Securing Apache

Printable View

May 15th, 2003, 01:58 PM
t2k2

Securing Apache

Hey gang. I found this on Security Focus today. It seems like a pretty good guide. Let me know what you think.

Quote:

Before we start securing Apache, we must specify what functionality we expect from the server. Variety of Apache's use makes it difficult to write a universal procedure to secure the server in every case. That's why in this article we'll base on the following functionality:

-the Web server will be accessible from the Internet only static HTML pages will be served

-the server will support name-based virtual hosting mechanism

-specified Web pages can be accessible only from selected IP addresses or users (basicauthentication)

-the server will log all the Web requests (including information about Web browsers)

Get the full article here.

Enjoy.
May 15th, 2003, 02:09 PM
pwaring

It's a good article, though a lot of it is *nix-specific and I would really expect a 'securing Apache' article to apply to Windows platforms as well.
May 15th, 2003, 03:54 PM
slarty

Unfortunately it's rather idealised. Not very many people run Apache servers where they serve static content only from a chroot, they should come back into the real world :)

Slarty
May 15th, 2003, 04:07 PM
pwaring

Quote:

Originally posted here by slarty
Unfortunately it's rather idealised. Not very many people run Apache servers where they serve static content only from a chroot, they should come back into the real world :)

Slarty

Good point, and they totally ignore running Apache on other platforms (it works fine on my Win2k machine - there might be lots of vulnerabilities but that doesn't matter on a development platform).
May 15th, 2003, 04:09 PM
ammo

OpenBSD's apache comes chrooted by default since obsd3.2.
While it is slighly more complicated, it is possible to serve dynamic content from a chroot...
Many people have php & postgresql/mysql serving from a chroot apache. All (*) you need is your php binaries inside your chroot as well as perhaps /etc/hosts to resolve localhost or what ever hostname you need, and connect to your database through sockets instead of named pipes...

(Ok, I admit I haven't bothered to try it myself, but it is doable)

Ammo
May 15th, 2003, 11:15 PM
t2k2

Thanks for the insight peeps - too bad I didn't write the article to change it. ;) Maybe I can do a tut for Apache newbies like myself.

Thanks again for the responses.

t2k2