> -----Original Message----- > From: John Rodenbiker [mailto:jrodenbiker@xxxxxxxxxxxxxx] > Sent: Freitag, 10. März 2006 22:59 > To: users@xxxxxxxxxxxxxxxx > Subject: [users@httpd] Blocking invalid URIs? > > I'm very new to running a web server. > > Is there a way to have httpd drop requests No. The HTTP RFC requires a server to respond to a valid HTTP request. It can respond with an error (401, 403, 404 etc) but it must respond. [NB - a request for a resource you don't have is a valid request]. >to URIs that don't > actually > exist in my environment? > > For example, if I have a very simple web site with just the document > "index.html" I don't want people trying to access > "../../../../../users/john/secretstuff". I would prefer such attempts > be dropped, logged, and an alert thrown to my mailbox or a > script that > calls my cell phone. They'll be responded with a 403 Forbidden (assuming they land outside the docroot) and logged in the access log and error log. You can define the ErrorDocument directive to run a program when the error is hit (see docs for details) and that program can do what you like - send mails, ring phones etc. Do you really want your phone to ring ever time someone sends a funny request? > > If such functionality exists, is there a way for httpd to > automatically > figure out which URIs are valid and which are not without me > changing a > database, config file, etc. every time I update my site? No. httpd is a webserver - it parses requests, fetches the resource and sends the data. The only way you can figure out the extent of a website is by mirroring it. So you could run something like wget on your site, make an image, then write a module that only allowed requests if the resource was in the image (but that's what apache does anyway?) > > It seems like this is an obvious way How is it obvious? What you are asking is, in parts, in violation of the RFC, impossible, extremely difficult, performance-reducing and re-inventing the wheel. >to prevent a host of > attacks on my > web server like > buffer-overflow attempts, Buffer overflows are identified and fixed by the guys in the white hats long before anyone ever develops an exploit - keep up to date with patches and upgrades and you don't need to worry. > mis-configuration of the server, If you've misconfigured your server, your wget image will contain the misconfiguration so will be allowed. UNless you define the image separately (ah - but you don't want to do that). > cross-site scripting attacks, Eh? This is java-script loaded into forum pages and so on... That's valid content. If you don't want it, filter it at the form-handler. To put your mind at ease, an up-to-date apache, with up-to-date components (OpenSSL, modules etc) running on an up-to-date OS is a pretty solid proposition. Sure, you'll get lots of wierd requests but they'll all end up in the bit-bucket and are nothing to worry about... Rgds, Owen Boyle Disclaimer: Any disclaimer attached to this message may be ignored. > etc. I > just can't figure out where to look to turn this on and configure it. > > Thanks. > -- > Freedom, Truth, Love, Beauty. > John Rodenbiker > jrodenbiker@xxxxxxxxxxxxxx > > > > --------------------------------------------------------------------- > The official User-To-User support forum of the Apache HTTP > Server Project. > See <URL:http://httpd.apache.org/userslist.html> for more info. > To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx > For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx > > Diese E-mail ist eine private und persönliche Kommunikation. Sie hat keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Gruppe. This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Group. Le présent e-mail est un message privé et personnel, sans rapport avec l'activité boursière du Groupe SWX. This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|