summaryrefslogtreecommitdiffstats
path: root/docs/manual/misc/security_tips.html
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--docs/manual/misc/security_tips.html17
-rw-r--r--docs/manual/misc/security_tips.html.en491
-rw-r--r--docs/manual/misc/security_tips.html.fr.utf8513
-rw-r--r--docs/manual/misc/security_tips.html.ko.euc-kr373
-rw-r--r--docs/manual/misc/security_tips.html.tr.utf8485
5 files changed, 1879 insertions, 0 deletions
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html
new file mode 100644
index 0000000..9324c2d
--- /dev/null
+++ b/docs/manual/misc/security_tips.html
@@ -0,0 +1,17 @@
+# GENERATED FROM XML -- DO NOT EDIT
+
+URI: security_tips.html.en
+Content-Language: en
+Content-type: text/html; charset=UTF-8
+
+URI: security_tips.html.fr.utf8
+Content-Language: fr
+Content-type: text/html; charset=UTF-8
+
+URI: security_tips.html.ko.euc-kr
+Content-Language: ko
+Content-type: text/html; charset=EUC-KR
+
+URI: security_tips.html.tr.utf8
+Content-Language: tr
+Content-type: text/html; charset=UTF-8
diff --git a/docs/manual/misc/security_tips.html.en b/docs/manual/misc/security_tips.html.en
new file mode 100644
index 0000000..1aabfe3
--- /dev/null
+++ b/docs/manual/misc/security_tips.html.en
@@ -0,0 +1,491 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>Security Tips - Apache HTTP Server Version 2.4</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
+<p class="apache">Apache HTTP Server Version 2.4</p>
+<img alt="" src="../images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>Security Tips</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/misc/security_tips.html" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div>
+
+ <p>Some hints and tips on security issues in setting up a web server.
+ Some of the suggestions will be general, others specific to Apache.</p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Keep up to Date</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dos">Denial of Service (DoS) attacks</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions on ServerRoot Directories</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI in General</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">Script Aliased CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Other sources of dynamic content</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamicsec">Dynamic content security</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protecting System Settings</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protect Server Files by Default</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Watching Your Logs</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#merging">Merging of configuration sections</a></li>
+</ul><h3>See also</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="uptodate" id="uptodate">Keep up to Date</a></h2>
+
+ <p>The Apache HTTP Server has a good record for security and a
+ developer community highly concerned about security issues. But
+ it is inevitable that some problems -- small or large -- will be
+ discovered in software after it is released. For this reason, it
+ is crucial to keep aware of updates to the software. If you have
+ obtained your version of the HTTP Server directly from Apache, we
+ highly recommend you subscribe to the <a href="http://httpd.apache.org/lists.html#http-announce">Apache
+ HTTP Server Announcements List</a> where you can keep informed of
+ new releases and security updates. Similar services are available
+ from most third-party distributors of Apache software.</p>
+
+ <p>Of course, most times that a web server is compromised, it is
+ not because of problems in the HTTP Server code. Rather, it comes
+ from problems in add-on code, CGI scripts, or the underlying
+ Operating System. You must therefore stay aware of problems and
+ updates with all the software on your system.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dos" id="dos">Denial of Service (DoS) attacks</a></h2>
+
+
+
+ <p>All network servers can be subject to denial of service attacks
+ that attempt to prevent responses to clients by tying up the
+ resources of the server. It is not possible to prevent such
+ attacks entirely, but you can do certain things to mitigate the
+ problems that they create.</p>
+
+ <p>Often the most effective anti-DoS tool will be a firewall or
+ other operating-system configurations. For example, most
+ firewalls can be configured to restrict the number of simultaneous
+ connections from any individual IP address or network, thus
+ preventing a range of simple attacks. Of course this is no help
+ against Distributed Denial of Service attacks (DDoS).</p>
+
+ <p>There are also certain Apache HTTP Server configuration
+ settings that can help mitigate problems:</p>
+
+ <ul>
+ <li>The <code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code>
+ directive allows to limit the time a client may take to send the
+ request.</li>
+
+ <li>The <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> directive
+ should be lowered on sites that are subject to DoS attacks.
+ Setting this to as low as a few seconds may be appropriate.
+ As <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> is currently
+ used for several different operations, setting it to a low value
+ introduces problems with long running CGI scripts.</li>
+
+ <li>The <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code>
+ directive may be also lowered on sites that are subject to DoS
+ attacks. Some sites even turn off the keepalives completely via
+ <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code>, which has of course
+ other drawbacks on performance.</li>
+
+ <li>The values of various timeout-related directives provided by
+ other modules should be checked.</li>
+
+ <li>The directives
+ <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code>, and
+ <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code>
+ should be carefully configured to limit resource consumption
+ triggered by client input.</li>
+
+ <li>On operating systems that support it, make sure that you use
+ the <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> directive
+ to offload part of the request processing to the operating
+ system. This is active by default in Apache httpd, but may
+ require reconfiguration of your kernel.</li>
+
+ <li>Tune the <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> directive to allow
+ the server to handle the maximum number of simultaneous
+ connections without running out of resources. See also the <a href="perf-tuning.html">performance tuning
+ documentation</a>.</li>
+
+ <li>The use of a threaded <a href="../mpm.html">mpm</a> may
+ allow you to handle more simultaneous connections, thereby
+ mitigating DoS attacks. Further, the
+ <code class="module"><a href="../mod/event.html">event</a></code> mpm
+ uses asynchronous processing to avoid devoting a thread to each
+ connection. Due to the nature of the OpenSSL library the
+ <code class="module"><a href="../mod/event.html">event</a></code> mpm is currently incompatible with
+ <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> and other input filters. In these
+ cases it falls back to the behaviour of the
+ <code class="module"><a href="../mod/worker.html">worker</a></code> mpm.</li>
+
+ <li>There are a number of third-party modules available
+ that can restrict certain client behaviors and thereby mitigate
+ DoS problems.</li>
+
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="serverroot" id="serverroot">Permissions on ServerRoot Directories</a></h2>
+
+
+
+ <p>In typical operation, Apache is started by the root user, and it
+ switches to the user defined by the <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> directive to serve hits. As is the
+ case with any command that root executes, you must take care that it is
+ protected from modification by non-root users. Not only must the files
+ themselves be writeable only by root, but so must the directories, and
+ parents of all directories. For example, if you choose to place
+ ServerRoot in <code>/usr/local/apache</code> then it is suggested that
+ you create that directory as root, with commands like these:</p>
+
+ <div class="example"><p><code>
+ mkdir /usr/local/apache <br />
+ cd /usr/local/apache <br />
+ mkdir bin conf logs <br />
+ chown 0 . bin conf logs <br />
+ chgrp 0 . bin conf logs <br />
+ chmod 755 . bin conf logs
+ </code></p></div>
+
+ <p>It is assumed that <code>/</code>, <code>/usr</code>, and
+ <code>/usr/local</code> are only modifiable by root. When you install the
+ <code class="program"><a href="../programs/httpd.html">httpd</a></code> executable, you should ensure that it is
+ similarly protected:</p>
+
+ <div class="example"><p><code>
+ cp httpd /usr/local/apache/bin <br />
+ chown 0 /usr/local/apache/bin/httpd <br />
+ chgrp 0 /usr/local/apache/bin/httpd <br />
+ chmod 511 /usr/local/apache/bin/httpd
+ </code></p></div>
+
+ <p>You can create an htdocs subdirectory which is modifiable by other
+ users -- since root never executes any files out of there, and shouldn't
+ be creating files in there.</p>
+
+ <p>If you allow non-root users to modify any files that root either
+ executes or writes on then you open your system to root compromises.
+ For example, someone could replace the <code class="program"><a href="../programs/httpd.html">httpd</a></code> binary so
+ that the next time you start it, it will execute some arbitrary code. If
+ the logs directory is writeable (by a non-root user), someone could replace
+ a log file with a symlink to some other system file, and then root
+ might overwrite that file with arbitrary data. If the log files
+ themselves are writeable (by a non-root user), then someone may be
+ able to overwrite the log itself with bogus data.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ssi" id="ssi">Server Side Includes</a></h2>
+
+
+
+ <p>Server Side Includes (SSI) present a server administrator with
+ several potential security risks.</p>
+
+ <p>The first risk is the increased load on the server. All
+ SSI-enabled files have to be parsed by Apache, whether or not
+ there are any SSI directives included within the files. While this
+ load increase is minor, in a shared server environment it can become
+ significant.</p>
+
+ <p>SSI files also pose the same risks that are associated with CGI
+ scripts in general. Using the <code>exec cmd</code> element, SSI-enabled
+ files can execute any CGI script or program under the permissions of the
+ user and group Apache runs as, as configured in
+ <code>httpd.conf</code>.</p>
+
+ <p>There are ways to enhance the security of SSI files while still
+ taking advantage of the benefits they provide.</p>
+
+ <p>To isolate the damage a wayward SSI file can cause, a server
+ administrator can enable <a href="../suexec.html">suexec</a> as
+ described in the <a href="#cgi">CGI in General</a> section.</p>
+
+ <p>Enabling SSI for files with <code>.html</code> or <code>.htm</code>
+ extensions can be dangerous. This is especially true in a shared, or high
+ traffic, server environment. SSI-enabled files should have a separate
+ extension, such as the conventional <code>.shtml</code>. This helps keep
+ server load at a minimum and allows for easier management of risk.</p>
+
+ <p>Another solution is to disable the ability to run scripts and
+ programs from SSI pages. To do this replace <code>Includes</code>
+ with <code>IncludesNOEXEC</code> in the <code class="directive"><a href="../mod/core.html#options">Options</a></code> directive. Note that users may
+ still use <code>&lt;--#include virtual="..." --&gt;</code> to execute CGI
+ scripts if these scripts are in directories designated by a <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code> directive.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="cgi" id="cgi">CGI in General</a></h2>
+
+
+
+ <p>First of all, you always have to remember that you must trust the
+ writers of the CGI scripts/programs or your ability to spot potential
+ security holes in CGI, whether they were deliberate or accidental. CGI
+ scripts can run essentially arbitrary commands on your system with the
+ permissions of the web server user and can therefore be extremely
+ dangerous if they are not carefully checked.</p>
+
+ <p>All the CGI scripts will run as the same user, so they have potential
+ to conflict (accidentally or deliberately) with other scripts e.g. User
+ A hates User B, so he writes a script to trash User B's CGI database. One
+ program which can be used to allow scripts to run as different users is
+ <a href="../suexec.html">suEXEC</a> which is included with Apache as of
+ 1.2 and is called from special hooks in the Apache server code. Another
+ popular way of doing this is with
+ <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="nsaliasedcgi" id="nsaliasedcgi">Non Script Aliased CGI</a></h2>
+
+
+
+ <p>Allowing users to execute CGI scripts in any directory should only be
+ considered if:</p>
+
+ <ul>
+ <li>You trust your users not to write scripts which will deliberately
+ or accidentally expose your system to an attack.</li>
+ <li>You consider security at your site to be so feeble in other areas,
+ as to make one more potential hole irrelevant.</li>
+ <li>You have no users, and nobody ever visits your server.</li>
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="saliasedcgi" id="saliasedcgi">Script Aliased CGI</a></h2>
