Correctly configure and maintain Apache Web Server Security

Source: Internet
Author: User
Tags apache error log apache log password protection
In the current Internet era, homepage has become an important means to establish a company image and display itself. It is especially important to configure a powerful and secure Web server. Among many Web Server products, Apache is the most widely used product and a very secure program. However, Apache also has security defects like other applications. This article describes in detail how to correctly configure and maintain the security of Apache Web server.

1. Introduction to Apache server

Apache server is one of the most widely used web server software on the Internet. The Apache server is originated from the Web server project of the National super technology Computing Application Center (NCSA. At present, it has assumed a leading position in the Internet. The Apache server must be carefully configured before it can adapt to high-load, high-throughput Internet work. Quick and reliable. with Simple API extensions, the PERL/Python interpreter can be compiled into the server, and is completely free of charge and fully open to source code. If you need to create a web server that is accessible to millions of people every day, Apache may be the best choice.

Ii. Main security defects of the Apache server

As we mentioned in the preface, although the Apache server is the most widely used, it is designed to be a very secure program. However, Apache also has security defects like other applications. After all, it is the full source code. The security defect of Apache server is mainly the denial of service (Denial of Service) attacks using HTTP), buffer overflow attacks, root permissions granted by attackers, and the latest malicious attackers initiate DoS attacks. Reasonable network configuration can protect Apache servers from multiple attacks. Let's introduce the main security defects:

(1) security defects of Denial of Service attacks using HTTP

In this way, attackers can use some methods to make the server refuse to respond to HTTP requests. This will increase Apache's demand for system resources (CPU time and memory), resulting in a slowdown or even complete paralysis of the Apache system.

(2) security defects of Buffer Overflow

In this method, attackers use some defects in programming to make the program deviate from the normal process. The program uses the static allocated memory to store request data. attackers can send an ultra-long request to overflow the buffer. For example, some Perl gateway scripts for processing user requests. Once the buffer zone overflows, attackers can execute malicious commands or shut down the system.

(3) security defects caused by attackers to gain root privileges

This security defect is mainly caused by the fact that Apache servers generally run with the root permission (parent process), through which attackers can obtain the root permission to control the entire Apache system.

(4) security defects caused by DoS attacks by malicious attackers

This latest vulnerability found in June 17 mainly exists in Apache's Chunk encoding, which is an HTTP protocol-Defined Function for receiving data submitted by web users. Hackers can launch effective attacks on Apache servers running on FreeBSD 4.5, OpenBSD 3.0/3.1, and NetBSD 1.5.2.

All said that the use of the highest and latest Security versions is essential to enhance the security of Apache Web servers. Ask the majority of Apache server administrators to go to http://www.apache.org/dist/httpd/download the patch program to ensure the security of their webserver!

3. correctly maintain and configure the Apache server

Although Apache server developers pay great attention to security, due to the huge project of Apache server, there will inevitably be security risks. It is important to correctly maintain and configure the Apache Web server. Notes:

(1) Apache server configuration file

The Apache web server has three configuration files, which are located in the/usr/local/Apache/conf directory. The three files are:

Httpd. Con -----> main configuration file

SRM. conf ------> Add Resource file

Access. conf ---> set Object Access Permissions

Note: Specific configuration can refer to: http://httpd.apache.org/docs/mod/core.html

(2) log files of the Apache server

We can use the log format command to control the information of log files. Use the logformat "% A % L" command to record the IP address and Host Name of the browser sending an HTTP request to the log file. For the sake of security, we should know at least the web users who failed the verification in the log, and add the logformat "% 401u" command in the HTTP. conf file to achieve this purpose. This command has many other parameters. You can refer to the Apache documentation. In addition, the Apache error log file is also very important to the system administrator. The error log file contains the server startup, stop, CGI execution failure, and other information. For more information, see Apache Log Series 1-5.

(3) Directory Security Authentication for Apache servers

In Apache server,. htaccess is allowed for Directory Security protection. to read the protected directory, you must first enter the correct user account and password. This can be used as a directory for specialized management of web page storage or as a Member area.

