
Configuration - Apache

This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)

TABLE OF CONTENTS:
  1. Secure Installation and Configuration
  2. Asymmetric Encryption and GnuPG
  3. GnuPG and Apache Signatures
  4. Checking and Installing Apache
  5. Running Apache and Testing it with Nikto
  6. Secure Configuration
  7. File Permissions
  8. Don't Give Extra Information Away
  9. Apache and SSL
  10. Generate Certificates
  11. Configuration
By: Apress Publishing
August 17, 2004


You need to place the files server.crt and server.key in your conf directory:

[root@merc root]# cp server.crt server.key /usr/local/apache2/conf/

For simplicity's sake, I will place all the SSL directives in a different file. Normally, they would reside in the main httpd.conf file, inside <VirtualHost> directives. In this example, I will place an Include directive in the httpd.conf file:

Include conf/ssl.conf

You can now set your ssl.conf file. Here is an example:

# Some MIME types
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# Server-wide options
Listen 443

SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost _default_:443>
  DocumentRoot "/usr/local/apache2/htdocs"
  ServerName new.host.name:443

  ServerAdmin you@your.address
  ErrorLog logs/error_log
  TransferLog logs/access_log

  # Enable SSL with specific encryption methods.
  # This is the stock 2.0-era cipher string: it still permits export-grade,
  # LOW and SSLv2 suites, which is one reason this configuration is not
  # meant for a production server as-is.
  SSLEngine on
  SSLCipherSuite ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  # Set the server's key and certificate
  SSLCertificateFile /usr/local/apache2/conf/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/server.key

  # Export the SSL_* environment variables only to scripts that need them
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/usr/local/apache2/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>

  # Ugly hack: work around MSIE's broken keepalive and SSL shutdown handling
  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  # SSL logging (the trailing backslash continues the directive on the next line)
  CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

You can choose a different server key and certificate for each virtual server you manage. Also, note that because SSLPassPhraseDialog is set to builtin, Apache will ask you to key in the server.key's pass-phrase every time it starts.

Remember that this is only a basic configuration, and shouldn't be used in a production server. For more detailed information about configuring mod_ssl, please read Chapter 3 of the official documentation at http://www.modssl.org/docs/2.8/ssl_reference.html. In this section I explained briefly how to install and configure mod_ssl. I didn't get into details mainly because the available documentation is excellent.
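As an added example (not code from the book): a small Python audit of an ssl.conf fragment like the one above. It joins backslash-continued lines the way the SetEnvIf and CustomLog entries use them, and reports the cipher-string classes (EXPORT56, LOW, SSLv2, EXP, eNULL) that the basic configuration does not exclude with a "!". The sample fragment and the tightened cipher string are constructed for illustration.

```python
"""Audit an Apache 2.0-era ssl.conf fragment for cipher classes left enabled."""

# Constructed sample: the page's cipher string, split with a trailing
# backslash exactly as Apache's config reader accepts continuation lines.
SAMPLE_CONF = """\
Listen 443
<VirtualHost _default_:443>
  SSLEngine on
  SSLCipherSuite ALL:!ADH:EXPORT56:RC4+RSA:+HIGH:+MEDIUM:\\
+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/local/apache2/conf/server.crt
  SSLCertificateKeyFile /usr/local/apache2/conf/server.key
</VirtualHost>
"""

# Constructed tightened string: every weak class is excluded with "!".
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2"

# OpenSSL cipher-string classes that a hardened string excludes with "!".
WEAK_CLASSES = {"eNULL", "aNULL", "ADH", "EXP", "EXPORT40", "EXPORT56", "LOW", "SSLv2"}


def parse_directives(text):
    """Return (name, value) pairs; joins '\\'-continued lines, skips comments and tags."""
    directives, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continuation: keep accumulating
            pending = line[:-1]
            continue
        pending = ""
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, _, value = line.partition(" ")
        directives.append((name, value.strip()))
    return directives


def unexcluded_weak_classes(cipher_string):
    """Weak classes that appear in an SSLCipherSuite value without a leading '!'."""
    found = []
    for token in cipher_string.split(":"):
        bare = token.lstrip("+")
        if bare in WEAK_CLASSES and not token.startswith("!"):
            found.append(bare)
    return found


def audit(text):
    """Human-readable findings for one ssl.conf fragment."""
    conf = dict(parse_directives(text))
    findings = []
    if conf.get("SSLEngine", "off").lower() != "on":
        findings.append("SSLEngine is not on")
    for cls in unexcluded_weak_classes(conf.get("SSLCipherSuite", "")):
        findings.append(f"SSLCipherSuite does not exclude weak class {cls}")
    return findings
```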

  Checkpoints
  • Obtain the Apache package from a secure source (such as http://httpd.apache.org), or your distribution's FTP site or CD-ROM.

  • Check the integrity of the package you obtain (using GnuPG, MD5, or using the tools provided by your distribution).

  • Be aware of exactly what each directive does, and what possible consequences the directives have for your server's security. You should configure Apache so that httpd.conf contains only the directives you actually need.

  • Apply all the basic security checks on your configuration: file permissions, protection of root's home page, deletion of any default files, disabling of any extra information on your server, and disabling of the TRACE method.

  • Make sure that you have protected important files (such as .htaccess) using mod_access; and make sure that you need to make minimal modifications to your httpd.conf file (uncomment specific, prewritten lines) to block a particular IP address.

  • Learn a little about mod_rewrite, and use it to prevent people from using your web site's images.

  • Install and configure SSL (when required) using the latest SSL implementation available; obtain a valid certificate from a Certificate Authority.

  • Test your installation's strength using an automatic auditing program (such as Nikto, Nessus, SAINT, or SARA).

This chapter is from Hardening Apache, by Tony Mobily (Apress, 2004, ISBN: 1590593782).