
Differences between version 17 and predecessor to the previous major change of ApacheNotes.


Newer page: version 17 Last edited on Monday, October 4, 2004 2:25:11 pm by DanielLawson
Older page: version 11 Last edited on Monday, June 7, 2004 11:19:21 am by PerryLorier
@@ -1,28 +1,52 @@
-[Apache] was originally the [NCSA] httpd. However this server languished, and people had patches around to extend httpd to do what they needed or to fix bugs. Eventually a group of people got together and collated all the patches into one server which was "a patchy server", hence "Apache".  
+!!! Installation  
  
-Apache is one of the critical components of [LAMP] ([Linux]/ [Apache] /[MySQL] /[PHP ])
+If you're going to compile and install [ Apache] from source, use the [Apache Toolbox | http: //www.apachetoolbox.com/ ]. 
  
-----  
+!!! Rotating your logs  
  
-!!Security in Apache 
+Want to rotate all of your separate ~VirtualHost log files without restarting [ Apache]? Use a little-known tool that comes with [Apache] called rotatelogs(8).  
  
-Apache recently featured in a list of security problems ([http://isc.sans.org/top20.html]). Apache is no more inherently insecure than any other web-based application, however in can been installed and configured to be insecure. Points to note when installing, configuring and mantaining Apache include
+Change your ~TransferLog lines to: 
  
-!!![CGI] scripts  
+<verbatim>  
+TransferLog "|/path/to/rotatelogs /your/log/file.log 64800"  
+</verbatim>  
  
-[CGI] scripts are probably the biggest problem. Upload and CGI directories need to be distinct (so people can't upload ''improved'' CGI scripts and as small as possible
+Read the ManPage for more information, or replace with ~CronoLog which has more features
  
-Apache2 makes it easier to run different scripts as different users, rather than as the user that apache is running as.  
+!!! Securing [Apache]  
  
-!!!Chroot prisons  
-Chroot prisons limit the damage than can be done should an application be compromised. See [chroot(2) ] for details . Apache2 has better support for this
+[Apache ] recently featured in a [list of security problems | http://isc .sans .org/top20.html]. They generally boil down to configuration mistakes. Points to note when installing, configuring and mantaining [Apache] include: <br> <br> :  
  
-See also: [HowToSecureProgramsHOWTO ], [HowToSecurityQuickstartHOWTO ], [HowToSecurityHOWTO ] and [http://httpd .apache.org/docs/misc/security_tips.html]  
+ __ [CGI ] scripts__:  
+ Probably the biggest problem. Upload and [CGI ] directories need to be distinct (so people can't upload "improved" [CGI ] scripts) and as small as possible
  
-!!!Installation  
-If you're going to compile and install apache from source , use [http://www .apachetoolbox .com /] 
+ Apache2 makes it easier to run different scripts or even different Virtual Hosts as different users , rather than as the user that [Apache] is running as.  
+  
+ __Chroot prisons__:  
+ Running in a chroot prison limits the damage than can be done should an application be compromised. See [chroot(2)] for details. Apache2 has better support for this.  
+  
+ See also:  
+ * [HowToSecureProgramsHOWTO]  
+ * [HowToSecurityQuickstartHOWTO]  
+ * [HowToSecurityHOWTO]  
+ * [http://httpd .apache .org /docs/misc/security_tips.html ]  
+ <br>  
+  
+ __FireWall~ing [Apache]__:  
+ You probably should FireWall the [Apache] user from connecting out to the InterNet unless you know that they actually have to. Doing this prevents a lot of exploits that people will attempt against your WebSite. The same idea can be applied to other services.  
+  
+ <verbatim>  
+ iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT  
+ iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG  
+ </verbatim>  
+  
+!!! Extra information in directory listings  
+  
+You can have additional information displayed at the top and bottom of a <tt>mod_autoindex</tt> directory listing by putting the text in a file called <tt>HEADER</tt> and <tt>README</tt>, respectively. Either file can any have FileExtension (or none). To enable this feature, you will need <tt>~MultiViews on</tt> to be in effect for that request.  
+  
+----  
+!! See also  
  
-!!!Firewalling apache.  
-You probably should firewall the apache user from connecting out to the InterNet unless you know that they actually have to. Doing this prevents a lot of exploits that people will attempt against your website. The same idea can be applied to other services.  
- iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump REJECT  
- iptables --insert OUTPUT --match owner --uid-owner www-data --protocol tcp --syn --jump LOG  
+* NameVirtualHosting  
+* ModBackhand
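
Review bot: In the FireWall~ing section, both iptables lines use --insert with no rule number, so each one lands at the top of OUTPUT, and the LOG rule ends up ahead of REJECT only because it is run second. The text should say that the order matters, or the commands should give explicit rule positions; if someone swaps the two lines, REJECT fires first and nothing is logged. The match is also limited to "--protocol tcp --syn", so UDP traffic from www-data is still allowed out, and with no destination or interface restriction the rule also rejects the Apache user's TCP connections to local services on loopback. Both points deserve a sentence. www-data is the Debian account name and should be marked as a value to adjust for other systems. Minor: "mantaining", "than can be done" and "can any have FileExtension" are typos in the added lines.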