Apache Security - Ivan Ristic [18]
On the other hand, you should include these modules in your installation:
mod_rewrite
Allows incoming requests to be rewritten into something else. Known as the "Swiss Army Knife" of modules, you will need the functionality of this module.
mod_headers
Allows request and response headers to be manipulated.
mod_setenvif
Allows environment variables to be set conditionally based on the request information. Many other modules' conditional configuration options are based on environment variable tests.
In the configure example, I assumed acceptance of the default module list. In real situations, this should rarely happen as you will want to customize the module list to your needs. To obtain the list of modules activated by default in Apache 1, you can ask the configure script. I provide only a fragment of the output below, as the complete output is too long to reproduce in a book:
$ ./configure --help
...
[access=yes actions=yes alias=yes ]
[asis=yes auth_anon=no auth_dbm=no ]
[auth_db=no auth_digest=no auth=yes ]
[autoindex=yes cern_meta=no cgi=yes ]
[digest=no dir=yes env=yes ]
[example=no expires=no headers=no ]
[imap=yes include=yes info=no ]
[log_agent=no log_config=yes log_forensic=no]
[log_referer=no mime_magic=no mime=yes ]
[mmap_static=no negotiation=yes proxy=no ]
[rewrite=no setenvif=yes so=no ]
[speling=no status=yes unique_id=no ]
[userdir=yes usertrack=no vhost_alias=no ]
...
As an example of interpreting the output, userdir=yes means that the module mod_userdir will be activated by default. Use the --enable-module and --disable-module directives to adjust the list of modules to be activated:
$ ./configure \
> --prefix=/usr/local/apache \
> --enable-module=rewrite \
> --enable-module=so \
> --disable-module=imap \
> --disable-module=userdir
Obtaining a list of modules activated by default in Apache 2 is more difficult. I obtained the following list by compiling Apache 2.0.49 without passing any parameters to the configure script and then asking the httpd binary to produce a list of modules:
$ ./httpd -l
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
To change the default module list on Apache 2 requires a different syntax than that used on Apache 1:
$ ./configure \
> --prefix=/usr/local/apache \
> --enable-rewrite \
> --enable-so \
> --disable-imap \
> --disable-userdir
Configuration and Hardening
Now that you know your installation works, make it more secure. Being brave, we start with an empty configuration file, and work our way up to a fully functional configuration. Starting with an empty configuration file is a good practice since it increases your understanding of how Apache works. Furthermore, the default configuration file is large, containing the directives for everything, including the modules you will never use. It is best to keep the configuration files nice, short, and tidy.
Start the configuration file (/usr/local/apache/conf/httpd.conf) with a few general-purpose directives:
# location of the web server files
ServerRoot /usr/local/apache
# location of the web server tree
DocumentRoot /var/www/htdocs
# path to the process ID (PID) file, which
# stores the PID of the main Apache process
PidFile /var/www/logs/httpd.pid
# which port to listen at
Listen 80
# do not resolve client IP addresses to names
HostNameLookups Off
Setting Up the Server User Account
Upon installation, Apache runs as a user nobody. While this is convenient (this account normally exists on all Unix operating systems), it is a good idea to create a separate account for each different task. The idea behind this is that if attackers break into the server through the web server, they will get the privileges