Differences
This shows you the differences between two versions of the page.
|
apache_security [2014/02/14 16:07] |
apache_security [2014/02/14 16:07] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== Apache Security ====== | ||
| + | |||
| + | * [[Apache]] | ||
| + | * [[Apache Server Info]] | ||
| + | * [[Apache SSL]] | ||
| + | * [[Apache suExec]] | ||
| + | * [[CentOS Apache Security]] | ||
| + | |||
| + | Some ways to increase security using Apache 2.2. | ||
| + | |||
| + | * [[http://httpd.apache.org/security/vulnerabilities_22.html|Apache httpd 2.2 vulnerabilities]] | ||
| + | |||
| + | ==== mod_core ==== | ||
| + | |||
| + | == Minimal server info == | ||
| + | |||
| + | <code> | ||
| + | # ServerTokens | ||
| + | # This directive configures what you return as the Server HTTP response | ||
| + | # Header. The default is 'Full' which sends information about the OS-Type | ||
| + | # and compiled in modules. | ||
| + | # Set to one of: Full | OS | Minor | Minimal | Major | Prod | ||
| + | # where Full conveys the most information, and Prod the least. | ||
| + | ServerTokens Prod | ||
| + | </code> | ||
| + | |||
| + | == Lower timeout == | ||
| + | |||
| + | The default values (CentOS: 120, Gentoo: 300) are high, and can be reduced to help mitigate a denial of service, unintentional or otherwise. | ||
| + | |||
| + | <code> | ||
| + | # Timeout: The number of seconds before receives and sends time out. | ||
| + | Timeout 45 | ||
| + | </code> | ||
| + | |||
| + | == Disable trace behavior == | ||
| + | |||
| + | <code> | ||
| + | # TraceEnable | ||
| + | # This directive overrides the behavior of TRACE for both the core server and | ||
| + | # mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616, | ||
| + | # which disallows any request body to accompany the request. TraceEnable off | ||
| + | # causes the core server and mod_proxy to return a 405 (Method not allowed) | ||
| + | # error to the client. | ||
| + | # For security reasons this is turned off by default. (bug #240680) | ||
| + | TraceEnable off | ||
| + | </code> | ||
| + | |||
| + | == Disable server signature == | ||
| + | |||
| + | <code> | ||
| + | # Optionally add a line containing the server version and virtual host | ||
| + | # name to server-generated pages (internal error documents, FTP directory | ||
| + | # listings, mod_status and mod_info output etc., but not CGI generated | ||
| + | # documents or custom error documents). | ||
| + | # Set to "EMail" to also include a mailto: link to the ServerAdmin. | ||
| + | # Set to one of: On | Off | EMail | ||
| + | ServerSignature Off | ||
| + | </code> | ||
| + | |||
| + | == Disable range headers == | ||
| + | |||
| + | <code> | ||
| + | RequestHeader unset Range | ||
| + | </code> | ||
| + | |||
| + | Note that this may break certain clients - such as those used for e-Readers and progressive/http-streaming video. | ||
| + | |||
| + | Furthermore to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header - add: | ||
| + | |||
| + | <code>RequestHeader unset Request-Range</code> | ||
| + | |||
| + | == Disable FileEtag == | ||
| + | |||
| + | <code>FileEtag None</code> | ||
| + | |||
| + | == Ignore client requests with indexes == | ||
| + | |||
| + | <code>IndexOptions IgnoreClient</code> | ||
| + | |||
| + | == Message digests == | ||
| + | |||
| + | * [[http://httpd.apache.org/docs/2.2/mod/core.html#contentdigest|ContentDigest]] | ||
| + | |||
| + | Adds an integrity check useful for proxies and clients. This will only work with files sent by mod_core (static files like HTML, images, downloads) and not any modules (PHP). | ||
| + | |||
| + | <code> | ||
| + | ContentDigest On | ||
| + | </code> | ||
| + | |||
