Apache basic security

I like to keep all those settings in a separate file called security.conf which I include from httpd.conf.

A wildcard SSL certificate would be configured globally here too. If you have multiple certificates (for example if you switched to the wonderful https://letsencrypt.org/) you will have to define these for each domain name you serve in your vhosts:

SSLCertificateFile    /etc/ssl/apache2/*.adyxax.org.cert
SSLCertificateKeyFile /etc/ssl/apache2/*.adyxax.org.key

The following is the cleanest workaround I could find to cope with old crap:

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

File system protection comes next. I disable access to the entire file system except for the directories that are explicitly allowed later:

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

The following don't directly harden the server, but they prevent the leakage of information that an attacker could take advantage of:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
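As an added example (not part of the original page), this POSIX shell script audits a security.conf for the root-directory deny block and the three information-leakage directives above, ignoring commented-out lines. It accepts the page's Apache 2.2 `Deny from all` syntax as well as the 2.4 equivalent `Require all denied`; the sample config it writes is constructed from the page's own directives.

```shell
#!/bin/sh
# Added example: audit an Apache security.conf for the hardening
# directives discussed on this page. Exit status of audit_conf is the
# number of failed checks, so 0 means everything is in place.

# Constructed sample config mirroring the page's directives.
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF
}

# has_directive FILE DIRECTIVE VALUE: true if an uncommented line sets
# DIRECTIVE to VALUE (case-insensitive, leading whitespace allowed).
has_directive() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# root_denied FILE: true if the <Directory /> block denies all access,
# in either 2.2 (Deny from all) or 2.4 (Require all denied) syntax.
root_denied() {
    awk '/<Directory \/>/ {in_root=1}
         in_root && /Deny from all|Require all denied/ {found=1}
         /<\/Directory>/ {in_root=0}
         END {exit !found}' "$1"
}

# audit_conf FILE: print PASS/FAIL per check, return the failure count.
audit_conf() {
    fails=0
    for pair in "ServerTokens:Prod" "ServerSignature:Off" "TraceEnable:Off"; do
        d=${pair%%:*}; v=${pair#*:}
        if has_directive "$1" "$d" "$v"; then echo "PASS $d $v"
        else echo "FAIL $d should be $v"; fails=$((fails + 1)); fi
    done
    if root_denied "$1"; then echo "PASS <Directory /> denies access"
    else echo "FAIL <Directory /> does not deny access"; fails=$((fails + 1)); fi
    return "$fails"
}
```

Run it against a real file with `audit_conf /etc/apache2/security.conf`; a commented-out `#TraceEnable Off` is reported as a failure, which is the usual way such a setting silently goes missing.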
sysadmin_misc/apache_basic_security.txt · Last modified: 2018/09/25 15:00 (external edit)