Directory Options directive and AllowOverride, help constructing right syntax

Discussion in 'Apache' started by postcd, Dec 12, 2017.

  1. #1
    Hello,

    I have an Apache 2.2, PHP 5.3, SuPHP handler web server

    and my aim is to:
    - prevent users/hosted PHP/JS scripts from executing pl, cgi, sh and other possibly dangerous scripts that are not necessary to run PHP web sites
    - prevent website visitors from using symlinks to locations outside of their username

    To do that, I found the following code and included it in all virtualhosts on the server:

    <Directory "/">
      Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
      AllowOverride All
    </Directory>
    Code (markup):
    (BUT I think this code is wrong and at least missing "+" signs, and also I allow all users to override my directives in their .htaccess files)

    So I want to tighten the security, and found that other people advise these constructs instead:

    <Directory "/">
    Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks
    </Directory>
    Code (markup):
    or:

    <Directory "/">
    Options +All +ExecCGI -FollowSymLinks +Includes +IncludesNOEXEC -Indexes -MultiViews +SymLinksIfOwnerMatch
    AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    Code (markup):
    (I do not understand how AllowOverride works: I allow override All, so what is the use of Options= when I have already allowed overriding of all options by defining AllowOverride All?)

    So far this is what I want to use now, and I would like to ask for your kind feedback on how to enhance it:

    <Directory "/">
    Options +All +ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch +Includes +IncludesNOEXEC -Indexes -MultiViews
    AllowOverride None Options=Indexes,MultiViews
    </Directory>
    Code (markup):
    I have doubts about whether I should use Option +All and AllowOverride None. The third thing is the "-FollowSymLinks +SymLinksIfOwnerMatch", which I assume (if hosted websites like Joomla are to work) will need me to adjust all .htaccess files (on a regular basis) so that they do not contain FollowSymLinks and contain FollowSymLinksIfOwnerMatch instead, unless I want people to see Error 500. I want to ask for feedback on how to adjust the above-mentioned code for good security. I am hosting websites which may be hacked, or sites whose owners can abuse the server on purpose, so my aim is the highest security. But at the same time I do not want to cause excessive Error 500 for casual CMSs like WordPress, Joomla, Drupal.
    Thank You
     
    postcd, Dec 12, 2017 IP
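
Added example (not part of the original post, and not Apache's own logic): a small Python lint that applies rules from the Apache documentation to the directive lines quoted above, flagging mixed prefixed/unprefixed Options, ExecCGI or FollowSymLinks left on, and AllowOverride settings that let .htaccess turn them back on. The finding names, the RISKY set and the left-to-right evaluation with nothing inherited are assumptions made for this illustration.

```python
# Added example: static lint for the Options / AllowOverride lines quoted in the post.
RISKY = {"execcgi", "followsymlinks"}   # options the poster wants kept off
ALL = {"execcgi", "followsymlinks", "includes", "includesnoexec",
       "indexes", "symlinksifownermatch"}   # "All" does not include MultiViews

def audit(block):
    """Return sorted finding codes for the directives of one <Directory> block."""
    findings = set()
    for line in block.splitlines():
        words = line.split()
        if not words:
            continue
        directive, args = words[0].lower(), words[1:]
        if directive == "options":
            signed = [a[0] in "+-" for a in args]
            if any(signed) and not all(signed):
                findings.add("options-mixed-prefix")   # invalid per Apache docs
            enabled = set()   # assumption: nothing inherited from a parent scope
            for a in args:    # simplified left-to-right model, not Apache's merge
                name = a.lstrip("+-").lower()
                names = ALL if name == "all" else {name}
                enabled = enabled - names if a.startswith("-") else enabled | names
            findings |= {"enabled-" + o for o in enabled & RISKY}
        elif directive == "allowoverride":
            keys = [a.lower() for a in args]
            if "all" in keys:
                findings.add("override-all")   # .htaccess may set any Options
            if "none" in keys and len(keys) > 1:
                findings.add("override-none-combined")   # None means "ignore .htaccess"
            for k in keys:
                if k == "options":
                    findings.add("override-options-unrestricted")
                elif k.startswith("options="):
                    allowed = set(k[len("options="):].split(","))
                    findings |= {"override-allows-" + o for o in allowed & RISKY}
    return sorted(findings)

# Directive lines copied from the post's first, second and last blocks.
FIRST = """Options -ExecCGI -FollowSymLinks Includes IncludesNOEXEC Indexes -MultiViews SymLinksIfOwnerMatch
AllowOverride All"""
SECOND = """Options +ExecCGI -FollowSymLinks -Includes +IncludesNOEXEC +Indexes -MultiViews +SymLinksIfOwnerMatch
AllowOverride AuthConfig FileInfo Indexes Limit Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,FollowSymLinks"""
LAST = """Options +All +ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch +Includes +IncludesNOEXEC -Indexes -MultiViews
AllowOverride None Options=Indexes,MultiViews"""

if __name__ == "__main__":
    for label, block in (("first", FIRST), ("second", SECOND), ("last", LAST)):
        print(label, audit(block))
```

The lint only reads the lines it is given; `apachectl configtest` remains the authoritative syntax check for the running server.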