+++ Horde Security Tips
+++++ The content of this page is mainly derived from the security-section in the Horde documentation. It is aimed at system administrators who want to add some extra security to their Horde installations (or for those who are a bit paranoid ;) )
++++ Introduction
The configuration examples here have been tested by me on a Fedora Core 1 system running Apache 2.0.51 with mod_ssl.
My httproot is {{/var/www}} and I made Horde store its stuff in {{/var/cache}} and {{/var/log}}.
I'd like to hear some opinions from administrators of other systems...
++++ Filesystem Permissions
chown -R apache:apache /var/www/html/horde
If your Apache ships with suexec, Horde will be started with the permissions of your webserver from now on.
++++ Apache/PHP Configuration
The Horde documentation suggests an awful lot of
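<Directory "/var/www/html/horde/">
    # Per-directory PHP settings for Horde only
    php_admin_flag safe_mode off
    # PEAR libraries are located through PHP's include_path setting
    php_admin_value include_path "/usr/share/pear"
    php_admin_value open_basedir "/var:/usr"
    php_admin_flag expose_php off
    php_admin_flag display_errors off
    php_admin_flag log_errors on
    php_admin_flag register_globals off
</Directory>
# <Directory> sections cannot nest, so the regex section stands on its own.
# (.*/)? also covers the same directory names inside applications below horde/.
<DirectoryMatch "^/var/www/html/horde/(.*/)?(config|lib|locale|po|scripts|templates)(/.*)?">
    order deny,allow
    deny from all
</DirectoryMatch>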
This way you can safely switch {{php_safe_mode}} on globally and still have Horde working. Please note that you might need to modify the {{open_basedir}} directive. It includes {{/var}} in this example because there are a lot of important things in {{/var}} on my server (i.e. the cache and the logfile for Horde),
The
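The reach of the {{DirectoryMatch}} pattern can be checked offline before Apache is reloaded. The following is an added example, not part of the Horde documentation or of the original page: it assumes the pattern is written with {{.*}} in both optional groups, models the match as an unanchored regex search on the directory path, and uses constructed sample paths.

```python
import re

# The DirectoryMatch pattern, with ".*" in both optional groups (assumption).
DENY = re.compile(
    r"^/var/www/html/horde/(.*/)?"
    r"(config|lib|locale|po|scripts|templates)(/.*)?"
)

# Constructed sample paths; "imp" and "services/portal" stand in for
# application and service directories below the Horde root.
SAMPLES = [
    "/var/www/html/horde/config/conf.php",
    "/var/www/html/horde/imp/config/servers.php",
    "/var/www/html/horde/imp/templates/login/login.inc",
    "/var/www/html/horde/index.php",
    "/var/www/html/horde/imp/compose.php",
    "/var/www/html/horde/services/portal/index.php",
    "/var/www/html/horde/themes/screen.css",
    "/var/www/html/other/config/conf.php",
]


def directory_of(path):
    """Directory part of a file path; the section applies to directories."""
    return path.rsplit("/", 1)[0]


def is_denied(path):
    """Unanchored search on the directory, a simplified model of the match."""
    return DENY.search(directory_of(path)) is not None


def audit(paths):
    """Return {path: 'deny' | 'allow'} for every given path."""
    return {p: "deny" if is_denied(p) else "allow" for p in paths}


if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{verdict:5}  {path}")
```

Because the list of names is followed by an optional group rather than a required slash, a directory whose name merely begins with one of the listed words is denied as well; the constructed {{services/portal}} path is caught through {{po}}.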
Interesting read:
Guide on [http://www.regular-expressions.org RegularExpressions]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directory Directory directive]
Apache 2.0 documentation on the [http://httpd.apache.org/docs-2.0/mod/core.html#directorymatch DirectoryMatch directive]