Apache Installation and Configuration (
Page 1 of 4 )
Apache is the most popular web server on the Internet, partly because it is open source. This popularity means that security is very important. Securing the application starts with the way you configure it. This article, the first of six parts, is excerpted from chapter two of Apache Security, written by Ivan Ristic (O'Reilly; ISBN: 0596007248). Copyright © 2006 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.
Installation is the first step in making Apache functional. Before you begin, you should have a clear idea of the installation’s purpose. This idea, together with your paranoia level, will determine the steps you will take to complete the process. The system-hardening matrix (described in Chapter 1) presents one formal way of determining the steps. Though every additional step you make now makes the installation more secure, it also increases the time you will spend maintaining security. Think about it realistically for a moment. If you cannot put in that extra time later, then why bother putting the extra time in now? Don’t worry about it too much, however. These things tend to sort themselves out over time: you will probably be eager to make everything perfect in the first couple of Apache installations you do; then, you will likely back off and find a balance among your security needs, the effort required to meet those needs, and available resources.
As a rule of thumb, if you are building a high profile web server—public or not—always go for a highly secure installation.
Though the purpose of this chapter is to be a comprehensive guide to Apache installation and configuration, you are encouraged to read others’ approaches to Apache hardening as well. Every approach has its unique points, reflecting the personality of its authors. Besides, the opinions presented here are heavily influenced by the work of others. The Apache reference documentation is a resource you will go back to often. In addition to it, ensure you read the Apache Benchmark, which is a well-documented reference installation procedure that allows security to be quantified. It includes a semi-automated scoring tool to be used for assessment.
The following is a list of some of the most useful Apache installation documentation I have encountered:
- Apache Online Documentation (http://httpd.apache.org/docs-2.0/)
- Apache Security Tips (http://httpd.apache.org/docs-2.0/misc/security_tips.html)
- Apache Benchmark (http://www.cisecurity.org/bench_apache.html)
- “Securing Apache: Step-by-Step” by Artur Maj (http://www.securityfocus.com/ printable/infocus/1694)
- “Securing Apache 2: Step-by-Step” by Artur Maj (http://www.securityfocus.com/ printable/infocus/1786)