+
+
+
+ <p>Limiting CGI to special directories gives the admin control over what
+ goes into those directories. This is inevitably more secure than non
+ script aliased CGI, but only if users with write access to the
+ directories are trusted or the admin is willing to test each
+ new CGI script/program for potential security holes.</p>
+
+ <p>Most sites choose this option over the non script aliased CGI
+ approach.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamic" id="dynamic">Other sources of dynamic content</a></h2>
+
+
+
+ <p>Embedded scripting options which run as part of the server itself,
+ such as <code>mod_php</code>, <code>mod_perl</code>, <code>mod_tcl</code>,
+ and <code>mod_python</code>, run under the identity of the server itself
+ (see the <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> directive), and
+ therefore scripts executed by these engines potentially can access anything
+ the server user can. Some scripting engines may provide restrictions, but
+ it is better to be safe and assume not.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamicsec" id="dynamicsec">Dynamic content security</a></h2>
+
+
+
+ <p>When setting up dynamic content, such as <code>mod_php</code>,
+ <code>mod_perl</code> or <code>mod_python</code>, many security considerations
+ get out of the scope of <code>httpd</code> itself, and you need to consult
+ documentation from those modules. For example, PHP lets you setup <a href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Safe Mode</a>,
+ which is most usually disabled by default. Another example is <a href="http://www.hardened-php.net/suhosin/">Suhosin</a>, a PHP addon for more
+ security. For more information about those, consult each project
+ documentation.</p>
+
+ <p>At the Apache level, a module named <a href="http://modsecurity.org/">mod_security</a>
+ can be seen as a HTTP firewall and, provided you configure it finely enough,
+ can help you enhance your dynamic content security.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="systemsettings" id="systemsettings">Protecting System Settings</a></h2>
+
+
+
+ <p>To run a really tight ship, you'll want to stop users from setting
+ up <code>.htaccess</code> files which can override security features
+ you've configured. Here's one way to do it.</p>
+
+ <p>In the server configuration file, put</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ AllowOverride None
+&lt;/Directory&gt;</pre>
+
+
+ <p>This prevents the use of <code>.htaccess</code> files in all
+ directories apart from those specifically enabled.</p>
+
+ <p>Note that this setting is the default since Apache 2.3.9.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="protectserverfiles" id="protectserverfiles">Protect Server Files by Default</a></h2>
+
+
+
+ <p>One aspect of Apache which is occasionally misunderstood is the
+ feature of default access. That is, unless you take steps to change it,
+ if the server can find its way to a file through normal URL mapping
+ rules, it can serve it to clients.</p>
+
+ <p>For instance, consider the following example:</p>
+
+ <div class="example"><p><code>
+ # cd /; ln -s / public_html <br />
+ Accessing <code>http://localhost/~root/</code>
+ </code></p></div>
+
+ <p>This would allow clients to walk through the entire filesystem. To
+ work around this, add the following block to your server's
+ configuration:</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ Require all denied
+&lt;/Directory&gt;</pre>
+
+
+ <p>This will forbid default access to filesystem locations. Add
+ appropriate <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> blocks to
+ allow access only in those areas you wish. For example,</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/usr/users/*/public_html"&gt;
+ Require all granted
+&lt;/Directory&gt;
+&lt;Directory "/usr/local/httpd"&gt;
+ Require all granted
+&lt;/Directory&gt;</pre>
+
+
+ <p>Pay particular attention to the interactions of <code class="directive"><a href="../mod/core.html#location">Location</a></code> and <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> directives; for instance, even
+ if <code>&lt;Directory "/"&gt;</code> denies access, a <code>
+ &lt;Location "/"&gt;</code> directive might overturn it.</p>
+
+ <p>Also be wary of playing games with the <code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> directive; setting it to
+ something like <code>./</code> would have the same effect, for root, as
+ the first example above. We strongly
+ recommend that you include the following line in your server
+ configuration files:</p>
+
+ <pre class="prettyprint lang-config">UserDir disabled root</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="watchyourlogs" id="watchyourlogs">Watching Your Logs</a></h2>
+
+
+
+ <p>To keep up-to-date with what is actually going on against your server
+ you have to check the <a href="../logs.html">Log Files</a>. Even though
+ the log files only reports what has already happened, they will give you
+ some understanding of what attacks is thrown against the server and
+ allow you to check if the necessary level of security is present.</p>
+
+ <p>A couple of examples:</p>
+
+ <div class="example"><p><code>
+ grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
+ grep "client denied" error_log | tail -n 10
+ </code></p></div>
+
+ <p>The first example will list the number of attacks trying to exploit the
+ <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
+ Source.JSP Malformed Request Information Disclosure Vulnerability</a>,
+ the second example will list the ten last denied clients, for example:</p>
+
+ <div class="example"><p><code>
+ [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
+ by server configuration: /usr/local/apache/htdocs/.htpasswd
+ </code></p></div>
+
+ <p>As you can see, the log files only report what already has happened, so
+ if the client had been able to access the <code>.htpasswd</code> file you
+ would have seen something similar to:</p>
+
+ <div class="example"><p><code>
+ foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+ </code></p></div>
+
+ <p>in your <a href="../logs.html#accesslog">Access Log</a>. This means
+ you probably commented out the following in your server configuration
+ file:</p>
+
+ <pre class="prettyprint lang-config">&lt;Files ".ht*"&gt;
+ Require all denied
+&lt;/Files&gt;</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="merging" id="merging">Merging of configuration sections</a></h2>
+
+
+
+ <p> The merging of configuration sections is complicated and sometimes
+ directive specific. Always test your changes when creating dependencies
+ on how directives are merged.</p>
+
+ <p> For modules that don't implement any merging logic, such as
+ <code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code>, the behavior in later sections
+ depends on whether the later section has any directives
+ from the module. The configuration is inherited until a change is made,
+ at which point the configuration is <em>replaced</em> and not merged.</p>
+ </div></div>
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/misc/security_tips.html" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file
diff --git a/docs/manual/misc/security_tips.html.fr.utf8 b/docs/manual/misc/security_tips.html.fr.utf8
new file mode 100644
index 0000000..b99e3e9
--- /dev/null
+++ b/docs/manual/misc/security_tips.html.fr.utf8
@@ -0,0 +1,513 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"><head>
+<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>Conseils sur la sécurité - Serveur HTTP Apache Version 2.4</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossaire</a> | <a href="../sitemap.html">Plan du site</a></p>
+<p class="apache">Serveur HTTP Apache Version 2.4</p>
+<img alt="" src="../images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">Serveur HTTP</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Documentations diverses</a></div><div id="page-content"><div id="preamble"><h1>Conseils sur la sécurité</h1>
+<div class="toplang">
+<p><span>Langues Disponibles: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div>
+
+ <p>Ce document propose quelques conseils et astuces concernant les
+ problèmes de sécurité liés
+ à l'installation d'un serveur web. Certaines suggestions seront à caractère
+ général, tandis que d'autres seront spécifiques à Apache.</p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Maintenez votre serveur à jour</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dos">Attaques de type "Déni de service"
+ (Denial of Service - DoS)</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">Permissions sur les répertoires de la racine du serveur</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Inclusions côté serveur</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cgi">Les CGI en général</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">CGI sans alias de script</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">CGI avec alias de script</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Autres sources de contenu dynamique</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Protection de la configuration du système</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Protection par défaut des fichiers du serveur</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Surveillez vos journaux</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#merging">Fusion des sections de configuration</a></li>
+</ul><h3>Voir aussi</h3><ul class="seealso"><li><a href="#comments_section">Commentaires</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="uptodate" id="uptodate">Maintenez votre serveur à jour</a></h2>
+
+ <p>Le serveur HTTP Apache a une bonne réputation en matière de sécurité
+ et possède une communauté de développeurs très sensibilisés aux problèmes
+ de sécurité. Mais il est inévitable de trouver certains problèmes
+ -- petits ou grands -- une fois le logiciel mis à disposition. C'est pour
+ cette raison qu'il est crucial de se tenir informé des mises à jour. Si
+ vous avez obtenu votre version du serveur HTTP directement depuis Apache,
+ nous vous conseillons grandement de vous abonner à la <a href="http://httpd.apache.org/lists.html#http-announce">Liste de diffusion
+ des annonces du serveur HTTP</a> qui vous informera de
+ la parution des nouvelles versions et des mises à jour de sécurité. La
+ plupart des distributeurs tiers d'Apache fournissent des services
+ similaires.</p>
+
+ <p>Gardez cependant à l'esprit que lorsqu'un serveur web est compromis, le
+ code du serveur HTTP n'est la plupart du temps pas en cause. Les problèmes
+ proviennent plutôt de code ajouté, de scripts CGI, ou du système
+ d'exploitation sous-jacent. Vous devez donc vous tenir informé des
+ problèmes et mises à jour concernant tous les logiciels présents sur
+ votre système.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dos" id="dos">Attaques de type "Déni de service"
+ (Denial of Service - DoS)</a></h2>
+
+
+
+ <p>Tous les services réseau peuvent faire l'objet d'attaques de type
+ "Déni de service" qui tentent de les empêcher de répondre aux clients en
+ saturant leurs ressources. Il est impossible de se prémunir totalement
+ contre ce type d'attaques, mais vous pouvez accomplir certaines actions
+ afin de minimiser les problèmes qu'elles créent.</p>
+
+ <p>Souvent, l'outil anti-DoS le plus efficace sera constitué par le
+ pare-feu ou certaines configurations du système d'exploitation. Par
+ exemple, la plupart des pare-feu peuvent être configurés de façon à
+ limiter le nombre de connexions simultanées depuis une adresse IP ou un
+ réseau, ce qui permet de prévenir toute une gamme d'attaques simples.
+ Bien sûr, ceci n'est d'aucun secours contre les attaques de type
+ "Déni de service" distribuées (DDoS).</p>
+
+ <p>Certains réglages de la configuration d'Apache peuvent aussi
+ minimiser les problèmes :</p>
+
+ <ul>
+ <li>La directive <code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code> permet de
+ limiter le temps que met le client pour envoyer sa requête.</li>
+
+ <li>La valeur de la directive
+ <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> doit être diminuée sur les
+ sites sujets aux attaques DoS. Une valeur de quelques secondes devrait
+ convenir. Cependant, comme <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code>
+ est actuellement concerné par de nombreuses opérations différentes, lui
+ attribuer une valeur trop faible peut provoquer des problèmes avec les
+ scripts CGI qui présentent un long temps de réponse.</li>
+
+ <li>La valeur de la directive
+ <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code> doit aussi être
+ diminuée sur les sites sujets aux attaques DoS. Certains sites
+ désactivent même complètement le "maintien en vie" (keepalives)
+ à l'aide de la directive
+ <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code>, ce qui bien sûr
+ présente des inconvénients en matière de performances.</li>
+
+ <li>Les valeurs des différentes directives fournies par d'autres modules
+ et en rapport avec des délais doivent aussi être vérifiées.</li>
+
+ <li>Les directives
+ <code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code>, et
+ <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> doivent être
+ configurées avec prudence afin de limiter la consommation de ressources
+ induite par les demandes des clients.
