Install, Configure and Secure
Environment
Fresh install of CentOS-6.3-x86_64-minimal with the latest updates:
yum update -y
# uname -sro
Linux 2.6.32-279.22.1.el6.x86_64 GNU/Linux
I used nano as the text editor, but you can just as easily use vi
yum install -y nano
Prerequisites
Configure Firewall
Make sure you add any other rules not listed here which you are using.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
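Because the ruleset above relies on the final REJECT rather than on the chain policy (which is ACCEPT), a rule pasted in the wrong place, or a typo in a port number, can open more than intended without any error. The following audit script is an added example and is not part of the original guide: it parses the iptables-save format shown above (the ruleset is embedded as a constructed sample), lists the TCP ports that accept NEW connections, and confirms that the INPUT chain still ends in a catch-all REJECT or DROP.

```python
"""Audit an iptables-save style ruleset for the INPUT chain.

Added example, not part of the original guide. It parses the rule
format used above and reports which TCP ports accept NEW connections
and whether the chain ends in a catch-all REJECT/DROP, so that a rule
added by hand cannot silently open more than intended.
"""
import shlex

# Constructed sample: the ruleset from the guide, verbatim.
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rules(text, chain="INPUT"):
    """Return the rules appended to `chain` as token lists, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # table header, policy lines, COMMIT
        tokens = shlex.split(line)
        if tokens[1] == chain:
            rules.append(tokens)
    return rules


def _option(tokens, name):
    """Value that follows option `name` in a token list, or None."""
    if name in tokens:
        i = tokens.index(name)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def open_tcp_ports(text, chain="INPUT"):
    """Destination TCP ports for which new connections are ACCEPTed."""
    ports = []
    for tokens in parse_rules(text, chain):
        if _option(tokens, "-j") != "ACCEPT" or _option(tokens, "-p") != "tcp":
            continue
        port = _option(tokens, "--dport")
        if port is not None:
            ports.append(int(port))
    return ports


def has_catch_all(text, chain="INPUT"):
    """True if the last rule in `chain` rejects or drops everything.

    The guide depends on this final REJECT: without it the chain policy
    (ACCEPT) would let every unmatched packet through.
    """
    rules = parse_rules(text, chain)
    if not rules:
        return False
    last = rules[-1]
    # A catch-all carries no match options, only the chain and the target.
    match_opts = {"-p", "-m", "--dport", "--sport", "-i", "-o", "-s", "-d"}
    return _option(last, "-j") in ("REJECT", "DROP") and not (match_opts & set(last))


def audit(text, expected_ports):
    """Compare the ports actually opened with the ports you meant to open."""
    found = set(open_tcp_ports(text))
    return {
        "unexpected": sorted(found - set(expected_ports)),
        "missing": sorted(set(expected_ports) - found),
        "catch_all": has_catch_all(text),
    }


if __name__ == "__main__":
    print(audit(RULESET, [22, 80, 443]))
```

Run it against the output of `iptables-save` on the host (or the saved rules file) with the list of ports you expect; anything under "unexpected" or a false "catch_all" is worth a second look before the rules go live.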
Install
Install Apache (httpd)
yum install -y httpd mod_ssl
Tune and Secure
Apache Configuration Files – A quick explanation
When Apache starts, it reads one or more configuration files to see what settings it should have. The first file it normally reads is /etc/httpd/conf/httpd.conf, which it processes line by line, overwriting any previously set values. For example, if line 6 contained ‘fruit apple’ and line 10 contained ‘fruit orange’, then once Apache has finished reading all configuration files the value of fruit would be orange, as that was the last value for fruit that was read.
There is a special line in a configuration file that tells Apache to pause reading the current file and read one or more other configuration files before continuing; this line starts with Include, such as:
Include conf.d/*.conf
which tells Apache to read all the files ending in ‘.conf’ in the directory ‘/etc/httpd/conf.d/’, and is the normal procedure on a standard install.
If one of the included configuration files also set a value for ‘fruit’, that value would overwrite the current value for ‘fruit’. However, the final value of ‘fruit’ is only determined once Apache has finished reading to the bottom of its initial configuration file, which, as mentioned before, is normally /etc/httpd/conf/httpd.conf. So if the last line of ‘httpd.conf’ contained:
fruit none
then the final value Apache uses would be ‘none’.
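To make the reading order concrete, here is a small model of it as an added example; it is not Apache's code, and the file names, the ‘fruit’ directive and the contents are constructed for illustration (the global file name 00-global.conf is a hypothetical choice of a name that sorts first). It expands each Include at the point where it appears, reads matching files in alphanumeric order, and keeps the last value seen for each directive. It only models top-level directives: in real Apache, lines inside sections such as <Directory> or <VirtualHost> apply to that section only, so the model skips section markers.

```python
"""Model of how Apache resolves a directive across httpd.conf and Include.

Added example, not Apache code. It reproduces the "last value read wins"
rule described above, including the fact that an Include is expanded at
the point where it appears, so a line further down the including file
still overrides anything the included files set.
"""
import fnmatch
import posixpath
import shlex

# Constructed sample files. 00-global.conf is a hypothetical name chosen
# so that it sorts before the other files in conf.d/.
CONFIG_FILES = {
    "/etc/httpd/conf/httpd.conf": (
        "fruit apple\n"
        "fruit orange\n"
        "Include conf.d/*.conf\n"
        "fruit none\n"
    ),
    "/etc/httpd/conf.d/00-global.conf": "fruit banana\nServerTokens Minimal\n",
    "/etc/httpd/conf.d/ssl.conf": "fruit cherry\n",
}


def effective_values(files, start, server_root):
    """Read `start` and everything it Includes.

    `files` maps path -> file text; relative Include patterns are resolved
    against `server_root`, as Apache does. Returns (values, order) where
    `values` holds the last value seen for each directive and `order` lists
    the files in the sequence they were read.
    """
    values = {}
    order = []

    def read(path):
        order.append(path)
        for raw in files[path].splitlines():
            line = raw.strip()
            # Skip blanks, comments and section markers such as <Directory>.
            if not line or line.startswith("#") or line.startswith("<"):
                continue
            tokens = shlex.split(line)
            directive, args = tokens[0], tokens[1:]
            if directive.lower() == "include":
                pattern = args[0]
                if not pattern.startswith("/"):
                    pattern = posixpath.join(server_root, pattern)
                # Apache reads the matching files in alphanumeric order.
                for match in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    read(match)
                continue
            values[directive] = " ".join(args)  # a later line overwrites

    read(start)
    return values, order


if __name__ == "__main__":
    vals, order = effective_values(CONFIG_FILES, "/etc/httpd/conf/httpd.conf", "/etc/httpd")
    print(order)
    print(vals)  # fruit ends up as 'none'; ServerTokens survives from conf.d
```

With the sample files, fruit ends as ‘none’ because httpd.conf sets it after the Include, while ServerTokens keeps the value from the global file because nothing later touches it. Delete the ‘fruit none’ line and the winner becomes ‘cherry’ from ssl.conf, which is read after 00-global.conf.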
Creating a Global config file
The best way to manage Apache’s settings is to create your own configuration files in /etc/httpd/conf.d/. This way you can easily see what changes you have made to the system should something need changing, and you can easily revert the system should something go wrong.
By default, Apache reads /etc/httpd/conf/httpd.conf, as mentioned earlier. Part way through this file is an Include line which instructs Apache to read all configuration files in the directory ‘/etc/httpd/conf.d/’. So a good place to create a global configuration file is inside the ‘/etc/httpd/conf.d/’ directory. As Apache reads files in alphanumeric order, we will prefix the filename with characters that ensure it is read first.
Inside this file, add the following which I will explain further on:
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
Header append Vary Accept-Encoding
<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
    Header set Cache-Control "max-age=604800, public"
</filesMatch>
Header always append X-Frame-Options SAMEORIGIN
TraceEnable off
ServerTokens Minimal
Modify main config file
The following settings appear after the Include conf.d/*.conf line in the /etc/httpd/conf/httpd.conf file and therefore can’t be set in our Global config file, as explained earlier.
ServerSignature Off
The following line goes inside the <Directory "/var/www/html"> section, around line 331. Note that once one option carries a + or - prefix, Apache requires every option on the line to carry one (mixing the two forms is rejected at startup), so FollowSymLinks is written as +FollowSymLinks.
Options -Indexes +FollowSymLinks
Explanation
Compress Content
This configures Apache to compress content if the web browser supports it. Images and PDFs are already compressed, so they are excluded.
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
Vary: Accept-Encoding
Header append Vary Accept-Encoding
This configures Apache to tell web browsers and intermediate caches that the same content can be served in different forms, such as compressed and uncompressed, depending on the Accept-Encoding the client sends, so a cached copy in one form is not handed to a client that asked for the other.
Cache-Control
<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
    Header set Cache-Control "max-age=604800, public"
</filesMatch>
This configures Apache to tell web browsers to cache certain types of files for a specified period of time (here 604800 seconds, which is one week).
Prevent ClickJacking
Header always append X-Frame-Options SAMEORIGIN
This protects visitors to your web server by telling browsers not to display your pages inside a frame on another site, which is how clickjacking tricks a visitor into clicking something they did not intend to.
Disable HTTP TRACE
TraceEnable off
This stops a very basic attack: the TRACE method echoes the request back to the client, including its headers, which can expose cookies and other request data.
Reduce advertised information
ServerTokens Minimal
ServerSignature Off
These two settings reduce the amount of information your server advertises. Not really a major security concern, but the less someone knows about your server, the better in my opinion.
Disable directory browsing
Options -Indexes +FollowSymLinks
This setting prevents the server from listing the files in a directory that doesn’t have a default document such as ‘index.php’.
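Once the settings are in place you will want to confirm that the headers actually leave the server as intended. The checker below is an added example, not part of the original guide or of Apache: it parses two constructed responses (a GET of a static file and the reply to a TRACE request) that resemble what a server configured as above would return, and checks each hardening item described in this section. The same function can be pointed at the raw output of `curl -si` against your own server.

```python
"""Check captured HTTP response headers against the hardening in this guide.

Added example, not part of the original guide. The two responses are
constructed by hand to look like the output of a server configured as
described above; run the audit on real `curl -si` output to verify yours.
"""

# Constructed sample responses (CRLF line endings as on the wire).
GET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2013 00:00:00 GMT\r\n"
    "Server: Apache/2.2.15\r\n"
    "Vary: Accept-Encoding\r\n"
    "Content-Encoding: gzip\r\n"
    "Cache-Control: max-age=604800, public\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/css\r\n"
    "\r\n"
)

TRACE_RESPONSE = (
    "HTTP/1.1 405 Method Not Allowed\r\n"
    "Server: Apache/2.2.15\r\n"
    "Allow: GET,HEAD,POST,OPTIONS\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw response head into (status_code, {lowercase name: value}).

    Repeated headers are joined with ', ', which is how HTTP treats them.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers


def server_header_exposure(server_value):
    """Classify what the Server header reveals.

    'none'    - no header at all
    'product' - e.g. "Apache"             (ServerTokens Prod)
    'version' - e.g. "Apache/2.2.15"      (ServerTokens Minimal)
    'full'    - OS and/or module details  (ServerTokens OS or Full)
    """
    if not server_value:
        return "none"
    if " " in server_value or "(" in server_value:
        return "full"
    if "/" in server_value:
        return "version"
    return "product"


def audit(get_raw, trace_raw, static=True):
    """Return {check: bool} for each hardening item in the guide."""
    _, h = parse_response(get_raw)
    trace_status, _ = parse_response(trace_raw)
    vary = [v.strip().lower() for v in h.get("vary", "").split(",")]
    xfo = h.get("x-frame-options", "").upper()
    return {
        # Prevent clickjacking: only a single SAMEORIGIN or DENY counts.
        "x_frame_options": xfo in ("SAMEORIGIN", "DENY"),
        # Vary: a compressed response must advertise Accept-Encoding.
        "vary_accept_encoding": "accept-encoding" in vary if "content-encoding" in h else True,
        # Cache-Control is expected on static files only.
        "cache_control": "max-age=" in h.get("cache-control", "") if static else True,
        # Disable TRACE: any status other than 200 means it is refused.
        "trace_disabled": trace_status != 200,
        # ServerTokens Minimal still shows the version; only Prod hides it.
        "server_hides_version": server_header_exposure(h.get("server")) in ("none", "product"),
    }


if __name__ == "__main__":
    for check, ok in audit(GET_RESPONSE, TRACE_RESPONSE).items():
        print(f"{check:22s} {'ok' if ok else 'FAIL'}")
```

With the sample responses every check passes except server_hides_version: ServerTokens Minimal, as used in this guide, still sends the Apache version number, and only ServerTokens Prod reduces the header to the product name. The X-Frame-Options check is deliberately strict about the exact value, since a header carrying anything other than a single SAMEORIGIN or DENY is not a reliable protection.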
Test
There are many sites out there for testing, but here are some of my favourites:
Performance
Pingdom Tools – Tests the load time of your page and offers recommendations
Load Impact – Load testing and reporting
Blitz – Load testing and reporting
Security
Kyplex – I’ve known this company since it started and their security scanner has always proved worthwhile.
Qualys – Read through their results thoughtfully because they are a bit OTT.
Monitor
Pingdom – Uptime and performance monitoring