Simple configuration and security policy of Apache server

Source: Internet
Author: User

In the earlier analysis of the weevely backdoor, there was a mention of using Apache's .htaccess configuration file to hide the PHP backdoor. This post explains the purpose of the .htaccess file in connection with the concrete configuration of the Apache server; it also serves as my own study notes ...

I. Building an Apache server

See the previous blog post: CentOS 6.0 PHPVOD build tutorial (LAMP + PHPVOD)

II. Global configuration in httpd.conf

1. ServerRoot sets the absolute path of the server directory, that is, where the Apache server's installation and configuration files live. It is generally /etc/httpd, or /usr/local/apache (depending on the installation method).

2. Listen specifies the IP address and port to bind, typically port 80, for example Listen 192.168.1.100:80. Several IP addresses and ports can be listened on at the same time.

3. User and Group set the user ID and group ID under which the server processes requests. By default these are daemon/daemon (on some systems www-data or apache). They are system accounts and can be looked up in /etc/passwd, where you will find that they cannot log in and have relatively low privileges. This setup is a security measure and reflects how strictly Linux restricts such accounts. Although starting Apache normally requires root privileges (not strictly necessary; this can be arranged differently by editing /etc/sudoers), once the Apache server has started it moves its worker processes to run as this specified unprivileged user, which reduces the risk to the server.

4. ServerAdmin sets the address of the server administrator, usually an e-mail address or alias. When a page error occurs you will sometimes see an English error message; read it carefully and you will find this address, which makes it easy to contact the webmaster.

5. ServerName is the host name and should be a fully qualified domain name. In the Domain Name System (DNS) you can manage your servers conveniently by adding aliases.

6. DocumentRoot sets the virtual directory of the web site (that is, the site's root directory), typically /var/www/html/. When you access http://127.0.0.1/index.php you are actually accessing the file index.php under /var/www/html/.

7. UserDir defines the per-user web directory.

8. DirectoryIndex specifies the file name of the directory index. This is very important: many sites are set up improperly and expose their directory listings because the index is not set (or is set incorrectly). Specifically, when the requested URL is a directory (for example http://www.server.com/includes/), the server returns a default file, typically index.php, index.html, index.jsp and so on. An example setting is: DirectoryIndex index.php index.html index.cgi

9. Timeout sets the network time-out, in seconds.

10. KeepAlive and KeepAliveTimeout set the duration of each session, which allows many requests to be sent over the same TCP connection and saves network resources, for example:

KeepAlive on

KeepAliveTimeout 5

11. MaxKeepAliveRequests sets the maximum number of requests served on one persistent connection; once that number is reached, the server closes the connection instead of answering further requests on it ("denial of service request"). Seen from the whole server, the number of connections it can answer is also limited: when there are too many requests, new ones are no longer served. Powerful DDoS attacks build on this basic principle, forging a large number of bogus requests so that the server refuses normal client requests and is paralysed.

StartServers sets the number of idle child processes waiting to accept requests after Apache starts.

MaxSpareServers sets the maximum number of idle processes; when this number is exceeded, Apache kills the surplus processes to save system resources.

MaxClients sets the maximum number of simultaneous Apache connections.

12. Include: one of the highlights of the Apache server is its simple yet powerful configuration. In httpd.conf you can pull in related configuration options through this simple file inclusion mechanism, which also makes them easier to manage.

  

III. Access restriction policies

1. Configuration directives of the Apache server

The Order directive specifies the sequence in which the Allow and Deny access control rules are evaluated. Allow and Deny set the access rights of clients by domain name or IP address, and the rule type listed later in Order overrides the earlier one. The following examples illustrate this:

Example 1:
All hosts in the ppp.org domain are allowed to access this web site; the Allow statement, evaluated later, overrides the Deny statement
Order Deny,Allow
Deny from all
Allow from ppp.org

Example 2:
Order Deny,Allow
Deny from all
Allow from 192.168.1.
Allow from 127.
Allow from ppp.org
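As an added illustration (not part of the original post), the following Python evaluates the Order/Allow/Deny semantics of Apache 2.2 mod_authz_host on the two examples above, and shows how swapping the Order flips the result for the same rule lists; the client IP addresses and reverse-DNS names are constructed.

```python
import ipaddress

def _matches(spec, client_ip, client_host):
    """Does one argument of 'Allow from' / 'Deny from' match this client?"""
    spec = spec.lower()
    if spec == "all":
        return True
    if "/" in spec:                        # CIDR form, e.g. 192.168.1.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():    # full or partial IP, e.g. "192.168.1." or "127."
        prefix = spec if spec.endswith(".") else spec + "."
        return (client_ip + ".").startswith(prefix)
    # Anything else is a (partial) domain name, matched against the client's
    # reverse-DNS name (Apache confirms it with a forward lookup; here the
    # resolved name is simply passed in, constructed by the caller).
    if not client_host:
        return False
    client_host = client_host.lower()
    return client_host == spec or client_host.endswith("." + spec)

def is_allowed(order, allow, deny, client_ip, client_host=None):
    """Apache 2.2 Order semantics:
    Deny,Allow - Deny rules are evaluated first and an Allow match overrides
                 them; a client matching neither list is allowed.
    Allow,Deny - Allow rules are evaluated first and a Deny match overrides
                 them; a client matching neither list is denied."""
    allowed = any(_matches(s, client_ip, client_host) for s in allow)
    denied = any(_matches(s, client_ip, client_host) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("Order must be Deny,Allow or Allow,Deny")

# Example 2 from the text: deny everyone, then re-allow two IP ranges and one domain.
EXAMPLE2 = dict(order="Deny,Allow", allow=["192.168.1.", "127.", "ppp.org"], deny=["all"])

if __name__ == "__main__":
    for ip, host in [("192.168.1.7", None), ("127.0.0.1", None),
                     ("203.0.113.9", None), ("203.0.113.9", "mail.ppp.org")]:
        verdict = is_allowed(client_ip=ip, client_host=host, **EXAMPLE2)
        print(ip, host, "->", "allowed" if verdict else "denied")
    # Same lists with the opposite Order: "Deny from all" now wins, so everyone is denied.
    print("Allow,Deny:", is_allowed("Allow,Deny", EXAMPLE2["allow"], EXAMPLE2["deny"], "192.168.1.7"))
```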

2. Using the .htaccess file for access control

About the. htaccess file: http://www.cnblogs.com/adforce/archive/2012/11/23/2784664.html

Any configuration directive from httpd.conf may also be placed in a .htaccess file. This file is used to control access to a single directory. Its name is set with the AccessFileName directive in httpd.conf:
AccessFileName .htaccess

The following block stops clients from reading the .htaccess file itself over the web:

<Files ~ "^\.htaccess">
    Order Allow,Deny
    Deny from all
</Files>

To limit what a .htaccess file may override, use the AllowOverride directive. It can be set globally or configured per directory. The default options are set with the Options directive. The following is the access control for the /var/www/icons directory:

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

The AllowOverride directive specifies which settings a .htaccess file may override, and can be set per directory. Its possible values are All, None, Options, FileInfo, AuthConfig, Indexes and Limit, with the following meanings:

Options     the .htaccess file may use the Options directive to set directory features, including ones not listed in the master Options directive
FileInfo    the .htaccess file may contain directives that modify document type information
AuthConfig  the .htaccess file may contain authentication directives
Limit       the .htaccess file may contain the Allow, Deny and Order directives
Indexes     the .htaccess file may control the directory listing mode
None        .htaccess files are not processed at all
All         all of the above directive groups are read

A .htaccess file is a per-directory configuration placed in the web directory, and it controls the access policy for that directory and its subdirectories. Enabling this control requires that AllowOverride in the Apache master configuration file be set to All. One last word: although the .htaccess file strengthens the security of the Apache server, it is not itself secure; the previous blog post (http://www.cnblogs.com/lingerhk/p/4009073.html) showed a Trojan backdoor built on a .htaccess file. So there is no absolute security!

IV. Authentication and authorized access

User authentication is a very important means of network security. Once user authentication is enabled, the browser pops up a login box the first time the user visits, and only a correct user name and password grant entry.

There are two common types of authentication: Basic authentication (user name and password) and Digest authentication (which authenticates the client with a challenge). These settings can be written in httpd.conf, or in a separate .htaccess file. The relevant directives are:

AuthName       defines the name of the protected realm
AuthType       the authentication method used, one of the two modes described above
AuthGroupFile  specifies the location of the authentication group file
AuthUserFile   specifies the location of the authentication password file

There are three ways to authorize users:

(1) Authorize one or more specified users

(2) Authorize one or more specified groups

(3) Authorize all users in the specified password file

Create an authentication file (note: the password file must be placed outside the web directory to avoid leaking it), for example /etc/httpd/passwd_auth:

~# htpasswd -c /etc/httpd/passwd_auth Linger    # -c creates the file, discarding any existing content; leave it out when adding a user to an existing file

Configure user authentication and authorization in the master configuration file in the following form (Apache does not accept trailing comments on a directive line, so the comments are placed on their own lines):

<Directory "/var/www/html/test">
    # disable .htaccess files
    AllowOverride None
    # use Basic authentication
    AuthType Basic
    # realm text shown in the login box
    AuthName "Test"
    # path of the password file to read
    AuthUserFile /etc/httpd/passwd_auth
    # user names allowed access, several separated by spaces
    Require user Linger
</Directory>

Besides the master configuration file, you can also use a .htaccess file for user authentication:

(1) Enable user authentication support in httpd.conf:

<Directory "/var/www/html/test">
    AllowOverride AuthConfig
</Directory>

(2) Add the following statements to the .htaccess file in that directory:

AuthType Basic
AuthName "Please Login:"
AuthUserFile /etc/httpd/passwd_auth
Require user Linger
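To show what the Basic authentication configured above (in httpd.conf or .htaccess) actually checks, here is an added Python example, not Apache's own code: it writes a password file entry in the {SHA} form that htpasswd -s produces, parses the client's Authorization header, verifies the password, and applies the Require user / Require valid-user rule. The user names, password and realm are constructed, and apr1-MD5 and bcrypt entries (the other htpasswd formats) are deliberately not handled.

```python
import base64
import hashlib
import hmac

def sha_entry(user, password):
    """One AuthUserFile line in the {SHA} form written by 'htpasswd -s':
    user:{SHA}base64(sha1(password)), unsalted - one reason the file must
    live outside DocumentRoot."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def load_passwd(text):
    """Parse AuthUserFile contents into {user: stored_hash}."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users

def basic_header(user, password):
    """The Authorization header value a browser sends after the login box."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def challenge_header(auth_name):
    """Sent with the 401; AuthName becomes the realm the browser shows in its login box."""
    return f'WWW-Authenticate: Basic realm="{auth_name}"'

def check_basic_auth(authorization, users, require):
    """Return the authenticated user name, or None when the request gets a 401.
    require is the argument of the Require directive: 'user a b' or 'valid-user'."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True)
        user, _, password = raw.decode("utf-8").partition(":")
    except ValueError:            # bad base64 (binascii.Error) and bad UTF-8 both subclass ValueError
        return None
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return None               # unknown user, or an apr1/bcrypt entry this example does not handle
    expected = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")
    if not hmac.compare_digest(expected, stored[len("{SHA}"):]):
        return None               # wrong password (constant-time comparison)
    words = require.split()
    if words == ["valid-user"]:
        return user               # anyone present in the password file
    if words[:1] == ["user"] and user in words[1:]:
        return user               # one of the listed users
    return None                   # authenticated, but not authorized by the Require rule

# Constructed sample AuthUserFile contents (not real credentials).
SAMPLE_USERS = load_passwd(sha_entry("Linger", "s3cret") + "\n" + sha_entry("guest", "guest123"))
```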

V. Virtual directory settings

A virtual directory is an alias for a path, relative or absolute, under the Apache home directory. Setting up virtual directories increases the security of the web server to a certain extent: when a webshell is produced through the database backup method, the absolute path of the web directory must be known before the resulting webshell can be accessed normally. Sometimes, however, a misconfiguration or an error in the web application's source code exposes the absolute path of the web server, so you need to test your own site regularly. One more point: a Linux web server generally has a default web directory location, which undoubtedly leaves a security risk, so it is recommended to change its absolute path, that is, to change the DocumentRoot entry in httpd.conf. The following is a simple virtual directory configuration:

httpd.conf
<IfModule alias_module>
    Alias /phpmyadmin "/home/linger/phpmyadmindir"
    ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
# set the properties of the cgi-bin directory
<Directory "/usr/local/apache/cgi-bin/">
    AllowOverride None
    Options ExecCGI
    Require all granted
</Directory>

VI. Setting up virtual hosts

The Apache server was the first web server to implement virtual hosts. The advantage of virtual hosts is that one physical server can run several web services at the same time; most virtual hosting tenants today rely on this feature for multi-domain access. Virtual hosts come in two kinds, IP-based and name-based. With IP-based virtual hosts, a physical server has several network interfaces (hardware or software); requests to the different IP addresses all reach the same physical server, but Apache returns different data depending on which IP the client requested. With name-based virtual hosts, Apache looks up a different web directory based on the domain name in the client's request (carried in the HTTP headers) and returns that content to the client. Because IPv4 addresses are scarce and domain names are easy to remember, name-based virtual hosts are more popular. The following is a name-based virtual host configuration:

Set up the first virtual host
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/usr/local/apache/server1"
    ServerName server1.com
    ServerAlias www.server1.com
    ErrorLog "logs/server1_error_log"
    CustomLog "logs/server1_access_log" common
</VirtualHost>
Set up a second virtual host ("common" on the CustomLog line selects the common log format)
<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot "/usr/local/apache/server2"
    ServerName server2.com
    ServerAlias www.server2.com
    ErrorLog "logs/server2_error_log"
    CustomLog "logs/server2_access_log" common
</VirtualHost>

VII. Apache server log management

Log files are excellent material for administrators to manage and monitor the safe operation of an Apache server. In the era of big data, analysis of users' browsing habits and all kinds of data mining based on web logs have gradually become popular services. In security management the role of logs is especially important, in particular for troubleshooting Apache service errors and locating the source of an intrusion. The Apache server runs with two standard log files: the access log (access_log) and the error log (error_log). The running server also generates very large (GB-scale) log files; if they do not need to be kept, they can be deleted as appropriate to save disk space, which matters more when the server's disk is small.

There are several log-related configuration directives in Apache:

1. ErrorLog specifies the path of the error log: ErrorLog "logs/error_log"

2. LogLevel specifies the logging level of the error log, for example: LogLevel warn

3. LogFormat names a logging format; it uses a number of variables and is easy to customise, for example: LogFormat "%h %l %u %t \"%r\" %>s %b" common

4. CustomLog specifies the path and record format of the access log: CustomLog "logs/access_log" common

Variable        Meaning
%b              Bytes sent, not including HTTP headers
%f              Filename
%{VARIABLE}e    Contents of the environment variable VARIABLE
%h              Remote host
%a              Remote IP address
%{Header}i      Contents of the Header: line in the request sent to the server
%l              Remote logname (from identd, if supplied)
%{Note}n        Contents of the note Note from another module
%{Header}o      Contents of the Header: line in the reply
%p              Canonical port of the server serving the request
%P              Process ID of the child that served the request
%r              First line of the request
%s              Status. For an internally redirected request this is the status of the original request; %>s gives the final status
%t              Time, in common log format
%{format}t      Time, formatted according to format, which may be a strftime(3) format
%T              Time taken to serve the request, in seconds
%u              Remote user from auth; may be bogus if the returned status (%s) is 401
%U              URL path of the request
%v              Canonical ServerName of the server serving the request

In front of each variable you can set a condition that decides whether the variable is logged; when it is not logged, a "-" is written instead. These conditions take the form of a list of numeric status codes. The CustomLog directive specifies the location and format of the log file; if the path given is not absolute, it is taken relative to ServerRoot. The following are the statements that specify the log files in httpd.conf:

CustomLog logs/access_log common
ErrorLog logs/error_log

Error logging levels in Apache:

Level   Name     Meaning
1       emerg    Emergency: the system is unusable
2       alert    Condition that requires immediate attention
3       crit     Critical condition, a warning of a dangerous situation
4       error    Error conditions other than the three above
5       warn     Warning message
6       notice   Needs attention, but less important than levels 4 and 5
7       info     General message that needs to be reported
8       debug    Message generated by programs running in debug mode


The access logs of the Apache server fall into 4 categories:
    • Common log format (Common Log Format, CLF): most log analysis software supports this format; its nickname in the LogFormat directive is common;
    • Referer log format: records where the client visiting the site came from; its nickname in the LogFormat directive is referer;
    • Agent log format: records the requesting user agent; its nickname in the LogFormat directive is agent;
    • Combined log format: a combination of the information in the three formats above; its nickname in the LogFormat directive is combined.

Because the combined log format effectively merges the other three formats and their information, in practice the access log can be split across three files for separate recording, configured as follows:

LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-Agent}i" agent
CustomLog logs/access_log common
CustomLog logs/referer_log referer
CustomLog logs/agent_log agent

You can also record everything in one combined file; the corresponding configuration is:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined

The following is the configuration in the httpd.conf file:

httpd.conf file
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    # %I and %O (bytes received and sent, headers included) need mod_logio
    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    # use one of the two; writing both formats to the same file would mix them
    CustomLog "logs/access_log" common
    #CustomLog "logs/access_log" combined
</IfModule>
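As an added example (not from the original post), a Python parser for the combined LogFormat defined in the httpd.conf above, run over a few constructed access_log lines to pick out hosts that draw repeated 401/403/404 responses, which is the kind of check used when looking for an intrusion source; the host addresses, paths and user agents are made up.

```python
import re
from collections import Counter

# Regex for the "combined" LogFormat in the page's httpd.conf:
#   "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<logname>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample access_log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2014:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:13:55:37 +0800] "GET /images/logo.png HTTP/1.1" 200 5120 "http://server1.com/index.php" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:13:56:01 +0800] "GET /test/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
198.51.100.7 - Linger [10/Oct/2014:13:56:02 +0800] "GET /test/ HTTP/1.1" 401 381 "-" "curl/7.29.0"
198.51.100.7 - Linger [10/Oct/2014:13:56:03 +0800] "GET /test/ HTTP/1.1" 200 512 "-" "curl/7.29.0"
198.51.100.7 - - [10/Oct/2014:13:56:05 +0800] "GET /.htaccess HTTP/1.1" 403 202 "-" "curl/7.29.0"
203.0.113.5 - - [10/Oct/2014:13:57:00 +0800] "GET /old/index.php HTTP/1.1" 404 - "-" "Mozilla/5.0"
"""

def parse_line(line):
    """One combined-format line -> dict, or None if it does not match the format."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs "-" for zero bytes
    method, _, rest = rec["request"].partition(" ")                 # %r is "METHOD path PROTO"
    rec["method"] = method
    rec["path"] = rest.split(" ")[0] if rest else ""
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def suspicious_hosts(records, statuses=(401, 403, 404), threshold=2):
    """Hosts with at least `threshold` responses in `statuses`: failed logins,
    blocked .htaccess reads, requests for paths that do not exist."""
    per_host = Counter(r["host"] for r in records if r["status"] in statuses)
    return {h: n for h, n in per_host.items() if n >= threshold}

def failed_logins(records):
    """(host, user) pairs that drew a 401; as the %u note above says, a user
    name logged with a 401 was offered by the client but not accepted."""
    return Counter((r["host"], r["user"]) for r in records if r["status"] == 401)
```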

  

  
