| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> |
| <HTML |
| ><HEAD |
| ><TITLE |
| >Webserver</TITLE |
| ><META |
| NAME="GENERATOR" |
| CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK |
| REL="HOME" |
| TITLE="The Bugzilla Guide - 2.20.1 |
| Release" |
| HREF="index.html"><LINK |
| REL="UP" |
| TITLE="Bugzilla Security" |
| HREF="security.html"><LINK |
| REL="PREVIOUS" |
| TITLE="MySQL" |
| HREF="security-mysql.html"><LINK |
| REL="NEXT" |
| TITLE="Bugzilla" |
| HREF="security-bugzilla.html"></HEAD |
| ><BODY |
| CLASS="section" |
| BGCOLOR="#FFFFFF" |
| TEXT="#000000" |
| LINK="#0000FF" |
| VLINK="#840084" |
| ALINK="#0000FF" |
| ><DIV |
| CLASS="NAVHEADER" |
| ><TABLE |
| SUMMARY="Header navigation table" |
| WIDTH="100%" |
| BORDER="0" |
| CELLPADDING="0" |
| CELLSPACING="0" |
| ><TR |
| ><TH |
| COLSPAN="3" |
| ALIGN="center" |
| >The Bugzilla Guide - 2.20.1 |
| Release</TH |
| ></TR |
| ><TR |
| ><TD |
| WIDTH="10%" |
| ALIGN="left" |
| VALIGN="bottom" |
| ><A |
| HREF="security-mysql.html" |
| ACCESSKEY="P" |
| >Prev</A |
| ></TD |
| ><TD |
| WIDTH="80%" |
| ALIGN="center" |
| VALIGN="bottom" |
| >Chapter 4. Bugzilla Security</TD |
| ><TD |
| WIDTH="10%" |
| ALIGN="right" |
| VALIGN="bottom" |
| ><A |
| HREF="security-bugzilla.html" |
| ACCESSKEY="N" |
| >Next</A |
| ></TD |
| ></TR |
| ></TABLE |
| ><HR |
| ALIGN="LEFT" |
| WIDTH="100%"></DIV |
| ><DIV |
| CLASS="section" |
| ><H1 |
| CLASS="section" |
| ><A |
| NAME="security-webserver" |
| >4.3. Webserver</A |
| ></H1 |
| ><DIV |
| CLASS="section" |
| ><H2 |
| CLASS="section" |
| ><A |
| NAME="security-webserver-access" |
| >4.3.1. Disabling Remote Access to Bugzilla Configuration Files</A |
| ></H2 |
| ><P |
| >There are many files that are placed in the Bugzilla directory |
| area that should not be accessable from the web. Because of the way |
| Bugzilla is currently layed out, the list of what should and should not |
| be accessible is rather complicated. A new installation method is |
| currently in the works which should solve this by allowing files that |
| shouldn't be accessible from the web to be placed in a directory outside |
| the webroot. See |
| <A |
| HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=44659" |
| TARGET="_top" |
| >bug 44659</A |
| > |
| for more information. |
| </P |
| ><DIV |
| CLASS="tip" |
| ><P |
| ></P |
| ><TABLE |
| CLASS="tip" |
| WIDTH="100%" |
| BORDER="0" |
| ><TR |
| ><TD |
| WIDTH="25" |
| ALIGN="CENTER" |
| VALIGN="TOP" |
| ><IMG |
| SRC="../images/tip.gif" |
| HSPACE="5" |
| ALT="Tip"></TD |
| ><TD |
| ALIGN="LEFT" |
| VALIGN="TOP" |
| ><P |
| >Bugzilla ships with the ability to create |
| <A |
| HREF="glossary.html#gloss-htaccess" |
| ><I |
| CLASS="glossterm" |
| ><TT |
| CLASS="filename" |
| >.htaccess</TT |
| ></I |
| ></A |
| > |
| files that enforce these rules. Instructions for enabling these |
| directives in Apache can be found in <A |
| HREF="configuration.html#http-apache" |
| >Section 2.2.4.1</A |
| > |
| </P |
| ></TD |
| ></TR |
| ></TABLE |
