Apache Security · 12 September 2005, 07:42 by Admin
I rather hoped this was better than it is. Don’t get me wrong, it’s not bad, and it’s probably worth having, but it could have been a lot better.
First complaint: the index is lousy. Several times I wanted to go back and review something that I had read about in an earlier chapter, but was unable to find what I wanted with the index and had to resort to flipping through pages. Second, some of the material just is not explained well: if you are not already quite expert at Apache, you will find parts of this very confusing. Of course, that’s a bit unfair: you really can’t expect a book dedicated to Apache security to spend a lot of time explaining basics. But even given that, there were several places were I felt awash and couldn’t understand what was being discussed. I also felt that the author gave short shrift to those folks who may not be able to compile from source (people on shared web servers may be able to modify their httpd.conf but not much else)
On the other hand, this is pretty fair coverage of all Apache security aspects and gives quite a bit of attention to sharing from the viewpoint of the admin who provides web hosting for others. But as I said, it’s only fair coverage, and you will likely find yourself Googling for more information on much of what is presented. That’s not necessarily a condemnation: if the author even attempted complete, detailed coverage, this would make the big Sendmail book look thin by comparison. Probably we should look at this as an overview; something to raise our awareness of possibilities and concerns, something more detailed than http://httpd.apache.org/docs-2.0/misc/security_tips.html.
By the way, Ivan is the author of the Apache mod_security module, and he devotes twenty six pages to explaining how to use that module. The problem here is not lack of knowledge, just lack of space. As I read this over, I feel like I’m leaving the impression that this isn’t worthwhile, and that is not what I want to leave you with. It could have been better, and most especially it could have been longer and better indexed, but it is worthwhile. And parts of it are really excellent: Chapter 4, which deals with SSL and TLS is one of the best treatments I’ve ever read on this subject.