In this chapter I will show you:
There are two major “branches” of Apache that are still fully supported: 1.3.x and 2.0.x (the latest ones at the time of writing are 1.3.29 and 2.0.48). Remember that by the time this book goes to print the versions will probably have been updated. You have two options for downloading Apache:
In this book I will only cover downloading and installing the “official” Apache server source distributed by the Apache Software Foundation.

Is It Safe to Download?

The very first step in installing Apache is downloading the Apache package from http://httpd.apache.org/download.cgi. Downloading Apache is very straightforward. Unfortunately, it is not without danger: the Apache web site (or, more likely, one of its many mirror sites) might have been hacked, and a maliciously modified version of Apache might have replaced the real distribution file. This fake version could do exactly what it was supposed to do, plus open a back door on the server that was running it (and maybe somehow notify the person who originally wrote the code for the back door). The Apache Software Foundation is well aware of this problem, so it signs its own packages. It is up to you to check that the signature of the package you downloaded is correct. In this section I will show you how to do that step by step.

Making Sure Your Apache Is Right Using GnuPG

Every official Apache package comes with a digital signature, intended to assure you that your package is genuine. To sign a file, as well as to verify the validity of an existing signature, you can use GnuPG (http://www.gnupg.org), a free clone of Pretty Good Privacy (PGP). If you are security-conscious, it’s probably worth your while to study how GnuPG works.
In the next section, I will introduce the basic concepts behind cryptography, while showing what commands you can use to verify your Apache package. I will refer to these concepts to make sure that you know exactly what each command does.
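The check described above can be scripted so that a package is accepted only when the signature is good and was made by the key you expect, since GnuPG reports a good signature for any key present in the keyring. This is an added example, not code from the book: the function names and the sample fingerprint and status lines are constructed, and it assumes `gpg` is installed and that you have the project's KEYS file and the package's detached `.asc` signature.

```shell
#!/bin/sh
# Added example: verify a detached signature and pin the signer's fingerprint.

# Read GnuPG --status-fd lines on stdin; succeed only if the signature is good
# AND was made by the expected key. $1 = 40-hex-digit fingerprint, no spaces.
status_is_trusted() {
    want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    case $want in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#want}" -eq 40 ] || return 2
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Any of these means the signature must not be relied on.
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "GOODSIG" { good = 1 }
        # VALIDSIG: field 3 is the signing key, the last field its primary key.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
        END { exit !(good && pinned && !bad) }
    '
}

# $1 = KEYS file, $2 = detached .asc signature, $3 = downloaded tarball,
# $4 = signer fingerprint obtained from a source other than the mirror.
verify_release() {
    home=$(mktemp -d) || return 1
    # A throwaway keyring keeps unrelated keys from satisfying the check.
    gpg --homedir "$home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null |
        status_is_trusted "$4"
    rc=$?
    rm -rf "$home"
    return "$rc"
}

# Constructed sample data: a placeholder fingerprint and status output.
SAMPLE_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Signer
[GNUPG:] VALIDSIG $SAMPLE_FPR 2004-01-01 1072915200 0 3 0 17 2 00 $SAMPLE_FPR"
SAMPLE_BAD="[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Signer"

# Run as: script KEYS package.tar.gz.asc package.tar.gz FINGERPRINT
if [ "$#" -eq 4 ]; then
    verify_release "$@" && echo "signature OK" || { echo "DO NOT INSTALL"; exit 1; }
fi
```

The fingerprint passed as the fourth argument has to come from somewhere the attacker who altered a mirror could not also have altered; a KEYS file fetched from the same compromised mirror proves nothing on its own.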