Every server program comes with a prepackaged configuration file that can often be left nearly intact (think of FTP or Sendmail). Apache is different; its configuration is rather complicated. The standard configuration file provided with it is meant to show most of its capabilities, rather than a perfectly configured server. Many (if not most) system administrators only apply minor changes to the standard http.conf file; therefore, capabilities such as WebDav and multi-language support (for example) are often found in English-only sites, which have no intention of offering WebDav functionalities. I will now show you an alternative approach to Apache configuration.A Basic httpd.conf File
The idea is to configure Apache starting from an empty httpd.conf file, and add only the modules that are strictly necessary. In this example I 1will cover Apache 2. x running on Linux, but the same concepts can be applied to Apache 2. x and Apache 1.3. x on any platform.
To do this, you should create a backup copy of the default httpd.conf file first, which can be used as a reference in the future. You should then delete all the module-dependent MPM options that donít apply to you. MPM stands for Multi-Processing Module, and is a mechanism used by Apache to manage multiple threads accepting connections at the same time. Your Apache server will need at least one MPM module. A list of available modules is available at http://httpd.apache.org/docs-2.0/mod/ in the ďCore Features and Multi-Processing ModulesĒ section. Normally, newly installed servers use the standard and well-established prefork MPM. If you are not sure what MPM you are using, you can use the httpd -l command, like this:
[root@merc root]# /usr/local/apache2/bin/httpd -l
You can delete from your httpd.conf file entries such as:
You can also delete all the <IfModule prefork.c>
You should then:
The goal should be to have a clear, easily readable httpd.conf file that is fully understandable and easy to maintain, by you and by the system administrators who will change it in the future. Apacheís documentation is a very precious aid. These links are especially useful: http://httpd.apache.org/docs-2.0/mod/ and http://httpd.apache.org/docs-2.0/mod/directives.html. You should use this as an opportunity to fully understand what each option does, and why you should keep it on your server. When you are deciding whether to keep something or not, remember that the shorter your file is, the better it is, and that you can always copy lines over from the backup httpd.conf file.
This is what your httpd.conf file should look like after all the trimming (remember that you can, and should, add more comments for clarity):
# This is a prefork server
#LoadModule access_module modules/mod_access.so
# Change the server's owner
# Server info
# Minimal permissions for any directory
# More permissive options for sub-directories.
# Security filters, saves .htaccess files
# Mime types information
# Info given out. It can be Full,OS,Minor,Minimal,Major,Prod
# CGI SCRIPTS
# Set the default charset, prevents XSS
# Ugly but important hacks
This file as it is wonít work. When you try to restart Apache, you will get a message like this:
[root@merc htdocs]# /usr/local/apache2/bin/apachectl start
The reason is simple: Apache is lacking the module that is responsible for making Order an acceptable configuration directive.
You can find Order at http://httpd.apache.org/docs2.0/mod/directives.html, and after clicking on it you are taken to a page that will tell you what module defines it. In this case, you can read
You then have to uncomment the following line:
# LoadModule access_module modules/mod_access.so
You will need to repeat this process a number of times. Eventually, you will probably uncomment the following lines:
LoadModule access_module modules/mod_access.so
Finally, you should also uncomment the following line to enable mod_rewrite, an important module for security:
LoadModule rewrite_module modules/mod_rewrite.soOther Recommendations
It is hard to summarize in a few points what to do to make your Apache configuration more secure. The most important advice is to carefully read the available documentation, find out exactly what each directive does, and simply do not use anything unless itís necessary.
In this section I will highlight configuration options that you should be aware of to keep your Apache server more secure. Some of them are from the page http://httpd.apache.org/docs2.0/misc/security_tips.html.
blog comments powered by Disqus