# IHS config snippets

This document provides longer-form configuration examples that have no simple solutions.

## Security related configuration examples

### Blocking unrecognized hostnames

By default, IHS responds to requests with any hostname in the HTTP/1.1 Host: header. When no virtual hosts are used, the main server configuration responds to any request. When virtual hosts are used, the first-listed virtual host matching the interface and port of the underlying connection becomes the default. To prevent this, we must configure the server to do one of the following:

#### Force all requests to use a Host: header defined by the server

1. Make sure `mod_headers` is loaded.
2. Use `RequestHeader set Host example.com early` to override the supplied Host: header.

#### Limiting requested hostnames without virtual hosts

Add the following stanza to the end of httpd.conf. If you have other RewriteRules, this recipe should precede them. You may need to uncomment the `LoadModule` for `modules/mod_rewrite.so` if you are not using mod_rewrite already.

```
RewriteEngine ON
RewriteCond %{HTTP_HOST} !=www.example.com
RewriteCond %{HTTP_HOST} !=example.com
...
RewriteRule .* - [F]
```

Note: If you use `ErrorDocument 403` with a path as the argument, you must add additional `RewriteCond` entries where the ellipsis is shown to make sure the 403 document can be served. For example:

```
RewriteCond %{REQUEST_URI} !^/error/403.html$
```

#### Limiting requested hostnames for configuration with virtual hosts

- 9.0.0.11 and later: Just set `StrictHostCheck ON` at the bottom of httpd.conf. Every hostname the server should tolerate must be specified as a ServerName/ServerAlias in the scope that handles the request (usually VirtualHost).
- Prior releases / service levels: continue on.
- Run `apachectl -S` to see a summary of all existing virtual hosts. Each address and port combination is listed along the left side.
  ```
  VirtualHost configuration:
  *:443                  is a NameVirtualHost
           default server 127.0.1.1 (/opt/IHS/conf/httpd.conf:951)
           port 443 namevhost 127.0.1.1 (/opt/IHS/conf/httpd.conf:951)
           port 443 namevhost 127.0.1.1 (/opt/IHS/conf/httpd.conf:958)
  *:80                   127.0.1.1 (/opt/IHS/conf/httpd.conf:965)
  ```

- For each address:port combination in the first column of the output, duplicate the opening and closing `<VirtualHost>` and `</VirtualHost>` tags. In the empty entry that now comes first, add the following stanza:

  ```
  RewriteEngine ON
  RewriteRule .* - [F]
  ```

- If the duplicated entry was not initially listed as a "default server", such as httpd.conf:965 in the sample above, add the `NameVirtualHost` parameter before the newly duplicated VirtualHost. The argument to `NameVirtualHost` should match exactly the arguments inside of `<VirtualHost>`:

  ```
  NameVirtualHost *:80
  ```

- Review the `Listen` directives in httpd.conf and make sure each address:port combination is covered by the `apachectl -S` output. If a combination is not covered, requests for any hostname will still be handled by the base server configuration. You must either add additional virtual hosts, or use the recipe in the preceding section, "Limiting requested hostnames without virtual hosts".

## Miscellaneous configuration examples

### DirectoryIndex: Show and allow access to specific file types

Allowing specific file types to be displayed in a generated directory index can be done by blocking access to all files and then allowing access to the desired types. In addition to allowing access to the desired types, it is necessary to allow access to both the directory itself and to whatever DirectoryIndex is set to (index.html and index.html.var by default). Access to the file specified by DirectoryIndex is necessary because mod_dir will bail if a 403 (access forbidden) is found instead of a 404 (not found) or 200 (OK). Later releases of Apache have an option "DirectoryIndex disabled" to disable the directory index instead. Unfortunately, this option is not available in IHS 8.5 and below.
```
# A sample configuration to allow access to only certain image files.
# The <Directory> path and the <Files> patterns are reconstructed placeholders
# (the container directives did not survive extraction); adjust them to the
# directory and file types you actually want to expose.
<Directory "/opt/IHS/htdocs/images">
    Options +Indexes
    IndexOptions FancyIndexing NameWidth=*
    IndexIgnore ..

    # Deny all files
    <Files *>
        Order allow,deny
        Deny from all
    </Files>

    # Allow root folder (a request for the directory itself has an empty
    # file-name component, so an empty pattern matches it)
    <FilesMatch "^$">
        Order deny,allow
        Allow from all
    </FilesMatch>

    # Need DirectoryIndex to fail with a 404 rather than a 403.
    # Later Apache releases have "DirectoryIndex disabled" to avoid
    # searching altogether.
    <FilesMatch "^index\.html(\.var)?$">
        Order deny,allow
        Allow from all
    </FilesMatch>

    # Allow access to image files
    <FilesMatch "\.(gif|jpe?g|png)$">
        Order deny,allow
        Allow from all
    </FilesMatch>
</Directory>
```
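The last step of "Limiting requested hostnames for configuration with virtual hosts" above, checking that every `Listen` socket is claimed by a virtual host, can be scripted. The following is an added example, not part of the IHS documentation: it parses the `apachectl -S` summary shown in that section together with a constructed httpd.conf excerpt, and reports sockets on which the base server would still answer for any Host: header. `WILDCARDS`, `parse_listen`, `parse_vhosts` and `uncovered_sockets` are names chosen here.

```python
import re

# Constructed sample input: the "apachectl -S" summary shown on this page, plus an
# httpd.conf excerpt whose third Listen socket has no VirtualHost claiming it.
SAMPLE_APACHECTL_S = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server 127.0.1.1 (/opt/IHS/conf/httpd.conf:951)
         port 443 namevhost 127.0.1.1 (/opt/IHS/conf/httpd.conf:951)
         port 443 namevhost 127.0.1.1 (/opt/IHS/conf/httpd.conf:958)
*:80                   127.0.1.1 (/opt/IHS/conf/httpd.conf:965)
Syntax OK
"""
SAMPLE_HTTPD_CONF = "Listen 80\nListen 0.0.0.0:443\nListen 192.0.2.10:8080\n"
WILDCARDS = {"", "*", "0.0.0.0", "::", "_default_"}   # "every interface" spellings

def parse_listen(conf):
    """(addr, port) pairs from Listen directives; addr '*' means every interface."""
    sockets = set()
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "listen":
            continue
        spec = parts[1]
        if spec.isdigit():                       # Listen 80
            addr, port = "*", spec
        elif spec.startswith("["):               # Listen [::1]:80
            addr, _, port = spec[1:].partition("]:")
        else:                                    # Listen 10.0.0.5:443
            addr, _, port = spec.rpartition(":")
        sockets.add(("*" if addr in WILDCARDS else addr, port))
    return sockets

def parse_vhosts(summary):
    """(addr, port) pairs owning a VirtualHost: the left column of apachectl -S."""
    vhosts = set()
    for line in summary.splitlines():
        m = re.match(r"(\S+):(\d+)\b", line)     # indented detail lines never match
        if m:
            vhosts.add(("*" if m.group(1) in WILDCARDS else m.group(1), m.group(2)))
    return vhosts

def uncovered_sockets(listen, vhosts):
    """Listen sockets no VirtualHost claims, so the base server (which accepts any
    Host:) answers there; a wildcard Listen needs a wildcard VirtualHost."""
    return {(a, p) for a, p in listen
            if ("*", p) not in vhosts and (a == "*" or (a, p) not in vhosts)}

for a, p in sorted(uncovered_sockets(parse_listen(SAMPLE_HTTPD_CONF), parse_vhosts(SAMPLE_APACHECTL_S))):
    print(f"no VirtualHost for {a}:{p}; add one or use the RewriteRule recipe")
```

Run it against the real `apachectl -S` output and httpd.conf; any socket it lists needs either a catch-all VirtualHost as described above or the mod_rewrite recipe from the section without virtual hosts.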