want to use apache web server only on local machine

04/09/2005, 01h54

This might sound like a dumb question, but I don't know much about
security.

I installed Apache on my Windows XP computer in order to test my PHP
web files locally before uploading to the web server. I'm worried about
my computer being more vulnerable to attack now that I am running a web
server. Is there a way to configure Apache so that I can only use it to
display webpages locally on my machine, but disallow remote users from
accessing the webserver?

Thank you.

04/09/2005, 15h10

Lee wrote:

> I installed Apache on my Windows XP computer in order to test my PHP
> web files locally before uploading to the web server. I'm worried about
> my computer being more vulnerable to attack now that I am running a web
> server. Is there a way to configure Apache so that I can only use it to
> display webpages locally on my machine, but disallow remote users from
> accessing the webserver?

Yes. However, in order to stack the odds, you should also disallow access
using a firewall, preferably an external box rather than a "software
firewall".

Thor

--
http://www.anta.net/OH2GDF

04/09/2005, 16h05

On 3 Sep 2005 17:54:54 -0700, "Lee" <craftystud-idol@yahoo.com> wrote:

>This might sound like a dumb question, but I don't know much about
>security.
>
>I installed Apache on my Windows XP computer in order to test my PHP
>web files locally before uploading to the web server. I'm worried about
>my computer being more vulnerable to attack now that I am running a web
>server. Is there a way to configure Apache so that I can only use it to
>display webpages locally on my machine, but disallow remote users from
>accessing the webserver?
>
>Thank you.

1. USE A FIREWALL, filtering port 80 / port 443.
I recommend ZoneAlarm

2. modify or add a .htpasswd file to the document root directory
Order deny,allow
Deny from all
Allow from dev.example.com, 127.0.0.1
http://httpd.apache.org/docs/2.0/howto/auth.html

--
Terry
My blog: http://www.TheNextWindow.com
My website: http://www.TerryStockdale.com
My tip site and newsletter: http://www.TerrysComputerTips.com

06/09/2005, 02h52

Lee wrote:
> This might sound like a dumb question, but I don't know much about
> security.
>
> I installed Apache on my Windows XP computer in order to test my PHP
> web files locally before uploading to the web server. I'm worried about
> my computer being more vulnerable to attack now that I am running a web
> server. Is there a way to configure Apache so that I can only use it to
> display webpages locally on my machine, but disallow remote users from
> accessing the webserver?

It should be enough to bind Apache only to the loopback connector ie.
localhost. Just adding this directive should suffice, if you also make
sure you don't have Listen directives for other IPs:

Listen 127.0.0.1

07/09/2005, 21h14

Thanks for all your replies. I just realized that it will be cumbersome
to test whether the settings work or not b/c I don't have a second
computer and internet connection to use to check the access to my
webserver. I have a dsl connection, so I suppose I could try using a
dial up modem to test it (will it work if I use the same computer but a
different internet connection?).

BTW, I'm wondering what is considered a more secure way of doing it -
using the "Listen" directive? or the "Order/Deny/Allow" directive?

Thanks.

08/09/2005, 05h03

Lee wrote:
> Thanks for all your replies. I just realized that it will be cumbersome
> to test whether the settings work or not b/c I don't have a second
> computer and internet connection to use to check the access to my
> webserver. I have a dsl connection, so I suppose I could try using a
> dial up modem to test it (will it work if I use the same computer but a
> different internet connection?).

You might go to one of the web sites that offer a "port scan" service
e.g. Steve Gibson's "Shields Up" (http://www.grc.com/default.htm).

> BTW, I'm wondering what is considered a more secure way of doing it -
> using the "Listen" directive? or the "Order/Deny/Allow" directive?

Listen is more secure, I'm sure. It allows you to control what ports are
open on what IP addresses. Using Order/Deny/Allow the port will be open,
but specific client IPs would be allowed or blocked. I think it would be
harder to get past a closed port than a software check. Of course, you
could do both.

--
Jim Patterson
Ottawa, Ont
CANADA

09/09/2005, 20h13

Thanks Jim!

