Securing Apache: step-by-step
This article shows, step by step, how to install and configure the Apache 1.3.x Web server so as to mitigate or prevent successful break-ins when new vulnerabilities in this software are found.
Before we start securing Apache, we must specify what functionality we expect from the server. The variety of ways in which Apache is used makes it difficult to write a universal procedure that secures the server in every case. For that reason this article assumes the following functionality:
- the Web server will be accessible from the Internet
- only static HTML pages will be served
- the server will support the name-based virtual hosting mechanism
- specified Web pages can be made accessible only from selected IP addresses or to selected users (basic authentication)
- the server will log all Web requests (including information about Web browsers)
It is worth emphasizing that the above model doesn't support PHP, JSP, CGI or any other technology that makes it possible to interact with Web services. The use of such technologies can pose a large security threat, since even a small, inconspicuous script can radically lower the server's security level. Why? First, ASP/CGI applications may contain security vulnerabilities (e.g. SQL injection, cross-site scripting). Second, the technology itself can be dangerous (vulnerabilities in PHP, Perl modules etc.). That's why I strongly recommend using such technologies only when interaction with a Web site is absolutely necessary.
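The five requirements above map onto a fairly small set of Apache 1.3.x directives. The httpd.conf fragment below is an added example written for this summary, not configuration taken from the article or from the Apache project; the listening address, host names, document roots, the allowed network and the password file path are all placeholders to be replaced with real values.

```apache
# Added example: minimal Apache 1.3.x httpd.conf fragment for a static-only,
# name-based virtual host server. All addresses, names and paths are placeholders.

# Bind only the public interface (placeholder address)
Listen 203.0.113.10:80

# Global default: nothing is served, nothing is executed, no .htaccess
# overrides. Every virtual host below re-opens only its own document root.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Log every request. The "combined" format records Referer and User-Agent,
# which covers the requirement to log browser information.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog /var/log/httpd/access_log combined
ErrorLog  /var/log/httpd/error_log
LogLevel  warn

# Name-based virtual hosting: all hosts share one address and are selected
# by the Host: request header.
NameVirtualHost 203.0.113.10:80

<VirtualHost 203.0.113.10:80>
    ServerName   www.example.com
    DocumentRoot /www/example.com/htdocs

    # Public static content only
    <Directory /www/example.com/htdocs>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Pages reachable only from a selected network (placeholder range)
    <Directory /www/example.com/htdocs/intranet>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Directory>

    # Pages requiring basic authentication. The password file lives outside
    # every DocumentRoot and is created with: htpasswd -c <file> <user>
    <Directory /www/example.com/htdocs/private>
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile /etc/httpd/passwd/private.users
        Require valid-user
    </Directory>
</VirtualHost>

<VirtualHost 203.0.113.10:80>
    ServerName   www.example.org
    DocumentRoot /www/example.org/htdocs
    <Directory /www/example.org/htdocs>
        Options None
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

The deny-by-default `<Directory />` block is what enforces the "static pages only" model: because `Options None` and `AllowOverride None` apply everywhere and each virtual host re-enables only `Allow from all` for its own tree, no directory can pick up `ExecCGI` or `Includes` through a stray .htaccess file. Note that basic authentication sends the username and password unprotected in each request, so a password-protected section is only as private as the transport it travels over.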
[ Read more ]
For all your Apache information needs, visit the Apache outside articles section of HNS.
- Review: Apache Server 2.0: The Complete Reference (2 May 2003)
- Article: Interview with Scott Hawkins, author of "Essential Apache for Web Professionals" (15 April 2003)
- Review: Essential Apache for Web Professionals (3 April 2003)
- Review: Apache Administrator's Handbook (16 January 2003)
- Article: Apache Chunk Handling Roundup (18 June 2002)