• Limit Apache to listen only on local interface by configuring /etc/httpd/conf/httpd.conf to read:
Listen 127.0.0.1:80
• Use the following to disable access to the entire filesystem by default, unless explicitly permitted. This will disable printing of indexes if no index.html exists, server-side includes, and following symbolic links. Disabling symlinks may impact performance for large sites.
<Directory /> Options None AllowOverride None Order deny,allow Deny from all </Directory>
• Use the following to control access to the server from limited addresses in /etc/httpd/conf/access.conf to read:
<Directory /home/httpd/html> # Deny all accesses by default Order deny,allow # Allow access to local machine Allow from 127.0.0.1 # Allow access to entire local network Allow from 192.168.1. # Allow access to single remote host Allow from 192.168.5.3 # Deny from everyone else Deny from all </Directory>
• Use the following to require password authentication when attempting to access a specific directory in /etc/httpd/conf/access.conf:
<Directory /home/httpd/html/protected> Order Deny,Allow Deny from All Allow from 192.168.1.11 AuthName “Private Information” AuthType Basic AuthUserFile /etc/httpd/conf/private-users AuthGroupFile /etc/httpd/conf/private-groups require group <group-name> </Directory>
Create the private-groups file using the following format:
group-name: user1 user2 user…
Create password entries for each user in the above list:
# htpasswd -cm /etc/httpd/conf/private-users user1 New password: <password> Re-type new password: <password> Adding password for user user1
Be sure to restart apache and test it. This will result in the enabling of double reverse lookups to verify the identity of the remote host. Remove the -c option to htpasswd after the first user has been added. Be sure the password file you create is not located within the DocumentRoot to prevent it from being downloaded.