Web Service
As mentioned in the previous section, Apache's configuration is very flexible. Every Apache security feature must be carefully designed and planned before it is configured. Securing an Apache server involves several layers: the operating environment, authentication and authorization settings, and the establishment of secure electronic transaction links.
1. Apache installation, configuration and operation
(1) Run Apache as the nobody user. Normally Apache is installed and started by root. If the Apache server process runs with root privileges, it poses a serious threat to system security, so the Apache server process should run with the lowest privileges possible. Modify the following options in httpd.conf so that Apache runs as the nobody user, which is relatively safe:
User nobody
Group #-1
(2) Permissions on the ServerRoot directory
To ensure that all configuration is appropriate and secure, access to the Apache home directory must be strictly controlled so that non-superusers cannot modify its contents. The Apache home directory corresponds to the ServerRoot directive in the Apache server configuration file httpd.conf, which should be:
ServerRoot /usr/local/apache
(3) SSI configuration
Add the IncludesNOEXEC option to the Options directive in the configuration file access.conf or httpd.conf to disable the exec function of server-side includes. This prevents users from directly running executables through the Apache server, which would leave the server system exposed:
<Directory /home/*/public_html>
Options IncludesNOEXEC
</Directory>
(4) Prevent users from modifying system settings
Make the following settings in the Apache server configuration file to prevent users from creating or modifying .htaccess files and thereby overriding the defined system security features:
<Directory />
AllowOverride None
Options None
Allow from all
</Directory>
Then configure each specific directory separately as appropriate.
(5) Apache server default access characteristics
Apache's default settings only guarantee a certain degree of security: if the server can locate a file through its normal mapping rules, the client will receive that file. For example, http://localhost/~root/ would allow users to access the entire file system. Add the following to the server configuration file:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
This blocks default access to the file system.
(6) Security considerations for CGI scripts
A CGI script is a program that is run through the Web server. To keep the system secure, make sure that the CGI authors are trustworthy. It is best to confine CGI programs to a specific directory, such as cgi-bin, for ease of management, and to ensure that the files in the CGI directory are not writable, so that no deceptive programs can be planted there. Providing a secure, well-vetted CGI program module as a reference may reduce unnecessary problems and security risks, and all scripts in the CGI directory that are not needed by the business application should be removed to prevent unintended information leaks.
These commonly used measures give the Apache server a basically secure operating environment; obviously, in practice they must be further refined and broken down to develop a security configuration scheme suited to the actual application.
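As an added example that is not part of the original article, the following Python script checks the text of an httpd.conf for the settings recommended in points (1), (3), (4) and (5) above. The configuration fragment embedded in it is constructed for illustration; the small parser assumes one directive per line and non-nested <Directory> blocks.

```python
import re

# Constructed httpd.conf fragment (sample input, not from a real server) with the settings above.
SAMPLE_CONF = """\
User nobody
Group #-1
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory /home/*/public_html>
    Options IncludesNOEXEC
</Directory>
"""

def parse_conf(text):
    """Return (global directives, {directory path: directives}); a directive is (lowercased name, args)."""
    global_d, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        if opened := re.match(r"<Directory\s+(.+?)>$", line, re.I):
            blocks.setdefault(current := opened.group(1).strip('"'), [])
        elif re.match(r"</Directory>$", line, re.I):
            current = None
        else:
            name, _, args = line.partition(" ")
            (blocks[current] if current else global_d).append((name.lower(), args.strip()))
    return global_d, blocks

def has(directives, name, value=None):
    """True if a directive with this name (and, when given, this exact argument) is present."""
    return any(n == name and (value is None or a.lower() == value.lower()) for n, a in directives)

def allows_exec_ssi(directives):
    """True if an Options line grants plain Includes (exec allowed) instead of IncludesNOEXEC."""
    return any(n == "options" and any(o.lstrip("+-").lower() == "includes" for o in a.split()) for n, a in directives)

def audit(text):
    """Check hardening points (1), (3), (4) and (5) from the text; returns {check name: passed}."""
    global_d, blocks = parse_conf(text)
    root = blocks.get("/", [])  # the <Directory /> block governing the whole file system
    return {
        "runs_as_nobody": has(global_d, "user", "nobody"),
        "root_allowoverride_none": has(root, "allowoverride", "none"),
        "root_denies_all": has(root, "order", "deny,allow") and has(root, "deny", "from all"),
        "no_exec_ssi": not any(allows_exec_ssi(d) for d in [global_d, *blocks.values()]),
    }
```

Running `audit(open("/path/to/httpd.conf").read())` reports each check as passed or failed; a failed check points at the measure above that still has to be applied.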