- Apache performance tuning: dynamic modules (I and II).
- Apache performance tuning: directives (I and II).
- Apache performance tuning: benchmarking (I)
In this post, I am going to talk about the points related to security, which you have to take into account when you are setting up an Apache installation.
Restrictions for the Apache user
The Apache user must not be able to log into the system. If you take a look at both passwd and shadow files, you will be able to appreciate that no shell is assigned to him (/sbin/nologin), and the field reserved for the password will contain "!!". That means that the Apache user will not be able to log on the system (he is blocked).
[root@localhost ~]# cat /etc/passwd | grep apache apache:x:48:48:Apache:/var/www:/sbin/nologin [root@localhost ~]# cat /etc/shadow | grep apache apache:!!:15490::::::
Restrictions for the system root
You have to prevent that the system root (/) is accessible through the web server. It is also better to disable all options on the root directory (Options none) and control what directives can be used in the .htaccess file by means of the AllowOverride directive.
[root@localhost ~]# cat /etc/httpd/conf/httpd.conf ... <Directory /> Order deny,allow Deny from all Options none AllowOverride none </Directory> ...
If you define the root directory with these characteristics, then you will have to add to each directory the allowed options.
Hiding a directory or a file
Perhaps you can have a directory completely indexed and in turn, it contains different subdirectories, but you do not want to make visible a concrete directory (hidden) and you desire that it is reachable only when you type its URL. For this purpose, you have to use the IndexIgnore option.
[root@localhost ~]# cat /etc/httpd/conf/httpd.conf ... <Directory "/var/www/html/data"> Options Indexes IndexIgnore status IndexIgnore *.bpm ... </Directory> ...
In the previous example, Apache will keep hidden the status directory and all files with bmp extension included in the /var/www/html/data directory.