CentOS 6 – Apache Web Server

Install, Configure and Secure

Environment

Fresh install of CentOS-6.3-x86_64-minimal with the latest updates applied:

yum update -y

 # uname -sro
Linux 2.6.32-279.22.1.el6.x86_64 GNU/Linux

I used nano as the text editor, but you can just as easily use vi

yum install -y nano

Prerequisites

Configure Firewall

The rule set below only lets in SSH (22), HTTP (80) and HTTPS (443). If the host already relies on other rules, add them back here rather than replacing them.

nano /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
service iptables restart

Install

Install Apache (httpd)

yum install -y httpd mod_ssl

Tune and Secure

Apache Configuration Files – A quick explanation

When Apache starts, it reads one or more configuration files to see what settings it should have. The first file it normally reads is /etc/httpd/conf/httpd.conf, which it processes line by line; a directive that is set again later in the read order replaces the earlier value. For example, if line 6 said ‘fruit apple’ and line 10 said ‘fruit orange’, then once Apache has finished reading all of its configuration files the value of fruit would be orange, as that was the last value read.

There is a special line in a configuration file that tells Apache to pause reading the current file and read one or more other configuration files before continuing. This line starts with Include, for example Include conf.d/*.conf, which tells Apache to read, in alphabetical order, every file ending in ‘.conf’ in the directory ‘/etc/httpd/conf.d/’; that Include line is present on a standard install.

If one of the included files also set ‘fruit’, that value would replace the current one. The final value, however, is only settled once Apache has read to the bottom of its initial file, normally /etc/httpd/conf/httpd.conf, so a ‘fruit none’ on the last line of httpd.conf would win over anything set in the included files.
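The read order described above is easy to get wrong by hand, so here is a small helper (an added example, not code from the original page) that walks a configuration the way httpd does, following each Include as it meets it, and prints every place a directive is set; the last line printed is the value that takes effect. trace_directive and winning_value are hypothetical names, the layout assumed is the CentOS 6 one (ServerRoot /etc/httpd, conf/httpd.conf, Include conf.d/*.conf), and <IfModule>/<Directory>/<VirtualHost> context is deliberately ignored, so it answers “which file wins for the main server”, not “what applies to this request”.

```sh
#!/bin/sh
# Added example, not from the original page: trace where an Apache directive is set,
# in the order httpd reads its configuration, following Include lines as it goes.
# Apache keeps the last value read, so the last line printed is the one in effect.
# Simplifications: directive context (<IfModule>, <Directory>, <VirtualHost>) is
# ignored, and Include of a bare directory (rather than a file or glob) is not followed.

# trace_directive DIRECTIVE FILE SERVERROOT  -> lines of "file:lineno value", in read order
trace_directive() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')        # directive names are case-insensitive
    file=$2
    root=$3
    n=0
    while read -r first rest || [ -n "$first" ]; do  # read splits off the first word for us
        n=$((n + 1))
        case $first in
            ''|'#'*) continue ;;                      # blank line or comment
        esac
        name=$(printf '%s' "$first" | tr 'A-Z' 'a-z')
        if [ "$name" = include ]; then
            rest=${rest#\"}; rest=${rest%\"}          # Include "conf.d/*.conf" is also legal
            case $rest in                             # relative paths resolve against ServerRoot
                /*) pattern=$rest ;;
                *)  pattern=$root/$rest ;;
            esac
            # The glob expands in sorted order, which is why 1.global.conf is read before
            # ssl.conf. The recursion runs in a subshell so it cannot clobber this
            # level's file/n variables (sh function variables are global).
            for inc in $pattern; do
                [ -f "$inc" ] && ( trace_directive "$want" "$inc" "$root" )
            done
        elif [ "$name" = "$want" ]; then
            printf '%s:%s %s\n' "$file" "$n" "$rest"
        fi
    done < "$file"
    return 0
}

# winning_value DIRECTIVE FILE SERVERROOT -> the value httpd ends up with
winning_value() {
    trace_directive "$@" | tail -n 1 | cut -d ' ' -f 2-
}

# On a CentOS 6 host: show where ServerSignature is set and which value wins.
if [ -f /etc/httpd/conf/httpd.conf ]; then
    trace_directive ServerSignature /etc/httpd/conf/httpd.conf /etc/httpd
    echo "effective: $(winning_value ServerSignature /etc/httpd/conf/httpd.conf /etc/httpd)"
fi
```

Run against a stock CentOS 6 install with a ServerSignature Off in conf.d/1.global.conf, the trace shows the conf.d line first and the httpd.conf line (after the Include) last, which is exactly why that directive has to be changed in the main file. The real check of the merged result, context included, is httpd -S and httpd -t.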

Creating a Global config file

The best way to manage Apache’s settings is to create your own configuration files in /etc/httpd/conf.d/. This way you can easily see what changes you have made to the system should something need changing, and you can easily revert the system back should something go wrong.

By default, Apache reads /etc/httpd/conf/httpd.conf as mentioned earlier. Part way through this file is an Include line which instructs Apache to read all configuration files in the directory ‘/etc/httpd/conf.d/’, so that directory is a good place for a global configuration file. Apache expands the wildcard in alphabetical order, so we give the file a name that sorts before the others (1.global.conf is read before ssl.conf) to make sure it is read first.

nano /etc/httpd/conf.d/1.global.conf

Inside this file, add the following; each setting is explained in the Explanation section further on:

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Header append Vary Accept-Encoding

<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
  Header set Cache-Control "max-age=604800, public"
</filesMatch>

Header always set X-Frame-Options SAMEORIGIN

TraceEnable off

ServerTokens Minimal

Modify main config file

The following settings appear after the Include conf.d/*.conf line in /etc/httpd/conf/httpd.conf, so a value placed in our global config file would be overridden again, as explained earlier; they have to be changed in the main file itself.

nano /etc/httpd/conf/httpd.conf
ServerSignature Off

The following line is inside the <Directory "/var/www/html"> block, around line 331, and reads Options Indexes FollowSymLinks by default. Change it to:

Options FollowSymLinks

Don’t write Options -Indexes FollowSymLinks: Apache rejects an Options line that mixes values carrying a + or - prefix with values that have none, and refuses to start. Either drop Indexes from the list, as above, or prefix every value (Options -Indexes +FollowSymLinks).

Explanation

Compress Content

This configures Apache to compress content when the browser says it supports it (via Accept-Encoding). Images and PDFs are already compressed, so they are excluded; the BrowserMatch lines work around gzip bugs in old Netscape 4 and Internet Explorer releases. One caveat: compression applies to dynamic pages too, and compressing a response that contains both a secret (a session or CSRF token) and text an attacker can influence is what the BREACH attack exploits, so consider serving such pages uncompressed.

SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary

Vary: Accept-Encoding

Header append Vary Accept-Encoding

This tells any cache between the server and the browser (a proxy, a CDN) that the response differs according to the Accept-Encoding the client sent, so a gzip-compressed copy is not handed to a client that did not ask for gzip and could not decode it.

Cache-Control

<filesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$">
  Header set Cache-Control "max-age=604800, public"
</filesMatch>

This tells browsers, and because of public shared caches as well, that these static file types may be reused for 604800 seconds (seven days) without asking the server again. The catch is that a changed .js or .css file will not reach returning visitors within that week unless it is served under a new name or query string.

Prevent ClickJacking

Header always set X-Frame-Options SAMEORIGIN

X-Frame-Options: SAMEORIGIN tells the browser to refuse to render your page inside a frame or iframe on another site, which is how clickjacking works: the victim’s click lands on your page, hidden under a decoy on the attacker’s site. The header takes a single value, so it is written with set rather than append; appending to an existing value produces an ambiguous header that browsers may ignore altogether. always makes Apache add it to error responses as well.

Disable HTTP TRACE

TraceEnable off

The TRACE method makes the server echo the request back to the client, headers included. Script on a page that can issue a TRACE (cross-site tracing) can thereby read headers such as Cookie or Authorization that it could not otherwise see. With TraceEnable off, Apache answers 405 Method Not Allowed.

Reduce advertised information

ServerTokens Minimal
ServerSignature Off

These two settings reduce the amount of information your server advertises. Not really a major security concern but the less someone knows about your server, the better in my opinion. Note that ServerTokens Minimal still sends the version (Server: Apache/2.2.15); ServerTokens Prod reduces the header to Server: Apache. ServerSignature Off removes the version footer from server-generated pages such as 404 errors.

Disable directory browsing

Options FollowSymLinks

This setting stops the server listing the files in a directory that has no default document such as ‘index.html’ or ‘index.php’, which otherwise exposes backups, uploads and anything else left lying around. It replaces the default Options Indexes FollowSymLinks; writing -Indexes next to a bare FollowSymLinks is a syntax error that stops Apache starting.
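Before relying on the external scanners listed below, check the result locally. The script that follows is an added example, not code from the original page: audit_headers reads raw response headers on stdin (what curl -sI prints) and reports the settings from this page that are missing or wrong, restart_httpd applies the edited configuration safely (syntax check first), and check_live runs the two checks that need a real server (TRACE should answer 405, HTML should come back gzip-compressed). The SAMPLE_* header blocks are constructed, not captured from a server, and the Server check assumes ServerTokens Prod: with the page’s Minimal the version is still visible and gets reported.

```sh
#!/bin/sh
# Added example, not from the original page. audit_headers: raw response headers on
# stdin, one finding per line on stdout, number of findings as return value (0 = clean).

# header_value NAME: print the value(s) of header NAME from stdin, case-insensitive
header_value() {
    tr -d '\r' | awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        {
            i = index($0, ":"); if (i == 0) next            # status line or garbage
            if (tolower(substr($0, 1, i - 1)) == want) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v
            }
        }'
}

audit_headers() {
    hdrs=$(tr -d '\r')                 # buffer stdin so it can be scanned several times
    count=0

    server=$(printf '%s\n' "$hdrs" | header_value Server)
    case $server in
        *[0-9].[0-9]*)                 # a version number means ServerTokens is not Prod
            echo "Server header shows a version: $server"; count=$((count + 1)) ;;
    esac

    xfo=$(printf '%s\n' "$hdrs" | header_value X-Frame-Options | tr 'a-z' 'A-Z')
    case $xfo in
        DENY|SAMEORIGIN) ;;
        '') echo "X-Frame-Options missing: page can be framed (clickjacking)"; count=$((count + 1)) ;;
        *)  echo "X-Frame-Options has a value browsers will not honour: $xfo"; count=$((count + 1)) ;;
    esac

    vary=$(printf '%s\n' "$hdrs" | header_value Vary)
    case $vary in
        *[Aa]ccept-[Ee]ncoding*) ;;
        *) echo "Vary lacks Accept-Encoding: a cache may serve gzip bodies to clients that cannot decode them"
           count=$((count + 1)) ;;
    esac

    return $count
}

# Constructed samples: a stock CentOS 6 response, the response after this page's config
# (with ServerTokens Prod), and what `Header append` produces when the app already set it.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Tue, 12 Mar 2013 10:00:00 GMT
Server: Apache/2.2.15 (CentOS)
Content-Type: text/html; charset=UTF-8'
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
Vary: User-Agent,Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'
SAMPLE_DOUBLE_XFO='HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

# On the server: syntax-check before restarting, and make httpd start at boot.
restart_httpd() {
    service httpd configtest && service httpd restart && chkconfig httpd on
}

# Against a running server (not run here): headers, TRACE disabled, compression on.
check_live() {
    url=$1
    curl -sI "$url" | audit_headers || echo "$? finding(s) on $url"
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "$url")
    [ "$code" = 405 ] || echo "TRACE answered $code, expected 405"
    curl -sI -H 'Accept-Encoding: gzip' "$url" | header_value Content-Encoding | grep -q gzip \
        || echo "no gzip for $url"
}

printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || echo "before: $? finding(s)"
printf '%s\n' "$SAMPLE_AFTER"  | audit_headers && echo "after: clean"
if [ $# -ge 1 ]; then check_live "$1"; fi
```

Run it with a URL argument (sh audit.sh http://your-host/) once restart_httpd has been executed on the server; without an argument it only audits the three constructed samples.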

Test

There are many sites out there for testing, but here are some of my favourites.

Performance

Pingdom Tools – Tests the load time of your page and offers recommendations

Google PageSpeed –

Load Impact – Load testing and reporting

Blitz – Load testing and reporting

Security

Kyplex – I’ve known this company since it started and their security scanner has always proved worthwhile.

Qualys – Read through their results thoughtfully because they are a bit OTT.

Monitor

Pingdom – Uptime and performance monitoring