Re: secure alternative for Apache

From: jose nazario
Date: 08/10/04

Date: 10 Aug 2004 14:20:13 -0700

"Crypto Ron" <> wrote in message news:<411152a4$0$30031$>...

> For a project we want to build a *very* secure server based on OpenBSD. For
> management we need a very simple but secure webserver. I think Apache has
> had too many problems. Is there a serious alternative we should look into?

the Apache installed as a part of base OpenBSD has been audited some
and has some features included and enabled by default, including a
chroot(2) to the ServerRoot path. this dramatically improves security
in the event of a compromise. in the case of CGI programs or other
dynamic content, you can set up an environment with the needed
elements as we described in our book "Secure Architectures with
OpenBSD". basically you have to identify which pieces need to be in
the jail and offer no more than this. combined with mount options on
your ServerRoot path and restrictive permissions for other stuff
(often enabled by default in OpenBSD), you're further along than you

hope this helps,

jose nazario
co-author, "Secure Architectures with OpenBSD"
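
One way to carry out the "identify which pieces need to be in the jail and offer no more than this" step from the reply above, as an added example that is not part of the original post or the book. The function names, the binary path /usr/local/bin/status and the ldd(1) output are constructed for illustration.

```shell
#!/bin/sh
# Added example: build and audit a minimal chroot jail for one CGI program.

# Constructed sample of ldd(1) output for a hypothetical CGI binary.
sample_ldd() {
cat <<'EOF'
/usr/local/bin/status:
	Start            End              Type  Open Ref GrpRef Name
	0000000000001000 0000000000004000 exe   1    0   0      /usr/local/bin/status
	0000000000005000 0000000000009000 rlib  0    1   0      /usr/lib/libc.so.30.1
	000000000000a000 000000000000a000 rtld  0    1   0      /usr/libexec/ld.so
EOF
}

# Extract every absolute path from ldd-style output on stdin (the "name:"
# header line is skipped); works for the OpenBSD and GNU ldd layouts.
jail_deps() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\// && $i !~ /:$/) print $i }' | sort -u
}

# Copy each path read from stdin into jail $1, keeping its directory layout.
jail_populate() {
    jail=$1
    while IFS= read -r f; do
        mkdir -p "$jail$(dirname "$f")" && cp -p "$f" "$jail$f" || return 1
    done
}

# Print files present in jail $1 that are not on the allowlist file $2.
# Any output means the jail offers more than the program was found to need.
jail_extras() {
    (cd "$1" && find . -type f | sed 's|^\.||' | sort) | grep -vxF -f "$2" || true
}

# Demo on the constructed sample: the list of files the jail must offer.
sample_ldd | jail_deps
```

Save the output of jail_deps as the allowlist, feed it to jail_populate, and rerun jail_extras after every change to the jail so that stray files are noticed.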
