Secure Apache Web Server




According to survey data, the Apache HTTP Server (Apache) is the world's most widely used web server. Developed by the Apache Software Foundation, it is available for most operating systems. openSUSE® Leap includes Apache version 2.4. As Apache is an actively developed open-source project, the easiest way to improve the security of an Apache web server is to keep it at the latest version: new fixes and security patches are added in every release, so always upgrade to the latest stable version. Finally, the Apache web server is configured to listen on port 443 (HTTPS).

Conclusion: PKI is a critical component in the IT world and it is integrated with many applications.

SSL is currently one of the standards of web security. Learn how to implement an SSL certificate on an Apache web server to keep your data safe.


Before you start the installation process, make sure that a CSR (certificate signing request) has been generated, all validations are met, and the SSL certificate has been issued and downloaded.


To Install an SSL Certificate, Perform the Following Steps:

  • Copy the certificate into the shell text editor and name the file “mydomain.crt”

Note: Copy the contents of the certificate from (and including) the -----BEGIN CERTIFICATE----- line to the -----END CERTIFICATE----- line.

  • Copy the certificate to the Apache Server Directory in which you plan to store your certificates (by default: /usr/local/apache/conf/ssl.crt/ or /etc/httpd/conf/ssl.crt/)

Note: If you have a custom installation, locate the server directory yourself.

  • Open the Apache Configuration file in a text editor. Apache configuration files are usually found in /etc/httpd. The main configuration file is usually named httpd.conf. In most cases, the <VirtualHost> blocks will be at the bottom of this httpd.conf file. Sometimes you will find <VirtualHost> blocks in a separate file in a directory like /etc/httpd/sites/ or in a file called ssl.conf.
  • Locate the SSL VirtualHost associated with your certificate. Verify that you have the following two directives within this virtual host. Please add them if they are not present.
    • SSLCertificateFile /usr/local/apache/conf/ssl.crt/domainname.crt (or server.crt)
    • SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domainname.key (or server.key)

Note: Some instances of Apache will store Virtual Host information in an ssl.conf file. If your httpd.conf contains no Virtual Host information then you will need to locate and amend the ssl.conf as performed above.

  • Save the changes and exit the shell editor.
  • Start or restart your Apache web server using one of the following commands (default paths):

    /usr/local/apache/bin/apachectl startssl

    or

    /usr/local/apache/bin/apachectl restart

Published at DZone with permission of Kalpesh Patel. See the original article here.

Introduction

Apache is one of the most widely used and popular web servers. It is also one of the most secure web servers available. In this article, I will explain some tips and tricks that will secure your Apache server.

Requirements

  • A server running CentOS 7 with Apache installed
  • A static IP address for your server
  • Firefox browser with the Firebug add-on installed (for testing)

Hide the Apache version

Visit your web server in Firefox. Activate Firebug by clicking the Firebug icon at the top right.

If you check the HTTP response headers in Firebug, they show the Apache version along with your operating system name and version, as shown in this screenshot:

To hide this information from browsers, you will need to make some changes in Apache's main configuration file.

You can do this by editing the httpd.conf file:

Add the following line at the end of the file:

Save the file and restart the Apache service to apply these changes:

Now, open Firefox and access your web server. Check the HTTP response headers in Firebug; you can see that setting ServerSignature to Off has removed the version information from the Server header.

Turn off directory listing

Directory listing in the absence of an index file is enabled by default in Apache. Directory listing displays all the files in the Apache web root directory. If it is enabled, an attacker can easily view any file, analyze it, and obtain sensitive information about the applications on your Apache server.

Here is an example of the directory listing of your Apache web root directory:

You can turn off this setting by using the Options directive in the Apache configuration file for a specific web directory.

Find the section that begins with Directory /var/www/html and add -Indexes to the Options directive:

Save the file and restart the Apache service to apply these changes.

Next, try to visit your website in a browser. You will get a 'Forbidden' error, as shown in the image below.

Disable unnecessary modules

By default, Apache comes with many installed modules that you do not need. It is good policy to disable any modules that are not in use.

You can list all enabled modules on your server using the following command:

Among the modules enabled in the 00-base.conf file, some, such as mod_info, mod_userdir, and mod_autoindex, are enabled but not needed.

You can disable these modules by editing the 00-base.conf file:

Insert a # at the beginning of the following lines to disable the modules:

Save the file and restart the Apache service to apply these changes.

Disable Apache's FollowSymLinks

By default, Apache follows symbolic links (symlinks). Turning this off is recommended for security.

To do this, you need to edit the httpd.conf file:

Find the section that begins with Directory /var/www/html and add -FollowSymLinks to the Options directive:

Now restart Apache to apply the changes.

Turn off server-side includes (SSI) and CGI execution

Server-side includes (SSI) are directives embedded in the HTML pages of web applications. An SSI attack allows a web application to be exploited by remotely executing arbitrary code: the attacker can access sensitive information such as password files and execute shell commands. It is recommended that you disable server-side includes and CGI execution if they are not needed.

To do this, edit the main Apache config file:

Find the section that begins with Directory /var/www/html and add -ExecCGI and -Includes to the Options directive:

Now restart Apache to apply the changes.

You can also do this for specific web directories. For example, to turn off Includes and CGI execution for the /var/www/html/www.vhost1.com directory:

Add the following line:

Save the file and restart Apache.

Limit request size

By default, Apache places no limit on the size of an HTTP request. This allows attackers to send large amounts of data.

You can limit the request size by using the Apache directive LimitRequestBody in combination with the Directory tag. This can help protect your web server from a denial of service (DoS) attack.

Suppose you have a site (www.example.com) where you allow uploads, and you want to limit the upload size on this site.

You can set a value from 0 (unlimited) to 2147483647 (2 GB) in the main Apache config file.

For example, to limit the request size for the /var/www/html/www.example.com directory to 200K:

Add the following line:

Save the file and restart Apache.

Disallow browsing outside the document root

Unless you have a specific need, it is recommended to restrict Apache to accessing only the document root.

You can secure the root directory / with Allow and Deny options in the httpd.conf file.

Add/edit the following lines:

Save the file and restart Apache:

  • Options None: this turns off all options
  • Order deny,allow: the order in which the allow and deny commands are applied
  • Deny from all: this denies requests from everyone to the root directory

Keep Apache up to date

The Apache server has a good security record. New Apache updates contain patches that reduce the vulnerability of your Apache server. You should always be using the most recent version of Apache.

You can update Apache to the most recent version by running the following command:

Secure Apache from clickjacking attacks

Clickjacking, also known as a 'user interface redress attack', is a malicious technique for capturing a user's clicks. Clickjacking tricks the victim (visitor) into clicking on a malicious site.

To avoid this, you need to use the X-Frame-Options header to prevent your website from being framed by clickjackers.

You can do this by editing the httpd.conf file:

Add the following line:

Save the file and restart Apache:

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should see X-Frame-Options, as shown in the image below:

Disable ETag

ETags (entity tags) are a well-known point of vulnerability in the Apache web server. ETag is an HTTP response header that can allow remote users to obtain sensitive information such as inode numbers, child process IDs, and multipart MIME boundaries. ETag is enabled in Apache by default.

You can see the ETag by checking the HTTP response headers in Firebug:

To prevent this vulnerability, disabling ETag is recommended.

You can do this by editing the httpd.conf file:

Add the following line:

Save the file and restart Apache:

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should not see ETag listed.

HTTP request methods

Apache supports the OPTIONS, GET, HEAD, POST, CONNECT, PUT, DELETE, and TRACE methods of the HTTP/1.1 protocol. Some of these may not be required and may pose a security risk. It is a good idea to enable only HEAD, POST, and GET for web applications.

You can do this by editing the httpd.conf file:

Find the section that begins with Directory /var/www/html and add the following lines under this section:

Save the file and restart Apache:

sudo apachectl restart

Secure Apache from XSS attacks

Cross-site scripting (XSS) is one of the most common application-layer vulnerabilities on an Apache server. XSS enables attackers to inject client-side script into web pages viewed by other users. Enabling XSS protection is recommended.

You can do this by editing the httpd.conf file:

Add the following line:

Save the file and restart Apache to apply the changes.

Now, open Firefox and visit your website. When you check the HTTP response headers in Firebug, you should see that XSS protection is enabled with mode=block.

Protect cookies with the HttpOnly flag

You can protect your Apache server from most of the common cross-site scripting attacks by using the HttpOnly and Secure flags for cookies.

You can do this by editing the httpd.conf file:

Add the following line:

Save the file and restart Apache to apply the changes.
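The directives the sections above describe, gathered into one Apache 2.4 drop-in file for CentOS 7 together with an audit function that reports which of them a given config still lacks; this is an added example, not the article's own listing, and /var/www/html, the 200K limit and the drop-in file name are assumptions taken from the text. It uses the 2.4 'Require all denied' form where the article uses Order/Deny, adds TraceEnable Off because LimitExcept does not stop TRACE, and sets ServerTokens Prod because that directive, not ServerSignature, controls the Server header.

```shell
#!/bin/sh
# Added example, not from the article: an Apache 2.4 drop-in for CentOS 7
# that carries every directive discussed above, plus an audit that reports
# which of them a given config file lacks. Paths are assumptions.

# Writes the hardening directives to the file named in $1 (assumed path).
write_hardening_conf() {
    cat > "$1" <<'EOF'
# Only "Apache" in the Server header, no version footer on error pages, no ETag inode leak
ServerTokens Prod
ServerSignature Off
FileETag None
# TRACE is not covered by LimitExcept below, so disable it here
TraceEnable Off
# Filesystem root serves nothing ("Require all denied" is the 2.4 form of Deny from all)
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>
# Document root: no listing, symlinks, CGI or SSI; 200K request bodies; GET/POST/HEAD only
<Directory /var/www/html>
    Options -Indexes -FollowSymLinks -ExecCGI -Includes
    Require all granted
    LimitRequestBody 204800
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>
# Response headers (needs mod_headers); the cookie edit appends the flags unconditionally
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
EOF
}

# Prints how many of the settings above the config file $1 lacks and names
# each missing one on stderr (commented-out lines do not count).
audit_httpd_conf() {
    missing=0
    for pat in 'ServerTokens Prod' 'ServerSignature Off' 'FileETag None' \
               'TraceEnable Off' 'Options .*-Indexes' 'Options .*-FollowSymLinks' \
               'Options .*-ExecCGI' 'Options .*-Includes' 'LimitRequestBody' \
               'LimitExcept GET POST HEAD' 'X-Frame-Options' 'X-XSS-Protection' \
               'Set-Cookie .*HttpOnly'; do
        grep -Eqi "^[[:space:]]*[^#]*$pat" "$1" || { echo "missing: $pat" >&2; missing=$((missing + 1)); }
    done
    echo "$missing"
}
```

Write the file into /etc/httpd/conf.d/ and run apachectl configtest before restarting; the audit can be pointed at httpd.conf itself to see which settings an existing server still lacks.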