Bug#822323: apache2 start on default with cgi disabled
Package: apache2
Version: 2.4.10-10+deb8u4
Severity: wishlist
Tags: newcomer
On document root when access localhost on initial configuration not say about
cgi module is disabled say only this
By default, Debian does not allow access through the web browser to any file
apart of those located in /var/www, public_html directories (when enabled) and
/usr/share (for web applications). If your site is using a web document root
located elsewhere (such as in /srv) you may need to whitelist your document
root directory in /etc/apache2/apache2.conf.
The default Debian document root is /var/www/html. You can make your own
virtual hosts under /var/www. This is different to previous releases which
provides better security out of the box.
Please add here this remark "Cgi is disabled on default and must enabled on
order to access /usr/share"
More info here https://bugs.launchpad.net/ubuntu/+source/dwww/+bug/1243839
-- Package-specific info:
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages apache2 depends on:
ii apache2-bin 2.4.10-10+deb8u4
ii apache2-data 2.4.10-10+deb8u4
ii apache2-utils 2.4.10-10+deb8u4
ii dpkg 1.17.26
ii lsb-base 4.1+Debian13+nmu1
ii mime-support 3.58
ii perl 5.20.2-3+deb8u4
ii procps 2:3.3.9-9
Versions of packages apache2 recommends:
ii ssl-cert 1.0.35
Versions of packages apache2 suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii iceweasel [www-browser] 38.7.1esr-1~deb8u1
ii w3m [www-browser] 0.5.3-19
Versions of packages apache2-bin depends on:
ii libapr1 1.5.1-3
ii libaprutil1 1.5.4-1
ii libaprutil1-dbd-sqlite3 1.5.4-1
ii libaprutil1-ldap 1.5.4-1
ii libc6 2.19-18+deb8u4
ii libldap-2.4-2 2.4.40+dfsg-1+deb8u2
ii liblua5.1-0 5.1.5-7.1
ii libpcre3 2:8.35-3.3+deb8u4
ii libssl1.0.0 1.0.1k-3+deb8u4
ii libxml2 2.9.1+dfsg1-5+deb8u1
ii perl 5.20.2-3+deb8u4
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages apache2-bin suggests:
pn apache2-doc <none>
pn apache2-suexec-pristine | apache2-suexec-custom <none>
ii iceweasel [www-browser] 38.7.1esr-1~deb8u1
ii w3m [www-browser] 0.5.3-19
Versions of packages apache2 is related to:
ii apache2 2.4.10-10+deb8u4
ii apache2-bin 2.4.10-10+deb8u4
-- Configuration Files:
/etc/apache2/apache2.conf changed:
Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /usr/share>
AllowOverride None
Require all granted
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
LogLevel debug
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
-- no debconf information
Reply to: