır. Eklenti kodları, CGI betikleri hatta işletim + sisteminden kaynaklanan sorunlar nedeniyle bu ortaya çıkabilir. Bu + bakımdan, sisteminizdeki tüm yazılımların sorunları ve güncellemeleri + hakkında bilgi sahibi olmalısınız.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dos" id="dos">Hizmet Reddi (DoS) Saldırıları</a></h2> + + + <p>Tüm ağ sunucuları, istemcilerin sistem kaynaklarından yararlanmalarını + engellemeye çalışan hizmet reddi saldırılarına (HRS) maruz kalabilir. 
+ Bu tür saldırıları tamamen engellemek mümkün değildir, fakat + yarattıkları sorunları azaltmak için bazı şeyler yapabilirsiniz.</p> + + <p>Çoğunlukla en etkili anti-HRS aracı bir güvenlik duvarı veya başka bir + işletim sistemi yapılandırmasıdır. Örneğin, çoğu güvenlik duvarı + herhangi bir IP adresinden aynı anda yapılan bağlantıların sayısına bir + sınırlama getirmek üzere yapılandırılabilir. Böylece basit saldırılar + engellenebilir. Ancak bunun dağıtık hizmet reddi saldırılarına (DHRS) + karşı bir etkisi olmaz.</p> + + <p>Bunların yanında Apache HTTP Sunucusunun da sorunları azaltıcı + tedbirler alınmasını sağlayacak bazı yapılandırmaları vardır:</p> + + <ul> + <li><code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code> + yönergesi bir istemcinin isteği göndermek için harcadığı zamanı + sınırlamayı sağlar.</li> + + <li>HRS’ye maruz kalması olası sitelerde <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> yönergesinin değeri düşürülmelidir. Birkaç + saniye gibi mümkün olduğunca düşük bir ayar uygun olabilir. Ancak + <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> başka işlemlerde de + kullanıldığından çok düşük değerler, örneğin, uzun süre çalışan CGI + betiklerinde sorunlar çıkmasına sebep olabilir.</li> + + <li>HRS’ye maruz kalması olası sitelerde <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code> yönergesinin değeri de düşürülebilir. 
+ Hatta bazı siteler başarımı arttırmak amacıyla <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code> yönergesi üzerinden kalıcı + bağlantıları tamamen kapatabilirler.</li> + + <li>Zaman aşımıyla ilgili yönergeler bakımından diğer modüller de + araştırılmalıdır.</li> + + <li><code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>, + <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code> ve + <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> yönergeleri, + istemci girdileri ile tetiklenen özkaynak tüketimini sınırlamak için + yapılandırılırken dikkatli olunmalıdır.</li> + + <li>İşletim sisteminiz desteklediği takdirde, işletim sisteminin isteği + işleyen kısmını yüksüz bırakmak için <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> yönergesinin etkin olmasını sağlamalısınız. + Bu, Apache HTTP Sunucusunda zaten öntanımlı olarak etkindir. + Yapacağınız şey işletim sistemi çekirdeğini buna göre yapılandırmak + olacaktır.</li> + + <li>Sunucu tarafından özkaynakları tüketmeden aynı anda işlenebilecek + bağlantıların sayısını sınırlamak için <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> yönergesini kullanın. Ayrıca, <a href="perf-tuning.html">başarım arttırma belgesine</a> de + bakabilirsiniz.</li> + + <li>HRS’lerin etkilerini azaltmak için aynı andaki bağlantı sayısını + arttırabilecek evreli <a href="../mpm.html">MPM</a>’lerden birini + kullanmak iyi olabilir. Dahası, <code class="module"><a href="../mod/event.html">event</a></code> MPM’i + her bağlantıya yeni bir evre atanmaması için eşzamansız işlem yapar. 
+ OpenSSL kütüphanesinin doğası nedeniyle + <code class="module"><a href="../mod/event.html">event</a></code> MPM’i <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ve diğer girdi + süzgeçleri ile henüz uyumlu değildir. Bu durumlarda, + <code class="module"><a href="../mod/worker.html">worker</a></code> MPM'inin davranışına geri döner.</li> + + <li><a href="http://modules.apache.org/">http://modules.apache.org/</a> + adresinde, belli istemci davranışlarını sınırlayacak ve HRS ile + ilgili sorunları azaltmaya yardımcı olacak üçüncü parti modüller + bulunabilir.</li> + </ul> + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="serverroot" id="serverroot"><code>ServerRoot</code> Dizinlerinin İzinleri</a></h2> + + + <p>Normalde, Apache root kullanıcı tarafından başlatılır ve hizmetleri + sunarken <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> yönergesi + tarafından tanımlanan kullanıcının aidiyetinde çalışır. Root tarafından + çalıştırılan komutlarda olduğu gibi, root olmayan kullanıcıların + yapacakları değişikliklerden korunmak konusunda da dikkatli + olmalısınız. Dosyaların sadece root tarafından yazılabilir olmasını + sağlamak yeterli değildir, bu dizinler ve üst dizinler için de + yapılmalıdır. Örneğin, sunucu kök dizininin + <code>/usr/local/apache</code> olmasına karar verdiyseniz, bu dizini + root olarak şöyle oluşturmanız önerilir:</p> + + <div class="example"><p><code> + mkdir /usr/local/apache <br /> + cd /usr/local/apache <br /> + mkdir bin conf logs <br /> + chown 0 . bin conf logs <br /> + chgrp 0 . bin conf logs <br /> + chmod 755 . bin conf logs + </code></p></div> + + <p><code>/</code>, <code>/usr</code>, <code>/usr/local</code> + dizinlerinde sadece root tarafından değişiklik yapılabileceği kabul + edilir. 
<code class="program"><a href="../programs/httpd.html">httpd</a></code> çalıştırılabilirini kurarken de benzer + bir önlemin alındığından emin olmalısınız:</p> + + <div class="example"><p><code> + cp httpd /usr/local/apache/bin <br /> + chown 0 /usr/local/apache/bin/httpd <br /> + chgrp 0 /usr/local/apache/bin/httpd <br /> + chmod 511 /usr/local/apache/bin/httpd + </code></p></div> + + <p>Diğer kullanıcıların değişiklik yapabileceği bir dizin olarak bir + <code>htdocs</code> dizini oluşturabilirsiniz. Bu dizine root + tarafından çalıştırılabilecek dosyalar konulmamalı ve burada root + tarafından hiçbir dosya oluşturulmamalıdır.</p> + + <p>Diğer kullanıcılara root tarafından yazılabilen ve çalıştırılabilen + dosyalarda değişiklik yapma hakkını tanırsanız, onlara root + kullanıcısını ele geçirilebilme hakkını da tanımış olursunuz. Örneğin, + biri <code class="program"><a href="../programs/httpd.html">httpd</a></code> çalıştırılabilirini zararlı bir programla + değiştirebilir ve o programı tekrar çalıştırdığınız sırada program + yapacağını yapmış olur. Günlükleri kaydettiğiniz dizin herkes + tarafından yazılabilen bir dizin olduğu takdirde, birileri bir günlük + dosyasını bir sistem dosyasına sembolik bağ haline getirerek root + kullanıcısının bu dosyaya ilgisiz şeyler yazmasına sebep olabilir. + Günlüklerin dosyaları herkes tarafından yazılabilir olduğu takdirde ise + birileri dosyaya yanıltıcı veriler girebilir.</p> + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="ssi" id="ssi">Sunucu Taraflı İçerik Yerleştirme</a></h2> + + + <p>SSI sayfaları bir sunucu yöneticisi açısından çeşitli olası risklere + kaynaklık edebilir.</p> + + <p>İlk risk, sunucu yükündeki artış olasılığıdır. Tüm SSI sayfaları, SSI + kodu içersin içermesin Apache tarafından çözümlenir. 
Bu küçük bir artış + gibi görünürse de bir paylaşımlı sunucu ortamında önemli bir yük haline + gelebilir.</p> + + <p>SSI sayfaları, CGI betikleriyle ilgili riskleri de taşır. <code>exec + cmd</code> elemanı kullanılarak bir SSI sayfasından herhangi bir CGI + betiğini veya bir sistem programını Apache’nin aidiyetinde olduğu + kullanıcının yetkisiyle çalıştırmak mümkündür.</p> + + <p>SSI sayfalarının yararlı özelliklerinden yararlanırken güvenliğini de + arttırmanın bazı yolları vardır.</p> + + <p>Sunucu yöneticisi, bir başıbozuk SSI sayfasının sebep olabileceği + zararları bertaraf etmek için <a href="#cgi">CGI Genelinde</a> + bölümünde açıklandığı gibi <a href="../suexec.html">suexec</a>’i etkin + kılabilir.</p> + + <p>SSI sayfalarını <code>.html</code> veya <code>.htm</code> + uzantılarıyla etkinleştirmek tehlikeli olabilir. Bu özellikle + paylaşımlı ve yüksek trafikli bir sunucu ortamında önemlidir. SSI + sayfalarını normal sayfalardan farklı olarak <code>.shtml</code> gibi + bildik bir uzantıyla etkinleştirmek gerekir. Bu, sunucu yükünü asgari + düzeyde tutmaya ve risk yönetimini kolaylaştırmaya yarar.</p> + + <p>Diğer bir çözüm de SSI sayfalarından betik ve program çalıştırmayı + iptal etmektir. Bu, <code class="directive"><a href="../mod/core.html#options">Options</a></code> + yönergesine değer olarak <code>Includes</code> yerine + <code>IncludesNOEXEC</code> vererek sağlanır. Ancak, eğer betiklerin + bulunduğu dizinde <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code> + yönergesiyle CGI betiklerinin çalışması mümkün kılınmışsa, + kullanıcıların <code><--#include virtual="..." 
--></code> ile bu + betikleri çalıştırabileceklerine dikkat ediniz.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="cgi" id="cgi">CGI Genelinde</a></h2> + + + <p>Herşeyden önce ya CGI betiğini/programını yazanlara ya da kendinizin + CGI'deki güvenlik açıklarını (ister kasıtlı olsun ister tesadüfi) + yakalama becerinize güvenmek zorundasınız. CGI betikleri esasen + sisteminizdeki komutları site kullanıcılarının izinleriyle + çalıştırırlar. Bu bakımdan dikkatle denenmedikleri takdirde oldukça + tehlikeli olabilirler.</p> + + <p>CGI betiklerinin hepsi aynı kullanıcının aidiyetinde çalışırsa diğer + betiklerle aralarında çelişkilerin ortaya çıkması ister istemez + kaçınılmazdır. Örneğin A kullanıcısının B kullanıcısına garezi varsa + bir betik yazıp B’nin CGI veritabanını silebilir. Bu gibi durumların + ortaya çıkmaması için betiklerin farklı kullanıcıların aidiyetlerinde + çalışmasını sağlayan ve 1.2 sürümünden beri Apache ile dağıtılan <a href="../suexec.html">suEXEC</a> diye bir program vardır. 
Başka bir yol + da <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a> kullanmaktır.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="nsaliasedcgi" id="nsaliasedcgi"><code>ScriptAlias</code>’sız CGI</a></h2> + + + <p>Kullanıcıların sitenin her yerinde CGI betiklerini çalıştırmalarına + izin vermek ancak şu koşullarda mümkün olabilir:</p> + + <ul> + <li>Kullanıcılarınızın kasıtlı ya da kasıtsız sistemi saldırıya açık + hale getirecek betikler yazmayacaklarına tam güveniniz vardır.</li> + <li>Sitenizin güvenliği zaten o kadar kötüdür ki, bir delik daha + açılmasının mahzuru yoktur.</li> + <li>Sitenizin sizden başka kullanıcısı yoktur ve sunucunuzu sizden + başka hiç kimsenin ziyaret etmesi mümkün değildir.</li> + </ul> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="saliasedcgi" id="saliasedcgi"><code>ScriptAlias</code>’lı CGI</a></h2> + + + <p>CGI’yi belli dizinlerle sınırlamak yöneticiye bu dizinlerde daha iyi + denetim imkanı sağlar. 
Bu kaçınılmaz olarak <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>’sız CGI’den çok daha + güvenlidir, ancak bu dizinlere yazma hakkı olan kullanıcılarınız + güvenilir kişiler olması ve site yöneticisinin de olası güvenlik + açıklarına karşı CGI betiklerini ve programlarını denemeye istekli + olması şartıyla.</p> + + <p>Çoğu site yöneticisi <code>ScriptAlias</code>’sız CGI yerine bu + yaklaşımı seçer.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamic" id="dynamic">Devingen içerikli kaynaklar</a></h2> + + + <p>Sunucunun bir parçası gibi çalışan, <code>mod_php</code>, + <code>mod_perl</code>, <code>mod_tcl</code> ve <code>mod_python</code> + gibi gömülü betik çalıştırma seçenekleri sunucuyu çalıştıran + kullanıcının aidiyetinde çalışırlar (<code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> yönergesine bakınız). Bu bakımdan bu betik + yorumlayıcılar tarafından çalıştırılan betikler, sunucu kullanıcısının + eriştiği herşeye erişebilirler. Bazı betik yorumlayıcıların getirdiği + bazı sınırlamalar varsa da bunlara pek güvenmemek, gerekli sınamaları + yine de yapmak gerekir.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="dynamicsec" id="dynamicsec">Devingen içeriğin güvenliği</a></h2> + + + <p><code>mod_php</code>, <code>mod_perl</code> veya + <code>mod_python</code> gibi devingen içeriği yapılandırırken + güvenlikle ilgili değerlendirmelerin çoğu <code>httpd</code>'nin + kapsamından çıkar ve bu modüllerin belgelerini incelemek ihtiyacı + duyarsınız. Örneğin, PHP çoğu zaman kapalı tutulan + <a href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Güvenli + Kip</a> ayarını etkin kılmanızı önerir. 
Daha fazla güvenlik için bir + diğer örnek bir PHP eklentisi olan + <a href="http://www.hardened-php.net/suhosin/">Suhosin</a>'dir. Bunlar + hakkında daha ayrıntılı bilgi için her projenin kendi belgelerine + başvurun.</p> + + <p>Apache seviyesinde, <a href="http://modsecurity.org/">mod_security</a> + adı verilen modülü bir HTTP güvenlik duvarı gibi ele alabilir, devingen + içeriğin güvenliğini arttırmanıza yardımcı olmak üzere inceden inceye + yapılandırabilirsiniz.</p> + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="systemsettings" id="systemsettings">Sistem Ayarlarının Korunması</a></h2> + + + <p>Güvenliği gerçekten sıkı tutmak istiyorsanız, kullanıcılarınızın + yapılandırmanızdaki güvenlik ayarlarını geçersiz kılmak için + <code>.htaccess</code> dosyalarını kullanabilmelerinin de önüne + geçmelisiniz. Bunu yapmanın tek bir yolu vardır.</p> + + <p>Sunucu yapılandırma dosyanıza şunu yerleştirin:</p> + + <pre class="prettyprint lang-config"><Directory "/"> + AllowOverride None +</Directory></pre> + + + <p>Böylece, belli dizinlerde özellikle etkinleştirilmedikçe bütün + dizinlerde <code>.htaccess</code> dosyalarının kullanımını engellemiş + olursunuz.</p> + + <p>Bu ayar Apache 2.3.9 itibariyle öntanımlıdır.</p> + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="protectserverfiles" id="protectserverfiles">Sunucu dosyalarının öntanımlı olarak korunması</a></h2> + + + <p>Apache’nin ister istemez yanlış anlaşılan yönlerinden biri öntanımlı + erişim özelliğidir. 
Yani siz aksine bir şeyler yapmadıkça, sunucu normal + URL eşleme kurallarını kullanarak bir dosyayı bulabildiği sürece onu + istemciye sunacaktır.</p> + + <p>Örneğin, aşağıdaki durumu ele alalım:</p> + + <div class="example"><p><code> + # cd /; ln -s / public_html + </code></p></div> + + <p>Ve, tarayıcınıza <code>http://localhost/~root/</code> yazın.</p> + + <p>Böylece, istemcilerin tüm dosya sisteminizi gezmelerine izin vermiş + olursunuz. Bu işlemin sonuçlarının önünü almak için sunucu yapılandırma + dosyanıza şunları yazın:</p> + + <pre class="prettyprint lang-config"><Directory "/"> + Require all denied +</Directory></pre> + + + <p>Bu suretle, dosya sisteminize öntanımlı erişimi yasaklamış olursunuz. + Erişime izin vermek istediğiniz dizinler için uygun <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> bölümleri eklemeniz yeterli + olacaktır. Örnek:</p> + + <pre class="prettyprint lang-config"><Directory "/usr/users/*/public_html"> + Require all granted +</Directory> +<Directory "/usr/local/httpd"> + Require all granted +</Directory></pre> + + + <p><code class="directive"><a href="../mod/core.html#location">Location</a></code> ve <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> yönergelerinin etkileşimine de + özellikle önem vermelisiniz; örneğin <code><Directory "/"></code> + erişimi yasaklarken bir <code><Location "/"></code> yönergesi bunu + ortadan kaldırabilir.</p> + + <p><code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> yönergesi de size + buna benzer bir oyun oynayabilir; yönergeye <code>./</code> atamasını + yaparsanız, root kullanıcısı söz konusu olduğunda yukarıda ilk örnekteki + durumla karşılaşırız. 
Sunucu yapılandırma dosyanızda aşağıdaki satırın + mutlaka bulunmasını öneririz:</p> + + <pre class="prettyprint lang-config">UserDir disabled root</pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> +<div class="section"> +<h2><a name="watchyourlogs" id="watchyourlogs">Günlüklerin İzlenmesi</a></h2> + + + <p>Sunucunuzda olup biteni günü gününe bilmek istiyorsanız <a href="../logs.html">günlük dosyalarına</a> bakmalısınız. Günlük dosyaları + sadece olup biteni raporlamakla kalmaz, sunucunuza ne tür saldırılar + yapıldığını ve güvenlik seviyenizin yeterli olup olmadığını anlamanızı da + sağlarlar.</p> + + <p>Bazı örnekler:</p> + + <div class="example"><p><code> + grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br /> + grep "client denied" error_log | tail -n 10 + </code></p></div> + + <p>İlk örnek, <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat Source.JSP Bozuk İstek Bilgilerini İfşa Açığı</a>nı + istismar etmeyi deneyen saldırıların sayısını verirken ikinci örnek, + reddedilen son on istemciyi listeler; örnek:</p> + + <div class="example"><p><code> + [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied + by server configuration: /usr/local/apache/htdocs/.htpasswd + </code></p></div> + + <p>Gördüğünüz gibi günlük dosyaları sadece ne olup bittiğini raporlar, bu + bakımdan eğer istemci <code>.htpasswd</code> dosyasına erişebiliyorsa <a href="../logs.html#accesslog">erişim günlüğünüzde</a> şuna benzer bir + kayıt görürsünüz:</p> + + <div class="example"><p><code> + foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" + </code></p></div> + + <p>Bu, sunucu yapılandırma dosyanızda aşağıdaki yapılandırmayı iptal + ettiğiniz anlamına gelir:</p> + + <pre class="prettyprint lang-config"><Files ".ht*"> + Require all denied +</Files></pre> + + + </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> 
+<div class="section"> +<h2><a name="merging" id="merging">Yapılandırma bölümlerinin birleştirilmesi</a></h2> + + + + <p>Yapılandırma bölümlerinin birleştirilmesi karmaşık bir işlem olup bazı + durumlarda yönergelere bağlıdır. Yönergeleri bir araya getirirken + aralarındaki bağımlılıkları daima sınayın.</p> + + <p><code class="directive">mod_access_compat</code> gibi henüz yönerge katıştırma + mantığını gerçeklememiş modüller için sonraki bölümlerdeki davranış, bu + modüllerin yönergelerini içerip içermemesine bağlıdır. Yapılandırmada + yönergelerin <em>yerleri değiştirildiğinde</em> fakat bir katıştırma + yapılmadığında, yapılandırma bir değişiklik yapılana kadar miras + alınır.</p> + </div></div> +<div class="bottomlang"> +<p><span>Mevcut Diller: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English"> en </a> | +<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français"> fr </a> | +<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean"> ko </a> | +<a href="../tr/misc/security_tips.html" title="Türkçe"> tr </a></p> +</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Yorum</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. 
Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div> +<script type="text/javascript"><!--//--><![CDATA[//><!-- +var comments_shortname = 'httpd'; +var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html'; +(function(w, d) { + if (w.location.hostname.toLowerCase() == "httpd.apache.org") { + d.write('<div id="comments_thread"><\/div>'); + var s = d.createElement('script'); + s.type = 'text/javascript'; + s.async = true; + s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier; + (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s); + } + else { + d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>'); + } +})(window, document); +//--><!]]></script></div><div id="footer"> +<p class="apache">Copyright 2019 The Apache Software Foundation.<br /><a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a> altında lisanslıdır.</p> +<p class="menu"><a href="../mod/">Modüller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="http://wiki.apache.org/httpd/FAQ">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!-- +if (typeof(prettyPrint) !== 'undefined') { + prettyPrint(); +} +//--><!]]></script> +</body></html>
\ No newline at end of file |
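Review bot: In the closing "Yapılandırma bölümlerinin birleştirilmesi" section of security_tips.html.tr.utf8, `mod_access_compat` is marked up as `<code class="directive">` with no link, although it is a module name and every real directive on the page (Directory, Location, UserDir) links to its reference entry. Mark it up as a module and link it to its module page, so that readers can look up the merging behaviour this paragraph warns about. Two smaller points in the same hunk: in the "Sistem Ayarlarının Korunması" section, "Bunu yapmanın tek bir yolu vardır" reads as "there is only one way to do this", which overstates what the `AllowOverride None` example shows, so wording along the lines of "one way to do this is" would be safer. The notice under the "Yorum" heading is left in English while the rest of the page is in Turkish. The file also ends without a trailing newline (see the "\ No newline at end of file" marker). If this file is generated like the other language variants in this commit, these fixes belong in the XML source rather than in the HTML.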