Apache Security

• Limit Apache to listening on the loopback interface only, so the server cannot be reached from the network, by setting the following in /etc/httpd/conf/httpd.conf (a Listen directive that names an address replaces the default of binding every interface; confirm afterwards with netstat -ltn or ss -ltn that nothing is bound to 0.0.0.0:80):

  Listen 127.0.0.1:80

• Use the following to deny access to the entire filesystem by default, so that only directories explicitly opened up in later <Directory> blocks are served. Options None turns off directory indexes (the listing printed when no index.html exists), server-side includes, CGI execution and the following of symbolic links, and AllowOverride None stops .htaccess files from re-enabling any of them. Note that with FollowSymLinks off Apache must lstat() every component of each requested path, which can cost performance on large sites. (The Order/Deny lines are the Apache 1.3/2.2 syntax; Apache 2.4 expresses the same thing as Require all denied.)

  <Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
  </Directory>

• Use the following in /etc/httpd/conf/access.conf to restrict access to the document tree to a limited set of addresses:

  <Directory /home/httpd/html>
    # Evaluate Deny directives first, then Allow; an Allow match overrides a Deny
    Order deny,allow
    # Allow access from the local machine
    Allow from 127.0.0.1
    # Allow access from the entire local network (a partial address matches whole octets)
    Allow from 192.168.1.
    # Allow access from a single remote host
    Allow from 192.168.5.3
    # Deny everyone else
    Deny from all
  </Directory>
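The Order/Allow/Deny semantics are the part of the two stanzas above that is most often got wrong, so here is an evaluator that applies them the way mod_access (Apache 1.3) and mod_authz_host (Apache 2.2) do, run over the page's own stanza. This is an added example for this page, not code from the page or from Apache; the client addresses it checks are constructed, and the parser only understands the three directives the stanzas use.

```python
"""Evaluate Apache 1.3 / 2.2 'Order', 'Allow from' and 'Deny from' rules the
way mod_access / mod_authz_host does, so the effect of a <Directory> stanza
can be checked without a running server. Added example for this page; not
code from the page or from Apache. Client addresses below are constructed."""
import ipaddress
from dataclasses import dataclass, field


def matches(pattern: str, client: str) -> bool:
    """Match one 'Allow from' / 'Deny from' argument against a client IPv4 address.

    Handles the forms used on the page: 'all', a full address, and a partial
    dotted prefix such as '192.168.1.' (Apache compares whole octets, so
    '192.168.1' must not match 192.168.10.5). CIDR notation is accepted too.
    """
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    prefix = pattern.rstrip(".").split(".")
    return client.split(".")[: len(prefix)] == prefix


@dataclass
class AccessRules:
    order: str = "deny,allow"            # Apache's default when Order is absent
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)

    def permits(self, client: str) -> bool:
        allowed = any(matches(p, client) for p in self.allow)
        denied = any(matches(p, client) for p in self.deny)
        order = self.order.replace(" ", "").lower()
        if order == "deny,allow":
            # Deny directives are checked first; a matching Allow overrides them,
            # and a client that matches neither list is allowed.
            return allowed or not denied
        if order == "allow,deny":
            # At least one Allow must match, and a matching Deny then overrides
            # it; a client that matches neither list is denied.
            return allowed and not denied
        raise ValueError(f"unsupported Order argument: {self.order!r}")


def parse_directory_stanza(text: str) -> AccessRules:
    """Pull Order / Allow from / Deny from out of a <Directory> block."""
    rules = AccessRules()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue
        directive, _, args = line.partition(" ")
        name = directive.lower()
        if name == "order":
            rules.order = args.strip()
        elif name in ("allow", "deny"):
            words = args.split()
            if not words or words[0].lower() != "from":
                raise ValueError(f"expected '{directive} from ...': {raw!r}")
            (rules.allow if name == "allow" else rules.deny).extend(words[1:])
    return rules


def evaluate(stanza: str, clients) -> dict:
    """Return {client_ip: permitted} for the given stanza."""
    rules = parse_directory_stanza(stanza)
    return {client: rules.permits(client) for client in clients}


# The access-control stanza from the page, comments removed.
PAGE_STANZA = """\
<Directory /home/httpd/html>
  Order deny,allow
  Allow from 127.0.0.1
  Allow from 192.168.1.
  Allow from 192.168.5.3
  Deny from all
</Directory>
"""

# Constructed client addresses: on the allowed list, adjacent to it, and remote.
SAMPLE_CLIENTS = ["127.0.0.1", "192.168.1.50", "192.168.10.5",
                  "192.168.5.3", "192.168.5.4", "203.0.113.9"]

if __name__ == "__main__":
    for ip, ok in evaluate(PAGE_STANZA, SAMPLE_CLIENTS).items():
        print(f"{ip:>14}  {'allowed' if ok else 'denied'}")
    # Common mistake: the same Allow lines under 'Order allow,deny' together
    # with 'Deny from all' lock everyone out, because Deny is evaluated last.
    flipped = PAGE_STANZA.replace("Order deny,allow", "Order allow,deny")
    print("under Order allow,deny:", evaluate(flipped, ["127.0.0.1"]))
```

Running it shows 127.0.0.1, 192.168.1.50 and 192.168.5.3 allowed, 192.168.10.5 (not a whole-octet match for 192.168.1.), 192.168.5.4 and 203.0.113.9 denied, and that flipping the stanza to Order allow,deny denies even the loopback address.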

• Use the following in /etc/httpd/conf/access.conf to require password authentication for a specific directory. The Allow line additionally restricts the directory to one client address; by default (Satisfy All) a request must pass both the address check and the authentication. AuthType Basic sends the password merely base64-encoded on every request, so serve such directories over HTTPS:

  <Directory /home/httpd/html/protected>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.11
    AuthName "Private Information"
    AuthType Basic
    AuthUserFile /etc/httpd/conf/private-users
    AuthGroupFile /etc/httpd/conf/private-groups
    require group <group-name>
  </Directory>

Create the group file named in AuthGroupFile (/etc/httpd/conf/private-groups) with one group per line, in the following format:

group-name: user1 user2 user…

Create a password entry for each user listed in the group (-c creates the file and is used for the first user only; -m stores a salted MD5 hash instead of crypt(3)):

  # htpasswd -cm /etc/httpd/conf/private-users user1
  New password: <password>
  Re-type new password: <password>
  Adding password for user user1

Restart Apache and test the result, both from the allowed address with valid credentials and from a disallowed address or with wrong credentials. Drop the -c option from htpasswd for every user after the first: -c creates the file and silently overwrites an existing one, wiping the entries already added. Keep the password and group files outside the DocumentRoot so they cannot be downloaded. Use IP addresses rather than hostnames in Allow and Deny directives: a hostname argument makes Apache perform a double reverse DNS lookup (reverse lookup of the client address, then a forward lookup of the resulting name) on every request to the directory, which slows it down and makes access control depend on DNS.
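The group file format and the htpasswd procedure above leave two easy mistakes that a running server will not complain about: a user listed in the group but absent from the password file (the result of re-using -c), and a password file that can be served. The following checker, an added example for this page rather than code from the page or from the htpasswd tool, parses both files in the formats shown, identifies how each password is stored from the prefix htpasswd writes, and reports whether the AuthUserFile path lies under the DocumentRoot. The file contents and paths in it are constructed; the digests are format placeholders, not real credentials.

```python
"""Check an AuthUserFile / AuthGroupFile pair of the kind created above for
the mistakes the text warns about: group members with no password entry (the
result of re-using htpasswd -c, which recreates the file), weakly stored
passwords, and a password file placed under the DocumentRoot. Added example
for this page, not code from the page or from the htpasswd tool. The file
contents below are constructed; the digests are format placeholders."""
from pathlib import PurePosixPath


def parse_group_file(text: str) -> dict:
    """AuthGroupFile format: 'group-name: user1 user2 ...', one group per line."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep:
            raise ValueError(f"malformed group line: {raw!r}")
        groups[name.strip()] = members.split()
    return groups


def parse_user_file(text: str) -> dict:
    """AuthUserFile format as written by htpasswd: 'user:digest' per line."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed user line: {raw!r}")
        users[user] = digest
    return users


def hash_scheme(digest: str) -> str:
    """Identify how htpasswd stored the password from the digest's prefix."""
    if digest.startswith("$apr1$"):
        return "md5"       # htpasswd -m: salted, iterated APR1-MD5
    if digest.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"    # htpasswd -B
    if digest.startswith("{SHA}"):
        return "sha1"      # htpasswd -s: unsalted SHA-1
    if len(digest) == 13:
        return "crypt"     # htpasswd -d: crypt(3), which uses only the first 8 characters
    return "plain"         # htpasswd -p, or a hand-edited file


def audit(group_text, user_text, group_name, user_file_path, document_root):
    """Return a list of findings; an empty list means the pair looks sane."""
    findings = []
    groups = parse_group_file(group_text)
    users = parse_user_file(user_text)
    members = groups.get(group_name)
    if members is None:
        findings.append(f"group {group_name!r} is not defined in the group file")
        members = []
    for member in members:
        if member not in users:
            findings.append(f"user {member!r} is in group {group_name!r} but has "
                            f"no password entry (was htpasswd -c run twice?)")
    for user, digest in users.items():
        scheme = hash_scheme(digest)
        if scheme in ("plain", "crypt", "sha1"):
            findings.append(f"user {user!r} uses {scheme} storage; rehash with "
                            f"htpasswd -m (or -B where available)")
    if PurePosixPath(document_root) in PurePosixPath(user_file_path).parents:
        findings.append(f"{user_file_path} lies under DocumentRoot {document_root} "
                        f"and could be served to clients")
    return findings


# Constructed sample files: user3 is in the group but missing from the
# password file, and user2's password was stored in the clear.
GROUP_FILE = "private: user1 user2 user3\n"
USER_FILE = ("user1:$apr1$Xk3vT9qL$0123456789abcdefghijkl\n"   # placeholder in -m layout
             "user2:plaintext-password\n")

if __name__ == "__main__":
    for finding in audit(GROUP_FILE, USER_FILE, "private",
                         "/etc/httpd/conf/private-users", "/home/httpd/html"):
        print("-", finding)
```

Point it at the real files with something like audit(open(groupfile).read(), open(userfile).read(), "<group-name>", userfile, docroot) after each htpasswd run; an empty result means every group member has an entry, every entry is hashed with -m or -B, and the file is not under the web root. The crypt(3) detection is a length heuristic and will also flag a 13-character plaintext password, which is still a finding worth acting on.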