User Tools

Site Tools


Apache basic security

I like to keep all those settings in a separate file called security.conf which I include from httpd.conf.

A wildcard SSL certificate would be configured globally here too. If you have multiple certificates (for example if you switched to the wonderful you will have to define these for each domain name you serve in your vhosts :

SSLCertificateFile    /etc/ssl/apache2/*
SSLCertificateKeyFile /etc/ssl/apache2/*

The following is the cleanest workaround I could find to cope with old crap :

BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

File system protection comes next. I disable access to the entire file system except for the directories that are explicitely allowed later :

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all

The following don't directly affect security but prevent the leakage of information that an attacker could take advantage of :

ServerTokens Prod
ServerSignature Off
TraceEnable Off
sysadmin_misc/apache_basic_security.txt · Last modified: 2018/09/25 15:00 (external edit)