Apache is one of the most popular web servers. It runs on almost all widely used computer platforms. The Apache server is fast, reliable, and can be extended through simple APIs. Perl and Python interpreters can be compiled into the server, and it is completely free of charge and fully open source. If you want to build a web server that serves millions of users each day, Apache may be the best choice.
1. Correctly maintain and configure the Apache server
Although the Apache server developers pay great attention to security, given the sheer scale of the project there will inevitably be security risks. Therefore, it is very important to correctly maintain and configure the Apache web server. Notes:
1. Apache server configuration file
The Apache web server has three configuration files located in the /usr/local/apache/conf directory. The three files are:
httpd.conf -----> main configuration file
srm.conf ------> resource file
access.conf ---> sets object access permissions
2. Directory Security Authentication for Apache servers
Apache Server allows .htaccess files to be used for directory security protection. To read a protected directory, a user must first enter the correct user account and password. This can be used to manage directories of web pages or to implement member zones. Put a file named .htaccess in the protected directory:
AuthName "member Zone"
AuthType "Basic"
# put the password file outside the website
AuthUserFile "/var/tmp/xxx.pw"
require valid-user
Go to the apache/bin directory and create the password file:
% ./htpasswd -c /var/tmp/xxx.pw username1
% ./htpasswd /var/tmp/xxx.pw username2
The parameter "-c" must be used the first time, when the file is created. This protects the contents of the directory so that only valid users can access it.
You can also add the following to httpd.conf, inside the <Directory> block for the protected directory:
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
3. Apache server access control
Next, look at the third of the three configuration files, access.conf, which contains directives that control which users may access Apache directories. Set deny from all as the initial rule, and then use allow from to open access:
Order deny,allow
Deny from all
Allow from safechina.net
Allow from accepts a domain, an IP address, or an IP address range.
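The two Order settings used in this article behave differently when no rule matches or when both rules match. The following added example (not part of the original article) models that evaluation in Python; the client addresses are constructed, `host` is assumed to be the client's already-verified DNS name, and only full IP addresses and CIDR blocks are handled on the address side.

```python
import ipaddress

def _covers(spec, ip, host):
    """True if one Allow/Deny 'from' argument covers the client."""
    if spec.lower() == "all":
        return True
    try:  # full IP address or CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    # Otherwise a (partial) domain name; only whole labels match.
    spec, host = spec.lower().lstrip("."), (host or "").lower()
    return host == spec or host.endswith("." + spec)

def is_allowed(config, ip, host=None):
    """Evaluate Order/Allow/Deny lines for one client."""
    order, allow, deny = "deny,allow", [], []   # Deny,Allow is the default Order
    for line in config.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name == "order":
            if len(parts) != 2 or parts[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError("Order takes one argument with no space: %r" % line)
            order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(parts[2:])
    allowed = any(_covers(s, ip, host) for s in allow)
    denied = any(_covers(s, ip, host) for s in deny)
    if order == "deny,allow":
        return allowed or not denied    # default allow; Allow wins on overlap
    return allowed and not denied       # default deny; Deny wins on overlap

# The two policies used in this article; client data below is constructed.
WHITELIST = "Order deny,allow\nDeny from all\nAllow from safechina.net"
OPEN = "Order allow,deny\nAllow from all"

if __name__ == "__main__":
    print(is_allowed(WHITELIST, "203.0.113.5", "www.safechina.net"))  # listed domain
    print(is_allowed(WHITELIST, "203.0.113.5", "notsafechina.net"))   # not a whole label
    print(is_allowed(OPEN, "198.51.100.7"))                           # open to everyone
    print(is_allowed("Order allow,deny", "198.51.100.7"))             # nothing allowed
```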
4. Password protection for Apache servers
We then use the .htaccess file to grant access to a directory to a specific user. The system administrator needs to use the AccessFileName directive in httpd.conf or srm.conf to enable access control for the directory. For example:
AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
Require user Phoenix
# htpasswd -c /path/to/httpd/users Phoenix
2. Set up the web and file servers on the Apache server
We store the web server's files on the Apache server for user access and set the /home/ftp/pub directory as the file storage area, reached at http://download.your.com/pub/. Apache reverse proxying is configured on the firewall so that access goes through the firewall proxy.
1. Apache server settings
The Apache server uses the default configuration. The main directory is /home/httpd/html, the host domain name is Phoenix.your.com, and the alias is www.your.com. In srm.conf, add an Alias definition as follows:
Alias /pub /home/ftp/pub/
Change the default content type as follows:
DefaultType application/octet-stream
Add a definition in /etc/httpd/conf/access.conf:
<Directory /home/ftp/pub>
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Note: Options Indexes allows directories and files to be listed when no index.html file is found. AllowOverride AuthConfig allows basic user name and password verification. In this case, you need to put a .htaccess file in the /home/ftp/pub directory. The content is as follows:
[root@pub]# more .htaccess
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
Require valid-user
Use # htpasswd -c /etc/.usrpasswd user1 to create the external user names and passwords that are allowed to access the file service in /pub.
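The .htaccess files shown in this article all follow the same pattern, and the advice to keep the password file outside the website can be checked mechanically. The following added example (not part of the original article) is a small Python audit for a Basic-auth .htaccess; the function names and both sample files are constructed for illustration, and the document root is assumed to be /home/httpd/html as in this article.

```python
import posixpath
import shlex

def parse_htaccess(text):
    """Map lower-cased directive name -> argument list (quotes honoured)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)
            directives[name.lower()] = args
    return directives

def audit_basic_auth(text, docroot):
    """Return findings for a Basic-auth .htaccess; an empty list means none."""
    d = parse_htaccess(text)
    findings = []
    if [a.lower() for a in d.get("authtype", [])] != ["basic"]:
        findings.append("AuthType Basic is not set")
    if len(d.get("authname", [])) != 1:
        findings.append("AuthName needs exactly one argument; quote realms with spaces")
    if not d.get("require"):
        findings.append("no Require line: the directory is not actually protected")
    userfile = d.get("authuserfile", [])
    if len(userfile) != 1:
        findings.append("AuthUserFile is missing or malformed")
    else:
        path = posixpath.normpath(userfile[0])
        root = posixpath.normpath(docroot)
        if not posixpath.isabs(path):
            findings.append("AuthUserFile is relative (resolved against ServerRoot)")
        elif path == root or path.startswith(root + "/"):
            findings.append("AuthUserFile is inside the document root and may be downloadable")
    return findings

# Constructed inputs: GOOD mirrors the member-zone file, BAD is a broken variant.
GOOD = '''AuthName "member Zone"
AuthType Basic
AuthUserFile /var/tmp/xxx.pw
Require valid-user'''
BAD = '''AuthName Branch Office Download Area
AuthType Basic
AuthUserFile /home/httpd/html/pub/.usrpasswd'''

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, audit_basic_auth(text, "/home/httpd/html"))
```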
2. Configure reverse proxy technology on the firewall
Add the following to /etc/httpd/conf/httpd.conf, where xxx.xxx is the permanent IP address of the firewall on the Internet:
NameVirtualHost xxx.xxx

<VirtualHost xxx.xxx>
ServerName www.your.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
# xxx.xxx.xx.x is the IP address of the Apache server; [P] proxies the request instead of redirecting
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>

<VirtualHost xxx.xxx>
ServerName download.your.com
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
# xxx.xxx.xx.x is the IP address of the Apache server; [P] proxies the request instead of redirecting
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P]
</VirtualHost>
Set the DNS on the firewall so that both download.your.com and www.your.com point to the firewall's external network address xxx. Visit the home page at http://www.your.com and use the public file download area at http://download.your.com/pub.
Note: you also need to create the directory /var/log/httpd/download/ on the Apache server host; otherwise, an error will occur. In addition, you can set the permissions of /home/httpd/html/index.html on the firewall host to 750 to block access, which prevents external users from accessing the firewall's own Apache server at http://www.your.com.