apache_security [2014/02/14 23:07] (current) – created - external edit 127.0.0.1
====== Apache Security ======

  * [[Apache]]
  * [[Apache Server Info]]
  * [[Apache SSL]]
  * [[Apache suExec]]
  * [[CentOS Apache Security]]

Some ways to increase security using Apache 2.2.

  * [[http://httpd.apache.org/security/vulnerabilities_22.html|Apache httpd 2.2 vulnerabilities]]

==== core ====

Most of the directives below belong to the httpd core (there is no module named mod_core); the ones that come from other modules are noted where they appear.

== Minimal server info ==

<code>
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
</code>

With Prod the header shrinks to ''Server: Apache''; the product name is still disclosed. This only denies version details to casual scanners and is no substitute for applying the fixes listed on the vulnerabilities page above. In 2.2 the directive is server-wide (it cannot be set per virtual host), and it also caps what ServerSignature is allowed to show.
 +
== Lower timeout ==

The default values (CentOS: 120, Gentoo: 300) are high and can be reduced to limit how long an idle or slow connection holds a worker, which helps mitigate a denial of service, unintentional or otherwise.

<code>
# Timeout: The number of seconds before receives and sends time out.
Timeout 45
</code>

Note that Timeout alone does not stop slow-request attacks such as Slowloris: the timer restarts on every packet received, so a client that sends one byte every few seconds never trips it. On 2.2.15 and later, mod_reqtimeout (RequestReadTimeout) bounds the total time allowed to receive the request headers and body and is the right control for that case.
 +
== Disable trace behavior ==

<code>
# TraceEnable
# This directive overrides the behavior of TRACE for both the core server and
# mod_proxy. The default TraceEnable on permits TRACE requests per RFC 2616,
# which disallows any request body to accompany the request. TraceEnable off
# causes the core server and mod_proxy to return a 405 (Method not allowed)
# error to the client.
# The packaged httpd.conf this comment is taken from turns it off by default
# (bug #240680); stock httpd leaves it on.
TraceEnable off
</code>

TRACE echoes the full request, including Cookie and Authorization headers, back to the client, which is what cross-site tracing (XST) abuses. TRACE cannot be denied with a Limit section; TraceEnable is the supported control. After the change, a TRACE request should receive a 405 instead of an echo of its own headers.
 +
== Disable server signature ==

<code>
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off
</code>
 +
== Disable range headers ==

This is the workaround Apache published for the 2011 Range header denial of service (CVE-2011-3192) in 2.2.x before 2.2.20. RequestHeader is provided by mod_headers, not the core. On 2.2.20 and later the bug is fixed and the workaround is no longer needed; keeping it disables HTTP partial content for every client.

<code>
RequestHeader unset Range
</code>

Note that this may break certain clients, such as those used for e-readers, resumable downloads and progressive/HTTP-streaming video.

Furthermore, to ignore the Netscape Navigator 2-3 and MSIE 3 specific legacy header, add:

<code>RequestHeader unset Request-Range</code>
 +
== Disable FileETag ==

<code>FileETag None</code>

In 2.2 the default is ''INode MTime Size'', which leaks the file's inode number in the ETag header and makes ETags for the same file differ between servers behind a load balancer. ''None'' removes the header entirely, which also disables If-None-Match conditional requests; ''FileETag MTime Size'' keeps that caching benefit while dropping the inode.
 +
== Ignore client requests with indexes ==

<code>IndexOptions IgnoreClient</code>

This directive belongs to mod_autoindex. Clients can append query-string options to a directory URL to change the sort column or output format of a listing; IgnoreClient makes the listing ignore all of them. It only matters where directory listings are enabled at all; where they are not needed, remove Indexes from the Options of that directory so no listing is generated.
 +
== Message digests ==

  * [[http://httpd.apache.org/docs/2.2/mod/core.html#contentdigest|ContentDigest]]

Adds a Content-MD5 header carrying an MD5 digest of the response body, an integrity check useful for proxies and clients. It only works for documents served by the core file handler (static files like HTML, images, downloads), not for output produced by modules such as PHP or CGI.

<code>
ContentDigest On
</code>

The digest is computed on every request and is not cached, so it costs CPU on large or frequently requested files. It detects corruption in transit, not tampering: anyone who can alter the body can also rewrite the header, so it is no replacement for TLS (see [[Apache SSL]]).

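As an added example (not part of the original page, and not a tool from the Apache project), the following Python script scans an httpd.conf for the directives covered above and reports which recommendations are not applied. The two configurations embedded in it are constructed samples; the 60-second Timeout threshold and the ''pre_2_2_20'' switch that decides whether the Range workaround is expected are assumptions you can adjust.

```python
"""Audit an Apache 2.2 httpd.conf for the hardening directives discussed above.

Added example, not part of the original page. The sample configurations are
constructed; the checks encode the page's recommendations (ServerTokens Prod,
ServerSignature Off, TraceEnable off, low Timeout, FileETag without INode,
Range headers unset on pre-2.2.20 builds, IndexOptions IgnoreClient,
ContentDigest On). The 60-second Timeout limit is an assumed threshold.
"""

# Constructed sample: a stock-looking 2.2 configuration with weak defaults.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
Timeout 300
# TraceEnable off
FileETag INode MTime Size
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the settings this page recommends.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
Timeout 45
TraceEnable off
RequestHeader unset Range
RequestHeader unset Request-Range
FileETag MTime Size
IndexOptions IgnoreClient
ContentDigest On
"""


def parse_directives(conf_text):
    """Return [(name, args)] with names lower-cased (Apache ignores their case).

    Comment and blank lines are skipped and container tags such as <Directory>
    are ignored, so every directive is treated as server scope.
    """
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def last_value(directives, name):
    """Apache honours the last occurrence of a server-scope directive; do the same."""
    found = [args for n, args in directives if n == name]
    return found[-1] if found else None


def audit(conf_text, max_timeout=60, pre_2_2_20=False):
    """Return a list of human-readable findings; an empty list means no issues."""
    d = parse_directives(conf_text)
    findings = []

    tokens = last_value(d, "servertokens")
    if tokens is None or tokens[0].lower() != "prod":
        findings.append("ServerTokens is %s; set Prod"
                        % (tokens[0] if tokens else "unset (default Full)"))

    sig = last_value(d, "serversignature")
    if sig is None or sig[0].lower() != "off":
        findings.append("ServerSignature is not Off")

    trace = last_value(d, "traceenable")
    if trace is None or trace[0].lower() != "off":
        findings.append("TraceEnable is not off (httpd default is on)")

    timeout = last_value(d, "timeout")
    if timeout is None or not timeout[0].isdigit() or int(timeout[0]) > max_timeout:
        findings.append("Timeout is %s; lower it to %d or less"
                        % (timeout[0] if timeout else "unset (default 300)", max_timeout))

    # 2.2 default is 'INode MTime Size'; flag an absent directive or any INode/+INode.
    etag = last_value(d, "fileetag")
    if etag is None or any(a.lower() in ("inode", "+inode") for a in etag):
        findings.append("FileETag includes INode; use 'MTime Size' or None")

    # The Range/Request-Range workaround is only expected on httpd before 2.2.20.
    if pre_2_2_20:
        unset = {args[1].lower() for n, args in d
                 if n == "requestheader" and len(args) >= 2 and args[0].lower() == "unset"}
        for hdr in ("Range", "Request-Range"):
            if hdr.lower() not in unset:
                findings.append("RequestHeader unset %s missing (CVE-2011-3192 workaround)" % hdr)

    idx = last_value(d, "indexoptions")
    if idx is None or not any(a.lower().lstrip("+") == "ignoreclient" for a in idx):
        findings.append("IndexOptions IgnoreClient not set")

    digest = last_value(d, "contentdigest")
    if digest is None or digest[0].lower() != "on":
        findings.append("ContentDigest is not On")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print("%s config: %d finding(s)" % (label, len(result)))
        for f in result:
            print("  - " + f)
```

Run it against a real configuration with ''audit(open("/etc/httpd/conf/httpd.conf").read())''. The scan deliberately mirrors Apache's rule that the last occurrence of a directive wins, so a hardened setting early in the file that is overridden later is still reported; it does not follow Include lines or honour IfModule conditions, so check included files separately.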