+ </li>
+
+ <li>Sur les systèmes d'exploitation qui le supportent, assurez-vous que
+ la directive <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> est
+ activée afin de déléguer une partie du traitement des requêtes au
+ système d'exploitation. Elle est activée par défaut dans le démon httpd
+ d'Apache, mais peut nécessiter une reconfiguration de votre noyau.</li>
+
+ <li>Optimisez la directive <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> de façon à définir le nombre
+ maximum de connexions simultanées au dessus duquel les ressources
+ s'épuisent. Voir aussi la <a href="perf-tuning.html">documentation sur l'optimisation des
+ performances</a>.</li>
+
+ <li>L'utilisation d'un <a href="../mpm.html">module mpm</a> threadé
+ vous permet de traiter d'avantage de connexions simultanées, ce qui
+ minimise l'effet des attaques DoS. Dans le futur, le module mpm
+ <code class="module"><a href="../mod/event.html">event</a></code> utilisera un traitement asynchrone afin de ne pas
+ dédier un thread à chaque connexion. De par la
+ nature de la bibliothèque OpenSSL, le module mpm <code class="module"><a href="../mod/event.html">event</a></code> est actuellement incompatible
+ avec le module <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ainsi que d'autres filtres
+ en entrée. Dans ces cas, son comportement se ramène à celui
+ du module mpm <code class="module"><a href="../mod/worker.html">worker</a></code>.</li>
+
+ <li>Il existe de nombreux modules tiers qui peuvent restreindre les
+ comportements de certains clients et ainsi minimiser les problèmes de
+ DoS.</li>
+
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="serverroot" id="serverroot">Permissions sur les répertoires de la racine du serveur</a></h2>
+
+
+
+ <p>Typiquement, Apache est démarré par l'utilisateur root, puis il devient
+ la propriété de l'utilisateur défini par la directive <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> afin de répondre aux demandes. Comme
+ pour toutes les commandes exécutées par root, vous devez vous assurer
+ qu'elle n'est pas modifiable par les utilisateurs autres que root. Les
+ fichiers eux-mêmes, mais aussi les répertoires ainsi que leurs parents ne
+ doivent être modifiables que par root. Par exemple, si vous avez choisi de
+ placer la racine du serveur dans <code>/usr/local/apache</code>, il est conseillé de
+ créer le répertoire en tant que root, avec des commandes du style :</p>
+
+ <div class="example"><p><code>
+ mkdir /usr/local/apache <br />
+ cd /usr/local/apache <br />
+ mkdir bin conf logs <br />
+ chown 0 . bin conf logs <br />
+ chgrp 0 . bin conf logs <br />
+ chmod 755 . bin conf logs
+ </code></p></div>
+
+ <p>Nous supposerons que <code>/</code>, <code>/usr</code> et
+ <code>/usr/local</code> ne sont modifiables que par
+ root. Quand vous installez l'exécutable <code class="program"><a href="../programs/httpd.html">httpd</a></code>, vous
+ devez vous assurer qu'il possède des protections similaires :</p>
+
+ <div class="example"><p><code>
+ cp httpd /usr/local/apache/bin <br />
+ chown 0 /usr/local/apache/bin/httpd <br />
+ chgrp 0 /usr/local/apache/bin/httpd <br />
+ chmod 511 /usr/local/apache/bin/httpd
+ </code></p></div>
+
+ <p>Vous pouvez créer un sous-répertoire htdocs modifiable par d'autres
+ utilisateurs -- car root ne crée ni exécute aucun fichier dans ce
+ sous-répertoire.</p>
+
+ <p>Si vous permettez à des utilisateurs non root de modifier des fichiers
+ que root écrit ou exécute, vous exposez votre système à une compromission
+ de l'utilisateur root. Par exemple, quelqu'un pourrait remplacer le binaire
+ <code class="program"><a href="../programs/httpd.html">httpd</a></code> de façon à ce que la prochaine fois que vous le
+ redémarrerez, il exécutera un code arbitraire. Si le répertoire des
+ journaux a les droits en écriture (pour un utilisateur non root), quelqu'un
+ pourrait remplacer un fichier journal par un lien symbolique vers un autre
+ fichier système, et root pourrait alors écraser ce fichier avec des données
+ arbitraires. Si les fichiers journaux eux-mêmes ont des droits en
+ écriture (pour un utilisateur non root), quelqu'un pourrait
+ modifier les journaux eux-mêmes avec des données fausses.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ssi" id="ssi">Inclusions côté serveur</a></h2>
+
+
+
+ <p>Les inclusions côté serveur (Server Side Includes - SSI) exposent
+ l'administrateur du serveur à de nombreux risques potentiels en matière de
+ sécurité.</p>
+
+ <p>Le premier risque est l'augmentation de la charge du serveur. Tous les
+ fichiers où SSI est activé doivent être analysés par Apache, qu'ils
+ contiennent des directives SSI ou non. L'augmentation de la charge induite
+ est minime, mais peut devenir significative dans le contexte d'un
+ serveur partagé.</p>
+
+ <p>Les fichiers SSI présentent les mêmes risques que les scripts CGI en
+ général. Les fichiers où SSI est activé peuvent exécuter tout script CGI
+ ou autre programme à l'aide de la commande <code>"exec cmd"</code> avec les permissions
+ des utilisateur et groupe sous lesquels Apache s'exécute, comme défini
+ dans <code>httpd.conf</code>.</p>
+
+ <p>Des méthodes existent pour améliorer la sécurité des fichiers SSI, tout
+ en tirant parti des bénéfices qu'ils apportent.</p>
+
+ <p>Pour limiter les dommages qu'un fichier SSI agressif pourrait causer,
+ l'administrateur du serveur peut activer<a href="../suexec.html">suexec</a>
+ comme décrit dans la section <a href="#cgi">Les CGI en général</a>.</p>
+
+ <p>L'activation des SSI pour des fichiers possédant des extensions
+ <code>.html</code> ou
+ <code>.htm</code> peut s'avérer dangereux. Ceci est particulièrement vrai dans un
+ environnement de serveur partagé ou étant le siège d'un traffic élevé. Les
+ fichiers où SSI est activé doivent posséder une extension spécifique, telle
+ que la conventionnelle <code>.shtml</code>. Ceci permet de limiter la charge du serveur
+ à un niveau minimum et de simplifier la gestion des risques.</p>
+
+ <p>Une autre solution consiste à interdire l'exécution de scripts et
+ programmes à partir de pages SSI. Pour ce faire, remplacez
+ <code>Includes</code> par <code>IncludesNOEXEC</code> dans la directive
+ <code class="directive"><a href="../mod/core.html#options">Options</a></code>. Notez que les utilisateurs
+ pourront encore utiliser <code>&lt;--#include virtual="..." --&gt;</code> pour exécuter
+ des scripts CGI si ces scripts sont situés dans des répertoires spécifiés
+ par une directive
+ <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="cgi" id="cgi">Les CGI en général</a></h2>
+
+
+
+ <p>Tout d'abord, vous devez toujours garder à l'esprit que vous devez
+ faire confiance aux développeurs de scripts ou programmes CGI ainsi qu'à
+ vos compétences pour déceler les trous de sécurité potentiels dans les
+ CGI, que ceux-ci soient délibérés ou accidentels. Les scripts CGI peuvent
+ essentiellement exécuter des commandes arbitraires sur votre système avec
+ les droits de l'utilisateur du serveur web, et peuvent par conséquent être
+ extrèmement dangereux s'ils ne sont pas vérifiés avec soin.</p>
+
+ <p>Tous les scripts CGI s'exécutent sous le même utilisateur, il peuvent
+ donc entrer en conflit (accidentellement ou délibérément) avec d'autres
+ scripts. Par exemple, l'utilisateur A hait l'utilisateur B, il écrit donc
+ un script qui efface la base de données CGI de l'utilisateur B. Vous pouvez
+ utiliser le programme <a href="../suexec.html">suEXEC</a> pour faire en
+ sorte que les scripts s'exécutent sous des utilisateurs différents. Ce
+ programme est inclus dans la distribution d'Apache depuis la version 1.2
+ et est appelé à partir de certaines portions de code du serveur Apache. Une
+ autre méthode plus connue est l'utilisation de
+ <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a>.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="nsaliasedcgi" id="nsaliasedcgi">CGI sans alias de script</a></h2>
+
+
+
+ <p>Vous ne devez permettre aux utilisateurs d'exécuter des scripts CGI
+ depuis n'importe quel répertoire que dans l'éventualité où :</p>
+
+ <ul>
+ <li>Vous faites confiance à vos utilisateurs pour ne pas écrire de
+ scripts qui vont délibérément ou accidentellement exposer votre
+ système à une attaque.</li>
+ <li>Vous estimez que le niveau de sécurité dans les autres parties de
+ votre site est si faible qu'un trou de sécurité de plus ou de moins
+ n'est pas très important.</li>
+ <li>Votre système ne comporte aucun utilisateur, et personne ne visite
+ jamais votre site.</li>
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="saliasedcgi" id="saliasedcgi">CGI avec alias de script</a></h2>
+
+
+
+ <p>Le confinement des CGI dans des répertoires spécifiques permet à
+ l'administrateur de contrôler ce que l'on met dans ces répertoires. Ceci
+ est bien entendu mieux sécurisé que les CGI sans alias de script, mais
+ seulement à condition que les utilisateurs avec les droits en écriture sur
+ les répertoires soient dignes de confiance, et que l'administrateur ait la
+ volonté de tester chaque programme ou script CGI à la recherche d'éventuels
+ trous de sécurité.</p>
+
+ <p>La plupart des sites choisissent cette approche au détriment des CGI
+ sans alias de script.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamic" id="dynamic">Autres sources de contenu dynamique</a></h2>
+
+
+
+ <p>
+ Les options de scripting intégrées qui s'exécutent en tant que partie du
+ serveur lui-même, comme <code>mod_php</code>, <code>mod_perl</code>,
+ <code>mod_tcl</code>, et <code>mod_python</code>,
+ s'exécutent sous le même utilisateur que le serveur (voir la directive
+ <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code>), et par conséquent,
+ les scripts que ces moteurs exécutent peuvent accéder aux mêmes ressources
+ que le serveur. Certains moteurs de scripting peuvent proposer des
+ restrictions, mais pour plus de sûreté, il vaut mieux partir du principe
+ que ce n'est pas le cas.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="systemsettings" id="systemsettings">Protection de la configuration du système</a></h2>
+
+
+
+ <p>Pour contrôler étroitement votre serveur, vous pouvez interdire
+ l'utilisation des fichiers <code>.htaccess</code> qui permettent de
+ passer outre les fonctionnalités de sécurité que vous avez configurées.
+ Voici un moyen pour y parvenir :</p>
+
+ <p>Ajoutez dans le fichier de configuration du serveur</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ AllowOverride None
+&lt;/Directory&gt;</pre>
+
+
+ <p>Ceci interdit l'utilisation des fichiers <code>.htaccess</code> dans
+ tous les répertoires, sauf ceux pour lesquels c'est explicitement
+ autorisé.</p>
+
+ <p>Notez que c'est la configuration par défaut depuis Apache 2.3.9.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="protectserverfiles" id="protectserverfiles">Protection par défaut des fichiers du serveur</a></h2>
+
+
+
+ <p>Le concept d'accès par défaut est un aspect d'Apache qui est parfois mal
+ compris. C'est à dire que, à moins que vous ne changiez explicitement ce
+ comportement, si le serveur trouve son chemin vers un fichier en suivant
+ les règles normales de correspondance URL - fichier, il peut le retourner
+ aux clients.</p>
+
+ <p>Considérons l'exemple suivant :</p>
+
+ <div class="example"><p><code>
+ # cd /; ln -s / public_html <br />
+ puis accès à <code>http://localhost/~root/</code>
+ </code></p></div>
+
+ <p>Ceci permettrait aux clients de parcourir l'ensemble du système de
+ fichiers. Pour l'éviter, ajoutez le bloc suivant à la configuration
+ de votre serveur :</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ Require all denied
+&lt;/Directory&gt;</pre>
+
+
+ <p>ceci va interdire l'accès par défaut à tous les fichiers du système de
+ fichiers. Vous devrez ensuite ajouter les blocs
+ <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> appropriés correspondant
+ aux répertoires auxquels vous voulez autorisez l'accès. Par exemple,</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/usr/users/*/public_html"&gt;
+ Require all granted
+&lt;/Directory&gt;
+&lt;Directory "/usr/local/httpd"&gt;
+ Require all granted
+&lt;/Directory&gt;</pre>
+
+
+ <p>Portez une attention particulière aux interactions entre les directives
+ <code class="directive"><a href="../mod/core.html#location">Location</a></code> et
+ <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> ; par exemple, si une
+ directive <code>&lt;Directory ""/&gt;</code> interdit un accès, une
+ directive <code>&lt;Location "/"&gt;</code> pourra passer outre.</p>
+
+ <p>De même, soyez méfiant en jouant avec la directive
+ <code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> ; la positionner à
+ <code>"./"</code> aurait le même effet, pour root, que le premier exemple plus haut.
