Re: secure alternative for Apache

From: jose nazario (jose_at_monkey.org)
Date: 08/10/04


Date: 10 Aug 2004 14:20:13 -0700


"Crypto Ron" <crypto@luistert.nl> wrote in message news:<411152a4$0$30031$e4fe514c@dreader13.news.xs4all.nl>...

> For a project we want to build a *very* secure server based on OpenBSD. For
> management we need a very simple but secure webserver. I think Apache has
> had too many problems. Is there a serious alternative we should look into?

the Apache installed as a part of base OpenBSD has been audited some
and has some features included and enabled by default, including a
chroot(2) to the ServerRoot path. this dramatically improves security
in the event of a compromise. in the case of CGI programs or other
dynamic content, you can set up an environment with the needed
elements as we described in our book "Secure Architectures with
OpenBSD". basically you have to identify which pieces need to be in
the jail and offer no more than this. combined with mount options on
your ServerRoot path and restrictive permissions for other stuff
(often enabled by default in OpenBSD), you're further along than you
realize.

hope this helps,

--------
jose nazario
co-author, "Secure Architectures with OpenBSD"
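
Added example, not part of the original post or of the book it cites: one way to carry out the "identify which pieces need to be in the jail and offer no more than this" step for a single CGI program. The function names, the program path, the /var/www jail path in the usage comment and the sample ldd(1) output are constructed assumptions.

```shell
#!/bin/sh
# Added example. All paths and the sample ldd(1) output are constructed.

# Constructed ldd(1) output for a hypothetical CGI program.
sample_ldd() {
    cat <<'EOF'
/usr/local/libexec/status.cgi:
    Start    End      Type  Open Ref GrpRef Name
    00001000 00002000 exe   1    0   0      /usr/local/libexec/status.cgi
    00003000 00004000 rlib  0    1   0      /usr/lib/libc.so.0.0
    00005000 00006000 ld.so 0    1   0      /usr/libexec/ld.so
EOF
}

# Print each absolute path named in ldd(1) output on stdin, once.
# Works on the table layout above and on the "name => /path" layout;
# the "program:" banner line is skipped.
jail_needs() {
    awk '!/:$/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# Copy one file into the jail under the same path it has outside,
# dropping set-id bits and group/other write permission.
# usage: jail_copy JAIL /absolute/path
jail_copy() {
    jail=$1 src=$2
    mkdir -p "$jail$(dirname "$src")" &&
    cp -p "$src" "$jail$src" &&
    chmod go-w,u-s,g-s "$jail$src"
}

# List what should not be inside a web jail: set-id files, device nodes
# and world-writable entries. Empty output means nothing was found.
jail_audit() {
    find "$1" \( -perm -4000 -o -perm -2000 -o -perm -0002 \
        -o -type b -o -type c \) -print
}

# Typical use (assumed jail path):
#   ldd /path/to/prog | jail_needs |
#       while read -r f; do jail_copy /var/www "$f"; done
#   jail_audit /var/www
```

Running jail_audit again after every change to the jail keeps the "offer no more than this" rule checkable rather than a one-time setup step.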