cacti/cacti-httpd.conf

#
# Cacti: An rrd based graphing tool
#

# Change the following ACLs to open up Cacti to other network devices.
# For example:
# On httpd 2.4, change "Require host localhost" to "Require all granted".
# On httpd 2.2, change "Allow from localhost" to "Allow from all".

Alias /cacti    /usr/share/cacti

<Directory /usr/share/cacti/>
	<IfModule mod_authz_core.c>
		# httpd 2.4
		Require host localhost
	</IfModule>
	<IfModule !mod_authz_core.c>
		# httpd 2.2
		Order deny,allow
		Deny from all
		Allow from localhost
	</IfModule>
</Directory>

<Directory /usr/share/cacti/install>
	# mod_security overrides.
	# Uncomment these if you use mod_security.
	# allow POST of application/x-www-form-urlencoded during install
	#SecRuleRemoveById 960010
	# permit the specification of the rrdtool paths during install
	#SecRuleRemoveById 900011
</Directory>


# These sections marked "Require all denied" (or "Deny from all")
# should not be modified.
# These are in place in order to harden Cacti.
<Directory /usr/share/cacti/log>
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
	</IfModule>
</Directory>
<Directory /usr/share/cacti/rra>
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
	<IfModule !mod_authz_core.c>
		Order deny,allow
		Deny from all
	</IfModule>
</Directory>
auto-import cacti-0.8.6h-4 on branch devel from cacti-0.8.6h-4.src.rpm 2006-02-07 01:42:50 +00:00			`#`
			`# Cacti: An rrd based graphing tool`
			`#`
block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`# Change the following ACLs to open up Cacti to other network devices.`
			`# For example:`
			`# On httpd 2.4, change "Require host localhost" to "Require all granted".`
			`# On httpd 2.2, change "Allow from localhost" to "Allow from all".`
block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00
auto-import cacti-0.8.6h-4 on branch devel from cacti-0.8.6h-4.src.rpm 2006-02-07 01:42:50 +00:00			`Alias /cacti /usr/share/cacti`

			`<Directory /usr/share/cacti/>`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`<IfModule mod_authz_core.c>`
			`# httpd 2.4`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Require host localhost`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
			`<IfModule !mod_authz_core.c>`
			`# httpd 2.2`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Order deny,allow`
			`Deny from all`
			`Allow from localhost`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
tweak mod_security rules Unfortunately, when Apache includes conf.d/*, the "c" in cacti.conf comes before "m" in mod_security.conf. This means we can't use the IfModule directive here to detect the installation of mod_security. Remove the IfModule section, and just provide instructions to users. Users will have to manually un-comment the two mod_security overrides. (Better than nothing.) 2011-12-12 18:39:07 +00:00			`</Directory>`

			`<Directory /usr/share/cacti/install>`
			`# mod_security overrides.`
			`# Uncomment these if you use mod_security.`
			`# allow POST of application/x-www-form-urlencoded during install`
			`#SecRuleRemoveById 960010`
			`# permit the specification of the rrdtool paths during install`
			`#SecRuleRemoveById 900011`
auto-import cacti-0.8.6h-4 on branch devel from cacti-0.8.6h-4.src.rpm 2006-02-07 01:42:50 +00:00			`</Directory>`

block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`# These sections marked "Require all denied" (or "Deny from all")`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`# should not be modified.`
			`# These are in place in order to harden Cacti.`
block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00			`<Directory /usr/share/cacti/log>`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`<IfModule mod_authz_core.c>`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Require all denied`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
			`<IfModule !mod_authz_core.c>`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Order deny,allow`
			`Deny from all`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00			`</Directory>`
			`<Directory /usr/share/cacti/rra>`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`<IfModule mod_authz_core.c>`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Require all denied`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
			`<IfModule !mod_authz_core.c>`
Adjust ACLs to support httpd 2.4. 2012-03-27 02:14:52 +00:00			`Order deny,allow`
			`Deny from all`
Adjust httpd ACL conditionals to test the presence of mod_authz_core (as discussed on fedora-devel) 2012-04-06 15:59:08 +00:00			`</IfModule>`
block HTTP access to log and rra directories (BZ #609856) 2011-10-27 22:44:43 +00:00			`</Directory>`