FNAL Apache Web Server Baseline
Overview
The Apache Web Server software is available on UNIX and Windows platforms to serve Web content over the Internet. Service on the default ports 80 and 443 for Web servers is limited to on-site access unless an exemption is applied for and granted from Computer Security. Otherwise port 80 and 443 traffic is blocked by the border router. To receive and exemption for offsite access to default ports:
The Web service must be offered from a static IP address for the server.
At least one sysadmin must be registered for the machine.
The machine must have passed a recent "external" Nessus scan.
The request must be made via the Web server permit request form.
Regardless of whether the Web server is accessible off-site, due diligence must be taken to maintain the Web server and all related Web applications in a secure manner. This includes keeping server and software components up-to-date in security patches,
configuring them in a secure way, writing scripts/code in a secure way, and restricting content and editing access appropriately for content.
The Computing Division offers a centrally-supported load-balanced Web service cluster which groups are encouraged to use when appropriate instead of supporting their own individual Web servers. Security for operating system and central Apache software configuration are covered for the Web authors using the central Web cluster, thus reducing their work load for security.
| 