+ Nous vous conseillons
+ fortement d'inclure la ligne suivante dans le fichier de configuration de
+ votre serveur :</p>
+
+ <pre class="prettyprint lang-config">UserDir disabled root</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="watchyourlogs" id="watchyourlogs">Surveillez vos journaux</a></h2>
+
+
+
+ <p>Pour vous tenir informé de ce qui se passe réellement dans votre
+ serveur, vous devez consulter vos
+ <a href="../logs.html">fichiers journaux</a>. Même si les fichiers journaux
+ ne consignent que des évènements qui se sont déjà produits, ils vous
+ informeront sur la nature des attaques qui sont lancées contre le serveur
+ et vous permettront de vérifier si le niveau de sécurité nécessaire est
+ atteint.</p>
+
+ <p>Quelques exemples :</p>
+
+ <div class="example"><p><code>
+ grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
+ grep "client denied" error_log | tail -n 10
+ </code></p></div>
+
+ <p>Le premier exemple listera les attaques essayant d'exploiter la
+ <a href="http://online.securityfocus.com/bid/4876/info/">vulnérabilité
+ d'Apache Tomcat pouvant provoquer la divulgation d'informations par des
+ requêtes Source.JSP mal formées</a>, le second donnera la liste des dix
+ dernières interdictions client ; par exemple :</p>
+
+ <div class="example"><p><code>
+ [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
+ by server configuration: /usr/local/apache/htdocs/.htpasswd
+ </code></p></div>
+
+ <p>Comme vous le voyez, les fichiers journaux ne consignent que ce qui
+ s'est déjà produit ; ainsi, si le client a pu accéder au fichier
+ <code>.htpasswd</code>, vous devriez avoir quelque chose du style :</p>
+
+ <div class="example"><p><code>
+ foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+ </code></p></div>
+
+ <p>dans votre <a href="../logs.html#accesslog">journal des accès</a> ; ce
+ qui signifie que vous avez probablement mis en commentaire ce qui suit dans
+ le fichier de configuration de votre serveur :</p>
+
+ <pre class="prettyprint lang-config">&lt;Files ".ht*"&gt;
+ Require all denied
+&lt;/Files&gt;</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="merging" id="merging">Fusion des sections de configuration</a></h2>
+
+
+
+ <p>La fusion des sections de configuration est complexe et dépend
+ souvent des directives utilisées. Vous devez systématiquement tester
+ vos modifications pour vérifier la manière dont les directives sont
+ fusionnées.</p>
+
+ <p>Concernant les modules qui n'implémentent aucune logique de
+ fusion, comme <code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code>, le
+ comportement des sections suivantes est tributaire de la présence
+ dans ces dernières de directives appartenant à ces modules. La
+ configuration est héritée jusqu'à ce qu'une modification soit
+ effectuée ; à ce moment, la configuration est <em>remplacée</em> et
+ non fusionnée.</p>
+ </div></div>
+<div class="bottomlang">
+<p><span>Langues Disponibles: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Commentaires</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Autorisé sous <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">Glossaire</a> | <a href="../sitemap.html">Plan du site</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file
diff --git a/docs/manual/misc/security_tips.html.ko.euc-kr b/docs/manual/misc/security_tips.html.ko.euc-kr
new file mode 100644
index 0000000..f186361
--- /dev/null
+++ b/docs/manual/misc/security_tips.html.ko.euc-kr
@@ -0,0 +1,373 @@
+<?xml version="1.0" encoding="EUC-KR"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="ko" xml:lang="ko"><head>
+<meta content="text/html; charset=EUC-KR" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>º¸¾È ÆÁ - Apache HTTP Server Version 2.4</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">¸ðµâ</a> | <a href="../mod/directives.html">Áö½Ã¾îµé</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">¿ë¾î</a> | <a href="../sitemap.html">»çÀÌÆ®¸Ê</a></p>
+<p class="apache">Apache HTTP Server Version 2.4</p>
+<img alt="" src="../images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Server</a> &gt; <a href="http://httpd.apache.org/docs/">Documentation</a> &gt; <a href="../">Version 2.4</a> &gt; <a href="./">Miscellaneous Documentation</a></div><div id="page-content"><div id="preamble"><h1>º¸¾È ÆÁ</h1>
+<div class="toplang">
+<p><span>°¡´ÉÇÑ ¾ð¾î: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Fran&#231;ais">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="T&#252;rk&#231;e">&nbsp;tr&nbsp;</a></p>
+</div>
+<div class="outofdate">ÀÌ ¹®¼­´Â ÃÖ½ÅÆÇ ¹ø¿ªÀÌ ¾Æ´Õ´Ï´Ù.
+ ÃÖ±Ù¿¡ º¯°æµÈ ³»¿ëÀº ¿µ¾î ¹®¼­¸¦ Âü°íÇϼ¼¿ä.</div>
+
+ <p>À¥¼­¹ö¸¦ ¿î¿µÇÒ¶§ µµ¿òÀÌ µÉ º¸¾È °ü·Ã ÈùÆ®¿Í ÆÁÀÌ´Ù.
+ ¾î¶² °ÍÀº ÀϹÝÀûÀÌ°í, ¾î¶² °ÍÀº ¾ÆÆÄÄ¡¿¡¸¸ ÇØ´çÇÏ´Â °ÍÀÌ´Ù.</p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">ÃÖ½ÅÆÇÀ¸·Î À¯ÁöÇϱâ</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#serverroot">ServerRoot µð·ºÅ丮 ±ÇÇÑ</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Server Side Includes</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cgi">ÀϹÝÀûÀÎ CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi">ScriptAliasÇÏÁö ¾ÊÀº CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi">ScriptAliasÇÑ CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">µ¿Àû ³»¿ëÀ» »ý¼ºÇÏ´Â ´Ù¸¥ ¹æ¹ý</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">½Ã½ºÅÛ ¼³Á¤ º¸È£Çϱâ</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">±âº»ÀûÀ¸·Î ¼­¹ö¿¡ ÀÖ´Â ÆÄÀÏ º¸È£Çϱâ</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">·Î±× »ìÆ캸±â</a></li>
+</ul><h3>Âü°í</h3><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="uptodate" id="uptodate">ÃÖ½ÅÆÇÀ¸·Î À¯ÁöÇϱâ</a></h2>
+
+ <p>¾ÆÆÄÄ¡ À¥¼­¹ö´Â ¾ÈÀü°ú º¸¾È ¹®Á¦¿¡ °ü½ÉÀÌ ¸¹Àº °³¹ßÀÚ
+ °øµ¿Ã¼·Î À¯¸íÇÏ´Ù. ±×·¯³ª Å©°Ç ÀÛ°Ç ¹ßÇ¥ÈÄ ¹ß°ßµÇ´Â ¹®Á¦µéÀ»
+ ÇÇÇÒ ¼ö ¾ø´Ù. ±×·¡¼­ ¼ÒÇÁÆ®¿þ¾î¸¦ ÃֽŹöÀüÀ¸·Î À¯ÁöÇÏ´Â
+ °ÍÀÌ Áß¿äÇÏ´Ù. ¾ÆÆÄÄ¡¿¡¼­ Á÷Á¢ À¥¼­¹ö¸¦ ´Ù¿î·ÎµåÇß´Ù¸é,
+ »õ·Î¿î ¹öÀü°ú º¸¾È ¾÷µ¥ÀÌÆ®¸¦ ¾Ë·ÁÁÖ´Â <a href="http://httpd.apache.org/lists.html#http-announce">¾ÆÆÄÄ¡
+ À¥¼­¹ö ¹ßÇ¥ ¸ÞÀϸµ¸®½ºÆ®</a>¸¦ ±¸µ¶ÇÏ±æ °­·ÂÈ÷ ±ÇÇÑ´Ù.
+ ¾ÆÆÄÄ¡ ¼ÒÇÁÆ®¿þ¾î¸¦ ¹èÆ÷ÇÏ´Â ¸¹Àº Á¦»ïÀڵ鵵 ºñ½ÁÇÑ ¼­ºñ½º¸¦
+ Á¦°øÇÑ´Ù.</p>
+
+ <p>¹°·Ð À¥¼­¹ö Äڵ嶧¹®¿¡ À¥¼­¹ö°¡ °ø°ÝÀ» ´çÇÏ´Â °æ¿ì´Â
+ ¸¹Áö ¾Ê´Ù. ±×º¸´Ù Ãß°¡ ÄÚµå, CGI ½ºÅ©¸³Æ®, ÇÏÀ§ ¿î¿µÃ¼Á¦ÀÇ
+ ¹®Á¦·Î °ø°ÝÀ» ´çÇÏ´Â °æ¿ì°¡ ¸¹´Ù. ±×·¯¹Ç·Î Ç×»ó ÁÖÀÇÇϸç
+ ½Ã½ºÅÛÀÇ ¸ðµç ¼ÒÇÁÆ®¿þ¾î¸¦ ¾÷µ¥ÀÌÆ®ÇØ¾ß ÇÑ´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="serverroot" id="serverroot">ServerRoot µð·ºÅ丮 ±ÇÇÑ</a></h2>
+
+
+
+ <p>º¸Åë root »ç¿ëÀÚ°¡ ¾ÆÆÄÄ¡¸¦ ½ÃÀÛÇÑ ÈÄ, ¿äûÀ» ¼­ºñ½ºÇϱâÀ§ÇØ
+ <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> Áö½Ã¾î·Î
+ ÁöÁ¤ÇÑ »ç¿ëÀÚ·Î º¯È¯ÇÑ´Ù. root°¡ ½ÇÇàÇÏ´Â ¸í·É¾î°¡ ÀÖ´Ù¸é,
+ root ÀÌ¿ÜÀÇ »ç¿ëÀÚ°¡ ¼öÁ¤ÇÏÁö ¸øÇϵµ·Ï ÁÖÀÇÇØ¾ß ÇÑ´Ù. ÀÌ
+ ÆÄÀϵéÀ» root¸¸ ¾µ ¼ö ÀÖ¾î¾ß ÇÏ°í, µð·ºÅ丮¿Í ¸ðµç »óÀ§µð·ºÅ丮µµ
+ ¸¶Âù°¡Áö´Ù. ¿¹¸¦ µé¾î, ServerRoot·Î /usr/local/apache¸¦
+ »ç¿ëÇÑ´Ù¸é root »ç¿ëÀÚ°¡ ´ÙÀ½°ú °°ÀÌ µð·ºÅ丮¸¦ ¸¸µé±æ
+ Á¦¾ÈÇÑ´Ù:</p>
+
+ <div class="example"><p><code>
+ mkdir /usr/local/apache <br />
+ cd /usr/local/apache <br />
+ mkdir bin conf logs <br />
+ chown 0 . bin conf logs <br />
+ chgrp 0 . bin conf logs <br />
+ chmod 755 . bin conf logs
+ </code></p></div>
+
+ <p>±×·¯¸é /, /usr, /usr/local Àº root¸¸ÀÌ ¼öÁ¤ÇÒ ¼ö ÀÖ´Ù.
+ httpd ½ÇÇàÆÄÀÏÀ» ¼³Ä¡ÇÒ¶§ ´ÙÀ½°ú °°ÀÌ º¸È£ÇØ¾ß ÇÑ´Ù:</p>
+
+ <div class="example"><p><code>
+ cp httpd /usr/local/apache/bin <br />
+ chown 0 /usr/local/apache/bin/httpd <br />
+ chgrp 0 /usr/local/apache/bin/httpd <br />
+ chmod 511 /usr/local/apache/bin/httpd
+ </code></p></div>
+
+ <p>htdocs ÇÏÀ§µð·ºÅ丮´Â ´Ù¸¥ »ç¿ëÀÚµéÀÌ ¼öÁ¤ÇÒ ¼ö ÀÖµµ·Ï
+ ¸¸µé ¼ö ÀÖ´Ù -- root´Â ±×°÷¿¡ ÀÖ´Â ÆÄÀÏÀ» ½ÇÇàÇÏÁöµµ, ¸¸µéÁöµµ
+ ¾Ê¾Æ¾ß ÇÑ´Ù.</p>
+
+ <p>root°¡ ¾Æ´Ñ »ç¿ëÀÚ°¡ root°¡ ½ÇÇàÇϰųª ¾²±â°¡´ÉÇÑ ÆÄÀÏÀ»
+ ¼öÁ¤ÇÒ ¼ö ÀÖ´Ù¸é ½Ã½ºÅÛÀÇ root ±ÇÇÑÀ» ÈÉÄ¥ ¼ö ÀÖ´Ù. ¿¹¸¦
+ µé¾î, ´©±º°¡ httpd ½ÇÇàÆÄÀÏÀ» º¯°æÇÏ¿´´Ù¸é ´ÙÀ½¹ø ½ÃÀÛÇÒ¶§
+ ÀÓÀÇÀÇ Äڵ带 ½ÇÇàÇÏ°Ô µÈ´Ù. logs µð·ºÅ丮°¡ (root°¡ ¾Æ´Ñ
+ »ç¿ëÀÚ¿¡°Ô) ¾²±â°¡´ÉÇÏ´Ù¸é ´©±º°¡ ·Î±×ÆÄÀÏÀ» ´Ù¸¥ ½Ã½ºÅÛÆÄÀÏ·Î
+ ½Éº¼¸µÅ©¸¦ °É¾î¼­ root°¡ ÆÄÀÏ¿¡ ÀÓÀÇÀÇ ÀڷḦ µ¤¾î¾µ ¼ö
+ ÀÖ´Ù. ·Î±×ÆÄÀÏÀÌ (root°¡ ¾Æ´Ñ »ç¿ëÀÚ¿¡°Ô) ¾²±â°¡´ÉÇÏ´Ù¸é
+ ´©±º°¡ ·Î±×¿¡ ÀÌ»óÇÑ ÀڷḦ ±â·ÏÇÒ ¼ö ÀÖ´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ssi" id="ssi">Server Side Includes</a></h2>
+
+
+
+ <p>Server Side Includes (SSI)´Â ¼­¹ö °ü¸®ÀÚ¿¡°Ô º¸¾È»ó ¸î°¡Áö
+ ÀáÀçÀûÀÎ À§ÇèÀÌ´Ù.</p>
+
+ <p>ù¹ø° À§ÇèÀº ¼­¹öÀÇ ºÎÇϸ¦ ´Ã¸®´Â Á¡ÀÌ´Ù. ¾ÆÆÄÄ¡´Â ÆÄÀÏ¿¡
+ SSI Áö½Ã¾î°¡ ÀÖ´ÂÁö ¿©ºÎ¿Í °ü°è¾øÀÌ ¸ðµç SSI ÆÄÀÏÀ» ºÐ¼®Çؾß
+ ÇÑ´Ù. Á¶±Ý ºÎÇÏ°¡ ´ÃÁö¸¸, ¼­¹ö¸¦ ¿©·¯ »ç¶÷ÀÌ °°ÀÌ »ç¿ëÇÏ´Â
+ ȯ°æ¿¡¼­´Â ½É°¢ÇÒ ¼ö ÀÖ´Ù.</p>
+
+ <p>¶Ç, SSI ÆÄÀÏÀº ÀϹÝÀûÀÎ CGI ½ºÅ©¸³Æ®¿Í µ¿ÀÏÇÑ À§ÇèÀ»
+ °¡Áø´Ù. SSI ÆÄÀÏ¿¡¼­ "exec cmd"¸¦ »ç¿ëÇϸé httpd.conf¿¡¼­
+ ¾ÆÆÄÄ¡¸¦ ½ÇÇàÇϵµ·Ï ¼³Á¤ÇÑ »ç¿ëÀÚ¿Í ±×·ì ±ÇÇÑÀ¸·Î CGI
+ ½ºÅ©¸³Æ®³ª ÇÁ·Î±×·¥À» ½ÇÇàÇÒ ¼ö ÀÖ´Ù.</p>
+
+ <p>ÀåÁ¡À» È°¿ëÇϸ鼭 SSI ÆÄÀÏÀÇ º¸¾ÈÀ» Çâ»ó½ÃÅ°´Â ¹æ¹ýÀÌ
+ ÀÖ´Ù.</p>
+
+ <p>SSI ÆÄÀÏÀÌ °¡Á®¿Ã ¼ö ÀÖ´Â ÇÇÇظ¦ °Ý¸®ÇϱâÀ§ÇØ ¼­¹ö°ü¸®ÀÚ´Â
+ <a href="#cgi">ÀϹÝÀûÀÎ CGI</a> Àý¿¡¼­ ¼³¸íÇÏ´Â ¹æ¹ýÀ¸·Î
+ <a href="../suexec.html">suexec</a>¸¦ »ç¿ëÇÒ ¼ö ÀÖ´Ù</p>
+
+ <p>.htmlÀ̳ª .htm È®ÀåÀÚ¸¦ SSI ÆÄÀÏ·Î »ç¿ëÇÏ´Â °ÍÀº À§ÇèÇÏ´Ù.
