====== Apache Security ======

  * [[Apache]]
  * [[Apache Server Info]]
  * [[Apache SSL]]
  * [[Apache suExec]]
  * [[CentOS Apache Security]]

Some ways to increase security using Apache httpd 2.2. Check the upstream vulnerability list for the release you are running before relying on configuration workarounds alone:

  * [[http://httpd.apache.org/security/vulnerabilities_22.html|Apache httpd 2.2 vulnerabilities]]

==== core ====

Most of the directives below belong to the core module. ''RequestHeader'' needs mod_headers and ''IndexOptions'' needs mod_autoindex; both are loaded by the stock CentOS and Gentoo configs.

== Minimal server info ==

<code>
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
</code>

''ServerTokens'' also controls the detail shown by ''ServerSignature''; ''Prod'' reduces the ''Server'' header to just ''Apache''. Hiding the version does not remove any bug, it only stops version-based scanners from fingerprinting the host trivially.

== Lower timeout ==

The default values (CentOS: 120, Gentoo: 300) are high, and can be reduced to help mitigate a denial of service, unintentional or otherwise. ''Timeout'' bounds how long httpd waits for a client to send or accept data, so a slow or stalled client holds a worker for at most this long.

<code>
# Timeout: The number of seconds before receives and sends time out.
Timeout 45
</code>

== Disable trace behavior ==

The TRACE method echoes the request back to the client, headers included, which is what cross-site tracing attacks use to read cookies or authorization headers from a script. Upstream httpd leaves TRACE enabled by default; the comment below comes from the Gentoo config, which ships it disabled.

<code>
# TraceEnable
# This directive overrides the behavior of TRACE for both the core server and
# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
# which disallows any request body to accompany the request. TraceEnable off
# causes the core server and mod_proxy to return a 405 (Method not allowed)
# error to the client.
# For security reasons this is turned off by default. (bug #240680)
TraceEnable off
</code>

== Disable server signature ==

<code>
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
</code>

== Disable range headers ==

Stripping the ''Range'' header before the core sees it disables byte-range serving altogether. This was the workaround for the 2011 byte-range denial-of-service bug (CVE-2011-3192); patched 2.2.x releases handle overlapping ranges safely, so keep this only if you cannot update. Requires mod_headers.

<code>
RequestHeader unset Range
</code>

Note that this may break certain clients, such as those used for e-Readers and progressive/HTTP-streaming video, and it also breaks resuming of interrupted downloads. To ignore the legacy header used by Netscape Navigator 2-3 and MSIE 3 as well, add:

<code>
RequestHeader unset Request-Range
</code>

== Disable FileETag ==

The 2.2 default, ''FileETag INode MTime Size'', embeds the file's inode number in the ''ETag'' header. That leaks filesystem details and makes ETags differ between servers in a cluster, defeating caches. ''None'' stops httpd from generating ETags for static files; conditional requests then fall back to ''Last-Modified''.

<code>
FileETag None
</code>

== Ignore client-supplied index options ==

mod_autoindex lets clients change directory listings through query-string parameters (sort column, order, column widths). ''IgnoreClient'' makes the listing ignore all such parameters.

<code>
IndexOptions IgnoreClient
</code>

== Message digests ==

  * [[http://httpd.apache.org/docs/2.2/mod/core.html#contentdigest|ContentDigest]]

Adds a ''Content-MD5'' header as an integrity check useful for proxies and clients. This only works for documents served by the core (static files like HTML, images, downloads), not for content generated by modules such as PHP. The digest is computed on every request and not cached, so it costs CPU on busy servers.

<code>
ContentDigest On
</code>
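As an added example (not part of the original page or of the httpd project), the following Python script audits an httpd.conf for every directive covered above. It parses directive names case-insensitively as httpd does, treats the last occurrence of a directive as the effective one (a simplification: it ignores ''<VirtualHost>'' and ''<Directory>'' scoping), and is run here against two constructed sample configs, one CentOS-style default and one hardened.

```python
"""Lint an httpd 2.2 config for the hardening directives on this page.

Added example; the sample configs below are constructed, not taken from
any real host. Scoping (<VirtualHost>, <Directory>) is deliberately
ignored: the last top-level occurrence of a directive wins.
"""
import re

# Expected values for the directives discussed above. httpd compares
# directive names case-insensitively, and most values too, so we lower() both.
EXPECTED = {
    "ServerTokens": ("Prod",),
    "ServerSignature": ("Off",),
    "TraceEnable": ("Off",),
    "FileETag": ("None",),
    "ContentDigest": ("On",),
}
MAX_TIMEOUT = 45        # seconds, the value recommended above
DEFAULT_TIMEOUT = 300   # httpd's compiled-in default when Timeout is unset

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.*?)$")


def parse_directives(config_text):
    """Return (name, value) pairs, skipping comments, blanks and <Section> tags.

    httpd only honours whole-line comments, so a '#' inside a value is kept.
    """
    directives = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        match = DIRECTIVE_RE.match(line)
        if match:
            directives.append((match.group(1), match.group(2).strip()))
    return directives


def audit(config_text):
    """Return {directive: problem} for each missing or weak setting.

    An empty dict means every check on this page is satisfied.
    """
    findings = {}
    directives = parse_directives(config_text)
    effective = {}
    for name, value in directives:
        effective[name.lower()] = value   # last occurrence wins

    for name, ok_values in EXPECTED.items():
        value = effective.get(name.lower())
        if value is None:
            findings[name] = "not set (httpd default applies)"
        elif value.lower() not in [v.lower() for v in ok_values]:
            findings[name] = "is %r, expected %s" % (value, " or ".join(ok_values))

    timeout = effective.get("timeout")
    if timeout is None:
        findings["Timeout"] = "not set (httpd default %d applies)" % DEFAULT_TIMEOUT
    elif not timeout.isdigit() or int(timeout) > MAX_TIMEOUT:
        findings["Timeout"] = "is %s, expected <= %d" % (timeout, MAX_TIMEOUT)

    # The Range workaround is a mod_headers directive, so look for the
    # specific "RequestHeader unset Range" line rather than a single value.
    range_unset = any(
        name.lower() == "requestheader" and re.match(r"unset\s+range$", value, re.I)
        for name, value in directives
    )
    if not range_unset:
        findings["Range"] = "RequestHeader unset Range not present"
    return findings


# Constructed sample: what a stock CentOS httpd.conf roughly looks like.
WEAK_CONF = """\
# constructed sample, CentOS-style defaults
ServerTokens OS
ServerSignature On
Timeout 120
FileETag INode MTime Size
"""

# Constructed sample: the settings recommended on this page.
HARDENED_CONF = """\
ServerTokens Prod
Timeout 45
TraceEnable off
ServerSignature Off
RequestHeader unset Range
FileETag None
ContentDigest On
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (label, audit(conf) or "no findings"))
```

Run it against your own file with ''audit(open("/etc/httpd/conf/httpd.conf").read())''; anything it reports is a directive that differs from the values above, not necessarily a vulnerability, so check each finding against the caveats in the relevant section (for example, the ''Range'' finding is expected on a patched server).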