| ></DIV |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >In the main Bugzilla directory, you should:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block: |
| <TT |
| CLASS="filename" |
| >*.pl</TT |
| >, <TT |
| CLASS="filename" |
| >*localconfig*</TT |
| > |
| </P |
| ></LI |
| ><LI |
| ><P |
| >But allow: |
| <TT |
| CLASS="filename" |
| >localconfig.js</TT |
| >, <TT |
| CLASS="filename" |
| >localconfig.rdf</TT |
| > |
| </P |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >In <TT |
| CLASS="filename" |
| >data</TT |
| >:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ><LI |
| ><P |
| >But allow: |
| <TT |
| CLASS="filename" |
| >duplicates.rdf</TT |
| > |
| </P |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >In <TT |
| CLASS="filename" |
| >data/webdot</TT |
| >:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >If you use a remote webdot server:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ><LI |
| ><P |
| >But allow |
| <TT |
| CLASS="filename" |
| >*.dot</TT |
| > |
| only for the remote webdot server</P |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >Otherwise, if you use a local GraphViz:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ><LI |
| ><P |
| >But allow: |
| <TT |
| CLASS="filename" |
| >*.png</TT |
| >, <TT |
| CLASS="filename" |
| >*.gif</TT |
| >, <TT |
| CLASS="filename" |
| >*.jpg</TT |
| >, <TT |
| CLASS="filename" |
| >*.map</TT |
| > |
| </P |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >And if you don't use any dot:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ></UL |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >In <TT |
| CLASS="filename" |
| >Bugzilla</TT |
| >:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ></UL |
| ></LI |
| ><LI |
| ><P |
| >In <TT |
| CLASS="filename" |
| >template</TT |
| >:</P |
| ><P |
| ></P |
| ><UL |
| COMPACT="COMPACT" |
| ><LI |
| ><P |
| >Block everything</P |
| ></LI |
| ></UL |
| ></LI |
| ></UL |
| ><P |
| >Be sure to test that data that should not be accessed remotely is |
| properly blocked. Of particular intrest is the localconfig file which |
| contains your database password. Also, be aware that many editors |
| create temporary and backup files in the working directory and that |
| those should also not be accessable. For more information, see |
| <A |
| HREF="http://bugzilla.mozilla.org/show_bug.cgi?id=186383" |
| TARGET="_top" |
| >bug 186383</A |
| > |
| or |
| <A |
| HREF="http://online.securityfocus.com/bid/6501" |
| TARGET="_top" |
| >Bugtraq ID 6501</A |
| >. |
| To test, simply point your web browser at the file; for example, to |
| test mozilla.org's installation, we'd try to access |
| <A |
| HREF="http://bugzilla.mozilla.org/localconfig" |
| TARGET="_top" |
| >http://bugzilla.mozilla.org/localconfig</A |
| >. You should get |
| a <SPAN |
| CLASS="QUOTE" |
| >"<SPAN |
| CLASS="errorcode" |
| >403</SPAN |
| > <SPAN |
| CLASS="errorname" |
| >Forbidden</SPAN |
| >"</SPAN |
| > |
| error. |
| </P |
| ><DIV |
| CLASS="tip" |
| ><P |
| ></P |
| ><TABLE |
| CLASS="tip" |
| WIDTH="100%" |
| BORDER="0" |
| ><TR |
| ><TD |
| WIDTH="25" |
| ALIGN="CENTER" |
