Correctly maintaining and configuring the Apache server to protect system security

Source: Internet
Author: User
Tags: password protection

Apache is one of the most popular web server software packages available, and it runs on almost every widely used computer platform. The Apache server is fast, reliable, and extensible through a simple API; Perl/Python interpreters can be compiled into the server; and it is completely free and fully open source. If you need to build a web server that serves millions of visitors per day, Apache may be the best choice.
One, correctly maintain and configure the Apache server
Although the Apache developers pay close attention to security, the project is very large, so security risks are inevitable. It is therefore important to maintain and configure the Apache web server properly. Some of the issues to be aware of:
1. Apache server configuration files
The Apache web server has three main configuration files, located in the /usr/local/apache/conf directory:
httpd.conf -----> main configuration file
srm.conf ------> resource configuration file
access.conf ---> sets access permissions for files
2. Apache server directory security authentication
The Apache server allows .htaccess files to be used for directory security: to read a protected directory, the user must enter a correct user account and password. This can be used for a directory reserved for managing the website's content, or for a members' area. Place a file named .htaccess in the protected directory:
AuthName "Member zone"
AuthType "Basic"
# Put the password file outside the site
AuthUserFile "/var/tmp/xxx.pw"
Require valid-user
Then go to the apache/bin directory and create the password file:
# The first time, use the "-c" parameter to create the file
% ./htpasswd -c /var/tmp/xxx.pw username1
% ./htpasswd /var/tmp/xxx.pw username2
This protects the contents of the directory so that only legitimate users can access them.
You can also add the following to httpd.conf, in the <Directory> section for the protected directory:
Options Indexes FollowSymLinks
AllowOverride AuthConfig
Order allow,deny
Allow from all
3. Apache server access control
Now look at the third of the three configuration files, access.conf, which contains the directives that control which users may access Apache directories. Set Deny from all as the initial directive, and then use Allow from directives to open up access.
Order deny,allow
Deny from all
Allow from safechina.net
Access can be allowed from a domain, an IP address, or an IP range.
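The evaluation order behind these directives, as an added example (not code from the original article): a small Python model of how Order, Allow and Deny combine, run against the rule above. The client names and addresses are constructed samples, and the host argument stands for the name the server resolved for the client.

```python
import ipaddress

def _matches(spec, host, ip):
    """True if one 'Allow from' / 'Deny from' argument matches the client."""
    if spec.lower() == "all":
        return True
    try:
        # Full address or CIDR block (partial addresses like "10.1" not modelled)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    # Domain name: whole labels only, so safechina.net covers www.safechina.net
    # but not notsafechina.net.
    host, spec = host.lower(), spec.lower().lstrip(".")
    return host == spec or host.endswith("." + spec)

def access_allowed(order, allow, deny, host, ip):
    """Evaluate Order/Allow/Deny for a client (host = its resolved name)."""
    allowed = any(_matches(s, host, ip) for s in allow)
    denied = any(_matches(s, host, ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Default is allow; a Deny match blocks unless an Allow also matches.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; an Allow must match and no Deny may match.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# The rule from the text, with constructed clients (names and IPs are samples).
PAGE_RULE = dict(order="Deny,Allow", allow=["safechina.net"], deny=["all"])
CLIENTS = [("www.safechina.net", "203.0.113.7"),
           ("notsafechina.net", "203.0.113.8"),
           ("mirror.example.org", "198.51.100.9")]

def demo():
    return [access_allowed(host=h, ip=i, **PAGE_RULE) for h, i in CLIENTS]

if __name__ == "__main__":
    print(demo())  # [True, False, False]
```

With Order deny,allow and no Deny line at all, every client is allowed by default, which is why Deny from all comes first. On Apache 2.4 these directives are provided by mod_access_compat, and the same rule is normally written with Require.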
4. Apache server password protection
Next, we use a .htaccess file to grant a user access to a directory. The system administrator must enable access control for the directory with the AccessFileName directive in httpd.conf or srm.conf. For example:
AuthName PrivateFiles
AuthType Basic
AuthUserFile /path/to/httpd/users
Require user Phoenix
# htpasswd -c /path/to/httpd/users Phoenix
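A check for the password-protection setups in sections 2 and 4, as an added example (not code from the original article): it reads a .htaccess and its password file and reports a password file stored inside the site, entries stored with schemes that htpasswd's documentation calls insecure, and a Require user name that has no entry. The sample files and the /home/httpd/html document root passed in the test are assumptions, and the hashes are constructed placeholders.

```python
import posixpath
import re
import shlex

# Schemes that htpasswd's documentation calls insecure, or that are not hashed.
WEAK = {"sha1-unsalted", "crypt-des", "plaintext-or-unknown"}

def parse_htaccess(text):
    """Map each directive name (lower-cased) to its argument list."""
    cfg = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts:
            cfg[parts[0].lower()] = parts[1:]
    return cfg

def hash_scheme(value):
    """Classify an htpasswd entry by its prefix or shape."""
    if value.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if value.startswith("$apr1$"):
        return "apr1-md5"
    if value.startswith("{SHA}"):
        return "sha1-unsalted"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "crypt-des"
    return "plaintext-or-unknown"

def audit(htaccess_text, htpasswd_text, document_root):
    """Return findings for one protected directory (all inputs are strings)."""
    cfg, findings = parse_htaccess(htaccess_text), []
    pwfile = posixpath.normpath(cfg.get("authuserfile", ["/"])[0])
    root = posixpath.normpath(document_root)
    if posixpath.isabs(pwfile) and posixpath.commonpath([root, pwfile]) == root:
        findings.append("password file is inside the document root")
    lines = [ln.strip() for ln in htpasswd_text.splitlines() if ":" in ln]
    users = dict(ln.split(":", 1) for ln in lines)
    for user, hashed in users.items():
        if hash_scheme(hashed) in WEAK:
            findings.append(f"{user}: weak scheme {hash_scheme(hashed)}")
    required = cfg.get("require", [])
    if required[:1] == ["user"]:
        findings += [f"Require names unknown user {n}"
                     for n in required[1:] if n not in users]
    return findings

# Constructed sample: hashes below are placeholders with the right shape only.
SAMPLE_HTACCESS = ('AuthName "Member zone"\nAuthType Basic\n'
                   'AuthUserFile /home/httpd/html/members/.pw\n'
                   'Require user Phoenix\n')
SAMPLE_HTPASSWD = ("user1:$apr1$constrct$0123456789abcdefghijkl\n"
                   "user2:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=\n")
```

Basic authentication sends the password with every request in an easily decoded form, so a clean result from this check says nothing about protection in transit.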
Two, set up the Apache server as a web and file server
We store the web server's files on the Apache server for users to access, and set the /home/ftp/pub directory as the file storage area, accessed at http://download.jb51.net/pub/. Apache reverse proxy technology is set up on the firewall, so that access goes through the firewall's proxy.
1. Apache server settings
The Apache server uses the default configuration. The home directory is /home/httpd/html, the host domain name is phoenix.jb51.net, and the alias is www.jb51.net. Add one alias definition line to srm.conf, as follows:
Alias /pub /home/ftp/pub/
Change the default application type definition as follows:
DefaultType application/octet-stream
Finally, add a definition to /etc/httpd/conf/access.conf:
<Directory /home/ftp/pub>
Options Indexes
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>
Note: Options Indexes allows the directory/file listing to be shown when no index.html file is found. AllowOverride AuthConfig allows basic username and password verification, which requires a .htaccess file to be placed in the /home/ftp/pub directory, as follows:
[root@ pub]# more .htaccess
AuthName "Branch Office Public Software Download Area"
AuthType Basic
AuthUserFile /etc/.usrpasswd
Require valid-user
Use # htpasswd -c /etc/.usrpasswd user1 to create the user names and passwords of the different external users who are allowed to access the file service under /pub.
2. Configure the reverse proxy on the firewall
Add the following to /etc/httpd/conf/httpd.conf, where xxx.xxx.xxx.xxx is the firewall's permanent external IP address on the Internet:
NameVirtualHost xxx.xxx.xxx.xxx
<VirtualHost xxx.xxx.xxx.xxx>
ServerName www.jb51.net
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
# xxx.xxx.xx.x is the IP address of the Apache server; [P] passes the request to the proxy
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P,L]
</VirtualHost>
<VirtualHost xxx.xxx.xxx.xxx>
ServerName download.jb51.net
ErrorLog /var/log/httpd/download/error_log
TransferLog /var/log/httpd/download/access_log
RewriteEngine on
ProxyRequests off
UseCanonicalName off
# xxx.xxx.xx.x is the IP address of the Apache server; [P] passes the request to the proxy
RewriteRule ^/(.*)$ http://xxx.xxx.xx.x/$1 [P,L]
</VirtualHost>
Set up DNS on the firewall so that both download.jb51.net and www.jb51.net point to the firewall's external network address xxx.xxx.xxx.xxx. Use http://www.jb51.net to access the home page, and use http://download.jb51.net/pub/ to access the public file download area.
Note: You also need to create the directory /var/log/httpd/download/ on the Apache server host, otherwise an error may occur. In addition, you can set the permissions of /home/httpd/html/index.html on the firewall host to 750 to block access, which prevents external users from accessing http://www.jb51.net on the firewall's own Apache server.
