IBM HTTP Server Configuration examples

This document provides longer-form configuration examples that have no simple solutions.

Provide feedback on the IBM HTTP Server forum on IBM developerWorks.

Security-related configuration examples

Blocking unrecognized hostnames

By default, IHS responds to requests with any hostname in the HTTP/1.1 Host: header. When no virtual hosts are used, the main server configuration responds to any request. When virtual hosts are used, the first-listed virtual host matching the interface and port of the underlying connection becomes the default.

To reject requests for unrecognized hostnames, either check the requested hostname with mod_rewrite or set up "catch-all" virtual hosts that match all unrecognized hostnames.

Limiting requested hostnames without virtual hosts

Add the following stanza to the end of httpd.conf. If you have other RewriteRules, this recipe should precede them.

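  RewriteEngine ON
  # Each RewriteCond is true when the Host header differs from one permitted
  # name. Conditions are ANDed, so the rule fires only when no name matches.
  RewriteCond %{HTTP_HOST} !=www.example.com
  RewriteCond %{HTTP_HOST} !=example.com
  # ... one RewriteCond per additional permitted hostname
  # Respond with 403 Forbidden
  RewriteRule .* - [F]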

Limiting requested hostnames for configuration with virtual hosts
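
The catch-all approach described above, as an added example that is not part of the original document: because the first-listed virtual host for an address and port is the default, a first virtual host that forbids everything receives every request whose hostname matches no later ServerName or ServerAlias. The port, the catchall.invalid name and the DocumentRoot path are placeholders.

```apache
# Added example, not from the original document. Hostnames, port and paths
# are placeholders (assumptions).

# Needed on Apache 2.2-based releases for name-based virtual hosts;
# not needed on 2.4-based releases.
NameVirtualHost *:80

# Catch-all: listed first, so it is the default for *:80 and receives any
# request whose Host header matches no ServerName/ServerAlias below.
<VirtualHost *:80>
    ServerName catchall.invalid
    RewriteEngine on
    # Respond with 403 Forbidden to everything, as in the recipe without
    # virtual hosts
    RewriteRule .* - [F]
</VirtualHost>

# Recognized hostnames
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/path/to/docroot"
</VirtualHost>
```

Repeat the catch-all block, listed first, for each address and port combination that has virtual hosts.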

Miscellaneous configuration examples

DirectoryIndex: Show and allow access to specific file types

To display only specific file types in a generated directory index, block access to all files and then allow access to the desired types. In addition to the desired types, access must be allowed to the directory itself and to whatever DirectoryIndex is set to (by default, index.html and index.html.var). Access to the file specified by DirectoryIndex is necessary because mod_dir gives up if it encounters a 403 (access forbidden) instead of a 404 (not found) or 200 (OK). Later releases of Apache have an option "DirectoryIndex disabled" to disable the directory index instead. Unfortunately, this option is not available in IHS 8.5 and earlier.

# A sample configuration to allow access to only certain image files
<Directory "/path/to/directory/">
    Options +Indexes
    IndexOptions FancyIndexing NameWidth=*
    IndexIgnore ..

    # Deny all files
    <Files "*">
        Order allow,deny
        Deny from all
    </Files>

    # Allow root folder
    <Files ".">
        Order deny,allow
        Allow from all
    </Files>

    # Need DirectoryIndex to fail with a 404 rather than a 403.
    # Later Apache releases have "DirectoryIndex disabled" to avoid
    # searching altogether.
    <Files "index.html*">
        Order deny,allow
        Allow from all
    </Files>

    # Allow access to image files
    <FilesMatch "\.(jpg|gif|png)$">
        Order deny,allow
        Allow from all
    </FilesMatch>
</Directory>