Secure Configuration - Apache

Every server program comes with a prepackaged configuration file that can often be left nearly intact (think of FTP or Sendmail). Apache is different; its configuration is rather complicated. The standard configuration file provided with it is meant to show most of its capabilities, rather than a perfectly configured server. Many (if not most) system administrators only apply minor changes to the standard http.conf file; therefore, capabilities such as WebDav and multi-language support (for example) are often found in English-only sites, which have no intention of offering WebDav functionalities. I will now show you an alternative approach to Apache configuration.

The idea is to configure Apache starting from an empty httpd.conf file, and add only the modules that are strictly necessary. In this example I 1will cover Apache 2. x running on Linux, but the same concepts can be applied to Apache 2. x and Apache 1.3. x on any platform.

To do this, you should create a backup copy of the default httpd.conf file first, which can be used as a reference in the future. You should then delete all the module-dependent MPM options that don’t apply to you. MPM stands for Multi-Processing Module, and is a mechanism used by Apache to manage multiple threads accepting connections at the same time. Your Apache server will need at least one MPM module. A list of available modules is available at http://httpd.apache.org/docs-2.0/mod/ in the “Core Features and Multi-Processing Modules” section. Normally, newly installed servers use the standard and well-established prefork MPM. If you are not sure what MPM you are using, you can use the httpd -l command, like this:

[root@merc root]# /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c
[root@merc root]#

You can delete from your httpd.conf file entries such as:

<IfModule perchild.c>
NumServers          5
StartThreads        5
MinSpareThreads     5
MaxSpareThreads    10
MaxThreadsPerChild 20
MaxRequestsPerChild 0
</IfModule>

You can also delete all the <IfModule prefork.c> directives from your httd.conf file.

You should then:

1. Comment out all the LoadModule directives. Note that it is best to keep these directives in your httpd.conf file. You will need some of them, but for now just comment them all out and add the ones you need later.

2. Delete all the options that you are not going to use in the short term. For example: IndexOptions (and all the AddIcon directives), multi-language support (assuming that you are not going to use it), and anything else you are not likely to use.

The goal should be to have a clear, easily readable httpd.conf file that is fully understandable and easy to maintain, by you and by the system administrators who will change it in the future. Apache’s documentation is a very precious aid. These links are especially useful: http://httpd.apache.org/docs-2.0/mod/ and http://httpd.apache.org/docs-2.0/mod/directives.html. You should use this as an opportunity to fully understand what each option does, and why you should keep it on your server. When you are deciding whether to keep something or not, remember that the shorter your file is, the better it is, and that you can always copy lines over from the backup httpd.conf file.

This is what your httpd.conf file should look like after all the trimming (remember that you can, and should, add more comments for clarity):

ServerRoot "/usr/local/apache2"
# Server's options
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

# This is a prefork server

StartServers        5
MinSpareServers     5
MaxSpareServers    10
MaxClients        150
MaxRequestsPerChild 0

#LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
#LoadModule auth_anon_module modules/mod_auth_anon.so #LoadModule auth_dbm_module modules/mod_auth_dbm.so #LoadModule auth_digest_module modules/mod_auth_digest.so #LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule include_module modules/mod_include.so
#LoadModule log_config_module modules/mod_log_config.so #LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule mime_module modules/mod_mime.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule status_module modules/mod_status.so
#LoadModule autoindex_module modules/mod_autoindex.so #LoadModule asis_module modules/mod_asis.so
#LoadModule info_module modules/mod_info.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so #LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule dir_module modules/mod_dir.so
#LoadModule imap_module modules/mod_imap.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule alias_module modules/mod_alias.so
#LoadModule rewrite_module modules/mod_rewrite.so

# Change the server's owner
User nobody
Group nobody

# Server info
ServerAdmin me@mobily.com
ServerName www.server.com:80
UseCanonicalName Off

# Minimal permissions for any directory
<Directory />
   Options -FollowSymLinks
   AllowOverride None
<Directory>

# More permissive options for sub-directories.
<Directory "/usr/local/apache2/htdocs">
   AllowOverride None
   Order allow,deny
   Allow from all
</Directory>

# Security filters, saves .htaccess files
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files*gt

# Mime types information
TypesConfig conf/mime.types
DefaultType text/plain

#Logging
HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access_log common

# Info given out. It can be Full,OS,Minor,Minimal,Major,Prod
ServerTokens Prod
ServerSignature Off

# CGI SCRIPTS
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/cgi-bin">
   AllowOverride None
   Options None
   Order allow,deny
   Allow from all
&/ltDirectory>

# Set the default charset, prevents XSS
AddDefaultCharset ISO-8859-1

# Ugly but important hacks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully|
BrowserMatch "^gnome-vfs" redirect-carefully

This file as it is won’t work. When you try to restart Apache, you will get a message like this:

[root@merc htdocs]# /usr/local/apache2/bin/apachectl start
Syntax error on line 73 of /usr/local/apache2/conf
/httpd.conf:
Invalid command 'Order', perhaps mis-spelled or defined by a module not included in the server configuration
[root@merc htdocs]#

The reason is simple: Apache is lacking the module that is responsible for making Order an acceptable configuration directive.

You can find Order at http://httpd.apache.org/docs2.0/mod/directives.html, and after clicking on it you are taken to a page that will tell you what module defines it. In this case, you can read

Module: mod_access

You then have to uncomment the following line:

# LoadModule access_module modules/mod_access.so

You will need to repeat this process a number of times. Eventually, you will probably uncomment the following lines:

LoadModule access_module modules/mod_access.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule alias_module modules/mod_alias.so

Finally, you should also uncomment the following line to enable mod_rewrite, an important module for security:

LoadModule rewrite_module modules/mod_rewrite.so

It is hard to summarize in a few points what to do to make your Apache configuration more secure. The most important advice is to carefully read the available documentation, find out exactly what each directive does, and simply do not use anything unless it’s necessary.

In this section I will highlight configuration options that you should be aware of to keep your Apache server more secure. Some of them are from the page http://httpd.apache.org/docs2.0/misc/security_tips.html.