This is a small checklist of how to secure the Apache webserver. I wrote this mostly for my own personal use, but I hope it proves useful for others, too. For any suggestions or comments, please feel free to contact me.
Note: This is work in progress. More content will be added as time permits.
The checklist:
- First step: Secure the operating system. On an insecure operating system, you can't have a secure webserver.
- Run Apache under a distinct user and group (e.g. www-data:www-data). Do not run it as root:root or nobody:nogroup!
User www-data
Group www-data
- Only enable those Apache modules (using the AddModule directive) which are absolutely necessary. Disable all others.
These are the minimum requirements for a basic Apache install:
- httpd_core - Core Module
- mod_access - For Allow, Deny and Order directives
- mod_auth - For HTTP Basic Authentication
- mod_dir - For using index files like index.html
- mod_log_config - For logging
- mod_mime - For character set, content-encoding, content-language, and MIME types of documents
Especially dangerous modules which should be disabled: mod_autoindex (generates directory listings wherever no index file exists) and mod_info (exposes the server configuration over HTTP).
- Don't display more information about the webserver, its version and configuration than absolutely necessary:
ServerSignature Off
ServerTokens Prod
- First, deny access to everything. Then, explicitly allow access for only those directories you need to.
<Directory />
Order deny,allow
Deny from all
</Directory>
<Directory "/var/www/www.example.com">
Order allow,deny
Allow from all
</Directory>
- If you're paranoid, don't run Apache on port 80, but choose another port. Problem: Your users must know the port.
- If possible, run Apache in a chroot.
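As an added example (not part of the original checklist), a small Python script that audits an httpd.conf text against the items above: user/group, the dangerous modules, ServerSignature/ServerTokens, and the default-deny root directory. Both sample configurations are constructed for this example and use the Apache 1.3 AddModule syntax the checklist refers to.

```python
import re

# Constructed sample showing the weak settings this checklist warns about.
WEAK_CONF = """\
User nobody
Group nogroup
AddModule mod_autoindex.c
AddModule mod_info.c
ServerSignature On
ServerTokens Full
<Directory />
Order allow,deny
Allow from all
</Directory>
"""
# Constructed sample following the checklist.
HARDENED_CONF = """\
User www-data
Group www-data
AddModule mod_mime.c
ServerSignature Off
ServerTokens Prod
<Directory />
Order deny,allow
Deny from all
</Directory>
"""
DANGEROUS_MODULES = ("mod_autoindex", "mod_info")

def _directive(conf, name):
    """Value of the last `name` directive in the config, or None if unset."""
    vals = re.findall(rf"^\s*{name}\s+(\S+)", conf, re.M | re.I)
    return vals[-1] if vals else None

def audit_httpd_conf(conf):
    """Return a list of checklist violations found in an httpd.conf text."""
    findings = []
    user, group = _directive(conf, "User"), _directive(conf, "Group")
    if user in (None, "root", "nobody") or group in (None, "root", "nogroup"):
        findings.append("run under a distinct user/group, not root or nobody")
    for mod in DANGEROUS_MODULES:  # e.g. "AddModule mod_info.c"
        if re.search(rf"^\s*AddModule\s+{mod}\.c", conf, re.M | re.I):
            findings.append(f"{mod} is enabled")
    # Apache defaults when unset: ServerSignature Off, ServerTokens Full.
    if (_directive(conf, "ServerSignature") or "Off").lower() != "off":
        findings.append("ServerSignature is not Off")
    if (_directive(conf, "ServerTokens") or "Full").lower() != "prod":
        findings.append("ServerTokens is not Prod")
    # The root <Directory /> block must deny everything before subtrees are allowed.
    root = re.search(r"<Directory\s+/>(.*?)</Directory>", conf, re.S | re.I)
    body = root.group(1) if root else ""
    if not (re.search(r"Order\s+deny,allow", body, re.I) and re.search(r"Deny\s+from\s+all", body, re.I)):
        findings.append("<Directory /> does not deny access by default")
    return findings
```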
Further Reading
Source: Uwe Hermann
License: Creative Commons - Share Alike