Friday, July 17, 2009

How to harden your iMac Apache Web Server

Note: I am running Leopard 10.5.6 and Apache 2.2. Other versions of OS X and/or Apache may work differently.

A few months ago I started Apache Web Server on my iMac and today I’m going to apply the “minimum necessary” configuration to Apache, so it is more secure. In a future posts, I plan to write about putting your Apache Web Server "in Jail," and enabling DDNS ... so that your hardened iMac will be a web host on the Internet.

When I first bought my iMac, I secured it using Apple’s Security Configuration as a guide. If you buy your iMac at Best Buy, you can also pay Geek Squad $40 to do this for you. If you’re looking for an abridged version, this guide is also good - Also, Apple puts out an audit tool with lots of other security tips -

The first thing to do before securing your Apache Web Server is to decide on the functionality you want from Apache. I decided on some very basic items:

  1. Only static HTML pages will be served.
  2. Ok, I’m adding SSI (
  3. The server must support the virtual hosting mechanism.
  4. The server must log all web requests (including information about web browsers).
Configure Apache
To apply these configurations, you have to edit the web server configuration file

Open a terminal: Finder->Applications->Utilities->Terminal
Edit the configuration file: sudo bbedit /private/etc/apache2/httpd.conf

bbedit is a text editor that I bought. You can use any text editor here, even TextEdit which came pre-installed on my iMac.

You do not need to enable root password for this. If you are logged in as an Administrator User you can sudo and execute this command. My finished configuration is as follows (in the interest of space, I removed comments normally found in

ServerRoot "..."
Listen 80
LoadModule authz_host_module libexec/apache2/
LoadModule include_module libexec/apache2/
LoadModule log_config_module libexec/apache2/
LoadModule expires_module libexec/apache2/
LoadModule mime_module libexec/apache2/
LoadModule dir_module libexec/apache2/

User www
Group www

ServerAdmin esuyer at gmail dot com
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
DocumentRoot ".../www"
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0

Options None
AllowOverride None
Order deny,allow
Deny from all

Options +Includes
Order allow,deny
Allow from all

DirectoryIndex index.htm

Order allow,deny
Deny from all
Satisfy All

Order allow,deny
Deny from all
Satisfy All

Order allow,deny
Deny from all
Satisfy All

ErrorLog "/private/var/log/apache2/error_log"
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio

CustomLog "/private/var/log/apache2/access_log" common

ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/Library/WebServer/CGI-Executables/$1"

DefaultType text/plain

TypesConfig /private/etc/apache2/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Include /private/etc/apache2/extra/httpd-vhosts.conf

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Compared to the default configuration file, the following important changes have been made:

  • The number of enabled modules has been reduced to minimum.
  • Apache's processes (except for the root process) are set to be executed with unique regular user/group privileges.
  • Apache discloses the least information about itself as possible.
  • Access rights to the website's content are set to be more restrictive.

No comments:

Post a Comment