Sysop:ApacheHardening
With a few configuration tweaks we can harden Apache further, so that it does not disclose too much information and so that unused functionality is inaccessible. You may not need all of these tweaks, and some may even break your setup; however, it is good to be aware of them.
This wiki page is not complete, nor can you be sure that these tweaks will make your Apache completely secure. However, if you know or learn of additional tweaks, or come across mistakes, please feel free to add, change and correct them. Thanks!
Global options
These options should be set globally and not within any VirtualHost or Directory directive.
Server Signature
ServerSignature Off
Prevents the server from giving version information on error pages.
ServerTokens
ServerTokens Prod
Prevents the server from giving version information in HTTP headers.
user / group
User foo
Group foo
Drop privileges to this user and group (UID and GID). This should be set by default.
UserDir
UserDir disabled
This disables all foo.bar/~$user access requests.
On older Apache versions this is a separate module which can be deactivated altogether.
directories
Let Apache access only the files it should have access to. First we deny access to the root of the file system:
<Directory />
    Order deny,allow
    Deny from all
</Directory>
Then we allow Apache to access only our webroot (for example /var/www/) with very restrictive settings; you can relax them later per directory where needed:
<Directory "/var/www/">
    Options FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
manual
Remove the manual alias, as it would disclose too much information and isn't needed.
Alias /manual (remove)
VirtualHost
The following settings should be set in every VirtualHost directive.
trace/track
To deny TRACE and TRACK requests add the following:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
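The effect of ServerTokens, ServerSignature and the TRACE/TRACK rewrite can be verified from the outside by looking at what the server sends back. The following checker is an added example, not code from the wiki page; it parses raw HTTP responses (the four sample responses are constructed, not captured from a real server) and reports a Server header that still carries a version or platform, an error page that still carries the signature footer, and a TRACE request that was answered instead of refused.

```python
"""Check captured HTTP responses for the disclosures the page's tweaks remove.

Added example, not part of the original wiki page; sample responses below are
constructed. Checks: Server header leaks version/platform (ServerTokens not
Prod), error page carries the <address> footer (ServerSignature not Off),
TRACE/TRACK answered instead of forbidden (rewrite rule missing).
"""
import re


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


SIGNATURE_RE = re.compile(r"<address>.*?</address>", re.I | re.S)


def audit_response(method, raw):
    """Return a list of findings for one response to a request made with `method`."""
    status, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # "Apache/2.x" leaks the version; Prod yields just "Apache"
        findings.append("Server header discloses version: " + server)
    if "(" in server:  # "(Debian)" or a module list means ServerTokens OS/Full
        findings.append("Server header discloses platform: " + server)
    if status >= 400 and SIGNATURE_RE.search(body):
        findings.append("error page carries the ServerSignature footer")
    if method.upper() in ("TRACE", "TRACK") and status < 400:
        findings.append("%s was answered with %d, expected 403" % (method.upper(), status))
    return findings


# Constructed sample responses (hypothetical host foo.bar, not real captures).
DEFAULT_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.22 (Debian)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<address>Apache/2.2.22 (Debian) Server at foo.bar Port 80</address>\n"
    "</body></html>"
)
HARDENED_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)
TRACE_ALLOWED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: message/http\r\n"
    "\r\n"
    "TRACE / HTTP/1.1\r\nHost: foo.bar\r\n"
)
TRACE_DENIED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Forbidden</h1></body></html>"
)

if __name__ == "__main__":
    for label, method, raw in (("default 404", "GET", DEFAULT_404),
                               ("hardened 404", "GET", HARDENED_404),
                               ("TRACE allowed", "TRACE", TRACE_ALLOWED),
                               ("TRACE denied", "TRACE", TRACE_DENIED)):
        print(label, "->", audit_response(method, raw) or ["ok"])
```

On a live server the same raw responses can be obtained with a plain HTTP client (for example curl -i, or curl -i -X TRACE for the method check) and fed to audit_response.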
htpasswd
Redirect any authentication to an SSL-secured VirtualHost. You can ensure this by using the Redirect directive in your VirtualHost:
Redirect permanent /secure/ https://secure.foo.bar/secure/
SSL / https
The following settings are for SSL-secured VirtualHosts.
certificate storage
For practical reasons (log rotation etc.) you might not protect your certificate's private key with a password. You should therefore store it on an encrypted hard disk, because if the key gets stolen, any traffic ever secured by this certificate can be disclosed. For example see Autistici / Inventati Crackdown.
To create encrypted hard disks, please have a look at the EncryptedHD pages for Linux or OpenBSD.
ssl cipher suite
To avoid insecure protocols or key lengths being used, add the following to your VirtualHost settings:
SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
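Since the tweaks on this page are spread over the global section, the Directory blocks and every VirtualHost, it is easy to miss one. The auditor below is an added example, not code from the wiki page: it walks the directives of a config text, tracking Directory and VirtualHost nesting, and reports each point from the page that is missing (ServerSignature, ServerTokens, UserDir, the root Directory deny, Indexes/Includes left on, the /manual alias, the TRACE/TRACK rewrite, the /secure/ redirect and the SSLCipherSuite string). It also accepts the Apache 2.4 form Require all denied for the root directory, which the page's 2.2-style Deny from all maps to. The two configs at the bottom are constructed samples, not real server configs.

```python
"""Audit an Apache config text for the hardening points on this page.

Added example, not part of the original wiki page. Sample configs are
constructed. Directive parsing is deliberately simple (one directive per
line, no Include handling).
"""
import re

OPEN_RE = re.compile(r"<(\w+)\s*([^>]*)>$")   # <Directory "/var/www/">, <VirtualHost *:443>
CLOSE_RE = re.compile(r"</\w+>$")


def directives(text):
    """Yield (section_path, name, args); path is the tuple of enclosing sections."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append("%s %s" % (m.group(1), m.group(2).strip().strip('"')))
            continue
        if CLOSE_RE.match(line):
            stack.pop()
            continue
        parts = line.split(None, 1)
        yield tuple(stack), parts[0].lower(), parts[1] if len(parts) > 1 else ""


def audit(text):
    """Return a list of findings; an empty list means every tweak on the page is present."""
    seen = {}
    for path, name, args in directives(text):
        seen.setdefault(name, []).append((path, args))
    get = lambda name: seen.get(name, [])
    findings = []

    # Global options: the last occurrence wins, as in Apache itself.
    for name, want, msg in (("serversignature", "off", "ServerSignature is not Off"),
                            ("servertokens", "prod", "ServerTokens is not Prod"),
                            ("userdir", "disabled", "UserDir is not disabled")):
        values = get(name)
        if not values or values[-1][1].lower() != want:
            findings.append(msg)

    # Root file system: 2.2 syntax (Deny from all) or the 2.4 equivalent (Require all denied).
    in_root = lambda p: bool(p) and p[-1] == "Directory /"
    if not (any(in_root(p) and a.lower() == "from all" for p, a in get("deny")) or
            any(in_root(p) and a.lower() == "all denied" for p, a in get("require"))):
        findings.append("<Directory /> does not deny all access")

    # Options: an option is enabled unless written with a leading '-'.
    for path, args in get("options"):
        for opt in ("Indexes", "Includes"):
            if re.search(r"(^|\s)\+?%s\b" % opt, args):
                findings.append("%s enabled in <%s>" % (opt, path[-1] if path else "global"))

    if any(a.split()[0] == "/manual" for _, a in get("alias") if a):
        findings.append("Alias /manual still present")
    if not any("TRACE" in a for _, a in get("rewritecond")):
        findings.append("no RewriteCond blocking TRACE/TRACK")
    if not any(re.match(r"permanent\s+/secure/\s+https://", a) for _, a in get("redirect")):
        findings.append("/secure/ is not redirected to https")
    for _, args in get("sslciphersuite"):
        if "!ADH" not in args and "!aNULL" not in args:
            findings.append("SSLCipherSuite allows anonymous DH (add !ADH)")
        if not re.search(r"[-!]SSLv2", args):
            findings.append("SSLCipherSuite does not exclude SSLv2 ciphers")
    return findings


# Constructed samples: a default-like config and one with every tweak from the page.
WEAK_CONF = """
ServerSignature On
ServerTokens OS
UserDir public_html
<Directory />
    Options FollowSymLinks
</Directory>
<Directory "/var/www/">
    Options Indexes FollowSymLinks Includes
</Directory>
Alias /manual /usr/share/doc/apache2-doc/manual/
<VirtualHost *:443>
    SSLCipherSuite ALL
</VirtualHost>
"""
HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod
UserDir disabled
<Directory />
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/">
    Options FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    Redirect permanent /secure/ https://secure.foo.bar/secure/
</VirtualHost>
<VirtualHost *:443>
    SSLCipherSuite HIGH:MEDIUM:!ADH:-SSLv2
</VirtualHost>
"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

To run it against a real installation, read the server's main config (and any files it includes) into a string and call audit on it; the TRACE and redirect checks only require that the directives appear somewhere, so check each VirtualHost separately if you want the page's per-VirtualHost rule enforced strictly.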
More
This was about securing your Apache installation itself. However, you should still look into securing your web applications with mod_security and, for example, PHP with the PHP-Hardening Guide.
Maybe also have a look at these Apache modules: