fredo783
 asked on

How to secure cgi-bin under document root - or move it above document root?

Hi:

I'm migrating a site to a Hostgator shared hosting site under Linux CentOS. Security is a paramount concern.

The old website was on an Apache server that had Perl scripts in cgi-bin. The cgi-bin resided above the document root. This was excellent from a security perspective, as the cgi-bin directory is not publicly visible.

On the new server, cgi-bin lives under the document root, as in www/cgi-bin. It could be publicly visible.

I put index.html and hello_world.pl files in www/cgi-bin and changed permissions to 755. In both cases, I got an error message: Internal Server Error. This is likely Apache-generated. So perhaps the directory is already completely secure.

Support says that I could move cgi-bin above the document root, but .htaccess changes would be required and they really don't know what those changes would be. They also said that I could not move cgi-bin.  Guess the answer depends on the weather.

They also said that scripts in cgi-bin are protected by Apache and can only be accessed by the owner.

Is it reasonable to assume that the current www/cgi-bin directory is secure at this point?

Is it reasonable to move it myself to above the document root? Where might I find .htaccess rules to do so?

This thread is related to my question:
https://www.experts-exchange.com/Programming/Languages/Scripting/CGI/Q_20845090.html

Thanks very much.

Fred
Scripting Languages, Perl, Apache Web Server

Last Comment
fredo783

8/22/2022 - Mon
SOLUTION
Jan Bacher

fredo783

ASKER
Hi, Jesper:

There is no default .htaccess on this shared hosting site. I also do not have access to httpd.conf, nor can I modify Apache.
ASKER CERTIFIED SOLUTION
Dave Baldwin

fredo783

ASKER
Thanks, folks. It appears that Apache is configured in this environment to protect files in the default www/cgi-bin directory.
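
An added example, not part of the original thread: a local audit of the points raised in the question, namely which files sit in www/cgi-bin, their permission bits, and script header problems that commonly end in Apache's Internal Server Error. The `.pl`/`.cgi` extension set, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

SCRIPT_EXTS = {".pl", ".cgi"}  # assumption: extensions this site uses for CGI scripts

def audit_cgi_dir(cgi_dir):
    """Return sorted (relative_path, finding) pairs for entries under cgi_dir."""
    findings = []
    for root, dirs, files in os.walk(cgi_dir):
        for name in dirs + files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode
            rel = os.path.relpath(path, cgi_dir)
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((rel, "writable by group or others"))
            if not stat.S_ISREG(mode):
                continue
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                # In a script directory Apache tries to execute every file.
                findings.append((rel, "not a CGI script"))
                continue
            if not mode & stat.S_IXUSR:
                findings.append((rel, "not executable by owner"))
            with open(path, "rb") as fh:
                first = fh.readline()
            if not first.startswith(b"#!"):
                findings.append((rel, "missing #! interpreter line"))
            elif first.endswith(b"\r\n"):
                findings.append((rel, "CRLF after #! line"))
    return sorted(findings)

def build_sample(cgi_dir):
    body = b'print "Content-type: text/plain\\n\\nHello\\n";\n'
    samples = {  # constructed sample files, named after those in the question
        "hello_world.pl": (b"#!/usr/bin/perl\r\n" + body, 0o755),
        "index.html": (b"<html></html>\n", 0o755),
        "ok.pl": (b"#!/usr/bin/perl\n" + body, 0o755),
        "upload.pl": (b"#!/usr/bin/perl\n" + body, 0o777),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(cgi_dir, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_cgi_dir(tmp), sep="\n")
```

Pointing `audit_cgi_dir` at a real cgi-bin lists the entries worth reviewing; an empty result covers only these file-level checks, not the server's configuration.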