-rw-r--r-- | debian/apache2.NEWS | 5
-rw-r--r-- | debian/config-dir/apache2.conf | 2
2 files changed, 6 insertions, 1 deletions
diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS index df2e464e..8e195dc3 100644 --- a/debian/apache2.NEWS +++ b/debian/apache2.NEWS @@ -20,6 +20,11 @@ apache2 (2.4.1-1) experimental; urgency=low a2dismod mpm_worker a2enmod mpm_prefork + We did change the security model for Apache in our default configuration. We + do not allow access to the file system outside /var/www, /srv and /usr/share. + If you are running virtual hosts or scripts outside these directories, you + need to whitelist them in your configuration to grant access through HTTP. + Moreover, the configuration mechanism in Debian has changed. All configurations in sites-enabled and conf-enabled need a ".conf" suffix now. The latter replaces the deprecated /etc/apache2/conf.d/ directory (which is diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf index 9411bc27..fad3af3b 100644 --- a/debian/config-dir/apache2.conf +++ b/debian/config-dir/apache2.conf @@ -145,7 +145,7 @@ Include ports.conf # Sets the default security model of the Apache2 HTTPD server. It does -# not allow access to the root filesystem outside of /usr/share and +# not allow access to the root filesystem outside of /usr/share, /srv and # /var/www. The former is used by web applications packaged in Debian, # the latter may be used for local directories served by the web server. <Directory /> |
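Review bot: In the debian/apache2.NEWS hunk, the new paragraph tells admins they "need to whitelist them in your configuration" but does not say how or where. Someone whose virtual host outside /var/www, /srv and /usr/share stops being served after the upgrade has nothing to act on. Suggest naming the mechanism, for example by pointing at the `<Directory />` section of apache2.conf as the place the default is set and the pattern to follow for additional directories. Minor wording: "We did change" reads better as "We changed", and the directory order here (/var/www, /srv, /usr/share) differs from the order used in the apache2.conf comment.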
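Review bot: In the debian/config-dir/apache2.conf hunk, only the comment changes (one line removed, one added), so nothing in this patch actually grants access to /srv. Please confirm that a matching `<Directory /srv>` section already exists below `<Directory />`, otherwise the comment and the NEWS entry describe a policy the configuration does not implement. Also, with three directories now listed, the unchanged next sentence ("The former is used by ... the latter may be used for ...") is ambiguous and leaves /srv unexplained. Suggest rewriting it to state the purpose of each directory by name.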