[cobalt-users] SecureServerAlias Directory index forbidden hack
- Subject: [cobalt-users] SecureServerAlias Directory index forbidden hack
- From: "Sim Ayers" <sim@xxxxxxxxxxxx>
- Date: Sat Nov 17 11:01:06 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
SecureServerAlias Directory index forbidden hack & fix:
To keep users from getting a directory index of the cgi-bin directories
we added the typical -Indexes rule in our access.conf file.
<Directory /home/sites/*/web/cgi-bin>
Options -Indexes
</Directory>
This works fine if the user enters a URL something like this
http://www.myclient.com/cgi-bin/
The server returns the 'access forbidden' web page.
However, if the user enters an https URL and it's an alias,
then the server returns a directory index listing.
https://www.myserver.com/myclient_alias/cgi-bin/
If you set up a SecureServerAlias for your clients,
then you'll need to add the -Indexes rule to:
#SecureServerAlias rule
<Directory /home/sites/site1/secure>
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
</Directory>
changed to:
<Directory /home/sites/site1/secure>
Options +FollowSymLinks +ExecCGI -Indexes
AddHandler cgi-script .cgi
AddHandler cgi-script .pl
</Directory>
Typical secure server alias in srm.conf file example
#SecureServerAlias
Alias /amazondistributing /home/sites/site1/secure/amazondistributing
symbolic link in /home/sites/site1/secure
amazondistributing -> /home/sites/site11/web
You could put an index.html file in all of your clients' cgi-bin directories,
but adding the -Indexes to your SecureServerAlias rule is easier.
Sim
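
Added example, not part of the original post: a simplified Python model of how Options from <Directory> sections merge for a path exactly as it is requested (symlinks are not resolved when sections are matched), which is why the wildcard rule never reaches the aliased cgi-bin. audit() maps each Alias URL to whether its cgi-bin would get a listing; the helper names, the merged sample config and the Indexes-on default (taken from the listing the post observed) are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase
# Constructed sample: the directives quoted in the post, merged into one text.
SAMPLE_CONF = """\
<Directory /home/sites/*/web/cgi-bin>
Options -Indexes
</Directory>
<Directory /home/sites/site1/secure>
Options +FollowSymLinks +ExecCGI
</Directory>
Alias /amazondistributing /home/sites/site1/secure/amazondistributing
"""

def parse(conf):
    """Return ([(dir_pattern, [Options token lists])], [(alias_url, fs_path)])."""
    sections, aliases, current = [], [], None
    for line in map(str.strip, conf.splitlines()):
        if m := re.match(r"<Directory\s+(.+?)>$", line, re.I):
            sections.append(current := (m.group(1).strip('"').rstrip("/"), []))
        elif re.match(r"</Directory>", line, re.I):
            current = None
        elif current and (m := re.match(r"Options\s+(.+)", line, re.I)):
            current[1].append(m.group(1).split())
        elif m := re.match(r"Alias\s+(\S+)\s+(\S+)", line, re.I):
            aliases.append((m.group(1), m.group(2).rstrip("/")))
    return sections, aliases

def applies(pattern, path):
    # A section covers its directory and everything below; '*' never spans '/'.
    pat, parts = pattern.split("/"), path.split("/")
    return len(pat) <= len(parts) and all(fnmatchcase(s, p) for p, s in zip(pat, parts))

def indexes_enabled(sections, path, default=True):
    """Indexes state for the path as requested, symlinks unresolved (default assumed)."""
    state = default
    matching = [s for s in sections if applies(s[0], path)]
    for _, directives in sorted(matching, key=lambda s: s[0].count("/")):  # shortest first
        for tokens in directives:
            if all(t[0] in "+-" for t in tokens):  # relative: merge with inherited
                for t in tokens:
                    if t[1:].lower() in ("indexes", "all"):
                        state = t[0] == "+"
            else:  # absolute: replaces whatever was inherited
                state = any(t.lower() in ("indexes", "all") for t in tokens)
    return state

def audit(conf, subdir="cgi-bin"):
    sections, aliases = parse(conf)
    return {url: indexes_enabled(sections, f"{fs}/{subdir}") for url, fs in aliases}
```

Any alias that audit() reports as True still needs -Indexes on the section covering its target path.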