View source for APACHE2 - Virtual Host Configuration Security Best Practices

[[Category:Wiki]]

'''''[https://it-arts.net/index.php/Category:Wiki Return to Wiki Index]'''''


== Secure ServerTokens and ServerSignature ==

By default, Apache may reveal sensitive information about your server version, OS, and modules. It’s important to disable these headers to minimize information exposure.

 <nowiki>
# Disable ServerTokens to prevent detailed server version disclosure
ServerTokens Prod

# Disable ServerSignature to prevent the display of server version info in error pages
ServerSignature Off</nowiki>

== Restrict Access to Sensitive Files ==

Ensure that sensitive files, like configuration files or backup directories, are not accessible over the web. You can configure Apache to block access to certain files and directories.

 <nowiki>
# Block access to .htaccess, .htpasswd, and other sensitive files
<Directory "/var/www/html">
    <FilesMatch "^(\.ht|\.git)">
        Require all denied
    </FilesMatch>
</Directory></nowiki>

== Enforce HTTPS and Redirect HTTP to HTTPS ==

A key best practice is to enforce HTTPS for all web traffic. This ensures that data is encrypted between the server and the client.

 <nowiki>
# Redirect all HTTP requests to HTTPS
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    SSLCACertificateFile /etc/ssl/certs/CA.crt
</VirtualHost></nowiki>

== Disable Directory Listing ==

Disabling directory listing is a critical measure to prevent attackers from browsing the contents of your directories.

 <nowiki>
# Disable directory listing
<Directory "/var/www/html">
    Options -Indexes
</Directory>
</nowiki>
== Limit Request Methods ==

Limiting the allowed HTTP methods helps mitigate the risk of certain attack vectors, such as Cross-Site Request Forgery (CSRF).

 <nowiki>
# Allow only essential HTTP methods
<Directory "/var/www/html">
    <Limit GET POST>
        Require all granted
    </Limit>
    <Limit DELETE PUT PATCH>
        Require all denied
    </Limit>
</Directory></nowiki>

== Implement ModSecurity for Web Application Firewall ==

ModSecurity is an open-source web application firewall that provides an additional layer of security by detecting and blocking malicious traffic.

 <nowiki>
# Enable ModSecurity and include recommended security rules
<IfModule mod_security2.c>
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess Off
    SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/* "@rx <script" \
        "id:'1000001',phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'XSS Attack Detected'"
</IfModule></nowiki>

== Implement Content Security Policy (CSP) ==

A Content Security Policy (CSP) helps mitigate the risk of Cross-Site Scripting (XSS) attacks by restricting the sources from which content can be loaded.

 <nowiki>
# Set a Content Security Policy header
<VirtualHost *:443>
    Header always set Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self';"
</VirtualHost></nowiki>

== Protect Against Clickjacking ==

Clickjacking is a malicious technique where an attacker tricks a user into clicking on something different from what the user thinks they are clicking on. You can prevent this using HTTP headers.

 <nowiki>
# Disable clickjacking by setting the X-Frame-Options header
<VirtualHost *:443>
    Header always set X-Frame-Options "DENY"
</VirtualHost></nowiki>

== Limit the Number of Connections per IP ==

To prevent denial of service (DoS) attacks, limiting the number of connections from a single IP can help mitigate such attacks.

 <nowiki>
# Limit connections from the same IP address
<IfModule mod_evasive.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSBlockingPeriod 10
</IfModule></nowiki>

== Enable Logging and Monitoring ==

Enable detailed logging to track access attempts, errors, and other potentially malicious activities. Logs should be stored in secure locations, with proper access controls.

 <nowiki>
# Enable logging for monitoring
<VirtualHost *:443>
    CustomLog /var/log/apache2/ssl_access_log combined
    ErrorLog /var/log/apache2/ssl_error_log
</VirtualHost></nowiki>

== Disable Unnecessary Modules ==

Disabling unnecessary Apache modules reduces the attack surface of the server. Keep only the modules that are essential for your use case.

 <nowiki>
# Disable unused modules
<IfModule mod_load.c>
    # Example: Disable mod_php if not needed
    # LoadModule php7_module modules/mod_php7.so
</IfModule></nowiki>

== Secure File Permissions ==

Ensure that file permissions are set correctly to avoid unauthorized access to your website’s files.

 <nowiki>
# Set correct file permissions
# Directories should be 755
# Files should be 644
# .htaccess should be 644</nowiki>

== Useful Links ==

* [Apache HTTP Server Documentation](https://httpd.apache.org/docs/)
* [OWASP Apache Security Project](https://owasp.org/www-project-apache/)
* [ModSecurity GitHub Repository](https://github.com/SpiderLabs/ModSecurity)
* [Mozilla Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
* [Apache Security Best Practices](https://www.acs.com/resources/Manuals/apache-security-guide.pdf)