Public bug reported:

Hi folks,

When running the Hardenize (https://www.hardenize.com) tool against my web server, it picked up that the default Apache2 web page (located at /var/www/html/index.html) has an insecure link. Upon further investigation, it's the "Document Roots" section, where it says "By default, Ubuntu does not allow access through the web browser to any file outside of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications)."; public_html is a link to the Apache docs page for mod_userdir (https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served as an http:// link. IMO this should be updated to be https.

To reproduce
* Start with a base install of Ubuntu server
* Run the following commands: sudo apt-get update; sudo apt-get dist-upgrade; sudo apt-get install apache2
* Optionally set up SSL
* Browse to http(s)://<your server IP or hostname>/index.html
* Hover over the link on public_html & observe it begins with http://

All the best,
Chris 8-)

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/2045055

Title:
  link in default index.html should be HTTPS
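The manual hover check in the reproduction steps can be automated. The following is an added example, not part of the original bug report or of the Ubuntu apache2 package: it parses a page, lists every URL attribute that uses plain http://, and separates navigation links such as the public_html one from subresource loads. The function names and the embedded sample HTML are constructed for illustration; the default path is the one named in the report.

```python
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL-carrying attributes per tag. <a href> is navigation; the rest load subresources.
URL_ATTRS = {"a": ("href",), "link": ("href",), "script": ("src",),
             "img": ("src",), "iframe": ("src",), "form": ("action",)}

class InsecureLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS.get(tag, ()) or not value:
                continue
            url = value.strip()
            # Relative and https:// URLs inherit or already use a secure scheme.
            if urlsplit(url).scheme.lower() == "http":
                kind = "navigation" if tag == "a" else "subresource"
                self.findings.append((self.getpos()[0], tag, kind, url))

def find_insecure_links(html):
    finder = InsecureLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def suggest_https(url):
    # Only rewrites the scheme; confirm the target actually serves HTTPS before patching.
    return urlsplit(url)._replace(scheme="https").geturl()

# Constructed sample modelled on the "Document Roots" paragraph quoted in the report.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/style.css">
</head><body>
<p>... <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a> ...</p>
<a href="https://example.org/">already secure</a>
</body></html>
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html/index.html"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line, tag, kind, url in find_insecure_links(fh.read()):
            print(f"{path}:{line}: <{tag}> {kind}: {url} -> {suggest_https(url)}")
```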