+ ƯÈ÷ ¿©·¯ »ç¶÷ÀÌ °øÀ¯Çϰųª Åë½Å·®ÀÌ ¸¹Àº ¼­¹ö ȯ°æ¿¡¼­
+ À§ÇèÇÏ´Ù. SSI ÆÄÀÏÀº ÀϹÝÀûÀ¸·Î ¸¹ÀÌ »ç¿ëÇÏ´Â .shtml °°Àº
+ º°µµÀÇ È®ÀåÀÚ¸¦ °¡Á®¾ß ÇÑ´Ù. ±×·¯¸é ¼­¹ö ºÎÇϸ¦ ÃÖ¼ÒÈ­ÇÏ°í
+ À§Çè¿ä¼Ò¸¦ ½±°Ô °ü¸®ÇÒ ¼ö ÀÖ´Ù.</p>
+
+ <p>´Ù¸¥ ¹æ¹ýÀº SSI ÆäÀÌÁö°¡ ½ºÅ©¸³Æ®³ª ÇÁ·Î±×·¥À» ½ÇÇàÇÏÁö
+ ¸øÇϵµ·Ï ¸¸µå´Â °ÍÀÌ´Ù. <code class="directive"><a href="../mod/core.html#options">Options</a></code> Áö½Ã¾î¿¡¼­ <code>Includes</code>
+ ´ë½Å <code>IncludesNOEXEC</code>¸¦ »ç¿ëÇÑ´Ù. ±×·¡µµ ½ºÅ©¸³Æ®°¡
+ <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code> Áö½Ã¾î·Î
+ ÁöÁ¤ÇÑ µð·ºÅ丮¿¡ ÀÖ´Ù¸é &lt;--#include virtual="..." --&gt;¸¦
+ »ç¿ëÇÏ¿© CGI ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇÒ ¼ö ÀÖÀ½À» ÁÖÀÇÇ϶ó.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="cgi" id="cgi">ÀϹÝÀûÀÎ CGI</a></h2>
+
+
+
+ <p>°á±¹ ´ç½ÅÀº Ç×»ó CGI ½ºÅ©¸³Æ®/ÇÁ·Î±×·¥ÀÇ ÀúÀÚ¸¦ ½Å·ÚÇؾß
+ ÇÏ°í, °íÀÇ°Ç ½Ç¼öÀÌ°Ç CGIÀÇ ÀáÀçÀûÀÎ º¸¾È»ó ÇãÁ¡À» ¹ß°ßÇÒ
+ ¼ö ÀÖ¾î¾ß ÇÑ´Ù. ±âº»ÀûÀ¸·Î CGI ½ºÅ©¸³Æ®´Â À¥¼­¹ö »ç¿ëÀÚ
+ ±ÇÇÑÀ¸·Î ½Ã½ºÅÛ¿¡¼­ ¾î¶² ¸í·É¾î¶óµµ ½ÇÇàÇÒ ¼ö Àֱ⶧¹®¿¡
+ ÁÖÀÇÀÖ°Ô È®ÀÎÇÏÁö ¾ÊÀ¸¸é ¸Å¿ì À§ÇèÇÏ´Ù.</p>
+
+ <p>¸ðµç CGI ½ºÅ©¸³Æ®°¡ °°Àº »ç¿ëÀÚ·Î ½ÇÇàµÇ±â¶§¹®¿¡ ´Ù¸¥
+ ½ºÅ©¸³Æ®¿Í (°íÀÇ°Ç ½Ç¼öÀÌ°Ç) Ãæµ¹ÇÒ °¡´É¼ºÀÌ ÀÖ´Ù. ¿¹¸¦
+ µé¾î, »ç¿ëÀÚ A´Â »ç¿ëÀÚ B¸¦ ¸Å¿ì ½È¾îÇÏ¿©, »ç¿ëÀÚ BÀÇ CGI
+ µ¥ÀÌÅͺ£À̽º¸¦ Áö¿ö¹ö¸®´Â ½ºÅ©¸³Æ®¸¦ ÀÛ¼ºÇÒ ¼ö ÀÖ´Ù. ¾ÆÆÄÄ¡
+ 1.2 ¹öÀüºÎÅÍ Æ÷ÇԵǾú°í ¾ÆÆÄÄ¡ ¼­¹ö¿¡¼­ Ưº°ÇÑ ÈÅ(hook)À¸·Î
+ µ¿ÀÛÇÏ´Â <a href="../suexec.html">suEXEC</a>´Â ½ºÅ©¸³Æ®¸¦
+ ´Ù¸¥ »ç¿ëÀÚ·Î ½ÇÇàÇÏ´Â ¹æ¹ýÁß Çϳª´Ù. ´Ù¸¥ ´ëÁßÀûÀÎ ¹æ¹ý¿¡´Â
+ <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>ÀÌ ÀÖ´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="nsaliasedcgi" id="nsaliasedcgi">ScriptAliasÇÏÁö ¾ÊÀº CGI</a></h2>
+
+
+
+ <p>´ÙÀ½ Á¶°ÇÀ» ¸¸Á·ÇÒ¶§¸¸ »ç¿ëÀÚ°¡ ¾î¶² µð·ºÅ丮¿¡¼­¶óµµ
+ CGI ½ºÅ©¸³Æ®¸¦ ½ÇÇàÇϵµ·Ï Çã¿ëÇÒ ¼ö ÀÖ´Ù:</p>
+
+ <ul>
+ <li>´ç½ÅÀº °íÀÇ°Ç ½Ç¼öÀÌ°Ç »ç¿ëÀÚ°¡ ½Ã½ºÅÛÀ» °ø°Ý¿¡ ³ëÃâ½ÃÅ°´Â
+ ½ºÅ©¸³Æ®¸¦ ÀÛ¼ºÇÏÁö ¾Ê´Â´Ù°í ¹Ï´Â´Ù.</li>
+ <li>½Ã½ºÅÛÀÇ ´Ù¸¥ ºÎºÐÀÇ º¸¾ÈÀÌ ¾àÇؼ­, ÀáÀçÀûÀÎ ÇãÁ¡À»
+ Çϳª ´õ ¸¸µé¾îµµ ³ªºüÁú °ÍÀÌ ¾ø´Ù°í »ý°¢ÇÏ´Â °æ¿ì.</li>
+ <li>»ç¿ëÀÚ°¡ ¾ø°í, ¾Æ¸¶ ¾Æ¹«µµ ¼­¹ö¸¦ ¹æ¹®ÇÏÁö¾Ê´Â °æ¿ì.</li>
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="saliasedcgi" id="saliasedcgi">ScriptAliasÇÑ CGI</a></h2>
+
+
+
+ <p>ƯÁ¤ µð·ºÅ丮¿¡¼­¸¸ CGI¸¦ ½ÇÇàÇÒ ¼ö ÀÖµµ·Ï Á¦ÇÑÇÏ¸é °ü¸®ÀÚ´Â
+ ÀÌµé µð·ºÅ丮¸¦ ÅëÁ¦ÇÒ ¼ö ÀÖ´Ù. ÀÌ °æ¿ì´Â scriptaliasÇÏÁö
+ ¾ÊÀº CGIº¸´Ù È®½ÇÈ÷ ¾ÈÀüÇÏ´Ù. ´Ü, ½Å·ÚÇÏ´Â »ç¿ëÀÚ¸¸ µð·ºÅ丮¿¡
+ Á¢±ÙÇÒ ¼ö ÀÖ°í, °ü¸®ÀÚ°¡ »õ·Î¿î CGI ½ºÅ©¸³Æ®/ÇÁ·Î±×·¥ÀÇ
+ ÀáÀçÀûÀÎ º¸¾È»ó ÇãÁ¡À» °Ë»çÇÒ ¿ëÀÌ°¡ ÀÖ´Ù¸é.</p>
+
+ <p>´ëºÎºÐÀÇ »çÀÌÆ®´Â scriptaliasÇÏÁö ¾ÊÀº CGI ¹æ½Ä ´ë½Å
+ ÀÌ ¹æ½ÄÀ» »ç¿ëÇÑ´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamic" id="dynamic">µ¿Àû ³»¿ëÀ» »ý¼ºÇÏ´Â ´Ù¸¥ ¹æ¹ý</a></h2>
+
+
+
+ <p>
+ mod_php, mod_perl, mod_tcl, mod_python °°ÀÌ ¼­¹öÀÇ ÀϺηÎ
+ µ¿ÀÛÇÏ´Â ÀÓº£µðµå ½ºÅ©¸³Æ®´Â ¼­¹ö¿Í °°Àº »ç¿ëÀÚ·Î (<code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> Áö½Ã¾î Âü°í) ½ÇÇàµÇ±â¶§¹®¿¡,
+ ½ºÅ©¸³Æ® ¿£ÁøÀÌ ½ÇÇàÇÏ´Â ½ºÅ©¸³Æ®´Â ÀáÀçÀûÀ¸·Î ¼­¹ö »ç¿ëÀÚ°¡
+ Á¢±ÙÇÒ ¼ö ÀÖ´Â ¸ðµç °Í¿¡ Á¢±ÙÇÒ ¼ö ÀÖ´Ù. ¾î¶² ½ºÅ©¸³Æ® ¿£ÁøÀº
+ ¾î´ÀÁ¤µµ Á¦ÇÑÀ» ÇÏÁö¸¸, ¾ÈÀüÇÏ´Ù°í °¡Á¤ÇÏÁö ¾Ê´Â °ÍÀÌ ÁÁ´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="systemsettings" id="systemsettings">½Ã½ºÅÛ ¼³Á¤ º¸È£Çϱâ</a></h2>
+
+
+
+ <p>Á¤¸»·Î ¾ÈÀüÇÑ ¼­¹ö¸¦ ¿î¿µÇÏ·Á¸é »ç¿ëÀÚ°¡
+ <code>.htaccess</code> ÆÄÀÏÀ» »ç¿ëÇÏ¿© ´ç½ÅÀÌ ¼³Á¤ÇÑ º¸¾È±â´ÉÀ»
+ º¯°æÇÏ±æ ¹Ù¶óÁö ¾ÊÀ» °ÍÀÌ´Ù. ±×·¯±âÀ§ÇØ ´ÙÀ½°ú °°Àº ¹æ¹ýÀÌ
+ ÀÖ´Ù.</p>
+
+ <p>¼­¹ö ¼³Á¤ÆÄÀÏ¿¡ ´ÙÀ½À» Ãß°¡ÇÑ´Ù</p>
+
+ <div class="example"><p><code>
+ &lt;Directory /&gt; <br />
+ AllowOverride None <br />
+ &lt;/Directory&gt;
+ </code></p></div>
+
+ <p>±×·¯¸é »ç¿ë°¡´ÉÇϵµ·Ï ¸í½ÃÀûÀ¸·Î Çã¿ëÇÑ µð·ºÅ丮¸¦ Á¦¿ÜÇÏ°í´Â
+ <code>.htaccess</code> ÆÄÀÏÀ» »ç¿ëÇÒ ¼ö ¾ø´Ù.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="protectserverfiles" id="protectserverfiles">±âº»ÀûÀ¸·Î ¼­¹ö¿¡ ÀÖ´Â ÆÄÀÏ º¸È£Çϱâ</a></h2>
+
+
+
+ <p>»ç¶÷µéÀº Á¾Á¾ ¾ÆÆÄÄ¡ÀÇ ±âº» Á¢±Ù¿¡ ´ëÇØ À߸ø ¾Ë°íÀÖ´Ù.
