04 Sep 2006
Securing OS X’s Personal Web Sharing
I recently covered getting the Mac’s built-in web server running nicely and mentioned how switching it on also forces the firewall to open port 80, which isn’t a great idea for a standalone development server.
Assuming you’re using a setup similar to the one I described configuring, a quick’n’dirty fix to keep out prying eyes is to edit /private/etc/httpd/httpd.conf (e.g. with sudo pico /private/etc/httpd/httpd.conf), changing all instances of

    Order allow,deny
    Allow from all

to

    Order deny,allow
    Deny from all
    Allow from localhost

Drop into the users subfolder and do the same for each user’s .conf file, then stop and restart sharing.
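With several files to edit it is easy to miss a block, so the shell function below (an added example, not part of the original post) lists every remaining Allow from all together with its enclosing container. The sample files, their paths and the user name alice are constructed for the demonstration.

```shell
# audit_conf FILE...
# Prints "file:line: <enclosing container>" for each remaining
# "Allow from all"; returns 1 if any were found, 0 otherwise.
audit_conf() {
    awk '
        FNR == 1 { depth = 0 }                        # new file: reset nesting
        /^[ \t]*#/ { next }                           # skip commented-out lines
        /^[ \t]*<\// { if (depth > 0) depth--; next } # closing tag of a container
        /^[ \t]*</ {                                  # opening tag of a container
            line = $0; sub(/^[ \t]+/, "", line)
            name[++depth] = line
            next
        }
        tolower($0) ~ /^[ \t]*allow[ \t]+from[ \t]+all[ \t]*$/ {
            printf "%s:%d: %s\n", FILENAME, FNR, (depth ? name[depth] : "(top level)")
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Constructed sample input: one block already locked down, two that are not.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/users"
cat > "$demo_dir/httpd.conf" <<'EOF'
<Directory "/Library/WebServer/Documents">
    Order deny,allow
    Deny from all
    Allow from localhost
</Directory>
<Directory "/Library/WebServer/CGI-Executables">
    # Allow from all
    Order allow,deny
    Allow from all
</Directory>
EOF
cat > "$demo_dir/users/alice.conf" <<'EOF'
<Directory "/Users/alice/Sites/">
    Order allow,deny
    allow from all
</Directory>
EOF
if audit_conf "$demo_dir/httpd.conf" "$demo_dir"/users/*.conf; then
    echo "no open blocks left"
else
    echo "the blocks listed above still accept remote clients"
fi
rm -rf "$demo_dir"
```

On the machine itself the arguments would be /private/etc/httpd/httpd.conf plus the .conf files in the users subfolder, assuming that subfolder sits beside httpd.conf.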
Your web server will still be reachable, so it’s no substitute for a full firewall block, but external browsers will be denied access to your files (alternatively, you can alter the settings so that the web server doesn’t listen on port 80, but I wanted a fix that wouldn’t clash with Headdress, which seems to include Listen 80 in its block of settings).
You can also add a touch of extra security-through-obscurity by going into
httpd.conf again and setting
Off, reducing the amount of information Apache gives away.