04/09/2005, 01h54	#1
Lee Messages: n/a Hébergeur:	want to use apache web server only on local machine This might sound like a dumb question, but I don't know much about security. I installed Apache on my Windows XP computer in order to test my PHP web files locally before uploading to the web server. I'm worried about my computer being more vulnerable to attack now that I am running a web server. Is there a way to configure Apache so that I can only use it to display webpages locally on my machine, but disallow remote users from accessing the webserver? Thank you.

04/09/2005, 15h10	#2
Thor Kottelin Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine Lee wrote: > I installed Apache on my Windows XP computer in order to test my PHP > web files locally before uploading to the web server. I'm worried about > my computer being more vulnerable to attack now that I am running a web > server. Is there a way to configure Apache so that I can only use it to > display webpages locally on my machine, but disallow remote users from > accessing the webserver? Yes. However, in order to stack the odds, you should also disallow access using a firewall, preferably an external box rather than a "software firewall". Thor -- http://www.anta.net/OH2GDF

04/09/2005, 16h05	#3
Terry Stockdale Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine On 3 Sep 2005 17:54:54 -0700, "Lee" <craftystud-idol@yahoo.com> wrote: >This might sound like a dumb question, but I don't know much about >security. > >I installed Apache on my Windows XP computer in order to test my PHP >web files locally before uploading to the web server. I'm worried about >my computer being more vulnerable to attack now that I am running a web >server. Is there a way to configure Apache so that I can only use it to >display webpages locally on my machine, but disallow remote users from >accessing the webserver? > >Thank you. 1. USE A FIREWALL, filtering port 80 / port 443. I recommend ZoneAlarm 2. modify or add a .htpasswd file to the document root directory Order deny,allow Deny from all Allow from dev.example.com, 127.0.0.1 http://httpd.apache.org/docs/2.0/howto/auth.html -- Terry My blog: http://www.TheNextWindow.com My website: http://www.TerryStockdale.com My tip site and newsletter: http://www.TerrysComputerTips.com

06/09/2005, 02h52	#4
Jim Patterson Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine Lee wrote: > This might sound like a dumb question, but I don't know much about > security. > > I installed Apache on my Windows XP computer in order to test my PHP > web files locally before uploading to the web server. I'm worried about > my computer being more vulnerable to attack now that I am running a web > server. Is there a way to configure Apache so that I can only use it to > display webpages locally on my machine, but disallow remote users from > accessing the webserver? It should be enough to bind Apache only to the loopback connector ie. localhost. Just adding this directive should suffice, if you also make sure you don't have Listen directives for other IPs: Listen 127.0.0.1

07/09/2005, 21h14	#5
Lee Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine Thanks for all your replies. I just realized that it will be cumbersome to test whether the settings work or not b/c I don't have a second computer and internet connection to use to check the access to my webserver. I have a dsl connection, so I suppose I could try using a dial up modem to test it (will it work if I use the same computer but a different internet connection?). BTW, I'm wondering what is considered a more secure way of doing it - using the "Listen" directive? or the "Order/Deny/Allow" directive? Thanks.

08/09/2005, 05h03	#6
Jim Patterson Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine Lee wrote: > Thanks for all your replies. I just realized that it will be cumbersome > to test whether the settings work or not b/c I don't have a second > computer and internet connection to use to check the access to my > webserver. I have a dsl connection, so I suppose I could try using a > dial up modem to test it (will it work if I use the same computer but a > different internet connection?). You might go to one of the web sites that offer a "port scan" service e.g. Steve Gibson's "Shields Up" (http://www.grc.com/default.htm). > BTW, I'm wondering what is considered a more secure way of doing it - > using the "Listen" directive? or the "Order/Deny/Allow" directive? Listen is more secure, I'm sure. It allows you to control what ports are open on what IP addresses. Using Order/Deny/Allow the port will be open, but specific client IPs would be allowed or blocked. I think it would be harder to get past a closed port than a software check. Of course, you could do both. -- Jim Patterson Ottawa, Ont CANADA

09/09/2005, 20h13	#7
Lee Messages: n/a Hébergeur:	Re: want to use apache web server only on local machine Thanks Jim!

Outils de la discussion
Afficher une version imprimable Envoyer un lien vers cette page par email