Differences

This shows you the differences between two versions of the page.

Link to this comparison view

apache_security [2014/02/14 16:07] (current)
Line 1: Line 1:
 +====== Apache Security ======
 +
 +  * [[Apache]]
 +  * [[Apache Server Info]]
 +  * [[Apache SSL]]
 +  * [[Apache suExec]]
 +  * [[CentOS Apache Security]]
 +
 +Some ways to increase security using Apache 2.2.
 +
 +  * [[http://​httpd.apache.org/​security/​vulnerabilities_22.html|Apache httpd 2.2 vulnerabilities]]
 +
 +==== mod_core ====
 +
 +== Minimal server info ==
 +
 +<​code>​
 +# ServerTokens
 +# This directive configures what you return as the Server HTTP response
 +# Header. The default is '​Full'​ which sends information about the OS-Type
 +# and compiled in modules.
 +# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
 +# where Full conveys the most information,​ and Prod the least.
 +ServerTokens Prod
 +</​code>​
 +
 +== Lower timeout ==
 +
 +The default values (CentOS: 120, Gentoo: 300) are high, and can be reduced to help mitigate a denial of service, unintentional or otherwise.
 +
 +<​code>​
 +# Timeout: The number of seconds before receives and sends time out.
 +Timeout 45
 +</​code>​
 +
 +== Disable trace behavior ==
 +
 +<​code>​
 +# TraceEnable
 +# This directive overrides the behavior of TRACE for both the core server and
 +# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
 +# which disallows any request body to accompany the request. TraceEnable off
 +# causes the core server and mod_proxy to return a 405 (Method not allowed)
 +# error to the client.
 +# For security reasons this is turned off by default. (bug #240680)
 +TraceEnable off
 +</​code>​
 +
 +== Disable server signature ==
 +
 +<​code>​
 +# Optionally add a line containing the server version and virtual host
 +# name to server-generated pages (internal error documents, FTP directory
 +# listings, mod_status and mod_info output etc., but not CGI generated
 +# documents or custom error documents).
 +# Set to "​EMail"​ to also include a mailto: link to the ServerAdmin.
 +# Set to one of:  On | Off | EMail
 +ServerSignature Off
 +</​code>​
 +
 +== Disable range headers ==
 +
 +<​code>​
 +RequestHeader unset Range
 +</​code>​
 +
 +Note that this may break certain clients - such as those used for e-Readers and progressive/​http-streaming video.
 +
 +Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header - add:
 +
 +<​code>​RequestHeader unset Request-Range</​code>​
 +
 +== Disable FileEtag ==
 +
 +<​code>​FileEtag None</​code>​
 +
 +== Ignore client requests with indexes ==
 +
 +<​code>​IndexOptions IgnoreClient</​code>​
 +
 +== Message digests ==
 +
 +  * [[http://​httpd.apache.org/​docs/​2.2/​mod/​core.html#​contentdigest|ContentDigest]]
 +
 +Adds an integrity check useful for proxies and clients. ​ This will only work with files sent by mod_core (static files like HTML, images, downloads) and not any modules (PHP).
 +
 +<​code>​
 +ContentDigest On
 +</​code>​
 +