Apache Security Configuration
1. Security policy
1.1 Protecting a directory
.htaccess is used for directory protection: to read a protected directory, the client must first supply a valid user name and password. This can be used to protect a directory reserved for web site administration or a members-only area.
Required in httpd.conf:
AllowOverride All
LoadModule rewrite_module modules/mod_rewrite.so
Create a .htaccess text file in the directory that should require authentication (on Windows, create it in Notepad and use Save As to name it .htaccess).
1.1.1 .htaccess configuration:
(A .htaccess file is equivalent to an httpd.conf section for the current directory. Pay special attention to the file permissions of .htaccess so that it cannot be modified by a malicious user; the consequences of a tampered .htaccess can be severe.)
AuthName hihihihi: the prompt shown when the browser asks for the user name and password.
AuthType Basic: the required authentication type.
AuthUserFile c:\ss: the location of the file (.htpasswd) holding user names and passwords; in this example it refers to a .htpasswd file in the same location as our .htaccess file.
Require valid-user: only users listed in the .htpasswd file may access the directory.
1.1.2 .htpasswd configuration
One entry per line, in the form username:password, for example:
aaa:aaa
(Only Apache on Windows accepts plaintext passwords here; on Unix the entries must be generated with the htpasswd tool, which stores the password hashed.)
The configuration does not have to live in .htaccess: the same directives can be placed in httpd.conf (the main configuration), which is more efficient. Otherwise Apache has to look for a .htaccess file in every directory on the path of each request, which slows it down, and a modifiable .htaccess is a security risk.
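As an added example (not from the page), the following Python emulates what the .htaccess above makes Apache do on each request: parse the .htpasswd file, decode the browser's Basic Authorization header and enforce Require valid-user. It assumes a constructed sample file containing the page's aaa:aaa entry plus a hashed entry in the {SHA} form that htpasswd -s writes.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """Build the line that 'htpasswd -s' writes: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return user + ":{SHA}" + base64.b64encode(digest).decode("ascii")

# Constructed sample file. The first line is the plaintext form shown on the
# page (only Apache on Windows accepts it); the second is the hashed {SHA} form.
SAMPLE_HTPASSWD = "aaa:aaa\n" + sha_entry("admin", "s3cret") + "\n"

def load_htpasswd(text):
    """Parse 'user:stored' lines into a dict, skipping blanks and comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def password_matches(stored, password):
    """Constant-time comparison; {SHA} entries are hashed before comparing."""
    if stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(stored[5:].encode("utf-8"), base64.b64encode(digest))
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))

def authorize(authorization_header, users):
    """'Require valid-user': True only if the header carries a listed user's password."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    if ":" not in decoded:
        return False
    user, password = decoded.split(":", 1)
    stored = users.get(user)
    return stored is not None and password_matches(stored, password)

def basic_header(user, password):
    """The Authorization header a browser sends after the AuthName prompt."""
    return "Basic " + base64.b64encode((user + ":" + password).encode("utf-8")).decode("ascii")
```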
1.2 Error pages
ErrorDocument 500 "The server made a boo boo."
ErrorDocument 404 /missing.html
ErrorDocument 404 "/cgi-bin/missing_handler.pl"
ErrorDocument 402 http://www.js.com/subscription_info.html
2. Security risks
2.1 Directory listing leakage
<Directory "/usr/local/apache/htdocs">
Options -Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Put a - in front of Indexes, or remove it from the Options line altogether, so that Apache does not generate a listing for directories without an index file.
2.2 Symbolic link following
<Directory "/usr/local/apache/htdocs">
Options Indexes -FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Put a - in front of FollowSymLinks, or remove it, so that a symbolic link inside the document root cannot expose files outside it.
2.3 Listen directive
httpd.conf contains a "Listen 80" directive, which binds every address on the host. Change it to a specific IP address and port. If the host has multiple IP addresses, pay special attention to which ones Apache binds to.
2.4 Version leakage
Add the following to httpd.conf so that the Server header and generated error pages no longer reveal the Apache version:
ServerTokens ProductOnly
ServerSignature Off
2.5 Run privileges
By default, Apache on Windows runs with the SYSTEM account's privileges. If an attacker finds a vulnerability in it, the whole server can be taken over. Therefore the privileges Apache runs with must be reduced to the minimum it needs, to limit the damage of a security incident.
2.6 Remove the default comments from httpd.conf
Of the roughly 400 lines in the default httpd.conf, only a small part are actual Apache directives; the rest are comments meant to help users place directives correctly. In the author's experience these comments sometimes do harm, and dangerous directives can even be hidden among them. On many of the Apache servers the author manages, httpd.conf is first copied to a backup such as httpd.conf.orig and the redundant comments are then stripped out completely. The file becomes easier to read, which makes potential security problems and misconfigurations easier to spot.
2.7 Deceiving attackers
Change the reported version name:
Change the reported system name:
2.8 Apache parsing vulnerability
Apache evaluates every extension in a file name, so a file such as x.php.jpg can still be handed to the PHP handler. Deny access to any file whose name contains .php. or .php3.:
<FilesMatch "\.(php\.|php3\.)">
Order Allow,Deny
Deny from all
</FilesMatch>
2.9 Remove execute permission from the upload directory
Apache has no reason to run scripts that users uploaded. Disable PHP parsing under /www/home/upload:
<Directory "/www/home/upload">
<Files ~ "\.php">
Order allow,deny
Deny from all
</Files>
</Directory>
2.10 Restrict PHP to a base directory
Limit the files that PHP scripts may open to the web root:
php_admin_value open_basedir /var/www
2.11 HTTP request method security
The OPTIONS method reveals which methods the current resource accepts. Configuration to disable it:
<Location />
<Limit OPTIONS>
Deny from all
</Limit>
</Location>
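The following Python is an added example, not from the page: it audits a captured HTTP response for the gaps that sections 2.1, 2.4 and 2.11 close (version and OS in the Server header, the ServerSignature footer, a directory listing, and extra methods in the Allow header). The two responses are constructed samples, not real captures.

```python
import re

# Constructed responses: one from an unhardened server, one after hardening.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.15 (Unix) PHP/5.3.3\r\n"
    b"Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Index of /upload</title></head><body>\n"
    b"<address>Apache/2.2.15 (Unix) Server at www.example.com Port 80</address>\n"
    b"</body></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"  # ServerTokens ProductOnly
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body>welcome</body></html>"
)

SAFE_METHODS = {"GET", "HEAD", "POST"}

def parse_response(raw):
    """Split a raw response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")

def audit_response(raw):
    """Return the hardening gaps visible in one response, in a fixed order."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    if re.search(r"/\d", server):  # "Apache/2.2.15": ServerTokens leaks the version
        findings.append("server-version-leak")
    if re.search(r"\(.+\)", server):  # "(Unix)": the OS token is included
        findings.append("server-os-leak")
    if "<address>" in body and "Server at" in body:  # ServerSignature On
        findings.append("server-signature-on")
    if re.search(r"<title>Index of ", body):  # Options Indexes still enabled
        findings.append("directory-listing")
    allow = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    extra = sorted(allow - SAFE_METHODS)  # e.g. OPTIONS left reachable
    if extra:
        findings.append("extra-methods:" + ",".join(extra))
    return findings
```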
2.12 Deny access to a specific extension
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
2.13 Deny access to specific directories
(Regular-expression match: any directory under /var/www whose name begins with three digits.)
<Directory ~ "^/var/www/(.+/)*[0-9]{3}">
Order allow,deny
Deny from all
</Directory>
2.14 Deny access using a file-name pattern (FilesMatch)
<FilesMatch "\.(?i:gif|jpe?g|png)$">
Order allow,deny
Deny from all
</FilesMatch>
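Added example (not from the page): the regular expressions from sections 2.8, 2.9, 2.12, 2.13 and 2.14, with the page's spacing and escaping typos corrected, run against constructed file and directory names the way Apache's <Files>, <FilesMatch> and <Directory ~> evaluate them, so that each rule's anchoring and case handling becomes visible.

```python
import posixpath
import re

# The page's regexes from sections 2.8, 2.9, 2.12 and 2.14. Apache searches the
# regex anywhere in the file's basename, case-sensitively unless (?i) is used.
# (The page scopes 2.9 to /www/home/upload; that scoping is ignored here.)
FILE_RULES = {
    "2.8": r"\.(php\.|php3\.)",        # FilesMatch: double extensions only
    "2.9": r"\.php",                   # Files ~: any name containing .php
    "2.12": r"\.inc$",                 # Files ~: names ending in .inc
    "2.14": r"\.(?i:gif|jpe?g|png)$",  # FilesMatch: image extensions, any case
}
# Section 2.13, matched against the directory's full filesystem path.
DIR_RULE = r"^/var/www/(.+/)*[0-9]{3}"

def denied_by(filename):
    """Sections whose <Files>/<FilesMatch> rule would deny this file."""
    base = posixpath.basename(filename)
    return [sec for sec, pat in FILE_RULES.items() if re.search(pat, base)]

def dir_denied(path):
    """True if section 2.13's <Directory ~> rule denies this directory."""
    return re.search(DIR_RULE, path) is not None

# Constructed names that probe the edges of each rule.
PROBES = ["shell.php.jpg", "index.php", "a.php3", "config.inc",
          "config.inc.bak", "Photo.JPG", "/www/home/upload/x.php"]

if __name__ == "__main__":
    for name in PROBES:
        print(f"{name:28} denied by {denied_by(name) or 'nothing'}")
```

Note that config.inc.bak slips past the end-anchored 2.12 pattern, and a.php3 is caught only by the unanchored 2.9 pattern.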
2.15 Deny access to a URL path
<Location /dir/>
Order allow,deny
Deny from all
</Location>
3. Other security configurations
3.1 Options
Meaning of the Options parameters:
All: enables all options for this directory.
ExecCGI: allows CGI scripts to be executed in this directory.
FollowSymLinks: the server may follow symbolic links to files or directories outside this directory.
Indexes: the server may generate a listing of the files in this directory.
Includes: enables server-side includes (SSI).
IncludesNOEXEC: SSI is enabled, but the #exec command and #include of CGI scripts are disabled.
MultiViews: enables content negotiation, so that different files can be served for one request; for example, a French version of a page can be sent when the browser asks for it.
None: enables no options for this directory (the most restrictive setting).
SymLinksIfOwnerMatch: symbolic links are followed only when the link and its target are owned by the same user.
3.2 AllowOverride
AllowOverride None: .htaccess files are not read at all.
AllowOverride AuthConfig: .htaccess may only set up user name and password authentication.
AllowOverride All: .htaccess may change every access setting of the directory.
3.3 Location
<Location> is similar to <Directory>, but it restricts URLs rather than filesystem paths. The default httpd.conf ships the following blocks commented out:
# Restrict the server-status page to your own domain:
# <Location /server-status>
# SetHandler server-status
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
# </Location>
# Server configuration report; requires the mod_info.c module:
# <Location /server-info>
# SetHandler server-info
# Order deny,allow
# Deny from all
# Allow from .your_domain.com
# </Location>
# The phf CGI script shipped with early Apache versions had a bug that could be exploited; this block denies it and, if enabled, sends the request to the page given by ErrorDocument:
# <Location /cgi-bin/phf*>
# Deny from all
# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi
# </Location>
3.4 Allow from / Deny from
Allow from all: allows every client to access.
# Allow from flag.com.tw: allows only clients from the flag.com.tw domain, but it must be combined with "Deny from all" to refuse access from everywhere else.
# Deny from 203.74.205: refuses clients from the 203.74.205 network.
3.5 Reduce CGI and SSI risks
SSI scripts that run external programs with commands such as exec carry the same kind of risk as CGI scripts. Except for internal program debugging, disable them with the Options directive:
Options IncludesNOEXEC
If CGI or SSI must be used, configure them with suEXEC so that the scripts run under a separate, unprivileged user.
3.6 Use SSL to secure Apache connections