Apache Security - Ivan Ristic [13]
As a rule of thumb, if you are building a high profile web server—public or not—always go for a highly secure installation.
Though the purpose of this chapter is to be a comprehensive guide to Apache installation and configuration, you are encouraged to read others' approaches to Apache hardening as well. Every approach has its unique points, reflecting the personality of its authors. Besides, the opinions presented here are heavily influenced by the work of others. The Apache reference documentation is a resource you will go back to often. In addition to it, ensure you read the Apache Benchmark, which is a well-documented reference installation procedure that allows security to be quantified. It includes a semi-automated scoring tool to be used for assessment.
The following is a list of some of the most useful Apache installation documentation I have encountered:
Apache Online Documentation (http://httpd.apache.org/docs-2.0/)
Apache Security Tips (http://httpd.apache.org/docs-2.0/misc/security_tips.html)
Apache Benchmark (http://www.cisecurity.org/bench_apache.html)
"Securing Apache: Step-by-Step" by Artur Maj (http://www.securityfocus.com/printable/infocus/1694)
"Securing Apache 2: Step-by-Step" by Artur Maj (http://www.securityfocus.com/printable/infocus/1786)
Installation
The installation instructions given in this chapter are designed to apply to both active branches (1.x and 2.x) of the Apache web server running on Linux systems. If you are running some other flavor of Unix, I trust you will understand what the minimal differences between Linux and your system are. The configuration advice given in this chapter works well for non-Unix platforms (e.g., Windows) but the differences in the installation steps are more noticeable:
Windows does not offer the chroot functionality (see the section Section 2.4) or an equivalent.
You are unlikely to install Apache on Windows from source code. Instead, download the binaries from the main Apache web site.
Disk paths are different though the meaning is the same.
Source or Binary
One of the first decisions you will make is whether to compile the server from the source or use a binary package. This is a good example of the dilemma I mentioned at the beginning of this chapter. There is no one correct decision for everyone or one correct decision for you alone. Consider some pros and cons of the different approaches:
By compiling from source, you are in the position to control everything. You can choose the compile-time options and the modules, and you can make changes to the source code. This process will consume a lot of your time, especially if you measure the time over the lifetime of the installation (it is the only correct way to measure time) and if you intend to use modules with frequent releases (e.g., PHP).
Installation and upgrade is a breeze when binary distributions are used now that many vendors have tools to have operating systems updated automatically. You exchange some control over the installation in return for not having to do everything yourself. However, this choice means you will have to wait for security patches or for the latest version of your favorite module. In fact, the latest version of Apache or your favorite module may never come since most vendors choose to use one version in a distribution and only issue patches to that version to fix potential problems. This is a standard practice, which vendors use to produce stable distributions.
The Apache version you intend to use will affect your decision. For example, nothing much