Apache's httpd.conf

An Example of Apache's httpd.conf with a whole bunch of useful security options:
- some protection against DDoS
- buffer overflows
- IDS/Honeypot
- Fake Headers
- Mod_Security IDS
- Logging

##
## This file has been simplified (removing normal httpd.conf
## information) in order to make it easier for the reader to identify
## the security settings.
##
## You should modify this file appropriately for your environment.
##

##########################################
### Server-Oriented General Directives ###
##########################################
# Core server identity (Apache 1.3-era directives: ServerType / Port).
ServerType standalone
ServerRoot "/var/www"
DocumentRoot "/var/www/htdocs"
ServerName www.companyx.com
# NOTE(review): a reverse-DNS lookup on every request adds latency and an
# external DNS dependency, which works against the DoS section below.
# Hardening guides usually prefer Off and resolve addresses offline
# (e.g. with logresolve) -- confirm that On is wanted here.
HostnameLookups On
Port 80
##########################################

########################################
### User-Oriented General Directives ###
########################################
# Unprivileged identity the child processes run as. Keep it a dedicated
# account with no login shell and no write access to the content tree.
User webserv
Group webserv
ServerAdmin webmaster@companyx.com
########################################
# Runtime state files. These are written by the parent process (which
# keeps root), so /var/www/logs should not be writable by 'webserv'.
PidFile /var/www/logs/httpd.pid
ScoreBoardFile /var/www/logs/httpd.scoreboard

#########################################
### DoS Protective General Directives ###
#########################################
# Connection and worker limits. These bound per-client resource use;
# they are not a substitute for rate limiting upstream of the server.
Timeout 60
KeepAlive On
KeepAliveTimeout 15
MaxKeepAliveRequests 100
MinSpareServers 10
MaxSpareServers 20
StartServers 10
# NOTE(review): Apache 1.3 clamps MaxClients to the compile-time
# HARD_SERVER_LIMIT (256 by default, as I recall); 2048 only takes effect
# if httpd was rebuilt with a higher limit -- verify on the target build.
MaxClients 2048
# 0 = child processes are never recycled. A non-zero value bounds the
# damage from a slow memory leak in any loaded module.
MaxRequestsPerChild 0

# mod_evasive (mod_dosevasive) thresholds. As I understand the module,
# its hash table is per child process, so the effective limits scale
# with the number of workers.
DOSHashTableSize 3097
# NOTE(review): DOSPageCount 2 / DOSSiteCount 1 over a 1-second interval
# is extremely tight -- a browser fetching a page plus a single image
# from one address can trip it and be blocked for DOSBlockingPeriod (10 s).
# The module's shipped defaults are far looser (DOSSiteCount 50, as I
# recall). Tune against real traffic before deploying.
DOSPageCount 2
DOSSiteCount 1
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSEmailNotify root

#########################################

##########################################
### Buffer Overflow General Directives ###
##########################################
# Request-size ceilings. They cap the memory and CGI input a single
# request can consume; they do not fix overflows inside httpd itself.
# 10 KiB body limit: any file upload or large form POST is refused with
# 413 (the ErrorDocument for 413 below then applies) -- confirm this
# matches what the site needs.
LimitRequestBody 10240
LimitRequestFields 40
LimitRequestFieldsize 1000
LimitRequestline 500
# NOTE(review): core files can contain key material and request data
# from process memory. This is the logs directory; it is outside
# DocumentRoot (/var/www/logs vs /var/www/htdocs), which is right, but
# it must also be unreadable to any account other than root/webserv.
CoreDumpDirectory /var/www/logs
##########################################

###############################################
### Software Obfuscation General Directives ###
###############################################
# Reduce what the server reveals about itself.
# Prod -> the response carries "Server: Apache" only (no version/modules).
ServerTokens Prod
# No version footer on generated pages (error pages, listings).
ServerSignature Off
# Custom error pages. Each /cgi-bin/NNN.cgi must exist and be executable
# by 'webserv', otherwise httpd falls back to its default error page.
# NOTE(review): the bundled manual is aliased under /manual/ further down;
# its pages state the httpd version and so undo ServerTokens Prod.
ErrorDocument 404 /custom404.html
ErrorDocument 400 /cgi-bin/400.cgi
ErrorDocument 401 /cgi-bin/401.cgi
ErrorDocument 403 /cgi-bin/403.cgi
ErrorDocument 405 /cgi-bin/405.cgi
ErrorDocument 406 /cgi-bin/406.cgi
ErrorDocument 409 /cgi-bin/409.cgi
ErrorDocument 413 /cgi-bin/413.cgi
ErrorDocument 414 /cgi-bin/414.cgi
ErrorDocument 500 /cgi-bin/500.cgi
ErrorDocument 501 /cgi-bin/501.cgi
###############################################

##########################
### Mod_Rewrite VooDoo ###
##########################
# URL-path sanitation via mod_rewrite.
RewriteEngine On
RewriteLog /var/www/logs/rewrite.log
RewriteLogLevel 2
# Forbid (403) any URL-path containing a character outside
# [a-zA-Z0-9 . / _ - |]. Notes: the '|' characters are literal inside a
# character class, so '|' itself is permitted; the pattern is matched
# against the decoded URL-path only, not the query string; and '~' is
# not in the set, so with UserDir enabled below, /~user/ URLs would be
# refused -- confirm that is intended.
RewriteRule [^a-zA-Z0-9|\.|/|_|-] - [F]
# Refuse the TRACE method. Later 1.3/2.x releases also provide
# "TraceEnable off", which does this without mod_rewrite.
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
#########################

############################
### IDS/Honeypot Options ###
############################
#
# This next section will deny attempts to access common CGI directories.
#
# NOTE(review): the container directives that scoped the "deny from all"
# lines in this section (Directory/Files blocks naming the decoy paths)
# were lost when the page was rendered. A bare "deny from all" at server
# scope is refused by httpd at startup ("not allowed here"); restore each
# container (placeholder: a Directory block for /path/to/decoy-cgi-dir)
# before using this file.

deny from all

#
# This next section will deny attempts to access common CGI files.
# This is an alternative to actually creating fake cgi scripts.
#
# Same caveat: each "deny from all" below needs its Files/Location
# container restored. The 403 responses and the "client denied by server
# configuration" entries in the error log are what make this a tripwire.

deny from all

deny from all
############################

####################
### Fake Headers ###
####################
# Decoy headers (requires mod_headers). Note that ServerTokens Prod
# above still sends "Server: Apache", so a client sees an Apache Server
# header next to a Squid Via and an ASP.NET X-Powered-By; fingerprinting
# tools that look at response behaviour rather than headers are not
# affected, and the unusual combination can itself be recognisable.
Header set Via "1.1 squid.proxy.companyx.com (Squid/2.4.STABLE6)"
Header set X-Powered-By "ASP.NET"
####################

###################################
### Mod_Security IDS Directives ###
###################################

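# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Make sure the Unicode encoding is valid
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range (printable ASCII). Any request that
# carries raw UTF-8 or other 8-bit data, e.g. non-English form input,
# is rejected by this line -- widen the range if such input is expected.
SecFilterForceByteRange 32 126

# The audit engine works independently and
# can be turned On or Off on the per-server or
# on the per-directory basis
SecAuditEngine On

# The name of the audit log file (relative to ServerRoot, i.e.
# /var/www/logs/audit_log). With SecFilterScanPOST On it records full
# request bodies, which can include credentials; keep it readable only
# by the server account and the administrators.
SecAuditLog logs/audit_log

SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# Action to take by default
SecFilterDefaultAction "deny,log,status:403"

# Prevent OS-specific keywords. The original pattern was "/etc/password",
# which never matches the real file name, so the rule never fired.
SecFilter /etc/passwd

# Prevent path traversal (..) attacks
SecFilter "\.\./"

# Weaker XSS protection but allows common HTML tags.
# Fixed: the original pattern "< ( |\n)*script" required a literal space
# right after '<', so "<script" did not match. This rule is redundant
# while the broader filter on the next line is also active; keep one.
SecFilter "<( |\n)*script"
# Prevent XSS attacks (HTML/Javascript injection).
# Note: this rejects any request carrying HTML-like markup, including
# legitimate rich-text form fields.
SecFilter "<(.|\n)+>"

# Very crude filters to prevent SQL injection attacks.
# Signature-based and easy to evade; treat as defence in depth behind
# parameterised queries in the application, not as the control.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"

# Require HTTP_USER_AGENT and HTTP_HOST headers.
# HTTP/1.0 clients that send no Host header, and monitoring probes
# without a User-Agent, are refused by this rule.
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"

# Restrict cgi-bin access to allow ONLY the following files:
# - 4XX.cgi and 5XX.cgi Error Scripts
# - List any valid cgi scripts
# Any request for files other than those listed will be denied
# NOTE(review): this negated filter only makes sense inside a container
# scoped to /cgi-bin/ (the Location/Directory wrapper appears to have
# been lost in rendering). At server scope it would deny every request
# whose URI/body lacks one of the listed names.

SecFilter "!(4..\.cgi|5..\.cgi|valid1\.cgi|valid2\.pl)"

# External signature set converted from Snort rules (not shown here).
include conf/snortmodsec-rules.txt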

##########################

# Bind plain HTTP and HTTPS. Once Listen is used it controls which ports
# are bound; the Port directive above then only affects self-referential URLs.
Listen 80
Listen 443

# NOTE(review): the Directory containers around the next groups were lost
# in rendering. The first group (Options None, Order deny,allow, Deny from
# all) reads like the usual lockdown of the filesystem root, the second
# like the grant for DocumentRoot; restore the containers before use.
Options None
AllowOverride None
Order deny,allow
Deny from all

deny from all

# Symlinks, SSI, listings and content negotiation all off for the main
# tree; .htaccess overrides disabled so this block stays authoritative.
Options -FollowSymLinks -Includes -Indexes -MultiViews
AllowOverride None
Order allow,deny
Allow from all

# Basic auth for a protected area (its container was lost as above).
# Basic credentials travel base64-encoded, i.e. effectively in the clear;
# restrict the protected location to the HTTPS virtual host. The password
# file lives under /var/www/conf, outside DocumentRoot (/var/www/htdocs),
# which is what keeps it from being served -- keep it there.
AuthType Basic
AuthName "Private Access Test"
AuthUserFile /var/www/conf/passwd
Require user test

# Per-user web space: /~user/ maps to that user's public_html. This
# interacts with the RewriteRule above, which forbids '~' in URL-paths.
UserDir public_html

DirectoryIndex index.html

AccessFileName .htaccess

# Presumably the "^\.ht" Files block from the stock config, whose
# container was lost in rendering: refuses to serve .htaccess/.htpasswd.
# Satisfy All means no authentication can override the host-based denial.
Order allow,deny
Deny from all
Satisfy All

# Self-referential URLs use ServerName rather than the client's Host header.
UseCanonicalName On

TypesConfig /var/www/conf/mime.types

# Files with unknown extensions are served as plain text.
DefaultType text/plain

MIMEMagicFile /var/www/conf/magic

##################################
### Logging General Directives ###
##################################
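# Error log via syslog, so entries can be forwarded off-box and survive
# tampering with the local logs directory.
ErrorLog syslog
# NOTE(review): debug is very verbose in production, makes log volume
# itself a disk-fill vector and can record request details; 'info' or
# 'warn' is the usual setting once the configuration is stable.
LogLevel debug
# "combined" extended with the request headers the filters above key on
# (Host, Accept*, Connection, Referer, User-Agent). The directive had been
# wrapped over several lines on the page; httpd requires it on one line
# (or with backslash continuations).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Accept}i\" \"%{Accept-Encoding}i\" \"%{Host}i\" \"%{Connection}i\" \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# Use the extended format defined above. The original logged "common",
# which left every header field that format defines unrecorded.
CustomLog /var/www/logs/access_log combined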
##################################

Alias /icons/ "/var/www/icons/"

# Directory listing allowed for the icon set only (static, harmless).
# (Container lost in rendering, as elsewhere in this file.)
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all

# NOTE(review): serving the bundled manual discloses which httpd version
# it documents, defeating ServerTokens Prod above, and this block enables
# Indexes and FollowSymlinks on it. Drop the alias on a hardened host, or
# at least remove Indexes and FollowSymlinks.
Alias /manual/ "/var/www/htdocs/manual/"

Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all

# CGI directory. ScriptAlias marks every file here as a CGI program
# regardless of Options, so only audited scripts belong in it; the
# SecFilter whitelist above names which files may be requested.
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

AllowOverride None
Options None
Order allow,deny
Allow from all

# mod_autoindex cosmetics for the directories where Indexes is enabled.
IndexOptions FancyIndexing

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

# Files shown at the top/bottom of a listing when present in the directory.
ReadmeName README
HeaderName HEADER

# Content-Encoding advertised for compressed files by extension.
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

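# Language and charset mappings used by content negotiation (MultiViews).
AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage he .he
AddCharset ISO-8859-8 .iso8859-8
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage kr .kr
AddCharset ISO-2022-KR .iso-kr
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt-br
AddLanguage ltz .lu
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .sv
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage zh-tw .tw
AddLanguage tw .tw
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251
AddCharset CP866 .cp866
AddCharset ISO-8859-5 .iso-ru
AddCharset KOI8-R .koi8-r
AddCharset UCS-2 .ucs2
AddCharset UCS-4 .ucs4
AddCharset UTF-8 .utf8

# Preference order when the client sends no usable Accept-Language.
# Must be a single line; it had been wrapped over two lines on the page.
LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw

AddType application/x-tar .tgz
AddType image/x-icon .ico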

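# Work around broken keep-alive / HTTP/1.1 handling in old clients.
# One directive per line; the MSIE entry had been wrapped on the page,
# which httpd would reject.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0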

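# MIME types for certificates and CRLs served to clients.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# "builtin" prompts on the console, so an encrypted key needs an operator
# present at every start/restart.
SSLPassPhraseDialog builtin

# Session cache and lock file live in the logs directory (see permission
# notes on that directory above).
SSLSessionCache dbm:/var/www/logs/ssl_scache
SSLSessionCacheTimeout 300

SSLMutex file:/var/www/logs/ssl_mutex

# The builtin seed is weak on its own (mod_ssl's own docs say so); add the
# kernel RNG. Multiple SSLRandomSeed lines for the same stage are cumulative.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

SSLLog /var/www/logs/ssl_engine_log
SSLLogLevel info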

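# NOTE(review): everything from here to the end appears to be an SSL
# virtual host whose VirtualHost container (and the inner Files/Directory
# blocks that held the two SSLOptions lines) was lost in rendering.
# Restore the container (placeholder: a VirtualHost block on port 443)
# before use; as written, "SSLEngine on" would apply to the whole server.
DocumentRoot "/var/www/htdocs"
ServerName hostname.companyx.com
# Fixed a stray space in the mailbox ("root@ hostname...").
ServerAdmin root@hostname.companyx.com
ErrorLog /var/www/logs/error_log
TransferLog /var/www/logs/access_log

SSLEngine on

# Disable SSLv2 and SSLv3 at the protocol level; the cipher string alone
# does not stop a client from negotiating the older protocol.
SSLProtocol all -SSLv2 -SSLv3
# One line (it had been wrapped on the page). The original string ended
# in "+LOW:+SSLv2:+EXP:+eNULL", which left export-grade, 40/56-bit and
# even null-encryption suites enabled. Those are excluded here, together
# with anonymous DH (no server authentication), RC4 and MD5.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!ADH:!eNULL:!EXPORT:!LOW:!SSLv2:!RC4:!MD5

SSLCertificateFile /var/www/conf/ssl.crt/server.crt

# The key is read at startup before the switch to 'webserv', so it should
# be readable by root only. It sits under ServerRoot, outside DocumentRoot.
SSLCertificateKeyFile /var/www/conf/ssl.key/server.key

# Export SSL_* variables to CGI/SSI. Both lines were scoped by containers
# lost in rendering; as written the second is a plain duplicate.
SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

# Legacy MSIE workarounds for SSL shutdown and HTTP/1.1 bugs.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

# Per-request record of negotiated protocol and cipher.
CustomLog /var/www/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"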
