Brandon Friedman <[EMAIL PROTECTED]> said:
> 1. SSL - How do you enable SSL on your alias directory

Here is an example of forcing SSL and locking access to the admin:

    # Administration: phpmyadmin
    Alias /phpmyadmin /opt/administration/phpmyadmin
    <Directory /opt/administration/phpmyadmin>
        RequireSSL on
        Options -Indexes
        AllowOverride None
        order deny,allow
        deny from all
        allow from all
        AuthName "phpMyAdmin"
        AuthType Basic
        AuthExternal pwauth
        require user admin
        Satisfy all
        AddType application/x-httpd-php .php .php3
        php_flag magic_quotes_gpc on
        php_flag track_vars on
    </Directory>

Here is an example of forcing SSL and locking access to multiple defined user/passwords:

    <Directory /opt/developers>
        RequireSSL on
        Options -Indexes
        AllowOverride None
        order deny,allow
        deny from all
        allow from all
        AuthName "Restricted Developer Access Only"
        AuthType Basic
        AuthUserFile /etc/httpd/conf/htpasswd.developers
        Require valid-user
        AddType application/x-httpd-php .php .php3
        php_flag magic_quotes_gpc on
        php_flag track_vars on
    </Directory>

It follows this posted HowTo:
http://myezserver.com/downloads/mitel/howto/website-access-security-howto.html

> 2. .htaccess control - Is this required?

No, and it offers weak security. The above is better.

> 3. Directory ownership - Who should be the owner of this directory? www
> or root:shared? Why?

The goal is to be restrictive and only permit access where access is directly needed. In this case www:www is not the best choice. Keep the majority of your files set root:root and either 640 or 644, which simply adds global read. Only files that your app MUST write to should be set www:www, and this is where you need to be careful.

> 4. Access right? - chmod ? 755 should be ok?

7 adds executable and this should be avoided. It is only necessary for binary files and scripts. However, be careful, as directories usually require 755, so make sure you do not chmod -R 640 *. Use the find command to change only files.

    # find . -type f -name "*" -exec chmod 640 {} \;

Regards,

--
Darrell May
DMC Netsourced.com
http://netsourced.com
http://myEZserver.com

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
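The ownership and permission policy from points 3 and 4 above, written out as a small POSIX shell script (an added example, not code from the original thread or from e-smith): directories get 755, regular files get 644 under root:root, and only the directories the application must write to are handed to the web server account. The `www` account name, the `APP_USER` variable and the function names are assumptions; `chown` only runs when the script is executed as root.

```shell
#!/bin/sh
# Added example: enforce "restrictive by default, writable only where needed".
APP_USER="${APP_USER:-www}"   # assumed name of the web server account

# harden_webroot WEBROOT [DIR...]: DIRs (relative to WEBROOT) are the only
# places the application is allowed to write.
harden_webroot() {
    webroot="$1"; shift
    # Directories need the execute bit to be traversed, so 755 for them...
    find "$webroot" -type d -exec chmod 755 {} \;
    # ...and 644 for regular files only (never chmod -R 640 the whole tree):
    # no execute bit, no group/world write, global read for the server.
    find "$webroot" -type f -exec chmod 644 {} \;
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:root "$webroot"
    fi
    # Writable directories: owner/group access only, owned by the app account.
    for rel in "$@"; do
        d="$webroot/$rel"
        mkdir -p "$d"
        chmod 770 "$d"
        if [ "$(id -u)" -eq 0 ] && id "$APP_USER" >/dev/null 2>&1; then
            chown "$APP_USER:$APP_USER" "$d"
        fi
    done
}

# audit_webroot WEBROOT: count regular files that are group/world-writable
# or carry any execute bit; for plain web content this should print 0.
audit_webroot() {
    find "$1" -type f \( -perm -g+w -o -perm -o+w \
        -o -perm -u+x -o -perm -g+x -o -perm -o+x \) | wc -l | tr -d ' '
}
```

Running `audit_webroot` before and after `harden_webroot` shows what the chmod pass changed; anything it still reports is a script or binary that needs a deliberate exception.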