> -----Original Message-----
> From: David Southwell [mailto:da...@vizion2000.net]
> Sent: 29 December 2009 16:23
> To: mailman-users@python.org
> Cc: Mark Sapiro; Steff Watkins
> Subject: Re: [Mailman-Users] Archive access Forbidden
> OK guys -- thank you everyone BUT BUT
> Alias /pipermail "/usr/local/mailman/archives/public"
> <Directory "/usr/local/mailman/archives/public/">
> Options FollowSymLinks ExecCGI
> AllowOverride None
> Order allow,deny
> Allow from all
> Options Indexes MultiViews
> AddDefaultCharset Off
> DirectoryIndex index.html
> </Directory>

Errm... suggestion... tidy up! :)

AFAIK Apache doesn't allow you to just sequentially "add" Options lines together. If I've read it correctly, the "Options Indexes MultiViews" would cancel the "Options FollowSymLinks ExecCGI" as it is a later instruction. I could be wrong on that, been a while since I went grubbing around in Apache's mechanics.

My own setup for this looks like:

    Alias /pipermail/ "/usr/local/mailman/archives/public/"
    <Directory "/usr/local/mailman/archives/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

No Indexes, no MultiViews and definitely No ExecCGI. Something just makes me feel queasy about making a web archive of a public mailing list in a way that it might be possible to have someone include a script in the mail that may have an ever so slight chance of executing. You're not running SSIs, are you?

Really, make life as easy as possible for yourself. K.I.S.S... Kiss It Simple, Sunshine! As simple as you can possibly get away with.

One other problem with this is that we only see the "relevant" part of the httpd.conf file. I am not knocking you for that, security minded people work on the idea of least-disclosed the better. Problem is that there may be a directive in some other part of the httpd.conf file which totally banjaxes your mailman setup.

Are you in a position to run a test instance of the webserver, say on something like port 8080 with a totally plain-vanilla stock httpd.conf file? You could then inject the mailman configuration into that and see what is needed to make it work.
If you then inject those changes into your standard (port 80) httpd.conf and they still fail, you would at least know that there was some directive in the original webserver setup that was playing havoc with your mailman setup.

Regards,
S Watkins
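
Added example, not part of the original message and not Mailman or Apache code: Apache processes the Options lines of a section in order, and a line whose options carry no + or - prefix replaces the set built so far. The sketch below applies that rule to the quoted <Directory> block; the function names and the RISKY set are assumptions made for illustration.

```python
import re

# Options the reply does not want on a public archive (Includes turns on SSI).
RISKY = {"ExecCGI", "Includes"}

# Constructed sample: the <Directory> block quoted in the message above.
QUOTED_BLOCK = """\
<Directory "/usr/local/mailman/archives/public/">
    Options FollowSymLinks ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    Options Indexes MultiViews
    AddDefaultCharset Off
    DirectoryIndex index.html
</Directory>
"""

def effective_options(block):
    """Return (effective, dropped) option sets for one <Directory> block."""
    effective, seen = set(), set()
    for line in block.splitlines():
        m = re.match(r"\s*Options\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        words = m.group(1).split()
        relative = [w[0] in "+-" for w in words]
        if any(relative) and not all(relative):
            raise ValueError("mixed +/- and bare options")  # httpd 2.4 refuses this too
        if not any(relative):
            effective = set()  # a bare list replaces everything set before it
        for w in words:
            name = w.lstrip("+-")
            if w.startswith("-"):
                effective.discard(name)
            elif name != "None":  # "All" is kept as a literal, not expanded
                effective.add(name)
                seen.add(name)
    return effective, seen - effective

def audit(block):
    """List what a reviewer would raise for an archive directory."""
    effective, dropped = effective_options(block)
    findings = [f"risky option enabled: {o}" for o in sorted(effective & RISKY)]
    findings += [f"set earlier but not in effect: {o}" for o in sorted(dropped)]
    return findings

if __name__ == "__main__":
    print(sorted(effective_options(QUOTED_BLOCK)[0]), audit(QUOTED_BLOCK))
```
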