On October 1, 2012 15:47, Tom Browder <tom.browder@xxxxxxxxx> wrote:
>> The solution -- as far as Apache HTTP Server is concerned -- is [1]
>> to move the CGIs into the area in 1, or, alternatively, [2]
>> configure area in 2 to also require clients to present SSL
>> certificates. [3] If you prefer, you can make client certificates
>> optional for the area in which you have the CGIs (while still
>> requiring client certificates for area 1), but [4] then you'll need
>> to modify each one of your CGIs to check to see whether a client
>> presented a certificate for a given request, and, based on that plus
>> other details of the request, have each CGI make an authorization
>> decision regarding whether to respond with the requested content or
>> whether to respond with an HTTP 403 "Forbidden" error.
>
> Configuration [3] is what I currently have. I considered configuration
> [1] originally but chose not to because of recommendations to get CGI
> programs out of the DocumentRoot area. The solution in [4] is what I'm
> working on at the moment.
>
>> Given this, I would go with [2] unless there is a reason against it.
>> It keeps the CGI programs out of the DocumentRoot area, while
>> preserving the requirement for client certificates. The only reason I
>> could see to not do [2] would be if the CGIs also need to be accessed
>> by clients that do not have certificates.
>>
>> If this doesn't answer your question, then I'm not clear on what you
>> are actually asking, and maybe someone else can respond better.
>
> That sums it up perfectly, and I appreciate the analysis. Given a
> choice of configurations [1] and [3], which would you choose?
>
> [1] would be easiest for maintenance, but some might not like the CGIs
> under DocumentRoot.
>
> [3] might be better practice, but would require more attention (e.g.,
> scripts to check that all CGI programs have the necessary checks of
> SSL certificates--that's what I'm working on).
Just between these two? Modifying the CGIs is only practical if there are relatively few of them.
[1] is not bad, per se. The only reason to have CGIs outside of the DocumentRoot directory is to enforce separation between static and dynamic content (so that misconfigurations are a little less likely to result in disclosure of the code for CGI scripts, which may contain passwords or other details about your servers that you would not want getting out). The Apache HTTP Server documentation contains examples of serving CGIs from underneath DocumentRoot and also user home directories: https://httpd.apache.org/docs/2.4/howto/cgi.html
--
Mark Montague
mark@xxxxxxxxxxx
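As an added illustration (not code from this thread) of the per-CGI check that option [4] describes: a Python CGI that refuses any request without a verified client certificate, using the variables mod_ssl exports when the CGI directory has `SSLVerifyClient optional` and `SSLOptions +StdEnvVars`; the trusted-issuer DN is a constructed value.

```python
#!/usr/bin/env python3
"""CGI-side authorization for option [4]: the script itself decides, from
the variables mod_ssl exports, whether a verified client certificate was
presented and answers 403 otherwise.

Assumes the CGI directory has `SSLVerifyClient optional` and
`SSLOptions +StdEnvVars`, so SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and
SSL_CLIENT_I_DN reach the script. TRUSTED_ISSUER_DN is a constructed value."""
import os
import sys

# Constructed example issuer; pin this to the CA you actually accept.
TRUSTED_ISSUER_DN = "CN=Example Internal CA,O=Example Corp"


def client_cert_status(environ):
    """Return (http_status, detail) for a CGI environment.

    SSL_CLIENT_VERIFY is NONE (no cert), SUCCESS (verified against the
    configured CA chain), GENEROUS (optional_no_ca) or FAILED:<reason>."""
    if environ.get("HTTPS") != "on":
        return 403, "request did not arrive over TLS"
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return 403, "no client certificate presented"
    if verify != "SUCCESS":
        return 403, "client certificate not verified (%s)" % verify
    if environ.get("SSL_CLIENT_I_DN", "") != TRUSTED_ISSUER_DN:
        return 403, "certificate issued by an untrusted CA"
    subject = environ.get("SSL_CLIENT_S_DN", "")
    if not subject:
        return 403, "verified certificate has an empty subject"
    return 200, subject


def respond(environ, out=sys.stdout):
    """Emit CGI headers and body; the 'Status:' header sets httpd's response code."""
    status, detail = client_cert_status(environ)
    if status != 200:
        out.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n")
        out.write("Forbidden: " + detail + "\n")
    else:
        out.write("Content-Type: text/plain\r\n\r\n")
        out.write("Authorized client: " + detail + "\n")
    return status


if __name__ == "__main__":
    respond(os.environ)
```

Option [2] avoids this per-script logic entirely: `SSLVerifyClient require` in the `<Directory>` block covering the ScriptAlias'd CGI directory makes httpd reject such requests before any script runs.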