User Tools

Site Tools


User Comments

Securing Apache (httpd)

Right now, the main consideration is, SECURE THE /CGI-BIN! The only persons that need access to this directory are Evergreen system administrators. This directory should be restricted by both IP (to those workstations designated as Evergeen Administration systems), AND by Username/password AT THE LEAST.

Good news: Even if a user gets access to this directory, there's nothing extremely damaging that can be done. Almost everything in the bootstrapping script will have references to it, and therefore cannot be deleted. However, a user can add new libraries, re-arrange consortia, and change user groups. The worst thing (I can imagine at the moment) is a staff member could access the directory, and change his associated security group to administrative level privileges.

Hiding overdue notices from non-staff users

If your overdue notices go to a publicly accessible webserver, putting this into eg_vhost.conf should require a staff login before viewing them.

# ----------------------------------------------------------------------------------
# Overdue Notices
# ----------------------------------------------------------------------------------
<Location /notices/>
    SetHandler perl-script
    PerlSetVar OILSProxyTitle "Notices Login"
    PerlSetVar OILSProxyDescription "Please log in to view overdue notices"
    PerlSetVar OILSProxyPermissions "STAFF_LOGIN"
    PerlHandler OpenILS::WWW::Proxy
    Options +ExecCGI +Indexes
    PerlSendHeader On
    allow from all
evergreen-admin/security/apache.txt · Last modified: 2022/02/10 13:34 by

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki

© 2008-2022 GPLS and others. Evergreen is open source software, freely licensed under GNU GPLv2 or later.
The Evergreen Project is a U.S. 501(c)3 non-profit organization.