How can we perfrom the Security configuration for Apache

In this tutorial, we will show how to set up the additional security configurations for the PHP application hosted with Apache application server.

There are two ways of setting up the main security configurations:

  • make changes in the main configuration file of the Apache (httpd.conf)
  • create special ".htaccess" file, which contains one or more configuration directives and is placed inside the application directory

The directives are able to override a subset of the server's global configuration for that directory and all subdirectories thereof. What can put in this file is determined by the AllowOverride directive.

AllowOverride is valid only in < directory > sections specified without regular expressions. When this directive is set to None - .htaccess files are completely ignored. When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.

Let’s examine every kind of security configs I can apply in order to protect the application:

  • Authentication
  • Setting up the access criteria
  • Configuring mod_security module
  • Server version hiding
A. Setting Up the Authentication Request

To set the authentication to the Apache application or to just separate a directory in the application, follow these next steps.

  1. Generate hash from the password. For that, I can use any htpasswd tool or online service (for example, http://www.htpasswdgenerator.net/).
  2. Create a simple text file with a previously generated hash.
  3. Click Config button for the server.
  4. Upload the created file to the /var/www/webroot/ROOT folder.

In the /etc/httpd/conf folder open httpd.conf file (or .htaccess file, if I use it) perform the following configurations:

    • authentication for the whole application

Add the following strings to the Directory as it is shown in the image below:

AuthName "Restricted area"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/webroot/ROOT/.htpasswd
Require valid-user

apache authentication
  • authentication for the separate directory

Add the following Location strings stating the path to the required directory:


AuthName "Restricted area"
AuthType Basic
AuthBasicProvider file
AuthUserFile /var/www/webroot/ROOT/.htpasswd
Require valid-user

apache directory authentication


5. Save the changes and Restart the Apache server.

Note: if I use httpd.conf file for setting up the security configuration, I need to restart Apache after making every change in configuration. In the case of .htaccess files usage, changes made in these files take immediate effect, because these files are read on every request.

As a result, while accessing the application or the protected directory a user will be requested to authenticate.

authentication required

B. Security Through Setting Up Criteria

I can provide security for the application through setting access control to the particular parts of the server based on specific criteria (e.g. client hostname or IP address).

The necessary configurations can be applied with the help of the Require directive. And in order to set up more complex access policy, it can be used in conjunction with:
  • RequireAll - a set of authorization directives, where none must fail and at least one to succeed
  • RequireAny -  a set of authorization directives, where at least one must succeed
  • RequireNone - a set of authorization directives, where none must succeed

Navigate to the /etc/httpd/conf folder and open the httpd.conf file (or the .htaccess one directly in a target directory).

1. In order to set up access criteria by IP, just add a necessary directive to the Directory section.

apache security by criteria
2. As a more complex example, I can configure access policy of several conditions (e.g. via RequireAll directive) and for a particular server folder (just change the part underlined in the image below).

apache security using require directive
3. Don’t forget to Save the changes and Restart the Apache server to apply changes.

Note: Denying access through IP makes sense only if I use Public IP feature.

C. Configuring mod_security Module

mod_security is a super handy Apache module which provides such abilities as simple filtering, URL and Unicode encoding validation, auditing, null byte attack prevention, upload memory limits, server identity masking, built in chroot support and many more.

This module is available in Jelastic by default and can be configured via /etc/httpd/conf.d/mod_security.conf file.

modsecurity


Here I can edit the default configurations or add the own custom.

For example, I can add some extra ModSecurity Rules by uploading them to the /etc/httpd/modsecurity.d folder (e.g. modsecurity_crs_11_brute_force.conf).

modsecurity rules

The rules uploaded to modsecurity.d or to activated_rules folders will be automatically activated without any extra settings. This is configured by the following default parameters in the /etc/httpd/conf.d/mod_security.conf file:

Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf

D. Hide Apache Server Version

Usually, with default configurations, the Apache server version is publicly shown. As a result, the information about the version of the Apache and operating system/version, or even the details about installed Apache Modules can be used to perform an attack.

To avoid this, Jelastic automatically adds the following configurations to the httpd.conf file:
  • ServerSignature Off - shows 404 page instead of directory listings and other such pages generated by Apache
  • ServerTokens Prod - determines Apache Server HTTP response header; with the Prod value the HTTP response header will be as follows - Server: Apache


Was this article helpful?

mood_bad Dislike 0
mood Like 0
visibility Views: 9887