author | Vishant Gautam <gautamvishant@gmail.com> | 2014-08-15 08:11:18 +0200 |
---|---|---|
committer | Simon Green <sgreen@redhat.com> | 2014-08-15 08:11:18 +0200 |
commit | b67291634e79ae6eb2571d38ec27854e275775a6 (patch) | |
tree | b90561a5ffccbd347a637e98a675d03f07397069 | |
parent | 7e1bdaae6b5da5daf52d5c3615b4d0c446842f23 (diff) | |
Bug 1019290 - Add instructions to remove query strings from Apache log
r=sgreen, a=glob
-rw-r--r-- | docs/en/rst/installation.rst | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/en/rst/installation.rst b/docs/en/rst/installation.rst index ef7423d2d..ca69667f4 100644 --- a/docs/en/rst/installation.rst +++ b/docs/en/rst/installation.rst @@ -748,6 +748,29 @@ Without this directive, Apache will not follow symbolic links to places outside its own directory structure, and you will be unable to run Bugzilla. +Apache *httpd * log files with bugzilla +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +For security reasons it is recommended to prevent Apache from logging +query strings. + +For example: +When external systems interact with Bugzilla via webservices (REST/XMLRPC/JSONRPC) +they include the user's credentials as part of the URL (query-string). For security +reasons we recommend configuring Apache to not include the query-string in its log +files to avoid storing passwords in clear text on the server. + +#. Load :file:`httpd.conf` or :file:`apache2.conf` in your editor. + In most of the Linux distributions this file is found in :folder:`/etc/httpd/conf/httpd.conf` + or in :folder:`/etc/apache2/apache2.conf`. + +#. Find the following line in the above mentioned file. + LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined. + +#. Replace \"%r\" with \"%m %U\". + +#. Now restart Apache. + .. _http-apache-mod_perl: Apache *httpd* with mod_perl |
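Review bot: In step 2 the LogFormat line is written as ordinary list-item text, so reST will fold it into the preceding sentence, treat the backslashes as escapes (the rendered text will show "%r" rather than \"%r\"), and the trailing period reads as part of the directive; end the sentence with "::" and put the directive in an indented literal block, and write the two formats in step 3 as inline literals so the backslashes survive. Step 2 also names only the vhost_combined format, so any other LogFormat line containing %r that a CustomLog refers to would still record the query string; the step should say to change every such line. Replacing %r with "%m %U" drops the protocol that %r included, and "%m %U %H" would keep the log format otherwise unchanged. The format still logs %{Referer}i, which can carry a query string from a previous Bugzilla URL, so it is worth saying whether that is in scope. In step 1 the two paths are files, so :file: fits them better than :folder:, and the new heading has a stray space in "*httpd *" that will stop the emphasis from rendering (the next heading uses "*httpd*") and spells "bugzilla" in lower case.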