Apache Hardening
================

xCAT uses Apache HTTP Server to serve install media, postscripts, and boot
files to nodes during provisioning. The default configuration prioritizes
ease of deployment, but administrators should apply the hardening measures
below to reduce the attack surface.

Directory Indexing Disabled by Default
--------------------------------------

Starting with xCAT 2.18, directory indexing (``Options Indexes``) is disabled
by default for the ``/install`` and ``/tftpboot`` directories. This prevents
unauthenticated users from browsing directory listings and discovering file
paths. All provisioning workflows continue to work because nodes fetch files
by their known paths.

If you are upgrading from an earlier version of xCAT, update your Apache
configuration manually. Remove ``Indexes`` from the ``/install`` and
``/tftpboot`` blocks, but add explicit exceptions for the directories that
provisioning scripts crawl recursively.

**Apache 2.4** (RHEL 7+, SLES 12+, Ubuntu 16.04+)::

    # /etc/httpd/conf.d/xcat.conf
    <Directory "/tftpboot">
        Options FollowSymLinks Includes MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/install">
        Options FollowSymLinks Includes MultiViews
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/install/postscripts">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <Directory "/install/post">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

**Apache 2.2** (RHEL 6, SLES 11)::

    # /etc/httpd/conf.d/xcat.conf
    <Directory "/tftpboot">
        Options FollowSymLinks Includes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/install">
        Options FollowSymLinks Includes MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/install/postscripts">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/install/post">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

.. warning::

   Do not remove ``Indexes`` from ``/install/postscripts`` or
   ``/install/post``. xCAT provisioning scripts use recursive ``wget`` to
   download all files from these directories and depend on Apache directory
   listings to discover file paths.

Sensitive Directories
---------------------

The following directories under ``/install`` may contain sensitive data and
should be protected with restrictive filesystem permissions:

``/install/custom/``
    Custom postscripts, templates, and package lists. May contain hardcoded
    credentials or internal configuration details.

``/install/syncfiles/``
    Files synchronized to nodes. May include password files, SSL certificates,
    or application secrets.

``/install/autoinst/``
    Generated kickstart and preseed files. Contains root password hashes and
    full network configuration for each node. Nodes fetch these over HTTP
    during installation, so filesystem permissions cannot be restricted without
    breaking provisioning. Use IP-based access control (see below) to limit
    access to the management network instead.

Set restrictive permissions where possible::

    chmod 750 /install/custom
    chmod 750 /install/syncfiles

.. note::

   Do not restrict filesystem permissions on ``/install/postscripts``,
   ``/install/autoinst``, or the OS media directories (e.g.,
   ``/install/rhels9/``), as nodes require HTTP access to these during
   provisioning. Protect these paths with network-level controls instead.

Database Backups
----------------

Never store xCAT database backups under ``/install``. The database contains
BMC credentials, password table entries, and full cluster topology. Store
backups in a directory not served by Apache, for example::

    dumpxCATdb -p /root/xcat-backups

Network Binding
---------------

By default, Apache listens on all interfaces. In environments where the
management network is separate from other networks, bind Apache to the
management interface only::

    # /etc/httpd/conf/httpd.conf
    Listen 10.0.0.1:80

Replace ``10.0.0.1`` with the management node's IP on the provisioning
network.

IP-Based Access Control
-----------------------

For additional protection, restrict access to the provisioning subnet::

    # Apache 2.4+
    <Directory "/install">
        Options FollowSymLinks Includes MultiViews
        AllowOverride None
        Require ip 10.0.0.0/16
    </Directory>
    <Directory "/install/postscripts">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require ip 10.0.0.0/16
    </Directory>
    <Directory "/install/post">
        Options Indexes FollowSymLinks
        AllowOverride None
        Require ip 10.0.0.0/16
    </Directory>

Replace ``10.0.0.0/16`` with your management network CIDR in all blocks.
This ensures only nodes on the provisioning network can access install media.

.. note::

   If ``linuximage.otherpkgdir`` points to a custom path under ``/install``
   outside of ``/install/post`` (e.g., ``/install/custom/mypkgs``), add an
   additional ``<Directory>`` block for that path with ``Options Indexes``
   to allow recursive package downloads.

.. warning::

   If service nodes or hierarchical xCAT setups are in use, ensure all service
   node IPs are included in the allowed range.