The theory behind module selection says that the smaller the number of modules running, the smaller the chances of a vulnerability being present in the server. Still, I do not think you will achieve much by being too strict with default Apache modules. The likelihood of a vulnerability being present in the code rises with the complexity of the module. Chances are that the really complex modules, such as mod_ssl (and the OpenSSL libraries behind it), are the dangerous ones.
Your strategy should be to identify the modules you need to have as part of an installation and not to include anything extra. Spend some time researching the modules distributed with Apache so you can correctly identify which modules are needed and which can be safely turned off. The complete module reference is available at http:// httpd.apache.org/docs-2.0/mod/.
The following modules are more dangerous than the others, so you should consider whether your installation needs them:
On the other hand, you should include these modules in your installation:
In the configure example, I assumed acceptance of the default module list. In real situations, this should rarely happen as you will want to customize the module list to your needs. To obtain the list of modules activated by default in Apache 1, you can ask the configure script. I provide only a fragment of the output below, as the complete output is too long to reproduce in a book:
$ ./configure --help
As an example of interpreting the output,userdir=yesmeans that the module mod_userdir will be activated by default. Use the--enable-moduleand--disable-moduledirectives to adjust the list of modules to be activated:
$ ./configure \
Obtaining a list of modules activated by default in Apache 2 is more difficult. I obtained the following list by compiling Apache 2.0.49 without passing any parameters to the configure script and then asking the httpd binary to produce a list of modules:
$ ./httpd -l
To change the default module list on Apache 2 requires a different syntax than that used on Apache 1:
$ ./configure \
blog comments powered by Disqus