
Apache, like nginx, is powerful and well-maintained. It has a longer history than nginx, though, and has to support some features that probably wouldn't have been implemented if the project were created more recently. One such feature is .htaccess, which makes it so an app's directory, belonging to the app's user, can configure the web server. This is a potential attack vector if the app's directory is writable (not an issue for configurations in /etc which are only writable by root). This feature can be turned off by setting AllowOverride None in /etc/apache2 (/etc/httpd on CentOS). There are other defaults that are better in nginx than Apache as well. Here's a post that has the AllowOverride None suggestion and two others: https://www.jeffgeerling.com/blog/3-small-tweaks-make-apache...
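
One way to check a server for the setting the comment above describes, as an added example that is not part of the original comment: a small Python audit that reports every <Directory> block where AllowOverride is something other than None, meaning .htaccess files there can still change server behaviour. The sample configuration and the function name are constructed for illustration, and the script assumes the configuration text has already been read into one string (it does not follow Include directives).

```python
import re

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
<Directory />
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory "/var/www/app/uploads">
    AllowOverride FileInfo AuthConfig
</Directory>
# AllowOverride All
"""

OPEN_RE = re.compile(r'<Directory(?:Match)?\s+"?([^">]+)"?\s*>', re.I)
CLOSE_RE = re.compile(r'</Directory(?:Match)?\s*>', re.I)
DIRECTIVE_RE = re.compile(r'AllowOverride\s+(.+)', re.I)

def find_htaccess_scopes(conf_text):
    """Return (line_no, directory, value) for each AllowOverride that is not None."""
    findings, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append(opened.group(1).strip())
        elif CLOSE_RE.match(line):
            if stack:
                stack.pop()
        else:
            directive = DIRECTIVE_RE.match(line)
            if directive and directive.group(1).strip().lower() != "none":
                scope = stack[-1] if stack else "(outside <Directory>)"
                findings.append((line_no, scope, directive.group(1).strip()))
    return findings

if __name__ == "__main__":
    for line_no, scope, value in find_htaccess_scopes(SAMPLE_CONF):
        print(f"line {line_no}: {scope} honours .htaccess (AllowOverride {value})")
```
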

