Security and Apache: An Essential Primer
Maxwell's Demon and Hat Colour
February 21, 2000
"Long ago and far away
Maxwell felt the need one day
For a Demon, scarce as high
As the atoms going by.
Over heat he gave it sway,
Making warmth go either way
From the vector Nature gave.
Maxwell's Demon, come and save!"
�����-- Christopher Stasheff, Her Majesty's
Chances are that your Web site has at least a few pages that you really
don't want published to the Internet at large. How do you keep the Black Hats
from seeing them, whilst not impeding the access of the White Hats who need
What Apache Security Won't Help
At the time I'm writing this (February 2000), there's a lot of
current-events news about major Web sites being taken down temporarily by
denial-of-service (DoS) attacks. The specific attack type in question
cannot be stopped by Apache, even though it may be aimed at the Web
site. Apache is just a software application running on the system; these
attacks are aimed at the systems themselves. As someone has pointed out,
"If you have 1GB/s heading for your server then the pipe is going to
saturate before Apache even gets a chance to see the packets."
But for less extreme cases, Apache's implementation of the Web security
mechanisms, when properly implemented, should be more than adequate to protect
your sensitive pages from exposure.
Assumptions in This Article
For the rest of this article, I'm going to make the following assumptions:
- your Apache source tree starts at
- your Apache ServerRoot is
- your Apache DocumentRoot is
- the username under which Apache runs (the value of the
directive in your
httpd.conf file) is
All of the
cd and other shell commands in this article that
refer to directories use these locations.