Apache Web Server Security Configuration full Introduction _linux

Source: Internet
Author: User
As the most popular Web server, Apache server provides better security features that enable it to respond to possible security threats and information leaks.

   the security features of the Apache server

1, the use of selective access control and mandatory access control security policy

From the Apache or Web perspective, the Selective access control DAC (discretionary access controls) is still based on the user name and password, and the mandatory access control MAC (mandatory access Control) is defined based on the IP address of the requesting client or the domain number in which it is issued. For DAC methods, such as input errors, then the user has the opportunity to correct, the new input the correct password; If the user does not pass the Mac level, then the user will be prohibited to do further operations, unless the server makes security policy adjustments, otherwise the user's any effort will not help.

2, the Apache security module

One of the advantages of Apache is its flexible modular structure, which is also designed around the concept of a module (Modules). The security module is an extremely important part of Apache server. These security modules are responsible for providing access control and authentication, authorization, and a range of critical security services for Apache server.

The Mod_access module can control access to the Apache server based on the visitor's IP address (or domain name, host name, etc.) and call it host-based access control.

The Mod_auth module is used to control authentication authorizations (authentication) for users and groups. The username and password are stored in a plain text file. The mod_auth_db and MOD_AUTH_DBM modules store user information (such as name, group, password, etc.) in a small database of berkeley-db and dbm, which is easy to manage and improve the application efficiency.

The Mod_auth_digest module uses MD5 digital signature to authenticate the user, but it needs the support of the clients accordingly.

The function of the Mod_auth_anon module is similar to that of the mod_auth, except that it allows anonymous logons and the user-entered e-mail address as the password.

SSL (Secure Socket Lager), the Secure Sockets Layer protocol supported by Apache, provides secure transaction services on the Internet, such as a security measure in E-commerce. To prevent the leakage of sensitive information by encrypting the traffic byte stream. However, this support for Apache is based on an API extension to Apache that is equivalent to an external module that provides secure online transaction support through a combination of third-party programs.

   Security Configuration for Apache servers

Apache has the flexibility to set up, all Apache security features must be carefully designed and planned for careful configuration to achieve. The security configuration of Apache Server includes many aspects, such as operating environment, authentication and authorization settings. The Apache installation configuration and running examples are as follows:

1, to nobody users to run

In general, Apache is installed and run by root. If the Apache server process has root privileges, it poses a significant threat to the security of the system and should ensure that the Apache server process runs with the most likely user privileges. By modifying the following options in the httpd.conf file, nobody the user to run Apache for relative security purposes.

User Nobody

group#-1

2, the ServerRoot directory permissions

To ensure that all configurations are appropriate and secure, it is necessary to strictly control the access rights of the Apache home directory so that non-superuser users cannot modify the contents of the directory. The Apache home directory corresponds to the server root control of the Apache server configuration file httpd.conf, which should be:

Server Root/usr/local/apache

3. SSI Configuration

The includes NO exec option is added to the options directive in the configuration file access.conf or httpd.conf to disable executive function in Apache Server. To avoid the user directly execute the Apache server execution program, resulting in the public server system.

  

Options Includes noexec

4. Prevent users from modifying system settings

The following settings are made in the Apache server configuration file to prevent users from creating, modifying, and htaccess files to prevent users from exceeding the defined system security features.

  

Allowoveride None

Options None

Allow from all

  

The appropriate configuration is then made to the specific directory separately.

5, change the Apache server really province access characteristics

Apache's default settings guarantee only a certain degree of security, if the server can find the file through the normal mapping rules, then the client will get the file, such as Http://local host/~ root/will allow users to access the entire file system. Add the following in the server file:

  

Order Deny,ellow

Deny from all

  

Default access to the file system is blocked.

6. Security Considerations for CGI scripts

A CGI script is a series of programs that can be run through a Web server. To ensure the security of the system, it should be ensured that the CGI author is trustworthy. In the case of CGI, it is best to limit it to a specific directory, such as Cgi-bin, for ease of management, and to ensure that the files in the CGI directory are not writable and that some deceptive programs reside or are involved; If you can provide a security-friendly CGI program module as a reference, It may reduce the number of unnecessary problems and security risks, and remove all the non-business application scripts in the CGI directory to prevent abnormal information leaks.

