[Geomoose-users] Securing an application- hidden directories

Bistrais, Bob Bob.Bistrais at maine.gov
Thu Jan 28 12:04:40 PST 2016


Good point.  I already have directory settings in the conf file, might need some adjustment.

From: TC Haddad [mailto:tchaddad at gmail.com]
Sent: Thursday, January 28, 2016 2:58 PM
To: Bistrais, Bob
Cc: geomoose-users at lists.osgeo.org
Subject: Re: [Geomoose-users] Securing an application- hidden directories


One guess is that I think you can set permissions for your own applications based on their IP address, such that they can use that directory, while others cannot.
So in the directory settings you would have:

Order deny,allow
Deny from all
Allow from xyz
Where xyz is the IP address that you want to allow access from.
I'm not sure how this works in combination with the redirect you are trying to set - you would have to test to see which takes precedence.

But I think if implemented successfully the directory setting would protect the content of your directory, even if the name is not hidden.


On Thu, Jan 28, 2016 at 11:46 AM, Bistrais, Bob <Bob.Bistrais at maine.gov> wrote:
My saga of securing a GeoMoose website continues.  One of the issues reported in the latest security scan is that hidden directories were detected.  These normally issue a 403 Forbidden response.  The recommended practice is to issue a 404 Not Found response instead.

I found out how to do this through the Apache settings, and it’s pretty easy- in the httpd.conf file, add a line like this:
RedirectMatch 404 "../(the_directory_name)"

-That works for the majority of the hidden directories, but it falls apart with the cgi-bin directory.  If I add a line in the conf file:
RedirectMatch 404 "cgi-bin"

-Then the application itself seems unable to access its own PHP files, or at least the errors occur when calling them.

This may be more a Mapserver or Apache question, but wonder if anyone here has any suggestions?
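
Why the cgi-bin rule in the original message also catches the application's own PHP requests, as an added example that is not part of the thread: RedirectMatch treats its argument as an unanchored regular expression on the URL-path, so "cgi-bin" matches every URL containing that string. The request paths, the script name app.php and the anchored pattern are assumptions, and Python's re module stands in for Apache's regex engine.

```python
import re

# Constructed request URIs; app.php is a hypothetical script name,
# not taken from the GeoMoose layout.
MUST_HIDE = ["/cgi-bin", "/cgi-bin/"]            # bare directory URLs a scanner probes
MUST_SERVE = ["/cgi-bin/app.php",
              "/cgi-bin/app.php?mode=map",
              "/maps/index.html"]                 # URLs the application still needs

BROAD = "cgi-bin"            # pattern from the original message
ANCHORED = r"^/cgi-bin/?$"   # assumed alternative: match only the bare directory


def hits(pattern, request_uri):
    """Approximate RedirectMatch: unanchored regex search on the URL-path."""
    url_path = request_uri.split("?", 1)[0]   # the query string is not part of the URL-path
    return re.search(pattern, url_path) is not None


def check_rules(patterns, must_hide, must_serve):
    """Return (still_exposed, broken) for a set of RedirectMatch 404 patterns.

    still_exposed: URLs that should answer 404 but match no pattern.
    broken:        URLs the application needs that a pattern would turn into 404.
    """
    still_exposed = [u for u in must_hide
                     if not any(hits(p, u) for p in patterns)]
    broken = [u for u in must_serve
              if any(hits(p, u) for p in patterns)]
    return still_exposed, broken


if __name__ == "__main__":
    for label, pattern in (("broad", BROAD), ("anchored", ANCHORED)):
        exposed, broken = check_rules([pattern], MUST_HIDE, MUST_SERVE)
        print(f'RedirectMatch 404 "{pattern}" ({label})')
        print("  still exposed:", exposed or "none")
        print("  broken       :", broken or "none")
```

Whether the anchored pattern coexists with the rest of a given httpd.conf still has to be confirmed on the server itself, for example by requesting each listed URL and comparing status codes.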
