On Sat, 2013-07-20 at 16:10 -0400, Nico Kadel-Garcia wrote:
> On Sat, Jul 20, 2013 at 3:53 PM, Adam Williamson <awilliam@xxxxxxxxxx> wrote:
> > I'm not sure if I'm missing anything here, but is it intended that
> > webapps should not be accessible from anywhere but localhost by default?
> > This seems to be the case for at least wordpress - which is my kind of
> > 'gold standard' for webapp packaging on Fedora, I use it as a reference
> > - and roundcubemail. They both have this block in
> > their /etc/httpd/conf.d/name.conf file:
> >
> > <Directory /usr/share/name>
> >     AllowOverride Options
> >     <IfModule mod_authz_core.c>
> >         # Apache 2.4
> >         Require local
> >     </IfModule>
> >     <IfModule !mod_authz_core.c>
> >         # Apache 2.2
> >         Order Deny,Allow
> >         Deny from All
> >         Allow from 127.0.0.1
> >         Allow from ::1
> >     </IfModule>
> > </Directory>
> >
> > Which pretty clearly disallows access from anywhere but localhost. It
> > seems an odd default configuration, in that if you ever want to allow
> > anyone to actually access your webapp you're going to have to change it,
> > which will prevent it ever being automatically updated again (you'll
> > always get a .rpmnew file). I have to change the 'Require local' to
> > 'Require all granted' and restart httpd in order to actually let
> > anything but localhost access the site.
>
> It's a vastly safer initial setup than leaving it wide open, by
> default. This applies to many tools such as Nagios and cacti, that may
> share information about your system that you really should review
> before exposing.
>
> You should also be able to use a reload, not necessarily a restart, to
> get it working. (Although I've not been trying this with systemd!)

'apachectl reload' didn't seem to do the job.

It's a 'safer' default in the same way that a computer that's turned off is safer than one that's turned on, I guess...though I suppose lots of webapps do have initial configuration that you want to make sure is not run remotely, obviously.

But it does leave the rpmnew problem.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
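One way to widen access without either editing the packaged name.conf (which is what triggers the .rpmnew problem discussed above) or falling back to 'Require all granted', shown here as an added example that is not from the thread or from any Fedora package. It assumes a separate drop-in file whose name sorts after name.conf, since conf.d/*.conf is included in alphabetical order, and it uses the documentation range 192.0.2.0/24 as a placeholder for whatever network actually needs access. The packaged 'Require local' block stays untouched; because Apache 2.4 defaults to AuthMerging Off, a later <Directory> block for the same path that carries its own Require directives replaces the earlier authorization rather than adding to it.

```apache
# /etc/httpd/conf.d/zz-name-access.conf  (hypothetical file name; "zz-"
# makes it sort after name.conf when conf.d/*.conf is included)
#
# name.conf is left exactly as the package shipped it, so it still updates
# cleanly. This block supplies its own authorization for the same directory;
# with Apache 2.4's default AuthMerging Off it replaces the packaged
# "Require local" instead of merging with it.
<Directory /usr/share/name>
    <IfModule mod_authz_core.c>
        # Apache 2.4: several Require lines at one level are OR-ed
        # (implicit RequireAny). Keep localhost and add only the network
        # that needs the app; 192.0.2.0/24 is a placeholder to replace.
        Require local
        Require ip 192.0.2.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: restate the localhost entries so this block stands
        # on its own, then add the permitted network.
        Order Deny,Allow
        Deny from All
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 192.0.2.0/24
    </IfModule>
</Directory>
```

Run 'apachectl configtest' after dropping the file in; a typo in a Require line fails the syntax check rather than silently opening or closing the site. The trade-off against 'Require all granted' is that the exposure is bounded to a network you chose, so the initial-setup pages that Nico mentions are still only reachable from hosts you trust.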