These commonly used measures can give Apache Server a basic safe operating environment, obviously in the implementation of the further refinement of the decomposition, to develop a practical application of the Security Configuration scheme.

   Apache Server host-based access control



The security configuration of Apache server by default is to deny all access. Assuming that the Apache server content is stored in the/usr/local/apache/share directory, the following instructions implement this setting:

  

Deny from all

Allow Override None

  

It is prohibited to change authentication and access control methods in any directory.

Similarly, you can use the unique command deny, allow to specify some users can access, which users do not have access to provide a certain degree of flexibility. When deny, allow, use command order to determine the order in which the Deny and allow are shared, as follows:

1. Deny access to the server by a user who rejects a class address (Deny)

such as: Deny from all

Deny from test.cnn.com

Deny from 204.168.190.13

Deny from 10.10.10.0/255.255.0.0

2, allow the user of a certain type of address to the server access rights (Allow)

such as: Allow from all

Allow from test.cnn.com

Allow from 204.168.190.13

Allow from 10.10.10.0/255.255.0.0

You can enter multiple variables after the deny and allow directives.

3. Simple Configuration Example:

Order Allow, Deny

Allow from all

Deny from www.test.com

Refers to all people who want to have access to the Apache server, but do not want any access from www.test.com.

Order Deny, Allow

Deny from all

Allow from test.cnn.com

Refer to a visit to the Test.cnn.com website that you do not want everyone to visit.

   the user authentication and authorization of Apache Sever



Generally speaking, user authentication is to verify the authenticity of the user's identity, such as whether the user account is in the database, and the corresponding password of the user account is correct; user authorization indicates whether a valid user is licensed to access a specific resource. In Apache, almost all of the security modules actually take into account these two aspects. From a security standpoint, the user's authentication and authorization is equivalent to selective access control.

It takes three steps to establish a user's authentication authority:

1, the establishment of user library

The username and password list needs to exist in either a file (Mod_auth module) or a database (MOD_AUTH_DBM module). For security reasons, the file cannot be stored in the root directory of the text block. For example, the users file stored under/USR/LOCAL/ETC/HTTPD, the format of which is similar to the UNIX password file format, but the password is stored in encrypted form. Application htpasswd can be used to add or change programs:

Htpasswd–c/usr/local/etc/httpd/users Martin

-C Indicates the addition of a new user, Martin for the newly added user name, in the process of execution, two times to enter the password answer. The user name and password are added to the users file. The resulting user file has the following form:

Martin:wru808bhqai36

Jane:iabcqfqs40e8m

Art:fadhn3w753ssu

The first domain is the user name, and the second domain is the user password.

2, configure the server protection domain

In order for the Apache server to take advantage of the user name and password information in the user's file, you need to set the protection domain (REALM). A domain is actually part of a site (such as a directory, document, and so on) or the entire site is accessible only to a subset of users. In a section of the. htaccess file or httpd.conf (acces.conf) in the related directory, authname specifies the protected domain. Authorized access to valid users of user files and specified domain protection in the. htaccess file are specified as follows:

AuthName "Restricted Stuff"

AuthType Basic

Authuserfile/usr/local/etc/httpd/users

Require Valid-user

Where authname indicates the domain name (Realm name) of the protection field. The Valid-user parameter means that all users in the user file are available. Once a user enters a valid user/password, other resources within the same domain can be accessed using the same user/password, and the same user/password can be shared with two different regions.

3, tell the server which users have access to resources

If you want to grant access to a resource to a group of customers, you can list their names after require. The best approach is to use group files. The operation of a group is similar to the concept of a standard UNIX group, and any user can belong to one and several groups. This allows you to use require in the configuration file to grant certain permissions to the group. Such as:

Require Group Staff

Require Group Staff Admin

Require User Adminuser

Specifies the access rights of a group, several groups, or a user.

It should be noted that when a large number of user accounts need to be established, the Apache server can greatly reduce efficiency by leveraging the user file database. In this case, it is best to use the database format of the account file, such as the DBM database format files. You can also take advantage of the DB format (mod_auth_db) data files as needed, or use the database directly, such as: mSQL (mod_auth_msql) or DBI compatible database (MOD_AUTH_DBI).

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.