Put an archive in the protected directory named. htaccss

Authname "member Zone"

Authtype "Basic"

Authuserfile "/var/tmp/xxx. PW" -----> put the password out of the website

Require valid-user

Go to the Apache/bin directory and create the password file.

%./Htpasswd-C/var/tmp/xxx. Pw username1 -----> the parameter "-c" must be used for the first File Creation"

%./Htpasswd/var/tmp/xxx. Pw username2

In this way, the contents in the directory can be protected and valid users can be used for access.

Note: The modules attached to Apache are used. You can also add the following to httpd. conf:

Options indexes followsymlinks

AllowOverride authconfig

Order allow, deny

Allow from all

(4) Apache server access control

We need to look at the third file in the three configuration files, namely the access. conf file, which contains instructions to control which users are allowed to access the Apache directory. Set deny from all as the initialization command, and then use the allow from command to open the access permission.

Order deny, allow

Deny from all

Allow from safechina.net

Allows access from a domain, IP address, or IP address segment.

(5) password protection for Apache servers

We then use the. htaccess file to grant the access permission of a directory to a user. The system administrator needs to use the accessfilename command in the httpd. conf or SRM. conf file to open the access control of the directory. For example:

Authname privatefiles

Authtype basic

Authuserfile/path/to/httpd/users

Require Phoenix

# Htpasswd-C/path/to/httpd/users Phoenix

4. Set the web and file servers of the Apache server

We store web server files on the Apache server for user access, and set the/home/FTP/pub directory as the file storage area. Use http://download.your.com/pub/to prepare the file. Set Apache reverse proxy technology on the firewall for access by the firewall proxy.

(1) Apache server settings

The default configuration is used for the Apache server. The main directory is/home/httpd/html, the host domain name is phoenix.your.com, And the alias is in www.your.com. The definition of setting SRM. conf and adding an alias is as follows:

Alias/pub/home/FTP/pub/

The definition of changing the default application type is as follows:


Defaulttype application/octet-stream at the end of/etc/httpd/CONF/access. add a definition in conf to options indexes AllowOverride authconfig order allow and deny allow from all. Note: Options indexesallows listing directories and files without finding the index.html file. AllowOverride authconfig allows you to perform basic user name and password verification. In this case, put it in the/home/FTP/pub directory. htaccess, content: [root @ shopu pub] # more. htaccess authname Branch Office Public Software Download Area authtype basic authuserfile/etc /. usrpasswd require valid-user # htpasswd-C/etc /. usrpasswd user1 creates different external usernames and passwords that are allowed to access the file service in/pub.

(2) Configure reverse proxy technology on the firewall.


In/etc/httpd/CONF/httpd. add namevirtualhost XXX in Conf. xxx. xxx. xxx # XXX. xxx. xxx. xxx -----> is the permanent IP address servername www.your.com errorlog/var/log/httpd/error_log transferlog/var/log/httpd/access_log rewriteengine on proxyrequests off UseCanonicalName off ^/ (. *) $ http://xxx.xxx.xx.x/$1 the IP address of the Apache server. Servername http://download.your.com/pub/ errorlog/var/log/httpd/download/error_log transferlog/var/log/httpd/download/access_log rewriteengine on proxyrequests off UseCanonicalName off rewriterule ^ /(. *) $ http://xxx.xxx.xx.x/1121 is the same as the IP address of the Apache server.

Set the DNS on the firewall so that both download.your.com and www.your.com point to the firewall's external network address XXX. Visit the home page with a http://www.your.com and use the Download Area of the public file http://download.your.com/pub.

Note: you also need to create the directory/var/log/httpd/download/on the Apache server host; otherwise, an error will occur. In addition, you can set the/home/httpd/html/index.html attribute on the firewall host to 750 to block access, this is the http://www.your.com that prevents external users from accessing the Apache server on the firewall.

Summary: Apache server is a very good and awesome server. As long as you correctly configure and maintain the Apache server, you will feel the benefits of Apache server, I also hope that you can read this article to achieve the goal of both theory and practice. Thank you.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.