User guide

Security Measures for Operation of the Web Server (Interstage HTTP Server)
IP access control:
It is possible to permit access only to specific clients.
For information about IP access control, refer to IP Access Control in Authentication and Access
Control for the Interstage HTTP Server in Chapter 9.
Use of SSL encryption:
A high level of security can be retained, where client authentication is possible.
For information about SSL encryption, refer to Chapter 9, How to Use SSL with Interstage HTTP
Server.
Limitations on the size of request messages from clients:
Set the maximum size of a request message to prevent a buffer overflow. The maximum size of
the request message is set by the following directives of the environment definition file
(httpd.conf):
LimitRequestBody
LimitRequestFields
LimitRequestFieldsize
LimitRequestLine
Leakage of Password Information
The Interstage HTTP Server has a password file, which a malicious person may try to read covertly.
The password data in the password file is encrypted; still, it is recommended that the administrator
create the password file using the 'htpasswd' command to make it inaccessible to end users.
Unauthorized Access to Resource Files
Interstage HTTP Server has the resource files listed below:
Contents
Environment definition file (httpd.conf)
Access log file
Error log file
CGI
Environment definition file for each directory (.htaccess)
These files may be exposed to the threat of unauthorized access.
To protect these files, make them inaccessible to end users. Making these files accessible only to
users with administrator privileges is recommended (superuser for a Solaris OE/Linux system, and
Administrator for a Windows(R) system).
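
One way to check this recommendation on a Solaris OE/Linux system, covering both the password file and the resource files listed above (an added example, not part of the original guide). It assumes a strict reading: each file must be owned by the administrator account and carry no group or other permission bits. The function name and the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: report files that are reachable by accounts other than
# the expected administrator account.
#
# Usage (paths are placeholders for your installation):
#   audit_resource_files root /path/to/httpd.conf /path/to/password-file \
#       /path/to/access-log /path/to/error-log /path/to/.htaccess
#
# Prints one line per finding; returns 0 if every file passes, 1 otherwise.
audit_resource_files() {
    expected_owner=$1
    shift
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"
            status=1
            continue
        fi
        # ls -ldL: field 1 is the mode string, field 3 the owner name.
        # -L checks the target of a symbolic link, not the link itself.
        line=$(ls -ldL -- "$f")
        mode=$(printf '%s\n' "$line" | awk '{print $1}')
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        # Characters 5-10 of the mode string are the group and other bits.
        rest=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$owner" != "$expected_owner" ]; then
            echo "OWNER $f is owned by $owner, expected $expected_owner"
            status=1
        fi
        if [ "$rest" != "------" ]; then
            echo "MODE $f is $mode: group or other access is granted"
            status=1
        fi
    done
    return $status
}
```

If a file must be read by a non-administrator service account in your deployment, treat its MODE finding as something to review rather than an automatic failure.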