+ Áï, ¼­¹ö°¡ ÀϹÝÀûÀÎ URL ´ëÀÀ ±ÔÄ¢À» »ç¿ëÇÏ¿© ÆÄÀÏÀ» ãÀ»
+ ¼ö ÀÖ´Ù¸é, Ưº°È÷ Á¶Ä¡¸¦ ÇÏÁö ¾Ê´ÂÇÑ Å¬¶óÀ̾ðÆ®¿¡°Ô ÆÄÀÏÀÌ
+ ¼­ºñ½ºµÉ ¼ö ÀÖ´Ù.</p>
+
+ <p>¿¹¸¦ µé¾î, ¾Æ·¡¿Í °°Àº °æ¿ì:</p>
+
+ <div class="example"><p><code>
+ # cd /; ln -s / public_html <br />
+ <code>http://localhost/~root/</code> ¿¡ Á¢±ÙÇÑ´Ù
+ </code></p></div>
+
+ <p>±×·¯¸é Ŭ¶óÀ̾ðÆ®´Â Àüü ÆÄÀϽýºÅÛÀ» µ¹¾Æ´Ù´Ò ¼ö ÀÖ´Ù.
+ À̸¦ ¸·±âÀ§ÇØ ¼­¹ö¼³Á¤¿¡¼­ ´ÙÀ½°ú °°Àº Á¶Ä¡¸¦ ÇÑ´Ù:</p>
+
+ <div class="example"><p><code>
+ &lt;Directory /&gt; <br />
+ Order Deny,Allow <br />
+ Deny from all <br />
+ &lt;/Directory&gt;
+ </code></p></div>
+
+ <p>±×·¯¸é ÆÄÀϽýºÅÛ À§Ä¡¿¡ ´ëÇØ ±âº» Á¢±ÙÀÌ °ÅºÎµÈ´Ù.
+ ¿øÇÏ´Â ¿µ¿ª¿¡ Á¢±ÙÇÒ ¼ö ÀÖµµ·Ï ´ÙÀ½°ú °°Àº <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> ºí·ÏÀ» Ãß°¡ÇÑ´Ù.</p>
+
+ <div class="example"><p><code>
+ &lt;Directory /usr/users/*/public_html&gt; <br />
+ Order Deny,Allow <br />
+ Allow from all <br />
+ &lt;/Directory&gt; <br />
+ &lt;Directory /usr/local/httpd&gt; <br />
+ Order Deny,Allow <br />
+ Allow from all <br />
+ &lt;/Directory&gt;
+ </code></p></div>
+
+ <p><code class="directive"><a href="../mod/core.html#location">Location</a></code>°ú <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> Áö½Ã¾î¸¦ °°ÀÌ »ç¿ëÇÏ´Â
+ °æ¿ì Ưº°È÷ ÁÖÀǸ¦ ±â¿ï¿©¶ó. ¿¹¸¦ µé¾î, <code>&lt;Directory
+ /&gt;</code>°¡ Á¢±ÙÀ» °ÅºÎÇÏ´õ¶óµµ <code>&lt;Location
+ /&gt;</code> Áö½Ã¾î°¡ À̸¦ ¹«½ÃÇÒ ¼ö ÀÖ´Ù</p>
+
+ <p><code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> Áö½Ã¾î¸¦
+ »ç¿ëÇÏ´Â °æ¿ì¿¡µµ ÁÖÀÇÇ϶ó. Áö½Ã¾î¸¦ "./" °°ÀÌ ¼³Á¤Çϸé
+ root »ç¿ëÀÚ¿¡ ´ëÇØ ¹Ù·Î À§ÀÇ °æ¿ì¿Í °°Àº ¹®Á¦°¡ ¹ß»ýÇÑ´Ù.
+ ¾ÆÆÄÄ¡ 1.3 ÀÌ»óÀ» »ç¿ëÇÑ´Ù¸é ¼­¹ö ¼³Á¤ÆÄÀÏ¿¡ ¾Æ·¡ ÁÙÀ» Ãß°¡Çϱæ
+ °­·ÂÈ÷ ±ÇÇÑ´Ù:</p>
+
+ <div class="example"><p><code>
+ UserDir disabled root
+ </code></p></div>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="watchyourlogs" id="watchyourlogs">·Î±× »ìÆ캸±â</a></h2>
+
+
+
+ <p>½ÇÁ¦·Î ¼­¹ö¿¡¼­ ¹«½¼ ÀÏÀÌ À־°í ÀÖ´ÂÁö ¾Ë·Á¸é <a href="../logs.html">·Î±×ÆÄÀÏ</a>À» »ìÆìºÁ¾ß ÇÑ´Ù. ·Î±×ÆÄÀÏÀº
+ ÀÌ¹Ì ÀϾ Àϸ¸À» º¸°íÇÏÁö¸¸, ¼­¹ö¿¡ ¾î¶² °ø°ÝÀÌ ÀÖ¾ú´ÂÁö
+ ¾Ë·ÁÁÖ°í ÇöÀç ÇÊ¿äÇÑ ¸¸Å­ ¾ÈÀüÇÑÁö È®ÀÎÇÏ°Ô ÇØÁØ´Ù.</p>
+
+ <p>¿©·¯°¡Áö ¿¹:</p>
+
+ <div class="example"><p><code>
+ grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
+ grep "client denied" error_log | tail -n 10
+ </code></p></div>
+
+ <p>ù¹ø° ¿¹´Â <a href="http://online.securityfocus.com/bid/4876/info/">À߸øµÈ
+ Source.JSP ¿äûÀ¸·Î ¼­¹öÁ¤º¸¸¦ ¾Ë¾Æ³¾ ¼ö ÀÖ´Â TomcatÀÇ
+ Ãë¾àÁ¡</a>¸¦ ÀÌ¿ëÇÏ·Á´Â °ø°Ý Ƚ¼ö¸¦ ¾Ë·ÁÁÖ°í, µÎ¹ø° ¿¹´Â
+ Á¢±ÙÀÌ °ÅºÎµÈ Ãֱ٠Ŭ¶óÀ̾ðÆ® 10°³¸¦ ´ÙÀ½°ú °°ÀÌ º¸¿©ÁØ´Ù:</p>
+
+ <div class="example"><p><code>
+ [Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied
+ by server configuration: /usr/local/apache/htdocs/.htpasswd
+ </code></p></div>
+
+ <p>Àß ¾Ë µíÀÌ ·Î±×ÆÄÀÏÀº ÀÌ¹Ì ¹ß»ýÇÑ »ç°Ç¸¸À» º¸°íÇÑ´Ù.
+ ±×·¡¼­ Ŭ¶óÀ̾ðÆ®°¡ <code>.htpasswd</code> ÆÄÀÏ¿¡ Á¢±ÙÇÒ
+ ¼ö ÀÖ¾ú´Ù¸é <a href="../logs.html#accesslog">Á¢±Ù ·Î±×</a>¿¡
+ ´ÙÀ½°ú °°Àº ±â·ÏÀÌ ³²À» °ÍÀÌ´Ù:</p>
+
+ <div class="example"><p><code>
+ foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+ </code></p></div>
+
+ <p>Áï, ´ç½ÅÀº ¼­¹ö ¼³Á¤ÆÄÀÏ¿¡¼­ ´ÙÀ½ ºÎºÐÀ» ÁÖ¼®Ã³¸®ÇßÀ»
+ °ÍÀÌ´Ù:</p>
+
+ <div class="example"><p><code>
+ &lt;Files ".ht*"&gt; <br />
+ Order allow,deny <br />
+ Deny from all <br />
+ &lt;Files&gt;
+ </code></p></div>
+
+ </div></div>
+<div class="bottomlang">
+<p><span>°¡´ÉÇÑ ¾ð¾î: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Fran&#231;ais">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" hreflang="tr" rel="alternate" title="T&#252;rk&#231;e">&nbsp;tr&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="../mod/">¸ðµâ</a> | <a href="../mod/directives.html">Áö½Ã¾îµé</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="../glossary.html">¿ë¾î</a> | <a href="../sitemap.html">»çÀÌÆ®¸Ê</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file
diff --git a/docs/manual/misc/security_tips.html.tr.utf8 b/docs/manual/misc/security_tips.html.tr.utf8
new file mode 100644
index 0000000..4a46578
--- /dev/null
+++ b/docs/manual/misc/security_tips.html.tr.utf8
@@ -0,0 +1,485 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="tr" xml:lang="tr"><head>
+<meta content="text/html; charset=UTF-8" http-equiv="Content-Type" />
+<!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ -->
+<title>Güvenlik İpuçları - Apache HTTP Sunucusu Sürüm 2.4</title>
+<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
+<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
+<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
+<script src="../style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
+<link href="../images/favicon.ico" rel="shortcut icon" /></head>
+<body id="manual-page"><div id="page-header">
+<p class="menu"><a href="../mod/">Modüller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="http://wiki.apache.org/httpd/FAQ">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p>
+<p class="apache">Apache HTTP Sunucusu Sürüm 2.4</p>
+<img alt="" src="../images/feather.png" /></div>
+<div class="up"><a href="./"><img title="&lt;-" alt="&lt;-" src="../images/left.gif" /></a></div>
+<div id="path">
+<a href="http://www.apache.org/">Apache</a> &gt; <a href="http://httpd.apache.org/">HTTP Sunucusu</a> &gt; <a href="http://httpd.apache.org/docs/">Belgeleme</a> &gt; <a href="../">Sürüm 2.4</a> &gt; <a href="./">Çeşitli Belgeler</a></div><div id="page-content"><div id="preamble"><h1>Güvenlik İpuçları</h1>
+<div class="toplang">
+<p><span>Mevcut Diller: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div>
+
+ <p>Bir HTTP Sunucusunu ayarlarken dikkat edilmesi gerekenler ve bazı
+ ipuçları. Öneriler kısmen Apache’ye özel kısmen de genel olacaktır.</p>
+ </div>
+<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#uptodate">Güncel Tutma</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dos">Hizmet Reddi (DoS) Saldırıları</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#serverroot"><code>ServerRoot</code> Dizinlerinin Ä°zinleri</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#ssi">Sunucu Taraflı İçerik Yerleştirme</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#cgi">CGI Genelinde</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#nsaliasedcgi"><code>ScriptAlias</code>’sız CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#saliasedcgi"><code>ScriptAlias</code>’lı CGI</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamic">Devingen içerikli kaynaklar</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#dynamicsec">Devingen içeriğin güvenliği</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#systemsettings">Sistem Ayarlarının Korunması</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#protectserverfiles">Sunucu dosyalarının öntanımlı olarak korunması</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#watchyourlogs">Günlüklerin İzlenmesi</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#merging">Yapılandırma bölümlerinin birleştirilmesi</a></li>
+</ul><h3>Ayrıca bakınız:</h3><ul class="seealso"><li><a href="#comments_section">Yorumlar</a></li></ul></div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="uptodate" id="uptodate">Güncel Tutma</a></h2>
+
+ <p>Apache HTTP Sunucusu iyi bir güvenlik sicilinin yanında güvenlik
+ konularıyla oldukça ilgili bir geliştirici topluluğuna sahiptir. Fakat,
+ bir yazılımın dağıtılmasının ardından küçük ya da büyük bazı sorunların
+ keşfedilmesi kaçınılmazdır. Bu sebeple, yazılım güncellemelerinden
+ haberdar olmak oldukça önem kazanır. HTTP sunucunuzu doğrudan
+ Apache’den temin ediyorsanız yeni sürümler ve güvenlik güncellemeleri
+ ile ilgili bilgileri tam zamanında alabilmek için <a href="http://httpd.apache.org/lists.html#http-announce">Apache
+ HTTP Sunucusu Duyuru Listesi</a>ne mutlaka üye olmanızı öneririz.
