4.2 Ensure Appropriate Access to Web Content Is Allowed - 'httpd.conf Order Deny,Allow'

Information

In order to serve web content, the Apache 'Allow' directive will need to be used to allow appropriate access to the directories, locations, and virtual hosts that contain web content. 'Order', 'Allow', and 'Deny' are the host-based access control directives of mod_authz_host in Apache 2.2; in Apache 2.4 they are provided only by the compatibility module mod_access_compat and are superseded by 'Require' ('Require all granted', 'Require ip', 'Require all denied'). This item applies to configurations that use the 2.2-style directives.

Rationale:

The 'Allow' directive may be used within a directory, a location, or other context to allow appropriate access. Access may be allowed to all, or to specific networks, hosts, or users as appropriate. The 'Order' directive determines how 'Allow' and 'Deny' are combined: with 'Order deny,allow' the 'Deny' directives are evaluated first, then the 'Allow' directives, and a client that matches neither is allowed; with 'Order allow,deny' the evaluation is reversed and a client that matches neither is denied. Because 'deny,allow' fails open, it should be paired with 'Deny from all' so that only the explicitly allowed clients get through.

Solution

Perform the following to implement the recommended state:

1. Search the Apache configuration files ('httpd.conf' and any included configuration files) to find all '<Directory>' and '<Location>' elements. There should be one for the document root and one for each special-purpose directory or location. There are likely to be other access control directives in other contexts, such as virtual hosts or special elements like '<Proxy>'; review those as well.
2. Add a single 'Order' directive to each element and set its value to 'deny,allow'. The two keywords must be separated by a comma with no whitespace; 'deny, allow' is rejected by Apache as a syntax error.
3. Include the appropriate 'Allow' and 'Deny' directives, with values that are appropriate for the purpose of the directory. Start from 'Deny from all' and add 'Allow' lines only for the clients that need access.

The configurations below are just a few possible examples.

Restrict access to one network. A trailing dot makes 'Allow from' a partial-address match, so '192.169.' matches every host in 192.169.0.0/16; substitute the prefix of your own network (192.169.0.0/16 is not RFC 1918 private space and is only a placeholder here):

Order deny,allow
Deny from all
Allow from 192.169.

Public content, such as the document root of a public site:

Order allow,deny
Allow from all

Local access only, for example a status or administrative location, allowing both the IPv4 and the IPv6 loopback address:

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
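The procedure above is an audit as much as a configuration step: every '<Directory>' and '<Location>' element has to be found and its 'Order', 'Allow', and 'Deny' lines checked. The following script is an added example and is not part of the CIS benchmark or of Tenable's audit; it walks a constructed httpd.conf fragment (embedded below, not taken from a real server) and reports the three mistakes this item is about: a missing 'Order' directive, an 'Order' value with whitespace or an unknown keyword, and 'Order deny,allow' without a 'Deny from all' to close the fail-open default. Nested containers are not handled beyond what Apache itself permits ('<Directory>' and '<Location>' cannot nest in one another), and a '#' inside a quoted path would be mistaken for a comment; both are simplifications of this example.

```python
import re

# Keywords Apache accepts for the Order directive (case-insensitive, no whitespace).
ORDER_VALUES = {"allow,deny", "deny,allow", "mutual-failure"}

OPEN_RE = re.compile(r"^<(directory|directorymatch|location|locationmatch)\s+(.+?)>$", re.I)
CLOSE_RE = re.compile(r"^</(directory|directorymatch|location|locationmatch)>$", re.I)

# Constructed sample configuration for this example (not from a real server).
# Sections 1-3 are correct; the last two carry the mistakes the audit should catch.
SAMPLE_HTTPD_CONF = """\
<Directory />
    Order deny,allow
    Deny from all
</Directory>

<Directory "/var/www/html">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
</Location>

<Location /admin>
    # deny,allow fails open: without 'Deny from all' every non-10.0.0.x client is allowed
    Order deny,allow
    Allow from 10.0.0.
</Location>

<Directory "/var/www/internal">
    # whitespace after the comma is a syntax error for Order
    Order deny, allow
    Deny from all
    Allow from 10.0.0.
</Directory>
"""


def _split_sections(conf_text):
    """Yield (kind, argument, [directive lines]) for each <Directory>/<Location> block.

    Comments and indentation are stripped. Apache does not allow these containers to
    nest in one another, so tracking a single open section is sufficient; blocks that
    sit inside <VirtualHost> are still found because only the inner tags are matched.
    """
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # simplification: '#' in a quoted path breaks this
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            current = (m.group(1), m.group(2).strip().strip('"'), [])
            continue
        if CLOSE_RE.match(line):
            if current is not None:
                yield current
            current = None
            continue
        if current is not None:
            current[2].append(line)


def audit_access_control(conf_text):
    """Return (section, problem) pairs for the access-control mistakes described above."""
    findings = []
    for kind, arg, lines in _split_sections(conf_text):
        name = f"<{kind} {arg}>"
        directives = []
        for line in lines:
            parts = line.split(None, 1)
            directives.append((parts[0].lower(), " ".join(parts[1].split()) if len(parts) > 1 else ""))
        orders = [v for k, v in directives if k == "order"]
        denies = [v.lower() for k, v in directives if k == "deny"]

        if not orders:
            findings.append((name, "no Order directive; host access is inherited from the enclosing context"))
            continue
        if len(orders) > 1:
            findings.append((name, "more than one Order directive; the last one wins, keep exactly one"))
        order = orders[-1].lower()
        if order not in ORDER_VALUES:
            findings.append((name, f"invalid Order value {orders[-1]!r}; use Deny,Allow with no whitespace"))
            continue
        if order == "deny,allow" and "from all" not in denies:
            findings.append((name, "Order deny,allow without 'Deny from all': clients matching no Deny line are allowed"))
    return findings


if __name__ == "__main__":
    for section, problem in audit_access_control(SAMPLE_HTTPD_CONF):
        print(f"{section}: {problem}")
```

Run against a real server, the script would be fed the concatenation of 'httpd.conf' and every file it includes, since a '<Directory>' block in an included file is as authoritative as one in the main file. A clean result from this check does not replace 'apachectl configtest', which is what actually rejects the whitespace variant of 'Order'.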

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv6|14.4, CSCv7|14.6

Plugin: Unix

Control ID: 5ace48ae10023230874dfe05c48c593207eef1672e6e529643c3bc6b7308e39a