author Vishant Gautam <gautamvishant@gmail.com> 2014-08-15 08:11:18 +0200
committer Simon Green <sgreen@redhat.com> 2014-08-15 08:11:18 +0200
commit b67291634e79ae6eb2571d38ec27854e275775a6 (patch)
tree b90561a5ffccbd347a637e98a675d03f07397069
parent 7e1bdaae6b5da5daf52d5c3615b4d0c446842f23 (diff)
Bug 1019290 - Add instructions to remove query strings from Apache log
r=sgreen, a=glob
-rw-r--r-- docs/en/rst/installation.rst 23
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/en/rst/installation.rst b/docs/en/rst/installation.rst
index ef7423d2d..ca69667f4 100644
--- a/docs/en/rst/installation.rst
+++ b/docs/en/rst/installation.rst
@@ -748,6 +748,29 @@ Without this directive, Apache will not follow symbolic links
to places outside its own directory structure, and you will be
unable to run Bugzilla.
+Apache *httpd * log files with bugzilla
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For security reasons it is recommended to prevent Apache from logging
+query strings.
+
+For example:
+When external systems interact with Bugzilla via webservices (REST/XMLRPC/JSONRPC)
+they include the user's credentials as part of the URL (query-string). For security
+reasons we recommend configuring Apache to not include the query-string in its log
+files to avoid storing passwords in clear text on the server.
+
+#. Load :file:`httpd.conf` or :file:`apache2.conf` in your editor.
+ In most of the Linux distributions this file is found in :folder:`/etc/httpd/conf/httpd.conf`
+ or in :folder:`/etc/apache2/apache2.conf`.
+
+#. Find the following line in the above mentioned file.
+ LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined.
+
+#. Replace \"%r\" with \"%m %U\".
+
+#. Now restart Apache.
+
.. _http-apache-mod_perl:
Apache *httpd* with mod_perl
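Review bot: steps 2 and 3 rewrite only the `vhost_combined` format, so query strings can still reach the log through any other LogFormat line that contains `%r`, and through `\"%{Referer}i\"`, which stays in the quoted line and can record the query string of the referring page. Suggest wording step 2 as "each LogFormat line that a CustomLog directive uses" (step 1 names both httpd.conf and apache2.conf, and the quoted line may not be present in both), and saying what to do with the Referer field. The LogFormat line in step 2 should go in a literal block (`::`): as list text, reST consumes the backslashes, and the trailing period after `vhost_combined` reads as part of the directive. Step 3 has the same escaping problem and should use inline literals for the two strings. In the heading, `*httpd *` has a space before the closing asterisk, so the emphasis will not render (the next section writes `*httpd*`), and "bugzilla" should be capitalised. Step 1 marks the two paths with `:folder:` although they are files and the same step uses `:file:` for them; use `:file:` throughout. The opening paragraph and the "For example:" paragraph both state the recommendation, so one of them can carry it alone.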