
The following configuration options in httpd.conf are useful to prevent cross-site scripting and clickjacking attacks:

# Disable TRACK/TRACE

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
TraceEnable off

# Prevent clickjacking

Header always append X-Frame-Options SAMEORIGIN

# Suppress the version string

ServerSignature Off
ServerTokens Prod

In the case of virtual hosts, use the following under each virtualhost:

# Virtualhost Security Configuration

        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]
        ServerSignature Off
        Header always set X-Frame-Options SAMEORIGIN
        Header set X-XSS-Protection "1; mode=block"
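        Header set X-Content-Type-Options "nosniff"
        # "*" lets any origin read responses via CORS; restrict it to specific origins for non-public content
        Header set Access-Control-Allow-Origin "*"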

If you’re using PHP, make sure your configuration file (usually /etc/php.ini) contains:

expose_php = Off

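Verify your configuration. The TRACE request should be refused (403 Forbidden or 405 Method Not Allowed) rather than echoed back: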

curl -v -X TRACE http://www.example.com

OR

curl --insecure -v -X TRACE https://www.example.com/

If you’re using SSL, legacy protocols should be disabled. Add the following to /etc/httpd/conf.d/ssl.conf (and any relevant VirtualHost configurations):

SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder     on
SSLCipherSuite          "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

This should also be added to any virtualhost configuration files:

        Header set Strict-Transport-Security "max-age=31536000; includeSubdomains;"
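
To extend the verification step above beyond TRACE, the following shell functions (an added example, not part of the original post) audit a block of response headers for the security headers and version-string settings configured on this page. The function names and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Usage against a live server:  curl -sI https://www.example.com/ | audit_headers https

# Print the value of the first header named $2 (case-insensitive) in block $1.
header_value() {
    printf '%s\n' "$1" | awk -v n="$2" '
        BEGIN { n = tolower(n) ":" }
        tolower(substr($0, 1, length(n))) == n { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Read response headers on stdin and print one finding per line (no output = clean).
# Pass "https" as $1 to also require Strict-Transport-Security.
audit_headers() {
    hdrs=$(tr -d '\r')
    want="X-Frame-Options X-XSS-Protection X-Content-Type-Options"
    if [ "${1:-}" = https ]; then want="$want Strict-Transport-Security"; fi
    for h in $want; do
        [ -n "$(header_value "$hdrs" "$h")" ] || echo "MISSING $h"
    done
    # ServerTokens Prod reduces the Server header to a bare product name.
    server=$(header_value "$hdrs" Server)
    case $server in */[0-9]*) echo "LEAK Server: $server" ;; esac
    # expose_php = Off removes the X-Powered-By header.
    xpb=$(header_value "$hdrs" X-Powered-By)
    [ -z "$xpb" ] || echo "LEAK X-Powered-By: $xpb"
    return 0
}

# Constructed sample: a response before any of the settings above are applied.
sample_default() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Server: Apache/2.4.6 (CentOS) PHP/5.4.16' \
        'X-Powered-By: PHP/5.4.16' \
        'Content-Type: text/html; charset=UTF-8' ''
}

# Constructed sample: a response after the settings above are applied.
sample_hardened() {
    printf '%s\r\n' 'HTTP/1.1 200 OK' \
        'Server: Apache' \
        'X-Frame-Options: SAMEORIGIN' \
        'X-XSS-Protection: 1; mode=block' \
        'X-Content-Type-Options: nosniff' \
        'Strict-Transport-Security: max-age=31536000; includeSubdomains;' \
        'Content-Type: text/html; charset=UTF-8' ''
}
```

Run it as `sample_default | audit_headers https` to see every finding type, or omit `https` when checking a plain HTTP virtual host, where HSTS does not apply.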