| VALIGN="TOP" |
| ><IMG |
| SRC="../images/tip.gif" |
| HSPACE="5" |
| ALT="Tip"></TD |
| ><TD |
| ALIGN="LEFT" |
| VALIGN="TOP" |
| ><P |
| >Be sure to check <A |
| HREF="configuration.html#http" |
| >Section 2.2.4</A |
| > for instructions |
| specific to the webserver you use. |
| </P |
| ></TD |
| ></TR |
| ></TABLE |
| ></DIV |
| ></DIV |
| ><DIV |
| CLASS="section" |
| ><H2 |
| CLASS="section" |
| ><A |
| NAME="security-webserver-mod-throttle" |
| >4.3.2. Using <TT |
| CLASS="filename" |
| >mod_throttle</TT |
| > to Prevent a DOS</A |
| ></H2 |
| ><DIV |
| CLASS="note" |
| ><P |
| ></P |
| ><TABLE |
| CLASS="note" |
| WIDTH="100%" |
| BORDER="0" |
| ><TR |
| ><TD |
| WIDTH="25" |
| ALIGN="CENTER" |
| VALIGN="TOP" |
| ><IMG |
| SRC="../images/note.gif" |
| HSPACE="5" |
| ALT="Note"></TD |
| ><TD |
| ALIGN="LEFT" |
| VALIGN="TOP" |
| ><P |
| >This section only applies to people who have chosen the Apache |
| webserver. It may be possible to do similar things with other |
| webservers. Consult the documentation that came with your webserver |
| to find out. |
| </P |
| ></TD |
| ></TR |
| ></TABLE |
| ></DIV |
| ><P |
| >It is possible for a user, by mistake or on purpose, to access |
| the database many times in a row which can result in very slow access |
| speeds for other users (effectively, a |
| <A |
| HREF="glossary.html#gloss-dos" |
| ><I |
| CLASS="glossterm" |
| >DOS</I |
| ></A |
| > attack). If your |
| Bugzilla installation is experiencing this problem, you may install |
| the Apache module <TT |
| CLASS="filename" |
| >mod_throttle</TT |
| > which can limit |
| connections by IP address. You may download this module at |
| <A |
| HREF="http://www.snert.com/Software/mod_throttle/" |
| TARGET="_top" |
| >http://www.snert.com/Software/mod_throttle/</A |
| >. |
| Follow the instructions to install into your Apache install. |
| The command you need is |
| <B |
| CLASS="command" |
| >ThrottleClientIP</B |
| >. See the |
| <A |
| HREF="http://www.snert.com/Software/mod_throttle/" |
| TARGET="_top" |
| >documentation</A |
| > |
| for more information.</P |
| ></DIV |
| ></DIV |
| ><DIV |
| CLASS="NAVFOOTER" |
| ><HR |
| ALIGN="LEFT" |
| WIDTH="100%"><TABLE |
| SUMMARY="Footer navigation table" |
| WIDTH="100%" |
| BORDER="0" |
| CELLPADDING="0" |
| CELLSPACING="0" |
| ><TR |
| ><TD |
| WIDTH="33%" |
| ALIGN="left" |
| VALIGN="top" |
| ><A |
| HREF="security-mysql.html" |
| ACCESSKEY="P" |
| >Prev</A |
| ></TD |
| ><TD |
| WIDTH="34%" |
| ALIGN="center" |
| VALIGN="top" |
| ><A |
| HREF="index.html" |
| ACCESSKEY="H" |
| >Home</A |
| ></TD |
| ><TD |
| WIDTH="33%" |
| ALIGN="right" |
| VALIGN="top" |
| ><A |
| HREF="security-bugzilla.html" |
| ACCESSKEY="N" |
| >Next</A |
| ></TD |
| ></TR |
| ><TR |
| ><TD |
| WIDTH="33%" |
| ALIGN="left" |
| VALIGN="top" |
| >MySQL</TD |
| ><TD |
| WIDTH="34%" |
| ALIGN="center" |
| VALIGN="top" |
| ><A |
| HREF="security.html" |
| ACCESSKEY="U" |
| >Up</A |
| ></TD |
| ><TD |
| WIDTH="33%" |
| ALIGN="right" |
| VALIGN="top" |
| >Bugzilla</TD |
| ></TR |
| ></TABLE |
| ></DIV |
| ></BODY |
| ></HTML |
| > |