Note: All of the following operations were performed on a CentOS 6.5 x86_64 system.
# Preparation #
Before starting the installation, make sure that you have installed the various base components using yum, and that you have configured the www user and user group, as described in the CentOS installation nginx-1.6.2+ security configuration.
There are also several components that need to be installed first:
1. Install SQLite:

    # wget http://www.sqlite.org/2014/sqlite-autoconf-3080704.tar.gz
    # tar zxf sqlite-autoconf-3080704.tar.gz
    # cd sqlite-autoconf-3080704
    # ./configure --prefix=/usr/local/sqlite-3.8.7.4
    # make
    # make install

2. Install APR:

    # tar zxf apr-1.4.5.tar.gz
    # cd apr-1.4.5
    # ./configure --prefix=/usr/local/apr-1.4.5
    # make
    # make install

3. Install APR-util (1.3.x below stands for the patch version of the apr-util tarball you downloaded):

    # tar zxf apr-util-1.3.x.tar.gz
    # cd apr-util-1.3.x
    # ./configure --prefix=/usr/local/apr-util-1.3.x --with-apr=/usr/local/apr-1.4.5
    # make
    # make install

# Apache installation #
Download Apache, then compile and install it (for --with-apr-util, use the prefix under which you installed APR-util):

    # cd /usr/local/src
    # wget http://mirrors.hust.edu.cn/apache//httpd/httpd-2.4.10.tar.gz
    # tar zxf httpd-2.4.10.tar.gz
    # cd httpd-2.4.10
    # ./configure --prefix=/usr/local/apache-2.4.10 --with-apr=/usr/local/apr-1.4.5 --with-apr-util=/usr/local/apr-util-1.3.x --enable-dav --enable-so --enable-maintainer-mode --enable-rewrite --with-sqlite=/usr/local/sqlite-3.8.7.4
    # make && make install
    # cp /usr/local/apache-2.4.10/conf/httpd.conf /usr/local/apache-2.4.10/conf/httpd.conf.default
    # ln -s /usr/local/apache-2.4.10/ /usr/local/apache

Then modify the httpd.conf configuration file:

    # vim /usr/local/apache-2.4.10/conf/httpd.conf

    Listen 8888
    User www
    Group www
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule rewrite_module modules/mod_rewrite.so

Note: Here we set the listening port to 8888 and enable the DAV module and the rewrite module.
Then save the file and start the Apache service:

    # /usr/local/apache/bin/apachectl start

Note that the new version of Apache does not allow the server to run as root, as the following shows:

    # ps aux | grep httpd
    www   10087  0.0  0.5 221664  2960 ?      Sl  xx:xx  0:xx /usr/local/apache-2.4.10/bin/httpd -k start
    www   10088  0.0  0.5 221664  2964 ?      Sl  xx:xx  0:xx /usr/local/apache-2.4.10/bin/httpd -k start
    www   10089  0.0  0.7 287200  3528 ?      Sl  xx:xx  0:xx /usr/local/apache-2.4.10/bin/httpd -k start
    www   10171  0.0  0.5 221664  2968 ?      Sl  xx:xx  0:xx /usr/local/apache-2.4.10/bin/httpd -k start
    root  12966  0.0  0.7  98588  3872 ?      Ss  xx:xx  0:xx /usr/local/apache-2.4.10/bin/httpd -k start
    root  10331  0.0  0.1 103252   836 pts/0  S+  xx:xx  0:xx grep httpd

Note: One httpd process runs as root, and this is normal. After startup, the root process forks child processes that run with www privileges, and user requests are handled by those www-privileged processes.
Now open http://youripaddress:8888/ in a browser; you should be able to see:
At this point, Apache has been installed and successfully started.
# Apache security configuration #
1. By default Apache allows directory browsing: if a directory has no index file, its contents are listed, which is a directory browsing vulnerability, so directory browsing must be turned off. Here it is disabled globally:

    # vim /usr/local/apache/conf/httpd.conf

    <Directory "/usr/local/apache-2.4.10/htdocs">
        Options -Indexes +FollowSymLinks
        Require all granted
    </Directory>

Note: The original Indexes is changed to -Indexes. Apache 2.4 rejects an Options line that mixes keywords with a + or - prefix and keywords without one, so FollowSymLinks is written as +FollowSymLinks. You can also disable the feature in the .htaccess file, or simply delete Indexes from the line.
2. The banner that Apache outputs by default leaks key information, such as the server OS type and the Apache version. You can disable the output of this information:

    # vim /usr/local/apache/conf/httpd.conf

    ServerSignature Off
    ServerTokens Prod

Note: Add these lines directly at the end of the file.
3. Enable the access log and configure its path correctly (it is on by default):

    # vim /usr/local/apache/conf/httpd.conf

    <IfModule log_config_module>
        CustomLog "logs/access_log" common
    </IfModule>

4. Ensure directory security. Because Apache runs as the www user, you can make root the owner of the web directory and its files, set the permissions of web directories uniformly to 755 and of web files uniformly to 644 (CGI files that must be executed can be set to 755). Only the upload directory requires read-write permission, set to 777.

    # chown -R root:root /data/www/
    # chmod 755 /data/www/
    # chmod 777 /data/www/upload

In addition, to prevent hackers from uploading executable scripts into the 777 directory, that directory must be configured so that scripts in it can be neither executed nor accessed, for example:

    # vim /usr/local/apache/conf/httpd.conf

    # Order/Deny/Allow are 2.2-style directives, provided in 2.4 by mod_access_compat
    <Directory "/usr/local/apache/htdocs/yourpath">
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
        <FilesMatch "\.(jpg|jpeg|gif|png)$">
            Order deny,allow
            Allow from all
        </FilesMatch>
    </Directory>

5. Restrict access to the management directory to a list of allowed IP addresses, for example:

    # vim /usr/local/apache/conf/httpd.conf

    <Directory "/usr/local/apache/htdocs/admin">
        Require ip 11.12.23.0/24
    </Directory>

6. Disable the UserDir feature (it is off by default).
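
The settings from items 1 to 3 can be checked mechanically after each configuration change. The shell function below is an added example, not part of the original article: it scans an httpd.conf for enabled directory listing, an Options line that mixes prefixed and bare keywords, and missing ServerSignature, ServerTokens or CustomLog settings. The function names and both sample configurations are constructed for illustration.

```shell
# Added example: audit an httpd.conf for the hardening items above.
# Prints one finding per line; prints nothing when every check passes.
audit_httpd_conf() {
    awk '
    $1 ~ /^#/ { next }    # ignore comment lines
    { d = tolower($1); v = tolower($2) }
    d == "serversignature" && v == "off"  { sig = 1 }
    d == "servertokens"    && v == "prod" { tok = 1 }
    d == "customlog"                      { alog = 1 }
    d == "options" {
        signed = 0; bare = 0
        for (i = 2; i <= NF; i++) {
            o = tolower($i)
            if (o ~ /^[+-]/) signed++; else bare++
            if (o == "indexes" || o == "+indexes" || o == "all")
                printf "line %d: directory listing enabled by %s\n", NR, $i
        }
        if (signed && bare)
            printf "line %d: Options mixes +/- with bare keywords\n", NR
    }
    END {
        if (!sig)  print "ServerSignature Off is not set"
        if (!tok)  print "ServerTokens Prod is not set"
        if (!alog) print "no CustomLog directive found"
    }' "$1"
}
# Constructed sample configurations (not taken from a real server).
sample_weak() {
    cat <<'EOF'
<Directory "/usr/local/apache-2.4.10/htdocs">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
#ServerTokens Prod
EOF
}
sample_hardened() {
    cat <<'EOF'
<Directory "/usr/local/apache-2.4.10/htdocs">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
ServerSignature Off
ServerTokens Prod
CustomLog "logs/access_log" common
EOF
}
tmp=$(mktemp) && sample_weak > "$tmp" && audit_httpd_conf "$tmp"; rm -f "$tmp"
```

The function reads only the file it is given, so configuration pulled in through Include directives has to be audited separately.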
CentOS Installation apache-2.4.10+ Security Configuration