HomeApache Page 11 - Secure Installation and Configuration
Configuration - Apache
This chapter provides Apache downloading steps and cautionary tips. Mobily recommends compiling most of the modules dynamically, and leaving the main server stripped to the bones. He covers the free tool Nikto and how to use it. Also see why he says to disable the TRACE method. (From the book Hardening Apache by Tony Mobily, Apress, 2004, ISBN: 1590593782.)
For simplicityís sake, I will place all the SSL directives in a different file. Normally, they would reside in the main httpd.conf file, inside <VirtualHost> directives. In this example, I will place an include directive in the httpd.conf file:
You can now set your ssl.conf file. Here is an example:
# Some mime types AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl
You can choose a different server key and certificate for each virtual server you manage. Also, note that Apache will ask you to key in the server.keyís pass-phrase every time it starts.
Remember that this is only a basic configuration, and shouldnít be used in a production server. For more detailed information about configuring mod_ssl, please read Chapter 3 of the official documentation at http://www.modssl.org/docs/2.8/ssl_reference.html. In this section I explained briefly how to install and configure mod_ssl. I didnít get into details mainly because the available documentation is excellent.
Obtain the Apache package from a secure source (such as http://httpd.apache.org), or your distributionís FTP site or CD-ROM.
Check the integrity of the package you obtain (using GnuPG, MD5, or using the tools provided by your distribution).
Be aware of exactly what each directive does, and what possible consequences the directives have for your serverís security. You should configure Apache so that httpd.conf contains only the directives you actually need.
Apply all the basic security checks on your configuration: file permissions, protection of rootís home page, deletion of any default files, disabling of any extra information on your server, and disabling of the TRACE method.
Make sure that you have protected important files (such as .htaccess) using mod_access; and make sure that you need to make minimal modifications to your httpd.conf file (uncomment specific, prewritten lines) to block a particular IP address.
Learn a little about mod_rewrite, and use it to prevent people from using your web siteís images.
Install and configure SSL (when required) using the latest SSL implementation available; obtain a valid certificate from a Certificate Authority.
Test your installationís strength using an automatic auditing program (such as Nikto, Nessus, SAINT, or SARA).
This chapter is from Hardening Apache, by Tony Mobily. (Apress, 2004, ISBN: 1590593782). Check it out at your favorite bookstore today. Buy this book now.