Ubuntu/apache2
Latest revision as of 23:03, 20 January 2016
Basic Info
- apache2 is the most popular web hosting application on the market today
start|stop|restart apache2
sudo /etc/init.d/apache2 start|stop|restart
OR
sudo service apache2 start|stop|restart
apache2 enable site
a2ensite [site config file name] i.e. a2ensite default-ssl
apache2 disable site
a2dissite [site config file name] i.e. a2dissite default-ssl
apache2 enable module
a2enmod [module] i.e. a2enmod mod_ssl
apache2 disable module
a2dismod [module] i.e. a2dismod mod_ssl
disable indexing
~$ sudo a2dismod autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  service apache2 restart
mod_rewrite
A very powerful, very confusing tool.
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
http://httpd.apache.org/docs/current/rewrite/remapping.html
enabling
It was not enabled by default on my Ubuntu 14.04 VM.
sudo a2enmod rewrite
redirect
Request: redirect all traffic from a domain, including any subpage, to the landing/index page of another domain
Condition: mod_rewrite is enabled. virtual hosts are used
Resolution:
<VirtualHost *:80>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/index.html$
    RewriteRule .* http://newdomain.com/? [R=302,L]
    ServerName olddomain1.com
    ServerAlias olddomain2.com
    Redirect permanent / http://newdomain.com/
</VirtualHost>

<VirtualHost *:80>
    ServerName newdomain.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/newdomain.com
    TransferLog /var/log/apache2/newdomain.com-access_log
    ErrorLog /var/log/apache2/newdomaincom-error_log
</VirtualHost>
mod_authz_host
Great tool for restricting access to a virtual site, easy to read and understand. Add options to the <Directory> settings in the site conf file.
i.e.
<Directory /var/www/mysite.com/>
    Order Deny,Allow
    Deny from all
    Allow from 10.1.1.50
</Directory>
listen on non-standard port
On ubuntu 14.04, it is done by adding this:
~$ sudo vi /etc/apache2/ports.conf
Listen 80
Listen 8080
Troubleshooting
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
- Ubuntu 14.04
~$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
~$ sudo a2enconf fqdn
SSL Error: Invalid method in request \x16\x03\x01
I only started having SSL issues after moving to CloudFlare as a proxy so that they would provide me with a free SSL cert. I found that this issue appeared to be due to the fact that my Virtual Host site conf was set up like this:
(snippet)
<VirtualHost https://wiki.r00tedvw.com:443>
    Servername https://wiki.r00tedvw.com
I changed it to this:
<VirtualHost *:443>
    Servername https://wiki.r00tedvw.com
Apparently, it is redundant and will cause issues if you list the hostname in the VirtualHost. In this instance, I only have one site live on the server, so this may not be the correct solution for a multi-tenant setup.
Hardening
Hardening is a must.
Disable options through virtual site conf
All of the following can be added to a virtual site conf file to harden it by disabling options that have been commonly used as attack vectors:
- Directory browsing
- Server side Includes
- CGI execution
- Symbolic links
i.e.
<Directory /var/www/mysite.com/>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
</Directory>
- Or disable ALL options:
i.e.
<Directory /var/www/mysite.com/>
    Options None
</Directory>
Disable SSLv2/3
Add the following to your apache virtual site config. I added mine right below the other SSL Entries specifying the engine, cert file and key file.
#Disable SSLv3
SSLProtocol All -SSLv2 -SSLv3
Hide Apache Version Number
i.e.
<Directory /var/www/mysite.com/>
    ServerSignature Off
</Directory>
Prevent directive inheritance
Primarily used to stop directives defined in .htaccess files from being inherited, this prevents unwanted directives from being loaded into the site configuration.
i.e.
<Directory /var/www/mysite.com/>
    AllowOverride None
</Directory>
Limit request body size
Primarily useful for limiting the size of upload requests, but it can also be set when there is no option to upload, where it helps mitigate some DoS attacks.
I'm really not sure how to calculate what size to use if you're not allowing uploads, so I tried setting the size to the largest file served to clients, and everything on the site seems to load fine.
i.e.
<Directory /var/www/mysite.com/>
    LimitRequestBody 1021933
</Directory>
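The hardening directives above are easy to forget on a new vhost, so here is an added audit helper (not from the wiki page) that greps a site conf and reports which of these controls are absent. The sample vhost conf is constructed for the example and deliberately leaves out ServerSignature Off; the function names are my own.

```shell
#!/bin/sh
# Added audit helper, not part of the wiki page: greps a vhost conf for the
# hardening directives recommended above and reports which ones are absent.
# The conf below is a constructed sample; it deliberately omits ServerSignature.

SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    # SSLv2/3 disabled as in the section above
    SSLProtocol All -SSLv2 -SSLv3
    <Directory /var/www/example.test/>
        Options -Indexes -Includes -ExecCGI -FollowSymLinks
        AllowOverride None
        LimitRequestBody 1021933
    </Directory>
</VirtualHost>
EOF

# has_directive CONF REGEX: true if a non-comment line matches REGEX
has_directive() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "$2"
}

# audit_vhost CONF: prints one "MISSING:" line per absent control
audit_vhost() {
    has_directive "$1" '^[[:space:]]*Options[[:space:]]+(None|.*-Indexes)' \
        || echo "MISSING: Options -Indexes / Options None (directory listing)"
    has_directive "$1" '^[[:space:]]*AllowOverride[[:space:]]+None' \
        || echo "MISSING: AllowOverride None (.htaccess can override site conf)"
    has_directive "$1" '^[[:space:]]*ServerSignature[[:space:]]+Off' \
        || echo "MISSING: ServerSignature Off (version shown on error pages)"
    has_directive "$1" '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9][0-9]*' \
        || echo "MISSING: LimitRequestBody (no cap on request body size)"
    # SSLProtocol only matters when TLS is enabled in this vhost
    if has_directive "$1" '^[[:space:]]*SSLEngine[[:space:]]+on'; then
        has_directive "$1" '^[[:space:]]*SSLProtocol[[:space:]]+.*-SSLv3' \
            || echo "MISSING: SSLProtocol ... -SSLv3 (legacy SSL still offered)"
    fi
}

# count_missing CONF: number of absent controls, handy for scripted checks
count_missing() {
    audit_vhost "$1" | grep -c '^MISSING' || true
}

audit_vhost "$SAMPLE_CONF"
# ServerSignature Off only hides the version on server-generated pages; the
# Server response header still needs ServerTokens Prod in apache2.conf.
```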