4.4. HTTP Server Configuration

The Bugzilla Team recommends Apache when using Bugzilla, however, any web server that can be configured to run CGI scripts should be able to handle Bugzilla. No matter what web server you choose, but especially if you choose something other than Apache, you should be sure to read Section 5.6.

The plan for this section is to eventually document the specifics of how to lock down permissions on individual web servers.

4.4.1. Apache httpd

As mentioned above, the Bugzilla Team recommends Apache for use with Bugzilla. You will have to make sure that Apache is properly configured to run the Bugzilla CGI scripts. You also need to make sure that the .htaccess files created by ./checksetup.pl (shown in Example 4-1 for the curious) are allowed to override Apache's normal access permissions or else important password information may be exposed to the Internet.

Many Apache installations are not configured to run scripts anywhere but in the cgi-bin directory; however, we recommend that Bugzilla not be installed in the cgi-bin, otherwise the static files such as images and JavaScript will not work correctly. To allow scripts to run in the normal web space, the following changes should be made to your httpd.conf file.

To allow files with a .cgi extension to be run, make sure the following line exists and is uncommented:


AddHandler cgi-script .cgi
        

To allow .htaccess files to override permissions and .cgi files to run in the Bugzilla directory, make sure the following two lines are in a Directory directive that applies to the Bugzilla directory on your system (either the Bugzilla directory or one of its parents).


Options +ExecCGI 
AllowOverride Limit
        

Note

For more information on Apache and its directives, see the glossary entry on Apache.

Example 4-1. .htaccess files for Apache

$BUGZILLA_HOME/.htaccess

# don't allow people to retrieve non-cgi executable files or our private data
<FilesMatch ^(.*\.pl|.*localconfig.*|processmail|runtests.sh)$>
  deny from all
</FilesMatch>
<FilesMatch ^(localconfig.js|localconfig.rdf)$>
  allow from all
</FilesMatch>
          

$BUGZILLA_HOME/data/.htaccess

# nothing in this directory is retrievable unless overriden by an .htaccess
# in a subdirectory; the only exception is duplicates.rdf, which is used by
# duplicates.xul and must be loadable over the web
deny from all
<Files duplicates.rdf>
  allow from all
</Files>
          

$BUGZILLA_HOME/data/webdot

# Restrict access to .dot files to the public webdot server at research.att.com 
# if research.att.com ever changed their IP, or if you use a different
# webdot server, you'll need to edit this
<FilesMatch ^[0-9]+\.dot$>
  Allow from 192.20.225.10
  Deny from all
</FilesMatch>

# Allow access by a local copy of 'dot' to .png, .gif, .jpg, and
# .map files
<FilesMatch ^[0-9]+\.(png|gif|jpg|map)$>
  Allow from all
</FilesMatch>

# And no directory listings, either.
Deny from all
          

$BUGZILLA_HOME/Bugzilla/.htaccess

# nothing in this directory is retrievable unless overriden by an .htaccess
# in a subdirectory
deny from all
          

$BUGZILLA_HOME/template/.htaccess

# nothing in this directory is retrievable unless overriden by an .htaccess
# in a subdirectory
deny from all
          

4.4.2. Microsoft Internet Information Services

If you need, or for some reason even want, to use Microsoft's Internet Information Services or Personal Web Server you should be able to. You will need to configure them to know how to run CGI scripts, however. This is described in Microsoft Knowledge Base article Q245225 for Internet Information Services and Q231998 for Personal Web Server.

Also, and this can't be stressed enough, make sure that files such as localconfig and your data directory are secured as described in Section 5.6.

4.4.3. AOL Server

Ben FrantzDale reported success using AOL Server with Bugzilla. He reported his experience and what appears below is based on that.

AOL Server will have to be configured to run CGI scripts, please consult the documentation that came with your server for more information on how to do this.

Because AOL Server doesn't support .htaccess files, you'll have to create a TCL script. You should create an aolserver/modules/tcl/filter.tcl file (the filename shouldn't matter) with the following contents (change /bugzilla/ to the web-based path to your Bugzilla installation):


ns_register_filter preauth GET /bugzilla/localconfig filter_deny
ns_register_filter preauth GET /bugzilla/*.pl filter_deny
ns_register_filter preauth GET /bugzilla/localconfig filter_deny
ns_register_filter preauth GET /bugzilla/processmail filter_deny
ns_register_filter preauth GET /bugzilla/syncshadowdb filter_deny
ns_register_filter preauth GET /bugzilla/runtests.sh filter_deny

proc filter_deny { why } {
    ns_log Notice "filter_deny"
    return "filter_return"
}
      

Warning

This doesn't appear to account for everything mentioned in Section 5.6. In particular, it doesn't block access to the data or template directories. It also doesn't account for the editor backup files that were the topic of bug 186383, Bugtraq ID 6501, and a partial cause for the 2.16.2 release.