APACHE2 - Virtual Host Configuration Security Best Practices

From IT-Arts.net




Secure ServerTokens and ServerSignature

By default Apache announces its version, the operating system and loaded modules in the Server response header and in the footer of server-generated error pages. Withholding this does not stop a determined attacker from fingerprinting Apache, but it denies automated scanners the exact version string they match against known vulnerabilities. Note that ServerTokens is valid only in the main server configuration (it cannot be set per virtual host), and ServerTokens Prod is the minimum Apache allows: these directives cannot remove the Server header entirely.

# Send only "Server: Apache" (no version, OS or module list). Main server configuration only.
ServerTokens Prod

# Omit the version footer from server-generated error pages and directory listings
ServerSignature Off

Restrict Access to Sensitive Files

Files that live under the document root but are not meant to be served (.htaccess and .htpasswd, version-control metadata such as a .git directory, .env files, editor and backup copies) must be denied explicitly: Apache serves anything under the DocumentRoot that no rule blocks. Be aware that FilesMatch tests only the file name of the requested resource, so a pattern for ".git" never matches /.git/config (the file name is "config"); directories need DirectoryMatch. Better still, keep such files outside the document root entirely.

# Deny every dotfile (.htaccess, .htpasswd, .env, ...) and common backup copies
<Directory "/var/www/html">
    <FilesMatch "^\.|\.(bak|old|orig)$|~$">
        Require all denied
    </FilesMatch>
</Directory>

# A .git directory needs DirectoryMatch: FilesMatch sees only the file name ("config", "HEAD")
<DirectoryMatch "/\.git(/|$)">
    Require all denied
</DirectoryMatch>

Enforce HTTPS and Redirect HTTP to HTTPS

Serving everything over HTTPS protects the confidentiality and integrity of traffic between client and server; plain HTTP exposes session cookies and form data to anyone on the path. Redirect port 80 to the HTTPS site and, once every host under the domain serves HTTPS, send a Strict-Transport-Security header so browsers stop issuing even the first request in clear text. Put the intermediate certificates in the file named by SSLCertificateFile after the server certificate; SSLCACertificateFile is for verifying client certificates and does nothing for the server's own chain.

# Redirect every HTTP request to HTTPS; "permanent" (301) lets browsers and caches remember it
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Server certificate followed by the intermediate chain in one file (SSLCertificateChainFile is deprecated since 2.4.8)
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # SSLCACertificateFile is only for verifying client certificates (SSLVerifyClient); it is not needed here
    # TLSv1.3 needs httpd 2.4.37+ built against OpenSSL 1.1.1 or later
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    # Needs mod_headers. Start with a short max-age; add includeSubDomains only once every subdomain serves HTTPS
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>

Disable Directory Listing

If a request names a directory without an index file and mod_autoindex is loaded, Apache generates a listing of its contents, which hands an attacker file names, backup copies and upload directories for free. Options -Indexes turns the listing off; disabling mod_autoindex (see the modules section below) removes the capability altogether.

# Disable directory listing
<Directory "/var/www/html">
    Options -Indexes
</Directory>

Limit Request Methods

Restricting methods removes request handlers the application does not use: PUT, DELETE and PATCH can modify content if a WebDAV or upload handler is reachable, and TRACE echoes the request (cookies included) back to the client. It does not mitigate Cross-Site Request Forgery: CSRF rides on the GET and POST requests that must stay allowed, so CSRF protection belongs in the application (anti-forgery tokens, SameSite cookies). Use LimitExcept rather than a list of Limit blocks: Limit only restricts the methods it names, so OPTIONS, PROPFIND and any made-up method fall through untouched. An API that legitimately uses PUT or DELETE needs its own Location with a wider list.

# Allow only the methods the application handles; everything else (including unknown methods) is denied
<Directory "/var/www/html">
    Require all granted
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
</Directory>

# <Limit> sections do not catch TRACE; turn it off in the main server configuration
TraceEnable Off

Implement ModSecurity for Web Application Firewall

ModSecurity is an open-source web application firewall module (mod_security2) that inspects requests against rules before the application sees them. Handwritten signatures are brittle: a rule that applies t:urlDecodeUni but not t:lowercase catches %3Cscript but lets <SCRIPT or <ScRiPt straight through, and the XML:/* collection is populated only when the XML request body processor is enabled. Treat the rule below as an illustration of the transformation chain and deploy the OWASP Core Rule Set for real coverage. Run with SecRuleEngine DetectionOnly first and review the audit log before switching to On, because false positives block legitimate users.

# Enable ModSecurity; use SecRuleEngine DetectionOnly until the audit log shows no false positives
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log
    # Production deployments should include the OWASP Core Rule Set here (installed separately; path varies by distribution)
    # Illustrative single rule: decode, then lowercase, so "<SCRIPT" and "%3Cscript" are both caught
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "@rx <script" \
        "id:1000001,phase:2,t:none,t:urlDecodeUni,t:lowercase,deny,status:403,log,msg:'XSS attack detected'"
</IfModule>
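The transformation chain is where handwritten rules usually go wrong. The Python below is an added example, not code from the wiki page or from ModSecurity itself: it re-implements an approximation of the t:urlDecodeUni and t:lowercase transformations and runs the rule's @rx <script operator over constructed payloads, first with the chain t:none,t:urlDecodeUni and then with t:lowercase appended, so the case bypass and its fix can be seen without a running server. The function names and payloads are the example's own.

```python
import re
from typing import Callable, Dict, List

# Added example: approximations of two ModSecurity transformations (not the module's own code).
# ModSecurity's urlDecodeUni also handles some IIS-specific encodings that are omitted here.
_ENCODED = re.compile(r"%[uU][0-9a-fA-F]{4}|%[0-9a-fA-F]{2}|\+")


def t_url_decode_uni(value: str) -> str:
    """Decode %XX, %uXXXX and '+' as the urlDecodeUni transformation does (approximation)."""
    def repl(m):
        token = m.group(0)
        if token == "+":
            return " "
        if token[1] in "uU":
            return chr(int(token[2:], 16))
        return chr(int(token[1:], 16))
    return _ENCODED.sub(repl, value)


def t_lowercase(value: str) -> str:
    """The lowercase transformation."""
    return value.lower()


def rule_matches(value: str, transforms: List[Callable[[str], str]], pattern: str = r"<script") -> bool:
    """Apply the transformation chain in order, then evaluate the @rx operator."""
    for transform in transforms:
        value = transform(value)
    return re.search(pattern, value) is not None


# Chain from a rule with t:none,t:urlDecodeUni only, and the hardened chain with t:lowercase added
NAIVE_CHAIN = [t_url_decode_uni]
HARDENED_CHAIN = [t_url_decode_uni, t_lowercase]

# Constructed payloads for the demonstration (not captured traffic)
PAYLOADS: Dict[str, str] = {
    "plain": "<script>alert(1)</script>",
    "upper": "<SCRIPT>alert(1)</SCRIPT>",
    "url_encoded": "%3Cscript%3Ealert(1)%3C/script%3E",
    "unicode_encoded": "%u003Cscript%u003Ealert(1)",
    "mixed_case_encoded": "%3CScRiPt%3E",
    "benign": "the film script was rewritten",
}


def evaluate(chain: List[Callable[[str], str]]) -> Dict[str, bool]:
    """Map each payload name to whether the rule blocks it under the given transformation chain."""
    return {name: rule_matches(payload, chain) for name, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for label, chain in (("t:urlDecodeUni only", NAIVE_CHAIN), ("with t:lowercase", HARDENED_CHAIN)):
        blocked = [name for name, hit in evaluate(chain).items() if hit]
        print(f"{label:22s} blocks: {', '.join(blocked)}")
```

Under the first chain the upper and mixed_case_encoded payloads pass untouched; adding t:lowercase blocks them while the benign string still passes. A rule that relies on t:lowercase must of course keep its own pattern in lowercase.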

Implement Content Security Policy (CSP)

A Content Security Policy tells the browser which origins it may load scripts, styles, images and frames from; injected inline script is refused under script-src 'self', which blunts most XSS payloads even when the application's output encoding fails. The policy below also forbids inline styles and scripts, so an application that relies on them will break: deploy it first as Content-Security-Policy-Report-Only with a report-uri or report-to endpoint, fix the violations, then enforce. The Header directive needs mod_headers, and it must sit inside the example.com <VirtualHost *:443> block (or at server scope): a second <VirtualHost *:443> does not supplement the first, Apache treats it as a separate name-based virtual host.

# Requires mod_headers. Add inside the example.com <VirtualHost *:443> block, alongside the SSL directives.
# frame-ancestors is the CSP form of the clickjacking protection described in the next section
Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self'; frame-ancestors 'none'"

Protect Against Clickjacking

Clickjacking embeds your page in an invisible frame on an attacker-controlled site, so that a click the user intends for a visible decoy lands on your button. The X-Frame-Options header tells the browser not to render the page inside a frame at all (DENY) or only inside frames from the same origin (SAMEORIGIN); the frame-ancestors directive of Content-Security-Policy is the current standard and takes precedence where both are present, so send both.

# Requires mod_headers. Add inside the example.com <VirtualHost *:443> block; use SAMEORIGIN only if your own pages frame each other
Header always set X-Frame-Options "DENY"
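To confirm what a virtual host actually sends, inspect a response rather than the configuration. The Python below is an added example, not part of the wiki page: it parses a raw HTTP/1.x response and runs the checks behind the ServerTokens, Content-Security-Policy, X-Frame-Options and Strict-Transport-Security sections, flagging a Server header that still carries a version or OS, a CSP without default-src or with 'unsafe-inline' in script sources, missing framing protection, and a short or absent HSTS max-age. The two responses at the bottom are constructed samples (not captured from a real server), and the function names and the 180-day HSTS threshold are the example's own choices; in practice feed it the bytes read from a socket or from openssl s_client.

```python
import re
from typing import Dict, List

# Added example: a response-header audit for the controls on this page (not Apache code).


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Split a raw HTTP/1.x response into a lower-cased header dict (a repeated header keeps its last value)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """'default-src 'self'; script-src 'self' cdn' -> {'default-src': ["'self'"], 'script-src': ["'self'", 'cdn']}"""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


MIN_HSTS_AGE = 180 * 24 * 3600  # 180 days; a common minimum recommendation, chosen for this example


def audit(raw: bytes) -> List[str]:
    """Return findings for one response; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: List[str] = []

    # ServerTokens Prod leaves just the product name; a "/version" or "(OS)" part means a weaker setting
    server = h.get("server", "")
    if re.search(r"/\d", server) or "(" in server:
        findings.append(f"Server header leaks version or OS details: {server!r}")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        for directive in ("script-src", "default-src"):
            for src in csp.get(directive, []):
                if src in ("'unsafe-inline'", "'unsafe-eval'", "*"):
                    findings.append(f"CSP {directive} allows {src}")

    # Framing: X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors must be present
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not csp.get("frame-ancestors"):
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("Strict-Transport-Security missing or max-age below 180 days")
    return findings


# Constructed sample responses (not captured from a real server)
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html></html>"
)
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Security-Policy: default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self'; frame-ancestors 'none'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n<html></html>"
)

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(response) or ["ok"])
```

The weak sample trips all five checks; the hardened one, which corresponds to the directives on this page plus HSTS, produces no findings. The checks are deliberately strict about the Server header: anything after the product name counts as a leak.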

Limit the Number of Connections per IP

Per-client rate limiting with mod_evasive blocks an address that requests the same page, or the site as a whole, faster than a legitimate browser would; it is a useful brake on single-source floods, password brute forcing and aggressive scanners. It is no defence against a distributed attack, where each source stays under the threshold, and behind a reverse proxy or CDN every request carries the proxy's address: configure mod_remoteip or whitelist the proxy, or the first burst blocks all of your users at once. The values below are the module's defaults; they are tight for pages that pull many assets from one client, so measure against real traffic before enforcing.

# Per-client request rate limits; the module's source file is mod_evasive20.c, so that is the IfModule name
<IfModule mod_evasive20.c>
    DOSHashTableSize 3097
    # Block after more than DOSPageCount requests for the same URI within DOSPageInterval seconds
    DOSPageCount 2
    DOSPageInterval 1
    # Block after more than DOSSiteCount requests for any URI within DOSSiteInterval seconds
    DOSSiteCount 50
    DOSSiteInterval 1
    # Seconds the client keeps receiving 403 after tripping a limit
    DOSBlockingPeriod 10
    DOSLogDir /var/log/mod_evasive
    # Never block your own monitoring or an upstream proxy: DOSWhitelist 127.0.0.1
</IfModule>

Enable Logging and Monitoring

Keep per-site access and error logs so that probes, authentication failures and application errors can be correlated with the controls above (a run of 403s against dotfiles is exactly what the FilesMatch rule produces when someone scans you). The combined format records the referer and User-Agent, which help separate scanners from browsers. Logs must not be readable by the web server account or by ordinary users, since they contain client addresses and sometimes credentials passed in query strings; on Debian /var/log/apache2 is owned by root:adm with mode 0750, and should stay that way. Rotate them and ship copies off the host so that an intruder who gains the web server account cannot erase their tracks. If the server sits behind a proxy, %h records the proxy's address; enable mod_remoteip so the real client address is logged.

# Inside the example.com <VirtualHost *:443> block. combined = client, time, request line, status, size, referer, User-Agent
CustomLog /var/log/apache2/ssl_access_log combined
ErrorLog /var/log/apache2/ssl_error_log
# warn is the default; raise it only while debugging, and never run debug/trace levels in production (they log request internals)
LogLevel warn
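Logging only pays off if something reads the result. The Python below is an added example, not part of the wiki page: it parses lines in Apache's combined format and reports requests for the kind of sensitive paths the FilesMatch and DirectoryMatch rules above deny, any such request that nonetheless got a 200 (the rules are not working), and client addresses whose 403/404 count crosses a threshold, the pattern mod_evasive or a fail2ban-style ban would act on. The log lines are constructed samples using RFC 5737 documentation addresses, and the path patterns and threshold are the example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Added example: scanner for Apache "combined" access logs (not part of the wiki page).
# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths the page's deny rules are meant to cover (example's own list; extend for your application)
SENSITIVE_PATH_RE = re.compile(
    r"/\.(git|svn|env|ht)|wp-config\.php|\.(bak|old|orig|sql)$|~$", re.IGNORECASE
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: List[str], error_threshold: int = 5) -> Dict[str, object]:
    """Flag sensitive-path requests, those that succeeded, and clients with many 403/404 responses."""
    sensitive = []
    unparsed = []
    errors_by_ip: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)  # malformed lines deserve a look too: log injection or a format change
            continue
        if SENSITIVE_PATH_RE.search(rec["path"]):
            sensitive.append((rec["ip"], rec["method"], rec["path"], int(rec["status"])))
        if rec["status"] in ("403", "404"):
            errors_by_ip[rec["ip"]] += 1
    return {
        "sensitive": sensitive,
        "served_sensitive": [hit for hit in sensitive if hit[3] == 200],  # the deny rules failed here
        "scanners": sorted(ip for ip, count in errors_by_ip.items() if count >= error_threshold),
        "unparsed": unparsed,
    }


# Constructed sample (documentation addresses, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /.git/config HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /backup.sql HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "POST /login HTTP/1.1" 302 0 "https://example.com/" "Mozilla/5.0"
"""


def scan_sample() -> Dict[str, object]:
    """Run the scanner over the embedded sample."""
    return scan(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for key, value in scan_sample().items():
        print(f"{key}: {value}")
```

On the sample, 198.51.100.7 is reported as a scanner (five 403/404 responses in a few seconds) and the request from 192.0.2.9 for /.git/HEAD that returned 200 lands in served_sensitive, which is the line that should page someone: the deny rules did not apply to that path. Point the same scan at the real ssl_access_log with open(...).readlines().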

Disable Unnecessary Modules

Every loaded module is code that parses untrusted input inside the web server process, and some (status, info, autoindex, userdir, cgi, dav) expose information or capabilities by default. List what is loaded and disable what the site does not need; on Debian-based systems modules are toggled with a2enmod/a2dismod, elsewhere by commenting out the LoadModule line in httpd.conf. Disabling autoindex is the definitive fix for directory listings, and mod_php should go if PHP is served through php-fpm or not at all.

# List the modules currently loaded
apachectl -M

# Debian/Ubuntu: disable by name, then reload
a2dismod status autoindex userdir
systemctl reload apache2

# Other layouts: comment out the LoadModule line in httpd.conf, e.g. mod_php if PHP is not needed (file name varies by build)
# LoadModule php7_module modules/libphp7.so

Secure File Permissions

The web server account (www-data on Debian, apache on Red Hat derivatives) must be able to read the site but should not own it or be able to write it, except for directories the application genuinely needs to write (uploads, caches); otherwise a single code-execution bug lets an attacker rewrite the site. Nothing under the document root should be world-writable. The TLS private key named by SSLCertificateKeyFile must be readable by root only: Apache reads it during startup before dropping privileges, so the web server account never needs access.

# Code owned by root (or a deploy user) and readable, but not writable, by the web server account
chown -R root:www-data /var/www/html
find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +
# Only directories the application must write (if any) get group write access
chmod 775 /var/www/html/uploads
# The TLS private key stays readable by root only
chmod 600 /etc/ssl/private/example.com.key
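A one-off chmod drifts as deployments add files, so the rules need re-checking. The Python below is an added example, not part of the wiki page: it walks a web root and reports what violates the rules above (world-writable entries, anything whose mode is not 755 for directories or 644 for files, symlinks, which may point outside the document root, and, when the web server's uid/gid is supplied, entries that account could write). build_sample_tree constructs a throw-away tree in a temporary directory so the check can be exercised without a real web root; the function names are the example's own.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Tuple

# Added example: web-root permission audit (not part of the wiki page).


def audit_tree(root: str, web_uid: int = -1, web_gid: int = -1) -> List[Tuple[str, str]]:
    """Return (path, problem) pairs for everything under root that breaks the 755/644 rule.

    web_uid/web_gid: the account Apache runs as (e.g. www-data), if known; -1 skips the ownership check.
    """
    findings: List[Tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):  # os.walk does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: check its target and whether FollowSymLinks is really needed"))
                continue
            mode = stat.S_IMODE(st.st_mode)
            expected = 0o755 if stat.S_ISDIR(st.st_mode) else 0o644
            if mode & stat.S_IWOTH:
                findings.append((path, f"world-writable ({oct(mode)})"))
            elif mode != expected:
                findings.append((path, f"mode {oct(mode)} is not {oct(expected)}"))
            # The web server account can write if it owns the entry or its group has write access
            if st.st_uid == web_uid or (st.st_gid == web_gid and mode & stat.S_IWGRP):
                findings.append((path, "writable by the web server account"))
    return findings


def build_sample_tree() -> str:
    """Constructed fixture: one correct file, a root-only config, a world-writable .htaccess and upload dir."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # chmod after mkdir so the umask does not interfere
    for name, mode in (("index.html", 0o644), ("config.php", 0o600), (".htaccess", 0o666)):
        path = os.path.join(root, name)
        with open(path, "w", encoding="ascii") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    return root


def audit_sample() -> List[Tuple[str, str]]:
    """Audit the fixture, clean it up, and return findings with paths relative to the fixture root, sorted."""
    root = build_sample_tree()
    try:
        return sorted((os.path.relpath(path, root), why) for path, why in audit_tree(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, why in audit_sample():
        print(f"{path}: {why}")
```

Run it as root or the deploy user against /var/www/html, passing the web server's ids from pwd.getpwnam("www-data") so the ownership check is active. Note that the 0600 config file in the fixture is reported even though it is stricter than 644: owned by root with that mode, Apache cannot read it, which is a different failure but one you want to know about before the site breaks.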