A few months ago I started Apache Web Server on my iMac and today I’m going to apply the “minimum necessary” configuration to Apache, so it is more secure. In a future posts, I plan to write about putting your Apache Web Server "in Jail," and enabling DDNS ... so that your hardened iMac will be a web host on the Internet.
Prerequisite
When I first bought my iMac, I secured it using Apple’s Security Configuration as a guide. If you buy your iMac at Best Buy, you can also pay Geek Squad $40 to do this for you. If you’re looking for an abridged version, this guide is also good - http://www.macshadows.com/kb/index.php?title=Hardening_Mac_OS_X. Also, Apple puts out an audit tool with lots of other security tips - http://support.apple.com/downloads/Common_Criteria_Tools_for_10_4.
The first thing to do before securing your Apache Web Server is to decide on the functionality you want from Apache. I decided on some very basic items:
- Only static HTML pages will be served.
- Ok, I’m adding SSI (http://httpd.apache.org/docs/2.2/howto/ssi.html)
- The server must support the virtual hosting mechanism.
- The server must log all web requests (including information about web browsers).
To apply these configurations, you have to edit the web server configuration file
Open a terminal: Finder->Applications->Utilities->Terminal
Edit the configuration file: sudo bbedit /private/etc/apache2/httpd.conf
bbedit is a text editor that I bought. You can use any text editor here, even TextEdit which came pre-installed on my iMac.
You do not need to enable root password for this. If you are logged in as an Administrator User you can sudo and execute this command. My finished configuration is as follows (in the interest of space, I removed comments normally found in
ServerRoot "..."
Listen 80
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule include_module libexec/apache2/mod_include.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule expires_module libexec/apache2/mod_expires.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule dir_module libexec/apache2/mod_dir.so
User www
Group www
ServerAdmin esuyer at gmail dot com
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod
DocumentRoot ".../www"
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
Options None
AllowOverride None
Order deny,allow
Deny from all
Options +Includes
Order allow,deny
Allow from all
DirectoryIndex index.htm
Order allow,deny
Deny from all
Satisfy All
Order allow,deny
Deny from all
Satisfy All
Order allow,deny
Deny from all
Satisfy All
ErrorLog "/private/var/log/apache2/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "/private/var/log/apache2/access_log" common
ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/Library/WebServer/CGI-Executables/$1"
DefaultType text/plain
TypesConfig /private/etc/apache2/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Include /private/etc/apache2/extra/httpd-vhosts.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Compared to the default configuration file, the following important changes have been made:
- The number of enabled modules has been reduced to minimum.
- Apache's processes (except for the root process) are set to be executed with unique regular user/group privileges.
- Apache discloses the least information about itself as possible.
- Access rights to the website's content are set to be more restrictive.
No comments:
Post a Comment