
This document covers zero footprint compilation and installation of the Apache HTTP Server. It also covers the basic configuration settings needed to compile a server that matches specific requirements. Finally, best practices for creating a secure web server are provided, which can be applied according to the application's needs and its security requirements.

Create Zero FootPrint Apache Package

Create No Login User

Create the apacheaem no-login user without a home directory. This user exists solely to run the Apache services.

```bash
sudo adduser apacheaem --shell=/bin/false --no-create-home
```

Install C Compiler

```bash
# Compiling Apache Server: install the build toolchain
sudo apt-get update
sudo apt-get install build-essential
```

Download Apache Package

```bash
cd /home/bnsadm/
wget https://www.apache.org/dist/httpd/httpd-2.2.32.tar.bz2
tar -xvf httpd-2.2.32.tar.bz2
```

Configure apache for compilation

```bash
cd /home/bnsadm/httpd-2.2.32
# --enable-rewrite is the configure switch that enables mod_rewrite
# (the page originally used --enable-module-rewrite, which configure does not recognise)
./configure --prefix=/home/bnsadm/apache2 --enable-mods-shared=few --enable-rewrite
```

...

http://httpd.apache.org/docs/2.4/programs/configure.html#installationdirectories

Prepare Build and Compile Apache

Execute the commands below to prepare the build and compile Apache under /home/bnsadm/apache2, the folder set by the --prefix option in the previous step.

```bash
make
make install
```

Make Config Changes

```bash
cd /home/bnsadm/apache2/conf/
cp -p httpd.conf httpd.conf_orig
# write the edited copy with > (the original used >>, which appends to any
# existing httpd.conf_1 instead of replacing it)
sed -e 's/User daemon/User apacheaem/g; s/Group daemon/Group apacheaem/g; s/#ServerName www.example.com:80/ServerName localhost/g' httpd.conf > httpd.conf_1
mv httpd.conf_1 httpd.conf
```

The command above makes the Apache services run as the apacheaem no-login user and changes ServerName to localhost.
Any other configuration changes related to the Apache dispatcher can be appended to the sed command, separated with `;`.
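As an added example (not part of the original page), the same three edits done with a small shell helper that checks each substitution actually matched: sed returns success even when its pattern matched nothing, so the one-liner above can silently leave `User daemon` in place if the stock httpd.conf differs from what the pattern expects. The httpd.conf content below is a constructed sample; the path /home/bnsadm/apache2/conf/httpd.conf it stands in for comes from this page.

```shell
#!/bin/sh
# Added example, not from the original page: apply the User/Group/ServerName
# changes to an httpd.conf and verify that each substitution really happened.
# sed exits 0 even when its pattern matched nothing, so a one-line sed can
# silently leave "User daemon" in place; these helpers fail loudly instead.

# Constructed sample standing in for /home/bnsadm/apache2/conf/httpd.conf.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF" "${SAMPLE_CONF}_orig" "${SAMPLE_CONF}.tmp"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Listen 80
# User/Group: the identity the child processes run under.
User daemon
Group daemon
#ServerName www.example.com:80
DocumentRoot "/home/bnsadm/apache2/htdocs"
EOF

# set_directive CONF NAME VALUE
# Rewrites every line that starts with NAME (or a commented-out "#NAME") as
# "NAME VALUE". Returns 1, without touching the file, when no such line exists.
set_directive() {
    conf="$1"; name="$2"; value="$3"
    if ! grep -q "^#\{0,1\}${name}[[:space:]]" "$conf"; then
        echo "error: no ${name} directive found in ${conf}" >&2
        return 1
    fi
    # Keep one pristine backup (like cp -p httpd.conf httpd.conf_orig above).
    [ -e "${conf}_orig" ] || cp -p "$conf" "${conf}_orig"
    sed -e "s|^#\{0,1\}${name}[[:space:]].*|${name} ${value}|" "$conf" > "${conf}.tmp" &&
        mv "${conf}.tmp" "$conf"
}

# get_directive CONF NAME -> prints the value of the active (uncommented) NAME line
get_directive() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# apply_page_changes CONF -> the three edits from the page's sed command, each checked
apply_page_changes() {
    set_directive "$1" User apacheaem &&
    set_directive "$1" Group apacheaem &&
    set_directive "$1" ServerName localhost
}

apply_page_changes "$SAMPLE_CONF" &&
    echo "User=$(get_directive "$SAMPLE_CONF" User) Group=$(get_directive "$SAMPLE_CONF" Group) ServerName=$(get_directive "$SAMPLE_CONF" ServerName)"
```

Because the helper refuses to continue when a directive is absent, a typo in a directive name or an unexpected httpd.conf layout stops the deployment instead of leaving the server running as daemon.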

Start and test Apache

```bash
sudo /home/bnsadm/apache2/bin/apachectl start
curl http://localhost:80
```

Apache needs to be started as root because, by default, it binds to port 80/TCP, and binding to any port below 1024 requires root privileges. Only the parent process runs as root; the child processes it forks run as the apacheaem no-login user.

Package Apache for Zero FootPrint Deployment on other machines

... 

The tar command used here will not work properly.

```bash
cd /home/bnsadm/
tar -cvzf apache_zerofs.tar.gz apache2
```

Deploy and start Zero FootPrint Apache Server on other machine

Copy the apache_zerofs.tar.gz file to the other machine and execute the commands below to set up and start the Apache server.

...

Please note that the apacheaem no-login user will have to be created on this machine as well.

Best practices for secure web server

You may follow these best practices to secure the Apache Web Server on a UNIX / Linux machine.

Disable unnecessary modules

If you are planning to install Apache, you should disable the following modules. Running ./configure --help lists all the available modules that you can disable or enable.

...

  • core.c – Apache core module
  • mod_auth* – The various authentication modules
  • mod_log_config.c – Logs client requests; provides additional logging flexibility
  • mod_ssl.c – SSL support
  • prefork.c – The MPM (Multi-Processing Module)
  • http_core.c – Apache HTTP core module
  • mod_mime.c – Sets document MIME types
  • mod_dir.c – Trailing-slash redirect on directory paths; if you request url/test/, it serves url/test/index.html
  • mod_so.c – Loads shared modules during start or restart

Run Apache as separate user and group

By default, Apache may run as nobody or daemon. It is better to run Apache under its own non-privileged account; in this example it has been configured to run as apacheaem.

...

```bash
# ps -ef | grep -i http | awk '{print $1}'
```
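As an added example that is not part of the original page, a shell check that reads ps output and reports httpd children not running as the expected user (the parent legitimately remains root because it bound port 80, as described above). The ps output embedded below is constructed; on a live machine it would come from `ps -eo user,pid,ppid,args`.

```shell
#!/bin/sh
# Added example, not from the original page: check which user each httpd
# process runs as. The parent (started by root via apachectl) legitimately
# stays root because it binds port 80; every child must be the no-login user.

# Constructed sample of `ps -eo user,pid,ppid,args` output, including one
# worker that was wrongly started as root and the grep process itself.
SAMPLE_PS='USER       PID  PPID COMMAND
root         1     0 /sbin/init
root      4211     1 /home/bnsadm/apache2/bin/httpd -k start
apacheaem 4212  4211 /home/bnsadm/apache2/bin/httpd -k start
apacheaem 4213  4211 /home/bnsadm/apache2/bin/httpd -k start
root      4214  4211 /home/bnsadm/apache2/bin/httpd -k start
bnsadm    5120  5001 grep -i http'

# httpd_parent_user  (ps output on stdin) -> user of the httpd process whose
# parent is PID 1, i.e. the listener that bound port 80 (expected: root)
httpd_parent_user() {
    awk 'NR > 1 && $4 ~ /\/httpd$/ && $3 == 1 { print $1; exit }'
}

# misowned_workers EXPECTED_USER  (ps output on stdin)
# Prints "PID USER" for every httpd child not running as EXPECTED_USER.
# Matching on the full binary path avoids counting the grep line itself.
misowned_workers() {
    awk -v want="$1" '
        NR > 1 && $4 ~ /\/httpd$/ && $3 != 1 && $1 != want { print $2, $1 }'
}

# Live usage would be:  ps -eo user,pid,ppid,args | misowned_workers apacheaem
printf '%s\n' "$SAMPLE_PS" | misowned_workers apacheaem
```

An empty result from misowned_workers means every worker dropped to apacheaem as intended; any line printed identifies a child that still holds root and should be investigated before the server is exposed.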

Restrict access to root directory (Use Allow and Deny)

Secure the root directory by setting the following in the httpd.conf

...

  • Options None – Set this to None so that no optional extra features are enabled.
  • Order deny,allow – The order in which the "Deny" and "Allow" directives are processed: "Deny" first, then "Allow".
  • Deny from all – Denies requests from everybody to the root directory. Since there is no Allow directive for the root directory, nobody can access it.

Set appropriate permissions for conf and bin directory

The bin and conf directories should be viewable only by authorized users. It is a good idea to create a group and add every user who is allowed to view or modify the Apache configuration files to this group.

...

```bash
# vi /etc/group
# group members are comma-separated with no spaces; a stray space would make " adam" the member name
apacheadmin:x:1121:rinku,tin,adam
```

Disable Directory Browsing

If you don’t do this, users will be able to see all the files (and directories) under your root (or any sub-directory).

...

```apache
<Directory />
  Options None
  Order allow,deny
  Allow from all
</Directory>
```

(or)

```apache
<Directory />
  Options -Indexes
  Order allow,deny
  Allow from all
</Directory>
```

Don’t allow .htaccess

Using an .htaccess file inside a specific sub-directory under htdocs (or anywhere outside it), users can override the default Apache directives. In certain situations this is undesirable and should be avoided, so you should disable this feature.

...

```apache
<Directory />
  Options None
  AllowOverride None
  Order allow,deny
  Allow from all
</Directory>
```

Disable other Options

Following are the available values for Options directive:

...

  • /site will have Includes and Indexes
  • /site/en will have Indexes and FollowSymLinks

Remove unwanted DSO modules

If you have loaded any dynamic shared object (DSO) modules into Apache, they will be listed in httpd.conf under the "LoadModule" directive. Please note that statically compiled Apache modules are not listed as "LoadModule" directives. Comment out any unwanted "LoadModule" lines in httpd.conf.

```bash
grep LoadModule /home/bnsadm/apache2/conf/httpd.conf
```

Restrict access to a specific network (or ip-address)

If you want your site to be viewed only from a specific IP address or network, do the following: to allow a specific network to access your site, give the network address in the Allow directive.

...

```apache
<Directory /site>
  Options None
  AllowOverride None
  Order deny,allow
  Deny from all
  Allow from 10.10.1.21
</Directory>
```

Don’t display or send Apache version (Set ServerTokens)

By default, the server's HTTP response header contains the Apache and PHP versions, similar to the following. This is harmful, as we don't want an attacker to learn the specific version number.

...
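As an added example (not part of the original page), a small audit script that checks an httpd.conf for the settings described in the sections above: a locked-down root directory (Options None, AllowOverride None, Deny from all), no directory indexes, only the DSO modules that are still wanted, the per-network Allow rule, and ServerTokens. It uses the Apache 2.2 access-control syntax this page uses throughout. The configuration it inspects is a constructed sample with several weak settings left in; the awk helpers assume unquoted paths in <Directory> lines, which is a simplification of real httpd.conf syntax.

```shell
#!/bin/sh
# Added example, not from the original page: audit an httpd.conf (Apache 2.2
# syntax, as used throughout this page) for the hardening settings described
# above: a locked-down <Directory />, no directory indexes, no .htaccess
# overrides, only the DSO modules you actually need, and ServerTokens.

# Constructed sample configuration that still has several weak settings.
WEAK_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
ServerTokens Full
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from all
</Directory>
<Directory /site>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 10.10.1.21
</Directory>
EOF

# directory_block CONF PATH -> body of the <Directory PATH> ... </Directory> block
# (assumes unquoted paths, as written on this page)
directory_block() {
    awk -v p="$2" '
        $1 == "<Directory" && $2 == (p ">") { inblk = 1; next }
        $1 == "</Directory>"                 { inblk = 0 }
        inblk                                 { print }' "$1"
}

# has_setting CONF PATH DIRECTIVE VALUE -> exit 0 if the block sets DIRECTIVE
# to exactly VALUE (VALUE may be multi-word, e.g. "from all").
has_setting() {
    directory_block "$1" "$2" | awk -v d="$3" -v v="$4" '
        $1 == d { rest = $2; for (i = 3; i <= NF; i++) rest = rest " " $i
                  if (rest == v) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# audit_root_dir CONF -> one line per missing hardening setting on <Directory />
audit_root_dir() {
    has_setting "$1" / Options None       || echo "root: Options is not None"
    has_setting "$1" / AllowOverride None || echo "root: AllowOverride is not None (.htaccess honoured)"
    has_setting "$1" / Deny "from all"    || echo "root: missing 'Deny from all'"
}

# indexes_enabled CONF -> every <Directory> path whose Options turn on Indexes
indexes_enabled() {
    awk '
        $1 == "<Directory" { path = $2; sub(/>$/, "", path) }
        $1 == "Options" { for (i = 2; i <= NF; i++) if ($i == "Indexes" || $i == "+Indexes") print path }' "$1"
}

# active_modules CONF -> module names from LoadModule lines that are not commented out
active_modules() {
    awk '$1 == "LoadModule" { print $2 }' "$1"
}

# server_tokens CONF -> the configured ServerTokens value; Apache defaults to Full
server_tokens() {
    v=$(awk '$1 == "ServerTokens" { print $2 }' "$1" | tail -n 1)
    echo "${v:-Full}"
}

audit_root_dir "$WEAK_CONF"
echo "ServerTokens: $(server_tokens "$WEAK_CONF") (want Prod)"
echo "Indexes enabled for: $(indexes_enabled "$WEAK_CONF")"
echo "Loaded DSO modules: $(active_modules "$WEAK_CONF" | tr '\n' ' ')"
```

Run it against /home/bnsadm/apache2/conf/httpd.conf after the configuration steps above; every line it prints is a setting that still differs from the hardened examples on this page. Because the checks compare exact directive values rather than grepping for substrings, a commented-out `#AllowOverride None` or a `LoadModule` line that was merely commented out is reported correctly.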