Apache webserver configuration and security - Part#1

As the Internet grows, so do the threats you can be exposed to, especially if you, like me, run your own Internet services. I will not claim to be an IT-security expert in any way, but there are a few things I would still like to share. The world's leading web server today is Apache. Apache runs on different Linux distros and on Windows. Together with PHP and MySQL you have a powerful platform to build your own web applications on. Developing web solutions on Apache is one thing, but putting them to work in the real world is another. Apache's default security settings are pretty robust and installing the server is fairly straightforward, so if you use the Apache web server out of the box you are quite safe. In this chapter I will try to explain the basic configuration of the Apache web server.

When the Apache web server starts it looks for its configuration files in the ServerRoot directory. The ServerRoot can be declared in different ways. By default Apache looks in the current working directory, but you can also tell the Apache daemon to look for the ServerRoot and its config files elsewhere with a command-line parameter. If you build Apache from source you can compile the location of the ServerRoot into the binary itself. In the ServerRoot directory the Apache server looks for the httpd.ini file, which contains the default server configuration. A common setup is to have a /conf.d/ directory under the ServerRoot that contains separate setup files for different modules and functions in Apache. The files in the /conf.d/ directory are processed by the Apache server after the httpd.ini file, which makes it practical to leave httpd.ini untouched and instead override its settings in custom config files. To ensure that the other config files are processed, and to point to their location, we must find or add the following row in httpd.ini:

Include conf.d/*.conf
[Figure: directory listing of conf.d] Example of a /conf.d/ directory. The directory itself can contain any files, but only the *.conf files are treated as configuration content by Apache.

Make sure to place the Include directive at the bottom of the httpd.ini file to ensure that every setting can be overridden. When this is done we can save and close the httpd.ini file. Then we step into our /conf.d/ directory and create a default.conf file (only *.conf files are picked up by the Include line above) where we will put our default settings. As I mentioned earlier, the Apache web server is quite robust and secure out of the box, but there are some configuration settings you might want to consider.

General settings

Listen - defines which ports your Apache server should listen on. The default port is 80. To listen on several ports, add one Listen directive per port.

ServerAdmin - can be either an e-mail address or a URL. The ServerAdmin directive is used when an error occurs while serving pages to a user: Apache uses this address as the contact and adds it to the error page.

ServerName - the ServerName directive determines the hostname of your web server. It should be followed by the port number (webserver.granberg.local:80). If you omit the ServerName directive, Apache tries to determine the name of the server host and uses that name. If you have just one website on your Apache server this directive can be omitted without any bigger issues; however, you may get a startup error if Apache cannot determine your server's name, since only the IP will then be used as ServerName. When working with multiple websites, either as virtual hosts or by home directory, it is essential to set the ServerName directive. With virtual hosts the ServerName directive is set per host.

DocumentRoot - tells your Apache server where to find the files that should be served. This can be anywhere on your system as long as the Apache user has read and execute (r-x) rights to the directory and the files within it.

# one Listen directive per port; Listen does not accept a comma-separated list
Listen 80
Listen 8080
Listen 443
ServerAdmin mikael@famgra.se
ServerName webserver.famgra.se
DocumentRoot /var/www/html

Besides these basic settings there are a few other settings that affect the performance of your server, the default user and group used as the system account for the Apache daemon, and so on. For now we will leave these settings untouched, as they are configured in the httpd.ini file by default and are suitable for most use cases.

Controlling the Apache webserver 

Basically there are two things that control the functionality of the Apache web server: the modules and the corresponding configuration directives. First there is the Apache executable, which provides the core web server functionality. Built into the Apache core is a module called mod_so. This module enables support for loading other modules. These modules, or DSOs (Dynamic Shared Objects), provide additional functionality to the Apache web server and can be configured to load from httpd.ini or a *.conf file. As an example we have the mod_cache.so module, which provides support for memory or disk caching. Then we have a whole set of directives that control how the Apache server serves its content and how the modules are used. The first and most basic one is the <Directory> section. A <Directory> section can point to a physical location on the server's hard drive, but it can also be a directory relative to the web server domain. The default base <Directory "..."> should be the same as the DocumentRoot setting. Every <Directory> has a closing tag: </Directory>. Between these tags we put all the directives that control how our Apache server serves content from that directory.

After the DocumentRoot (/var/www/html) path is defined in the default configuration, the relative root directory "/" of the web server is defined, i.e. the "/" in www.example.com/. This is a relative directory and controls how Apache serves content from the document root.

# the section needs a path argument; "/" is the base directory
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

By default Apache serves all content in a <Directory />...</Directory>. AllowOverride None means that for the document root "/" no overrides of directives are allowed. (If overrides are permitted, certain configuration directives can be set per directory using a file, usually named .htaccess, stored in the directory itself.) The Options directive tells Apache which options should be enabled for the root directory. The following options are available for a <Directory>:

  • ExecCGI - CGI scripts may be executed from this directory. (Requires that the module mod_cgi is loaded.)
  • FollowSymLinks - Apache will follow symbolic links in this directory. (Enabled by default.)
  • Includes - Server-side includes are allowed in this directory. (Requires that the module mod_include is loaded.)
  • IncludesNOEXEC - Server-side includes are allowed, but the #exec directive and #exec cgi are disabled.
  • Indexes - Shows a directory listing when a request names the directory itself rather than a file in it.
  • MultiViews - "MultiViews" content negotiation is allowed in this directory. (Requires that the module mod_negotiation is loaded.)
  • SymLinksIfOwnerMatch - Apache will follow symbolic links only if the link target is owned by the same user id as the link itself.
  • All - enables all of the above options except MultiViews.

Now that we have covered the basic settings of the Apache server we will look into how to control access to a <Directory>...</Directory>. As mentioned before, Apache by default serves all pages within a directory. To restrict access to a directory we can use the Require all denied directive.

<Directory "/var/www/html/mysecret">
        AllowOverride None
        Require all denied 
</Directory>

This will prevent anyone from accessing the "mysecret" directory. The Require arguments are executed in the order they appear. So if you want to allow access to the "mysecret" directory for all users and computers on your LAN, use the following directives:

<Directory "/var/www/html/mysecret">
        AllowOverride None
        Require all denied
        # the first word after Require is the provider name, so "ip" is required here
        Require ip 10.0.0.0/24
</Directory>

You can also use the same method to block users that for some reason are unwanted. The following directives will allow everyone to access the root directory, except clients coming from 73.145.12.34 and badguys.com.

<Directory />
        AllowOverride None
        # Require lines placed directly in a section are combined as RequireAny,
        # where "Require all granted" alone already admits everyone; the
        # <RequireAll> wrapper makes the "not" lines actually exclude the clients
        <RequireAll>
                Require all granted
                Require not ip 73.145.12.34
                Require not host badguys.com
        </RequireAll>
</Directory>
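To see how the Options list above and these Require rules actually combine, here is an added example (my code, not the article's and not part of the Apache project): a small Python model of the decision rules documented for mod_authz_core, with a parser for the <Directory> directives used in this post and a few static checks. The sample config, the client addresses and the host names inside it are constructed for the example; the `findings` checks and the `report` layout are my own, and the host comparison is a simplified stand-in for the reverse-DNS lookup the real host provider performs.

```python
"""Model of how Apache 2.4's mod_authz_core decides access for the <Directory> sections
above (added example, not from the article or the Apache project).  Each Require line
yields granted/denied/neutral; "not" maps granted->denied and denied->neutral; plain
Require lines combine as RequireAny; RequireAll denies on any deny, grants if one grants."""
import ipaddress
import re

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"
RISKY_OPTIONS = {"Indexes", "ExecCGI", "Includes"}   # widen what a directory exposes

def parse_sections(text):
    """Parse <Directory> blocks into dicts; only the directives the article uses are handled."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        opened = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line)
        if opened:
            cur = {"path": opened.group(1), "options": set(), "override": "None",
                   "mode": "any", "requires": []}    # requires: (negated, provider, argument)
            sections.append(cur)
        elif line == "</Directory>":
            cur = None
        elif cur is None or not line or line.startswith("</"):
            continue                                 # outside a section, blank, or closing tag
        elif line in ("<RequireAll>", "<RequireAny>"):
            cur["mode"] = line[8:-1].lower()
        elif line.startswith("Options "):
            cur["options"] = set(line.split()[1:])
        elif line.startswith("AllowOverride "):
            cur["override"] = line.partition(" ")[2].strip()
        elif line.startswith("Require "):
            words = line.split()[1:]
            negated = words[0] == "not"
            words = words[1:] if negated else words
            cur["requires"].append((negated, words[0], " ".join(words[1:])))
    return sections

def _check(provider, argument, ip, host):
    """Result of one provider (all, ip or host) for this client."""
    if provider == "all":
        return GRANTED if argument == "granted" else DENIED
    if provider == "ip":
        addr = ipaddress.ip_address(ip)
        hit = any(addr in ipaddress.ip_network(n, strict=False) for n in argument.split())
    else:                                            # host: exact name or domain suffix
        hit = any(host == h or host.endswith("." + h) for h in argument.split())
    return GRANTED if hit else DENIED

def access(section, ip, host=""):
    """True if a client with this address (and reverse-DNS name) is let in."""
    results = []
    for negated, provider, argument in section["requires"]:
        r = _check(provider, argument, ip, host)
        results.append((DENIED if r == GRANTED else NEUTRAL) if negated else r)
    if section["mode"] == "all":
        return DENIED not in results and GRANTED in results
    return GRANTED in results                        # RequireAny

def findings(section):
    """Static checks worth running on a section before it goes live."""
    out = [f"Options {o} enabled" for o in sorted(RISKY_OPTIONS & section["options"])]
    if section["override"] != "None":
        out.append(f"AllowOverride {section['override']}: .htaccess can change this section")
    if section["mode"] == "any" and any(neg for neg, _, _ in section["requires"]):
        out.append("Require not ... outside <RequireAll> cannot undo a grant from another line")
    return out

# Constructed sample: the article's blocklist written as plain Require lines
# (first section) and wrapped in <RequireAll> (last section).
SAMPLE_CONFIG = """
<Directory />
    Require all granted
    Require not ip 73.145.12.34
    Require not host badguys.com
</Directory>
<Directory "/var/www/html/mysecret">
    Require all denied
    Require ip 10.0.0.0/24
</Directory>
<Directory "/var/www/html/public">
    Options Indexes
    AllowOverride All
    <RequireAll>
        Require all granted
        Require not ip 73.145.12.34
        Require not host badguys.com
    </RequireAll>
</Directory>
"""
CLIENTS = {"banned_ip": ("73.145.12.34", ""), "banned_host": ("198.51.100.7", "www.badguys.com"),
           "lan": ("10.0.0.42", ""), "internet": ("198.51.100.7", "client.example.net")}

def report(text=SAMPLE_CONFIG):
    """Per section: the decision for each sample client plus the static findings."""
    out = {}
    for s in parse_sections(text):
        out[s["path"]] = {name: access(s, ip, host) for name, (ip, host) in CLIENTS.items()}
        out[s["path"]]["findings"] = findings(s)
    return out
```

Calling `report()` makes the difference between the two blocklist sections visible: in the first one the banned address and the badguys.com client are both let in, because "Require all granted" already satisfies the implicit RequireAny, while the <RequireAll> version keeps them out and still admits everyone else. The findings list flags the same mistake statically, together with the directory-listing and .htaccess settings that widen what a directory exposes.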

Remember to restart the Apache server each time you change your config file so that it is re-read.