+ Apache yazılımının üçüncü parti dağıtımlarını yapanların da buna benzer
+ hizmetleri vardır.</p>
+
+ <p>Şüphesiz, bir HTTP sunucusu, sunucu kodunda bir sorun olmasa da
+ tehlike altındadır. Eklenti kodları, CGI betikleri hatta işletim
+ sisteminden kaynaklanan sorunlar nedeniyle bu ortaya çıkabilir. Bu
+ bakımdan, sisteminizdeki tüm yazılımların sorunları ve güncellemeleri
+ hakkında bilgi sahibi olmalısınız.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dos" id="dos">Hizmet Reddi (DoS) Saldırıları</a></h2>
+
+
+ <p>Tüm ağ sunucuları, istemcilerin sistem kaynaklarından yararlanmalarını
+ engellemeye çalışan hizmet reddi saldırılarına (HRS) maruz kalabilir.
+ Bu tür saldırıları tamamen engellemek mümkün değildir, fakat
+ yarattıkları sorunları azaltmak için bazı şeyler yapabilirsiniz.</p>
+
+ <p>Çoğunlukla en etkili anti-HRS aracı bir güvenlik duvarı veya başka bir
+ işletim sistemi yapılandırmasıdır. Örneğin, çoğu güvenlik duvarı
+ herhangi bir IP adresinden aynı anda yapılan bağlantıların sayısına bir
+ sınırlama getirmek üzere yapılandırılabilir. Böylece basit saldırılar
+ engellenebilir. Ancak bunun dağıtık hizmet reddi saldırılarına (DHRS)
+ karşı bir etkisi olmaz.</p>
+
+ <p>Bunların yanında Apache HTTP Sunucusunun da sorunları azaltıcı
+ tedbirler alınmasını sağlayacak bazı yapılandırmaları vardır:</p>
+
+ <ul>
+ <li><code class="directive"><a href="../mod/mod_reqtimeout.html#requestreadtimeout">RequestReadTimeout</a></code>
+ yönergesi bir istemcinin isteği göndermek için harcadığı zamanı
+ sınırlamayı sağlar.</li>
+
+ <li>HRS’ye maruz kalması olası sitelerde <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> yönergesinin değeri düşürülmelidir. Birkaç
+ saniye gibi mümkün olduğunca düşük bir ayar uygun olabilir. Ancak
+ <code class="directive"><a href="../mod/core.html#timeout">TimeOut</a></code> baÅŸka iÅŸlemlerde de
+ kullanıldığından çok düşük değerler, örneğin, uzun süre çalışan CGI
+ betiklerinde sorunlar çıkmasına sebep olabilir.</li>
+
+ <li>HRS’ye maruz kalması olası sitelerde <code class="directive"><a href="../mod/core.html#keepalivetimeout">KeepAliveTimeout</a></code> yönergesinin değeri de düşürülebilir.
+ Hatta bazı siteler başarımı arttırmak amacıyla <code class="directive"><a href="../mod/core.html#keepalive">KeepAlive</a></code> yönergesi üzerinden kalıcı
+ bağlantıları tamamen kapatabilirler.</li>
+
+ <li>Zaman aşımıyla ilgili yönergeler bakımından diğer modüller de
+ araştırılmalıdır.</li>
+
+ <li><code class="directive"><a href="../mod/core.html#limitrequestbody">LimitRequestBody</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfields">LimitRequestFields</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestfieldsize">LimitRequestFieldSize</a></code>,
+ <code class="directive"><a href="../mod/core.html#limitrequestline">LimitRequestLine</a></code> ve
+ <code class="directive"><a href="../mod/core.html#limitxmlrequestbody">LimitXMLRequestBody</a></code> yönergeleri,
+ istemci girdileri ile tetiklenen özkaynak tüketimini sınırlamak için
+ yapılandırılırken dikkatli olunmalıdır.</li>
+
+ <li>Ä°ÅŸletim sisteminiz desteklediÄŸi takdirde, iÅŸletim sisteminin isteÄŸi
+ işleyen kısmını yüksüz bırakmak için <code class="directive"><a href="../mod/core.html#acceptfilter">AcceptFilter</a></code> yönergesinin etkin olmasını sağlamalısınız.
+ Bu, Apache HTTP Sunucusunda zaten öntanımlı olarak etkindir.
+ Yapacağınız şey işletim sistemi çekirdeğini buna göre yapılandırmak
+ olacaktır.</li>
+
+ <li>Sunucu tarafından özkaynakları tüketmeden aynı anda işlenebilecek
+ bağlantıların sayısını sınırlamak için <code class="directive"><a href="../mod/mpm_common.html#maxrequestworkers">MaxRequestWorkers</a></code> yönergesini kullanın. Ayrıca, <a href="perf-tuning.html">başarım arttırma belgesine</a> de
+ bakabilirsiniz.</li>
+
+ <li>HRS’lerin etkilerini azaltmak için aynı andaki bağlantı sayısını
+ arttırabilecek evreli <a href="../mpm.html">MPM</a>’lerden birini
+ kullanmak iyi olabilir. Dahası, <code class="module"><a href="../mod/event.html">event</a></code> MPM’i
+ her bağlantıya yeni bir evre atanmaması için eşzamansız işlem yapar.
+ OpenSSL kütüphanesinin doğası nedeniyle
+ <code class="module"><a href="../mod/event.html">event</a></code> MPM’i <code class="module"><a href="../mod/mod_ssl.html">mod_ssl</a></code> ve diğer girdi
+ süzgeçleri ile henüz uyumlu değildir. Bu durumlarda,
+ <code class="module"><a href="../mod/worker.html">worker</a></code> MPM'inin davranışına geri döner.</li>
+
+ <li>Belli istemci davranışlarını sınırlayacak ve HRS ile
+ ilgili sorunları azaltmaya yardımcı olacak üçüncü parti modüller
+ bulunabilir.</li>
+ </ul>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="serverroot" id="serverroot"><code>ServerRoot</code> Dizinlerinin Ä°zinleri</a></h2>
+
+
+ <p>Normalde, Apache root kullanıcı tarafından başlatılır ve hizmetleri
+ sunarken <code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> yönergesi
+ tarafından tanımlanan kullanıcının aidiyetinde çalışır. Root tarafından
+ çalıştırılan komutlarda olduğu gibi, root olmayan kullanıcıların
+ yapacakları değişikliklerden korunmak konusunda da dikkatli
+ olmalısınız. Dosyaların sadece root tarafından yazılabilir olmasını
+ sağlamak yeterli değildir, bu dizinler ve üst dizinler için de
+ yapılmalıdır. Örneğin, sunucu kök dizininin
+ <code>/usr/local/apache</code> olmasına karar verdiyseniz, bu dizini
+ root olarak şöyle oluşturmanız önerilir:</p>
+
+ <div class="example"><p><code>
+ mkdir /usr/local/apache <br />
+ cd /usr/local/apache <br />
+ mkdir bin conf logs <br />
+ chown 0 . bin conf logs <br />
+ chgrp 0 . bin conf logs <br />
+ chmod 755 . bin conf logs
+ </code></p></div>
+
+ <p><code>/</code>, <code>/usr</code>, <code>/usr/local</code>
+ dizinlerinde sadece root tarafından değişiklik yapılabileceği kabul
+ edilir. <code class="program"><a href="../programs/httpd.html">httpd</a></code> çalıştırılabilirini kurarken de benzer
+ bir önlemin alındığından emin olmalısınız:</p>
+
+ <div class="example"><p><code>
+ cp httpd /usr/local/apache/bin <br />
+ chown 0 /usr/local/apache/bin/httpd <br />
+ chgrp 0 /usr/local/apache/bin/httpd <br />
+ chmod 511 /usr/local/apache/bin/httpd
+ </code></p></div>
+
+ <p>Diğer kullanıcıların değişiklik yapabileceği bir dizin olarak bir
+ <code>htdocs</code> dizini oluÅŸturabilirsiniz. Bu dizine root
+ tarafından çalıştırılabilecek dosyalar konulmamalı ve burada root
+ tarafından hiçbir dosya oluşturulmamalıdır.</p>
+
+ <p>Diğer kullanıcılara root tarafından yazılabilen ve çalıştırılabilen
+ dosyalarda değişiklik yapma hakkını tanırsanız, onlara root
+ kullanıcısını ele geçirilebilme hakkını da tanımış olursunuz. Örneğin,
+ biri <code class="program"><a href="../programs/httpd.html">httpd</a></code> çalıştırılabilirini zararlı bir programla
+ değiştirebilir ve o programı tekrar çalıştırdığınız sırada program
+ yapacağını yapmış olur. Günlükleri kaydettiğiniz dizin herkes
+ tarafından yazılabilen bir dizin olduğu takdirde, birileri bir günlük
+ dosyasını bir sistem dosyasına sembolik bağ haline getirerek root
+ kullanıcısının bu dosyaya ilgisiz şeyler yazmasına sebep olabilir.
