Apache HTTP server, installing
From NAS-Central Buffalo - The Linkstation Wiki
(port from linkstationwiki.org) |
|||
| Line 169: | Line 169: | ||
16. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd. | 16. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd. | ||
| + | |||
| + | [[Category:Debian]] | ||
Revision as of 23:05, 25 June 2006
1. Install Apache and it's related packages. Use the command:
apt-get install apache apache-common
2. If you want Perl support, install the following packages:
apt-get install libapache-mod-perl libapache-ssi-perl
3. If you want PHP support, install the following packages:
apt-get install libapache-mod-php4 php4 php4-common
4. Then configure PHP:
cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini
5. Next edit /etc/php4/apache/php.ini and enable zlib compression and configure some security settings:
zlib.output_compression = On disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system
6. You should install the following packages too:
apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security
7. Mod_security allows you to set custom security rules for Apache (highly recommended). Mod_choke is a rate limiter for Apache. Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half.
8. If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command:
pico /etc/apache/modules.conf
9. Mod_gzip must be the last module listed (which is actually the first module loaded because Apache loads module.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are:
LoadModule security_module /usr/lib/apache/1.3/mod_security.so LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
10. Now let's edit /etc/apache/httpd.conf and configure the modules. A good base mod_gzip configuration:
<IfModule mod_gzip.c> #Turn mod_gzip on@ mod_gzip_on yes@ #Allow mod_gzip to eliminate the HTTP header and join the chunks to one (compressable) packet mod_gzip_dechunk yes #Count HTTP header size as part of total output size mod_gzip_add_header_count yes #Send a vary HTTP header mod_gzip_send_vary yes #Require at least HTTP 1.0 protocol mod_gzip_min_http 1000 #Compress both GET and POST methods mod_gzip_handle_methods GET POST mod_gzip_keep_workfiles No mod_gzip_temp_dir /tmp #Minimum file size required for gzip to compress (in bytes) mod_gzip_minimum_file_size 1000 #Maximum file size required for gzip to compress (in bytes) mod_gzip_maximum_file_size 500000 #Types to compress mod_gzip_item_include file \.htm$ mod_gzip_item_include file \.html$ mod_gzip_item_include file \.pl$ mod_gzip_item_include file \.cgi$ mod_gzip_item_include mime ^text/.* mod_gzip_item_include mime ^httpd/unix-directory$ mod_gzip_item_include handler proxy-server mod_gzip_item_include handler ^cgi-script$ #Types to exclude (PHP uses internal zlib compression) mod_gzip_item_exclude mime ^application/x-httpd-php mod_gzip_item_exclude file \.php$ mod_gzip_item_exclude file \.phps$ mod_gzip_item_exclude file \.phtml$ mod_gzip_item_exclude file "\.css$" mod_gzip_item_exclude file "\.js$" mod_gzip_item_exclude mime ^image/ </IfModule>
11. A sample mod_choke configuration:
<IfModule mod_choke.c> #Turn mod_choke on Choke On #Set the choke rate ChokeRate 10k ChokeRateEnv CHOKE_RATE #Allow full rate for this many bytes ChokeBurst 10k ChokeBurstEnv CHOKE_BURST ChokeSummary Off #Set the maximum connections GlobalMaxConnectionsPerIP 2 GlobalMaxConnectionsPerUser 2 </IfModule>
12. And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works:
<IfModule mod_security.c>
#Start engine configuration - Scan dynamic content, POST method, and URL encoding
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
#End engine configuration
#Prevent OS specific keywords - Prevent remote execution
SecFilter /etc/passwd
SecFilter /bin/sh
SecFilterSelective ARGS_NAMES 777
#Prevent operating system command execution
SecFilterSelective ARGS "bin/"
SecFilter /bin/ls
#Prevent path traversal
SecFilter "\.\./"
#Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
#Forbid uncommon encoding types
SecFilterSelective "HTTP_Content-Type" "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
#Start filter to prevent SQL injection attacks
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*select.+from[^<]*</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*delete.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*insert.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*update.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*drop.+from[^<]*</\s*id\s*>" "deny,status:406"
#End filter
#Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
#Forbid chunked transfer encoding requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Require HTTP_USER_AGENT and HTTP_POST headers in every request
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#Enable normalize cookie names and values
SecFilterNormalizeCookies On
#Prevent XSS attack via PHP
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
#Prevent fatal information leak
SecFilterSelective OUTPUT "Fatal error:"
#Filter meta characters (helps prevent SQL attacks and information leaks)
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.{6,}</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.+['\"%][^<]*</\s*id\s*>" "deny,log,status:406"
</IfModule>
13. Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing /etc/apache/httpd.conf and /etc/apache/modules.conf. Alternately, Apache can be configured using Webmin (see Articles/DebianWebmin). If you installed perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerTokens - Prod
14. Restart the Apache server to apply your changes. Use the command:
apachectl restart
15. Last let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security:
cd /usr/share/mod-security/tests ./run-test.pl localhost:yourportnumber *.test
16. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd.
