john pfeiffer

apache httpd setup security php5


07nov08 updated 19feb09 / 2010-04-30

Check what is already installed

dpkg --get-selections > installed-software.txt
apt-get autoremove

dpkg --set-selections < installed-software.txt
dselect                     # lets you unselect packages?

Ubuntu (apt-get)

apt-get install apache2.2-common

Centos (yum)

yum install httpd           # on CentOS the Apache package is called httpd

Downloading it again if you need to see the defaults

OR IF YOU REALLY SCREW THINGS UP :), you can restore the default settings too!

mkdir /test
apt-get download apache2.2-common
dpkg -x apache2.2-common*.deb /test
cp -R /test/etc/apache2/* /etc/apache2/

If required you can remove & install apache2.2-common again

apt-get purge apache2.2-common
cd /etc/apache2
rm -R *         # be careful that you really are in /etc/apache2!!!!
cd ..
rmdir apache2

http://doc.ubuntu.com/ubuntu/serverguide/C/httpd.html

http://httpd.apache.org/docs/trunk/configuring.html


Configuring and Starting and Stopping Apache Web Server

To modify any file from bash shell command prompt or ssh, use vi filename or nano filename

The configuration file is at (Ubuntu) /etc/apache2/apache2.conf

# You can configure how much logging and where to log
LogLevel warn
LogFormat

ports.conf (Ubuntu) contains the configuration of what port(s) to listen to

Listen 80
Listen 8080

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Log files at /var/log/apache2/access.log (error.log)

Whenever you modify a configuration file you will have to run the following commands (ubuntu specific)

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

Optionally and alternatively run the following (NOTE that reload may give a FAILED result if apache/httpd isn't yet running):

/etc/init.d/apache2 reload
/etc/init.d/apache2 restart      # combines the stop & start commands

To see the changes... or a slightly "nicer" command is to use the Apache control command:

/usr/sbin/apache2ctl directive   e.g. sudo apache2ctl graceful

Directives: start / stop / graceful (restarts without aborting in-flight connections) / restart / status


SECURITY

The user running apache should not be root

ENSURE APACHE IS NOT BEING RUN AS ROOT (if an attacker controls apache, they can modify the whole system)

ps aux          # shows you all processes from all users; is /usr/sbin/apache2 running as root?
                # in CentOS the httpd web server has the user "apache"


groupadd www-data 
useradd -g www-data www-data

In /etc/apache2/apache2.conf change the user and group to www-data (not root!):

User www-data
Group www-data

AND ENSURE THAT ONLY ROOT CAN ACCESS APACHE CONFIGURATION & BINARY/EXECUTABLE FILES

chown root:root /usr/sbin/apache2
chmod o-rwx /usr/sbin/apache2

chown -R root:root /etc/apache2
chmod -R o-rwx /etc/apache2
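To verify the two rules above on a running box, here is an added example (not part of the original notes): one function reads `ps aux` output and confirms that only the parent process is root while every request-serving worker runs as the unprivileged user, and another lists anything under a path that still grants permissions to "other". It assumes the Linux `ps aux` column layout (USER is field 1, COMMAND is field 11) and a find(1) that accepts symbolic `-perm` modes; the `ps` lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux `ps aux` column
# order (USER = field 1, COMMAND = field 11) and a find(1) that accepts
# symbolic -perm modes (GNU and BSD find both do).

# Reads `ps aux` output on stdin. Apache's parent legitimately runs as root
# (it binds port 80 and reads the config), but every worker that handles
# requests must run as the unprivileged User/Group. Prints a summary and
# returns 0 only when there is exactly one root process and at least one
# non-root worker.
check_apache_users() {
    awk '
        $11 ~ /(apache2|httpd)$/ {
            if ($1 == "root") root++; else workers++
        }
        END {
            printf "root:%d workers:%d\n", root + 0, workers + 0
            exit !(root == 1 && workers >= 1)
        }'
}

# Lists everything under $1 that grants any permission to "other" (the
# world), i.e. what "chmod -R o-rwx" on /etc/apache2 and the binary is meant
# to remove. Returns 1 if anything is listed, 0 if the tree is clean.
world_accessible() {
    found=$(find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample: healthy layout, one root parent and www-data workers
SAMPLE_OK='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root      4417  0.0  0.6  10472  2584 ?  Ss 15:30 0:00 /usr/sbin/apache2 -k start
www-data  4418  0.0  0.4  10244  1780 ?  S  15:30 0:00 /usr/sbin/apache2 -k start
www-data  4420  0.0  0.6 231808  2396 ?  Sl 15:30 0:00 /usr/sbin/apache2 -k start'

# Constructed sample: "User root" left in the config, so workers are root too
SAMPLE_BAD='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root      4417  0.0  0.6  10472  2584 ?  Ss 15:30 0:00 /usr/sbin/apache2 -k start
root      4418  0.0  0.4  10244  1780 ?  S  15:30 0:00 /usr/sbin/apache2 -k start'

printf '%s\n' "$SAMPLE_OK"  | check_apache_users || echo "FAIL: workers run as root"
printf '%s\n' "$SAMPLE_BAD" | check_apache_users || echo "FAIL: workers run as root"
# On a live system:  ps aux | check_apache_users;  world_accessible /etc/apache2
```

The second sample prints "root:2 workers:0" and the FAIL line; the first prints "root:1 workers:2" and passes. Run `world_accessible /etc/apache2` and `world_accessible /usr/sbin/apache2` after the chmod commands above to confirm nothing is still world-readable.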

Less Info is more Secure

REDUCE THE AMOUNT OF INFO YOU GIVE WITH HTTP HEADERS (SERVERTOKENS)

/etc/apache2/apache2.conf

nano /etc/httpd/conf/httpd.conf

Change your ServerTokens Full to ServerTokens Prod

#ServerTokens Prod  //most restrictive, response -> Server: Apache 
#ServerTokens Major //response -> Server: Apache/2 
#ServerTokens Minor //response -> Server: Apache/2.0 
#ServerTokens Min   //response -> Server: Apache/2.0.55 
#ServerTokens Os        //response -> Server: Apache/2.0.55 (Ubuntu) 
#ServerTokens Full  //response -> Server: Apache/2.0.55 (Ubuntu) PHP/5.1.4-1.dotdeb.2 mymod1/X.Y mymod2/W.Z

ALSO,

ServerSignature Off 
UseCanonicalName Off

#Default: on 
#Server config, virtual host, directory, .htaccess

#If UseCanonicalName is on (the default), then the hostname and port used in a redirect
#will be those set by ServerName and Port. If it is off, then the name and port used will be
#the ones in the original request.

Timeouts

Lower the Timeout value (seconds) to mitigate the effects of any Denial of Service attacks:

Timeout 45

Limit the size of a request (again mitigating DoS) to whatever you allow file uploads to be.

# uploads/requests of at most 1 MB
LimitRequestBody 1048576

APACHE2, if you are running mod_dav (used with Subversion):

# uploads of at most 10 MB
LimitXMLRequestBody 10485760

PERMISSIONS

This is where most people hate Linux. It's the most stable and most secure BECAUSE you have to work hard to set the permissions right... but it isn't easy.


The root html serving directory is usually around:

/var/www/html

DON'T FORGET, YOUR APACHE/HTTPD USER MUST HAVE PERMISSIONS (execute permission for a directory allows opening/traversing it)

sudo chown -R root:apache /var/www/html
sudo chmod -R 550 /var/www/html

(This removes the default permission of "everyone" being able to read/execute)

Prevent browsing root and file folders

/etc/apache2/sites-available/default (ubuntu / apache2)
/etc/httpd/conf/httpd.conf

Ensure files outside of the web root are not shared

<Directory />
  Order Deny,Allow
  Deny from all
  Options None
  AllowOverride None
</Directory>

<Directory /web>
  Order Allow,Deny
  Allow from all
</Directory>

#Directory does not appear to support  AuthType the same as Location

Turn off default options:

Options -Indexes -Includes -ExecCGI -FollowSymLinks -Multiviews

Indexes = directory browsing
Includes = server-side includes (.shtml, .stm, .shtm)
ExecCGI = CGI execution
FollowSymLinks = following symbolic links
MultiViews = if the address is /dirname but it doesn't exist, find a matching dirname.htm or .php

(Or if you don't need anything, "Options None")

Example of applying some security tips

mkdir /var/www/html/web
touch /var/www/html/web/file1.html 
touch /var/www/html/web/file2.html

chown root:apache /var/www/html/web/*
chmod 440 /var/www/html/web/*

nano /etc/httpd/conf/httpd.conf     (add the Virtual Host area?)

<Directory /var/www/html/web>
    Options Indexes FollowSymLinks
    Order Allow,Deny
    Allow from all
</Directory>

browse to http://example.com/web

Note that if you use http://example.com/ you will get a FORBIDDEN error as Root browsing is off (-Indexes)

PREVENT UNNEEDED MODULES FROM LOADING

Look in httpd.conf for LoadModule. To disable a module, add a # at the beginning of its line (comment it out). To list the loaded modules run:

grep LoadModule httpd.conf

Some typically enabled but unneeded: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex. http://httpd.apache.org/docs/2.0/mod/

mod_proxy A forward proxy provides access to internal clients that are restricted by a firewall, or improves caching A reverse proxy

PER DIRECTORY / LOCATION PERMISSIONS (through the main config file)

http://httpd.apache.org/docs/2.0/sections.html

When applying directives to objects that reside in the filesystem, use <Directory> or <Files>.

<Location> sections operate completely outside the filesystem.

An exception is <Directory />, which is an easy way to apply a configuration to the entire server.

Since several different URLs may map to the same filesystem location, such URL-based access controls may be circumvented.

The URL may use wildcards. In a wild-card string, '?' matches any single character, and '*' matches any sequence of characters.

Apache 1.2 and above: extended regular expressions can also be used, with the addition of the ~ character. For example:

<Location ~ "/(extra|special)/data">

would match URLs that contained the substring "/extra/data" or "/special/data".

<LocationMatch> is identical to <Location ~> but takes a regular expression as an argument instead of a simple string...

NOTE: the following example uses regular expressions...

<LocationMatch "/projects/[^/]+/login">
    AuthType Basic
    # this name appears on the popup box
    AuthName "Trac Environment"
    # file of authorized users, see htpasswd --help
    AuthUserFile /projects/projects.password
    # requires any user to be authenticated
    Require valid-user
</LocationMatch>

NOTE YOUR APACHE USER, E.G. WWW-DATA, MUST HAVE READ ACCESS TO THE PASSWORD FILE!!!!!

You can also create a groups file and if it is required in the above "default" or vhosts.conf then it will only allow users access to the resource if they are in the group, and if they are the user/password combination as in the password file.
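Because LocationMatch (and Location ~) applies the expression anywhere in the request path, it is worth checking which paths a pattern really covers before relying on it for authentication. The following is an added example, not part of the original notes: it runs the `/projects/[^/]+/login` pattern from above through grep -E (the same POSIX extended regex syntax Apache uses) against a constructed list of request paths, showing that `[^/]+` cannot span a second path component and that the match is unanchored.

```shell
#!/bin/sh
# Added example, not from the original post: which request paths would the
# <LocationMatch "/projects/[^/]+/login"> block above protect?
# Apache matches the expression anywhere in the URL path, so this function
# is deliberately unanchored too.
PATTERN='/projects/[^/]+/login'

# Returns 0 when $1 would be covered by the LocationMatch block.
location_matches() {
    printf '%s\n' "$1" | grep -Eq "$PATTERN"
}

# Prints "protected <path>" or "open <path>" for each path read from stdin.
classify_paths() {
    while IFS= read -r p; do
        if location_matches "$p"; then
            printf 'protected %s\n' "$p"
        else
            printf 'open      %s\n' "$p"
        fi
    done
}

# Constructed sample request paths
SAMPLE_PATHS='/projects/trac/login
/projects/trac/login/
/projects/a/b/login
/projects//login
/other/projects/trac/login
/projects/trac/wiki'

printf '%s\n' "$SAMPLE_PATHS" | classify_paths
```

Three of the six sample paths are protected: the plain login URL, the same URL with a trailing slash, and `/other/projects/trac/login`, which matches because the expression is unanchored. `/projects/a/b/login` and `/projects//login` are open, since `[^/]+` requires one or more non-slash characters between the two slashes. Prefix the pattern with `^` if you want it to apply only at the start of the path.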

HANDLER

YOU WILL HAVE TO ENSURE THAT YOUR "LOCATION" refers to some content, a "handler"

http://httpd.apache.org/docs/2.0/handler.html

Handlers can either be built into the server or included in a module, or they can be added with the Action directive

default-handler: Send the file using the default_handler(), which is the handler used by default to handle static content. (core)

send-as-is: Send file with HTTP headers as is. (mod_asis)
cgi-script: Treat the file as a CGI script. (mod_cgi)
imap-file: Parse as an imagemap rule file. (mod_imap)
server-info: Get the server's configuration information. (mod_info)
server-status: Get the server's status report. (mod_status)
type-map: Parse as a type map file for content negotiation. (mod_negotiation)

.HTACCESS

The purpose of .htaccess files is to provide a means to configure Apache for users who cannot modify the main configuration file (usually httpd.conf)

.htaccess is a Unix/Linux based file for Apache web servers that allows you to change access permissions on a per directory basis.

When an .htaccess file is in the root directory, it will affect all directories below it.

If you place it in a subdirectory it will affect all the files of that directory (and below).

NOTE: any .htaccess file in the root directory will override those in subdirectories.

Allowing .htaccess files will make Apache look for them upon every access to your server.

Since parent directories are searched as well, this will take some (small) amount of time, and can impact your server's performance.

You must place the .htaccess file in the directory where you want it to take effect.

Example: /var/www/html/www.example.com/admin/.htaccess

AuthType Basic
AuthName "Authentication Required"
AuthUserFile /etc/htpasswds/.htpasswd.example.com
Require valid-user
Order deny,allow

Most servers have directory listings disabled; however, some do not, and that can lead to a security risk.

Most of the time a directory listing will appear if the directory has no default index file in it.

.htaccess examples

to hide everything:
IndexIgnore *

to hide images:
IndexIgnore .gif .jpg .png .swf

to hide dotfiles, editor backups and other housekeeping files:
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

prevent directory listings:
Options -Indexes

show directory listings:
Options +Indexes

to hide/prevent access to the .htaccess file itself (scoped to that file, otherwise everything in the directory would be denied):
<Files .htaccess>
    order allow,deny
    deny from all
</Files>

<Limit GET POST>
    order deny,allow
    deny from all
    allow from all
</Limit>

<Limit PUT DELETE>
    order deny,allow
    deny from all
</Limit>

HOW CAN I DISABLE .HTACCESS TO IMPROVE PERFORMANCE OF APACHE?

AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

Syntax: AllowOverride All|None|directive-type [directive-type] ... 
Default: AllowOverride All

Ubuntu / apache2 keeps this file in /etc/apache2/sites-available/default

In your server config modify the top-level block:

<Directory /var/www/html>
     ... other directives

    AllowOverride None
</Directory>

ACCESS ALLOWED ONLY TO A SPECIFIC SUBNET (or ip address)

Order Deny,Allow
Deny from all
Allow from 176.16.0.0/16

Note that for Parallels (Virtuozzo?) Virtual Servers they have virtual hosts - after you configure your domains (which will give you ftp access to the www files):

/var/www/vhosts/<domain-name>/conf/

you will have to create a vhost.conf file that when you run the management script will be included via an include statement (therefore your vhosts.conf should NOT include a /Virtual directory clause)

PRODUCT_ROOT_D/admin/sbin/websrvmng --reconfigure-vhost --vhost-name=<domain_name>
/usr/local/psa/admin/sbin/websrvmng -u --vhost-name=<domainname>

Restart your server and then type: "more /etc/www/hosts//conf/httpd.include" To see the "include vhosts.conf" line at the end...


Basic Auth

htpasswd -c /usr/local/apache/passwd/passwords username    # -c creates the file; leave it out when adding further users

AuthType Basic
AuthName "By Invitation Only"
AuthUserFile /usr/local/apache/passwd/passwords
Require user firstuser seconduser

This will prompt them with a box saying "By Invitation Only" and will look up the response in the passwords file, only allowing the users firstuser and seconduser.

create a group file (example of the contents)

authors: rich daniel allan

AuthType Basic
AuthName "Apache Admin Guide Authors"
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group authors

Note that in addition to specifically listing the users to whom you want to grant access, you can specify that any valid user should be let in. This is done with the valid-user keyword:

Require valid-user
  • http://httpd.apache.org/docs/1.3/howto/auth.html#basic
  • http://www.petefreitag.com/item/505.cfm

Virtual Hosts

In httpd.conf, or in your own virtual host section, change ip.address.of.host.some_domain.com in the first line to your server's IP address and change the ServerName to a valid DNS name:

<VirtualHost ip.address.of.host.some_domain.com>
    ServerAdmin webmaster@host.some_domain.com
    DocumentRoot /www/docs/host.some_domain.com
    ServerName host.some_domain.com
    ErrorLog logs/host.some_domain.com-error_log
    CustomLog logs/host.some_domain.com-access_log common
</VirtualHost>

For name-based virtual hosts (commented out by default):

#NameVirtualHost 12.34.56.78:80
#NameVirtualHost 12.34.56.78

To serve a virtual host on another port, Listen on that port as well:

Listen 12331

<VirtualHost ip_address_of_your_server:12331>
    ... directives as above
</VirtualHost>

SLIGHT OPTIMIZATIONS

/etc/apache2/apache2.conf

Max number of Concurrent Requests

MaxClients = max number of child processes to serve requests (each uses RAM & VSZ)
MaxSpareServers
MaxRequestsPerChild
ThreadsPerChild
ServerLimit
MaxSpareThreads

Random Notes

You may need to ensure that DAV is on for apache:

a2enmod dav_fs      # installs the dav_fs module in apache

DAV On

STATISTICS AND PERFORMANCE

apt-get install apache2.2-common
apt-get install apache2

df -h goes from 450MB to 461MB

DEFAULT: free returns 118MB used

ps aux
    USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    root      4417  0.0  0.6  10472  2584 ?        Ss   15:30   0:00 /usr/sbin/apache2 -k start
    www-data  4418  0.0  0.4  10244  1780 ?        S    15:30   0:00 /usr/sbin/apache2 -k start
    www-data  4420  0.0  0.6 231808  2396 ?        Sl   15:30   0:00 /usr/sbin/apache2 -k start
    www-data  4424  0.0  0.6 231808  2400 ?        Sl   15:30   0:00 /usr/sbin/apache2 -k start

VSZ is a decimal integer, the size in kilobytes of the process in virtual memory.

VSZ includes RSS... Virtual memory usage of entire process = VmLib + VmExe + VmData + VmStk

RSS is the real memory (resident set) size of the process, in 1 KB units

Thus VSZ for apache2 = 231,808 KB x 2 = 500KB...


Dynamically loaded modules: code is loaded when the module is required

Static mode comes at a price - the more modules, the more memory you use. Thus, a forked multi-processing module can have a significant effect on the machine's memory requirements.


MPM WORKER versus PREFORK

Multi-Processing Module with PHP... http://brian.moonspot.net/2008/02/13/apache-worker-and-php/

mpm_prefork_module

each apache/php process allocates its own memory, at ~15MB per process x 50 = 750MB RAM

Having a prefork Apache/PHP process that has 15MB of RAM allocated serve a 10k jpeg image or some CSS file is a waste of resources.

mpm_worker_module

each worker process can have 5 child processes with 10 threads BUT they can reuse memory from other threads in the same process

You cannot use radical php extensions...

ADDING PHP TO CENTOS 5 APACHE 2.2 (HTTPD)

yum search php

apt-cache search php

Please follow the best practice of only installing what you need. If you want to learn/practice with php you'd be better off not using a "production" web server.
Additionally only install the PHP modules you need - installing unnecessary software introduces more places for there to be a backdoor or security hole.



Published

Nov 8, 2007

Category

linux