+ Günlüklerin dosyaları herkes tarafından yazılabilir olduğu takdirde ise
+ birileri dosyaya yanıltıcı veriler girebilir.</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="ssi" id="ssi">Sunucu Taraflı İçerik Yerleştirme</a></h2>
+
+
+ <p>SSI sayfaları bir sunucu yöneticisi açısından çeşitli olası risklere
+ kaynaklık edebilir.</p>
+
+ <p>İlk risk, sunucu yükündeki artış olasılığıdır. Tüm SSI sayfaları, SSI
+ kodu içersin içermesin Apache tarafından çözümlenir. Bu küçük bir artış
+ gibi görünürse de bir paylaşımlı sunucu ortamında önemli bir yük haline
+ gelebilir.</p>
+
+ <p>SSI sayfaları, CGI betikleriyle ilgili riskleri de taşır. <code>exec
+ cmd</code> elemanı kullanılarak bir SSI sayfasından herhangi bir CGI
+ betiğini veya bir sistem programını Apache’nin aidiyetinde olduğu
+ kullanıcının yetkisiyle çalıştırmak mümkündür.</p>
+
+ <p>SSI sayfalarının yararlı özelliklerinden yararlanırken güvenliğini de
+ arttırmanın bazı yolları vardır.</p>
+
+ <p>Sunucu yöneticisi, bir başıbozuk SSI sayfasının sebep olabileceği
+ zararları bertaraf etmek için <a href="#cgi">CGI Genelinde</a>
+ bölümünde açıklandığı gibi <a href="../suexec.html">suexec</a>’i etkin
+ kılabilir.</p>
+
+ <p>SSI sayfalarını <code>.html</code> veya <code>.htm</code>
+ uzantılarıyla etkinleştirmek tehlikeli olabilir. Bu özellikle
+ paylaşımlı ve yüksek trafikli bir sunucu ortamında önemlidir. SSI
+ sayfalarını normal sayfalardan farklı olarak <code>.shtml</code> gibi
+ bildik bir uzantıyla etkinleştirmek gerekir. Bu, sunucu yükünü asgari
+ düzeyde tutmaya ve risk yönetimini kolaylaştırmaya yarar.</p>
+
+ <p>Diğer bir çözüm de SSI sayfalarından betik ve program çalıştırmayı
+ iptal etmektir. Bu, <code class="directive"><a href="../mod/core.html#options">Options</a></code>
+ yönergesine değer olarak <code>Includes</code> yerine
+ <code>IncludesNOEXEC</code> vererek sağlanır. Ancak, eğer betiklerin
+ bulunduÄŸu dizinde <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>
+ yönergesiyle CGI betiklerinin çalışması mümkün kılınmışsa,
+ kullanıcıların <code>&lt;--#include virtual="..." --&gt;</code> ile bu
+ betikleri çalıştırabileceklerine dikkat ediniz.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="cgi" id="cgi">CGI Genelinde</a></h2>
+
+
+ <p>Herşeyden önce ya CGI betiğini/programını yazanlara ya da kendinizin
+ CGI'deki güvenlik açıklarını (ister kasıtlı olsun ister tesadüfi)
+ yakalama becerinize güvenmek zorundasınız. CGI betikleri esasen
+ sisteminizdeki komutları site kullanıcılarının izinleriyle
+ çalıştırırlar. Bu bakımdan dikkatle denenmedikleri takdirde oldukça
+ tehlikeli olabilirler.</p>
+
+ <p>CGI betiklerinin hepsi aynı kullanıcının aidiyetinde çalışırsa diğer
+ betiklerle aralarında çelişkilerin ortaya çıkması ister istemez
+ kaçınılmazdır. Örneğin A kullanıcısının B kullanıcısına garezi varsa
+ bir betik yazıp B’nin CGI veritabanını silebilir. Bu gibi durumların
+ ortaya çıkmaması için betiklerin farklı kullanıcıların aidiyetlerinde
+ çalışmasını sağlayan ve 1.2 sürümünden beri Apache ile dağıtılan <a href="../suexec.html">suEXEC</a> diye bir program vardır. Başka bir yol
+ da <a href="http://cgiwrap.sourceforge.net/">CGIWrap</a> kullanmaktır.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="nsaliasedcgi" id="nsaliasedcgi"><code>ScriptAlias</code>’sız CGI</a></h2>
+
+
+ <p>Kullanıcıların sitenin her yerinde CGI betiklerini çalıştırmalarına
+ izin vermek ancak şu koşullarda mümkün olabilir:</p>
+
+ <ul>
+ <li>Kullanıcılarınızın kasıtlı ya da kasıtsız sistemi saldırıya açık
+ hale getirecek betikler yazmayacaklarına tam güveniniz vardır.</li>
+ <li>Sitenizin güvenliği zaten o kadar kötüdür ki, bir delik daha
+ açılmasının mahzuru yoktur.</li>
+ <li>Sitenizin sizden başka kullanıcısı yoktur ve sunucunuzu sizden
+ başka hiç kimsenin ziyaret etmesi mümkün değildir.</li>
+ </ul>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="saliasedcgi" id="saliasedcgi"><code>ScriptAlias</code>’lı CGI</a></h2>
+
+
+ <p>CGI’yi belli dizinlerle sınırlamak yöneticiye bu dizinlerde daha iyi
+ denetim imkanı sağlar. Bu kaçınılmaz olarak <code class="directive"><a href="../mod/mod_alias.html#scriptalias">ScriptAlias</a></code>’sız CGI’den çok daha
+ güvenlidir, ancak bu dizinlere yazma hakkı olan kullanıcılarınız
+ güvenilir kişiler olması ve site yöneticisinin de olası güvenlik
+ açıklarına karşı CGI betiklerini ve programlarını denemeye istekli
+ olması şartıyla.</p>
+
+ <p>Çoğu site yöneticisi <code>ScriptAlias</code>’sız CGI yerine bu
+ yaklaşımı seçer.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamic" id="dynamic">Devingen içerikli kaynaklar</a></h2>
+
+
+ <p>Sunucunun bir parçası gibi çalışan, <code>mod_php</code>,
+ <code>mod_perl</code>, <code>mod_tcl</code> ve <code>mod_python</code>
+ gibi gömülü betik çalıştırma seçenekleri sunucuyu çalıştıran
+ kullanıcının aidiyetinde çalışırlar (<code class="directive"><a href="../mod/mod_unixd.html#user">User</a></code> yönergesine bakınız). Bu bakımdan bu betik
+ yorumlayıcılar tarafından çalıştırılan betikler, sunucu kullanıcısının
+ eriştiği herşeye erişebilirler. Bazı betik yorumlayıcıların getirdiği
+ bazı sınırlamalar varsa da bunlara pek güvenmemek, gerekli sınamaları
+ yine de yapmak gerekir.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="dynamicsec" id="dynamicsec">Devingen içeriğin güvenliği</a></h2>
+
+
+ <p><code>mod_php</code>, <code>mod_perl</code> veya
+ <code>mod_python</code> gibi devingen içeriği yapılandırırken
+ güvenlikle ilgili değerlendirmelerin çoğu <code>httpd</code>'nin
+ kapsamından çıkar ve bu modüllerin belgelerini incelemek ihtiyacı
+ duyarsınız. Örneğin, PHP çoğu zaman kapalı tutulan
+ <a href="http://www.php.net/manual/en/ini.sect.safe-mode.php">Güvenli
+ Kip</a> ayarını etkin kılmanızı önerir. Daha fazla güvenlik için bir
+ diğer örnek bir PHP eklentisi olan
+ <a href="http://www.hardened-php.net/suhosin/">Suhosin</a>'dir. Bunlar
+ hakkında daha ayrıntılı bilgi için her projenin kendi belgelerine
+ baÅŸvurun.</p>
+
+ <p>Apache seviyesinde, <a href="http://modsecurity.org/">mod_security</a>
+ adı verilen modülü bir HTTP güvenlik duvarı gibi ele alabilir, devingen
+ içeriğin güvenliğini arttırmanıza yardımcı olmak üzere inceden inceye
+ yapılandırabilirsiniz.</p>
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="systemsettings" id="systemsettings">Sistem Ayarlarının Korunması</a></h2>
+
+
+ <p>Güvenliği gerçekten sıkı tutmak istiyorsanız, kullanıcılarınızın
+ yapılandırmanızdaki güvenlik ayarlarını geçersiz kılmak için
+ <code>.htaccess</code> dosyalarını kullanabilmelerinin de önüne
+ geçmelisiniz. Bunu yapmanın tek bir yolu vardır.</p>
+
+ <p>Sunucu yapılandırma dosyanıza şunu yerleştirin:</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ AllowOverride None
+&lt;/Directory&gt;</pre>
+
+
+ <p>Böylece, belli dizinlerde özellikle etkinleştirilmedikçe bütün
+ dizinlerde <code>.htaccess</code> dosyalarının kullanımını engellemiş
+ olursunuz.</p>
+
+ <p>Bu ayar Apache 2.3.9 itibariyle öntanımlıdır.</p>
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="protectserverfiles" id="protectserverfiles">Sunucu dosyalarının öntanımlı olarak korunması</a></h2>
+
+
+ <p>Apache’nin ister istemez yanlış anlaşılan yönlerinden biri öntanımlı
+ erişim özelliğidir. Yani siz aksine bir şeyler yapmadıkça, sunucu normal
+ URL eşleme kurallarını kullanarak bir dosyayı bulabildiği sürece onu
+ istemciye sunacaktır.</p>
+
+ <p>Örneğin, aşağıdaki durumu ele alalım:</p>
+
+ <div class="example"><p><code>
+ # cd /; ln -s / public_html
+ </code></p></div>
+
+ <p>Ve, tarayıcınıza <code>http://localhost/~root/</code> yazın.</p>
+
+ <p>Böylece, istemcilerin tüm dosya sisteminizi gezmelerine izin vermiş
+ olursunuz. Bu işlemin sonuçlarının önünü almak için sunucu yapılandırma
+ dosyanıza şunları yazın:</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/"&gt;
+ Require all denied
+&lt;/Directory&gt;</pre>
+
+
+ <p>Bu suretle, dosya sisteminize öntanımlı erişimi yasaklamış olursunuz.
+ Erişime izin vermek istediğiniz dizinler için uygun <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> bölümleri eklemeniz yeterli
+ olacaktır. Örnek:</p>
+
+ <pre class="prettyprint lang-config">&lt;Directory "/usr/users/*/public_html"&gt;
+ Require all granted
+&lt;/Directory&gt;
+&lt;Directory "/usr/local/httpd"&gt;
+ Require all granted
+&lt;/Directory&gt;</pre>
+
+
+ <p><code class="directive"><a href="../mod/core.html#location">Location</a></code> ve <code class="directive"><a href="../mod/core.html#directory">Directory</a></code> yönergelerinin etkileşimine de
+ özellikle önem vermelisiniz; örneğin <code>&lt;Directory "/"&gt;</code>
+ erişimi yasaklarken bir <code>&lt;Location "/"&gt;</code> yönergesi bunu
+ ortadan kaldırabilir.</p>
+
+ <p><code class="directive"><a href="../mod/mod_userdir.html#userdir">UserDir</a></code> yönergesi de size
+ buna benzer bir oyun oynayabilir; yönergeye <code>./</code> atamasını
+ yaparsanız, root kullanıcısı söz konusu olduğunda yukarıda ilk örnekteki
+ durumla karşılaşırız. Sunucu yapılandırma dosyanızda aşağıdaki satırın
+ mutlaka bulunmasını öneririz:</p>
+
+ <pre class="prettyprint lang-config">UserDir disabled root</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="watchyourlogs" id="watchyourlogs">Günlüklerin İzlenmesi</a></h2>
+
+
+ <p>Sunucunuzda olup biteni günü gününe bilmek istiyorsanız <a href="../logs.html">günlük dosyalarına</a> bakmalısınız. Günlük dosyaları
+ sadece olup biteni raporlamakla kalmaz, sunucunuza ne tür saldırılar
+ yapıldığını ve güvenlik seviyenizin yeterli olup olmadığını anlamanızı da
+ saÄŸlarlar.</p>
+
+ <p>Bazı örnekler:</p>
+
+ <div class="example"><p><code>
+ grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
+ grep "client denied" error_log | tail -n 10
+ </code></p></div>
+
+ <p>İlk örnek, <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat Source.JSP Bozuk İstek Bilgilerini İfşa Açığı</a>nı
+ istismar etmeyi deneyen saldırıların sayısını verirken ikinci örnek,
+ reddedilen son on istemciyi listeler; örnek:</p>
+
+ <div class="example"><p><code>
+ [Thu Jul 11 17:18:39 2002] [error] [client foo.example.com] client denied
+ by server configuration: /usr/local/apache/htdocs/.htpasswd
+ </code></p></div>
+
+ <p>Gördüğünüz gibi günlük dosyaları sadece ne olup bittiğini raporlar, bu
+ bakımdan eğer istemci <code>.htpasswd</code> dosyasına erişebiliyorsa <a href="../logs.html#accesslog">erişim günlüğünüzde</a> şuna benzer bir
+ kayıt görürsünüz:</p>
+
+ <div class="example"><p><code>
+ foo.example.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
+ </code></p></div>
+
+ <p>Bu, sunucu yapılandırma dosyanızda aşağıdaki yapılandırmayı iptal
+ ettiğiniz anlamına gelir:</p>
+
+ <pre class="prettyprint lang-config">&lt;Files ".ht*"&gt;
+ Require all denied
+&lt;/Files&gt;</pre>
+
+
+ </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="section">
+<h2><a name="merging" id="merging">Yapılandırma bölümlerinin birleştirilmesi</a></h2>
+
+
+
+ <p>Yapılandırma bölümlerinin birleştirilmesi karmaşık bir işlem olup bazı
+ durumlarda yönergelere bağlıdır. Yönergeleri bir araya getirirken
+ aralarındaki bağımlılıkları daima sınayın.</p>
+
+ <p><code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code> gibi henüz yönerge katıştırma
+ mantığını gerçeklememiş modüller için sonraki bölümlerdeki davranış, bu
+ modüllerin yönergelerini içerip içermemesine bağlıdır. Yapılandırmada
+ yönergelerin <em>yerleri değiştirildiğinde</em> fakat bir katıştırma
+ yapılmadığında, yapılandırma bir değişiklik yapılana kadar miras
+ alınır.</p>
+ </div></div>
+<div class="bottomlang">
+<p><span>Mevcut Diller: </span><a href="../en/misc/security_tips.html" hreflang="en" rel="alternate" title="English">&nbsp;en&nbsp;</a> |
+<a href="../fr/misc/security_tips.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a> |
+<a href="../ko/misc/security_tips.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a> |
+<a href="../tr/misc/security_tips.html" title="Türkçe">&nbsp;tr&nbsp;</a></p>
+</div><div class="top"><a href="#page-header"><img src="../images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Yorumlar</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&amp;A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Libera.chat, or sent to our <a href="https://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/2.4/misc/security_tips.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2023 The Apache Software Foundation.<br /><a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a> altında lisanslıdır.</p>
+<p class="menu"><a href="../mod/">Modüller</a> | <a href="../mod/directives.html">Yönergeler</a> | <a href="http://wiki.apache.org/httpd/FAQ">SSS</a> | <a href="../glossary.html">Terimler</a> | <a href="../sitemap.html">Site Haritası</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
+</body></html> \ No newline at end of file