Consider Additional Measures For Unprotected Servers - Sun Microsystems Netscape Enterprise Server Administrator's Manual

Being aware of these limitations helps you know what situations to avoid. For
example, you might acquire credit card numbers over an SSL connection, but
are those numbers stored in a secure file on the server machine? What happens
to those numbers after the SSL connection is terminated? You should be
responsible for securing any information clients send to you through SSL.

Consider Additional Measures for Unprotected Servers

If you want to have both protected and unprotected servers, you should
operate the unprotected server on a different machine from the protected one.
If your resources are limited and you must run an unprotected server on the
same machine as your protected server, do the following.
• Assign proper port numbers. Make sure that the protected server and the
unprotected server are assigned different port numbers. The registered
default port numbers are 443 for the protected server and 80 for the
unprotected one.
• For Unix, enable the chroot feature for the document root directory. The
unprotected server should have references to its document root redirected
using chroot.
The purpose of chroot is to allow you to create a second root directory to
limit the server to specific directories. You'd use this feature to safeguard an
unprotected server. For example, you could say that the root directory is
/d1/ms. Then any time the web server tries to access the root directory, it
really gets /d1/ms. If it tries to access /dev, it gets /d1/ms/dev and so on.
This allows you to run the web server on your Unix system, without giving it
access to all the files under the actual root directory.
However, if you use chroot, you need to set up the full directory structure
that Enterprise Server needs, under the alternative root directory, as shown in
the following illustration:
Additional Server Security Considerations
Chapter 5, Working with Server Security 147
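
An added example (not from the manual) of the chroot path mapping described above: `jail_path` shows where a request from the chrooted server lands under the alternative root, and `missing_in_jail` reports paths that have not yet been created there. `/d1/ms` is the manual's sample root; the function names and the list of needed paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the manual. Function names are hypothetical.

# jail_path ROOT PATH
# Print where PATH lands on the real filesystem for a process chrooted to
# ROOT. Lexical only (symlinks are not followed); ".." at the top of the
# jail stays at the top, as it does under chroot(2).
jail_path() {
    root=${1%/}
    out=
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting on "/"
    for part in $2; do
        case $part in
            ''|.) ;;                    # empty or "." component: skip
            ..)   out=${out%/*} ;;      # go up, but never above the jail
            *)    out=$out/$part ;;
        esac
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$root$out"
}

# missing_in_jail ROOT PATH...
# Print every PATH the server needs that does not exist under ROOT.
# Returns 1 if anything is missing, 0 otherwise.
missing_in_jail() {
    jail=$1
    shift
    rc=0
    for need in "$@"; do
        real=$(jail_path "$jail" "$need")
        if [ ! -e "$real" ]; then
            printf 'missing: %s (expected at %s)\n' "$need" "$real"
            rc=1
        fi
    done
    return $rc
}

jail_path /d1/ms /dev                  # -> /d1/ms/dev
jail_path /d1/ms /../../etc/passwd     # -> /d1/ms/etc/passwd
# Constructed list of needed paths; substitute the layout your server requires.
missing_in_jail /d1/ms /dev /tmp || true
```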
