Greg Stein <email@example.com> writes:
> On Mon, Apr 15, 2002 at 10:27:17PM -0400, Perry E. Metzger wrote:
> > Brian Behlendorf <firstname.lastname@example.org> writes:
> > > > The real problem is that Apache is very large. It has to be to do all
> > > > that it does, but that means that it is hard to secure it because you
> > > > can't audit all the relevant code. Big is bad in security.
> > >
> > > If the extra modules are stripped out, and you run only the prefork MPM,
> > > it's pretty small.
> > But that's not how we're running Apache for subversion.
> But that would appear to be your choice, hmm? You could definitely choose to
> run an Apache that is configured much "smaller" on your source code
> repository box.
How? I still need to run DAV and such.
> Run that on some alternate port, and you'll be set.
The port number isn't the issue.
> Or if you don't want users to mess with ports, you could use
> ProxyPass on your main web server and pass request thru to the
> internal interface/port where you've got your locked-down Subversion
When I ran a security consultancy, I made so much money off of
mentally challenged people1 who thought that proxies through the
firewall added security it wasn't funny. "Our web server is secure! We
have a firewall in front of it!"
The web server and associated software are the most dangerous pieces
of almost any company. I earned a very good living explaining to
people after they'd been broken into and mutilated why the apache
server had to be OUTSIDE the firewall.
> The point is: if you want to get seriously tight with the security of the
> server, the options are there.
> [ and note that using apache as a proxypass thingy, you could map ssl on the
> outside to a plain http on the inside so the secure repository doesn't
> have to install ssl code ]
Oh, great. "Crunchy on the outside, chewy middle, more moving parts".
> > > It's not like people aren't running Apache in pretty secure
> > > production situations - it's at least secure enough for netbsd's own web
> > > site (and openbsd's as well).
> > Our web site is not considered a secure application. We're fully
> Why is it on the same box as the source code repository?
It isn't. We don't want to run Apache on the repository box, or rely
on Apache being secure.
Perry E. Metzger email@example.com
NetBSD: The right OS for your embedded design. http://www.wasabisystems.com/
To unsubscribe, e-mail: firstname.lastname@example.org
For additional commands, e-mail: email@example.com
Received on Tue Apr 16 17:42:06 2002