link in default index.html should be HTTPS

Asked by Chris Murray

Hi folks,

When running the Hardenize (https://www.hardenize.com) tool against my web server, it picked up that the default Apache2 web page (located at /var/www/html/index.html) has an insecure link. Upon further investigation, it's the "Document Roots" section, where it says "By default, Ubuntu does not allow access through the web browser to any file outside of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications)."; public_html is a link to the Apache docs page for mod_userdir (https://httpd.apache.org/docs/2.4/mod/mod_userdir.html) but it's being served as an http:// link. IMO this should be updated to be https. Should a bug be filed against the Ubuntu package, the Debian package, or directly against Apache?

All the best,

Chris 8-)

Question information

Language: English
Status: Solved
For: Ubuntu apache2
Assignee: No assignee
Solved by: Chris Murray
Manfred Hampl (m-hampl) said:
#1

That page mentions "Ubuntu", so it's for sure an Ubuntu-provided addition, and the right addressee for a change request is apache2 on Ubuntu. I suggest that you create a bug report.

Remarks:
1. The contents of the file state: "You should <b>replace this file</b> (located at <tt>/var/www/html/index.html</tt>) before continuing to operate your HTTP server."
If you are eager to have a safe setup, why haven't you already done this?

2. As far as I can see the current Debian version has the same weakness. In Debian's index.html I see
"By default, Debian does not allow access through the web browser ...
... href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" ..."
So it does make sense to create a similar bug report also in Debian's bug tracker for the version in Debian.

Chris Murray (chris18890) said:
#2

Thanks for the advice @m-hampl, I'll get a bug report raised :)

Re your remarks:
1: I don't replace it, but I use a new vhost for each site, leaving the default page there as a quick way to test (either manually or using monitoring tools doing an HTTP GET request) that the server itself is alive. Plus, I often scan the default site with tools like Hardenize, securityheaders.com, ssllabs.com, etc. once the server is built but before deploying any other workloads on it, to ensure I'm starting from as stable/updated/secure a base as possible :)

2: Thanks for checking this, I'd not had time to look at the Debian, or any of the RHEL-based, versions yet :)
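The kind of check Hardenize flagged above can be reproduced locally before a scanner ever sees the host: the following is an added example (not code from the thread or from the Apache/Ubuntu packages) that walks the HTML under a document root and reports every href/src/action attribute whose scheme is plain http. The sample HTML is constructed here to mirror the "Document Roots" paragraph of the default page, including the http:// mod_userdir link; `/var/www/html` is only an assumed path for the `scan_docroot` helper.

```python
"""Find plain-http:// references in HTML files, e.g. the default Apache index.html."""
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Attributes that carry a URL a browser (or an external scanner) will follow.
URL_ATTRS = {"href", "src", "action", "data", "poster", "formaction"}


class InsecureLinkFinder(HTMLParser):
    """Collects (line, tag, attribute, url) for every URL whose scheme is http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                url = value.strip()
                # urlsplit lowercases the scheme; protocol-relative "//host" has none.
                if urlsplit(url).scheme == "http":
                    self.findings.append((self.getpos()[0], tag, name, url))


def find_insecure_links(html):
    """Return the list of plain-http references found in one HTML document."""
    parser = InsecureLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_docroot(root="/var/www/html"):
    """Scan every .html file under root (assumed path); returns {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*.html"):
        hits = find_insecure_links(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample modelled on the default page's "Document Roots" paragraph.
SAMPLE = """<html><body>
<p>By default, Ubuntu does not allow access through the web browser to any file
outside of those located in /var/www,
<a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a>
directories (when enabled) and /usr/share (for web applications).</p>
<a href="https://httpd.apache.org/docs/2.4/">Apache documentation</a>
<a href="//example.invalid/protocol-relative">not flagged</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_links(SAMPLE):
        print(f"line {line}: <{tag} {attr}=...> {url}")
```

Run `scan_docroot()` on a freshly built host to get the same finding without an external scanner; https:// and protocol-relative references are left alone.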