Apache configuration file httpd.conf: security-related configuration

1, Configure virtual host

Two options required in httpd.conf (CentOS 6.9)

LoadModule vhost_alias_module modules/mod_vhost_alias.so	#Load the module; enabled by default
NameVirtualHost *:80			#Enable NameVirtualHost; commented out by default
1. Based on IP address
  • Configure an additional IP address on eth0 (alias eth0:1)
[root@redwand conf]# ifconfig eth0:1 10.10.10.171
[root@redwand conf]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0C:29:4B:6A:08
          inet addr:10.10.10.170  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe4b:6a08/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:30102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18450 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:27636739 (26.3 MiB)  TX bytes:2391524 (2.2 MiB)

eth0:1    Link encap:Ethernet  HWaddr 00:0C:29:4B:6A:08
          inet addr:10.10.10.171  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  • httpd.conf configuration file
<VirtualHost 10.10.10.170:80>	#Configure vhost170
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html
    ServerName www.mytest.com
    ErrorLog logs/mytest.com-error_log
    CustomLog logs/mytest.com-access_log common
</VirtualHost>
<VirtualHost 10.10.10.171:80>	#Configuring vhost171
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html/test/upload-labs
    ServerName www.upload-labs.com
    ErrorLog logs/upload.com-error_log
    CustomLog logs/upload.com-access_log common
</VirtualHost>
  • Client /etc/hosts
    10.10.10.170 www.mytest.com
    10.10.10.171 www.upload-labs.com
2. Based on domain name
  • httpd.conf configuration file
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html/test/upload-labs
    ServerName www.upload-labs.com
    ErrorLog logs/upload-labs.com-error_log
    CustomLog logs/upload-labs.com-access_log common
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html
    ServerName www.mytest.com
    ErrorLog logs/mytest.com-error_log
    CustomLog logs/mytest.com-access_log common
</VirtualHost>
3. Port based
  • httpd.conf configuration file
Listen 80
Listen 81
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html/test/upload-labs
    ServerName www.mytest.com
    ErrorLog logs/upload-labs.com-error_log
    CustomLog logs/upload-labs.com-access_log common
</VirtualHost>
<VirtualHost *:81>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/html
    ServerName www.mytest.com
    ErrorLog logs/mytest.com-error_log
    CustomLog logs/mytest.com-access_log common
</VirtualHost>

2, Directory access control

1. Default options for an ordinary directory
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

(1) Options
Indexes: enables automatic directory listings, i.e. the "Index of" directory-browsing weakness.
FollowSymLinks: inside the web directory, symbolic links are followed, so the directory a link points to can be requested through the web server.

[root@redwand ~]# mkdir /web
[root@redwand ~]# echo "This is web" > /web/index.html
[root@redwand ~]# ln -s /web /var/www/html
[root@redwand ~]# ll /var/www/html/web
lrwxrwxrwx 1 root root 4 Jan  5 00:26 /var/www/html/web -> /web

With Options -FollowSymLinks (links not followed), requesting /web/ returns:
Forbidden
You don't have permission to access /web/ on this server.
With Options FollowSymLinks, the same request returns the content of the linked file:
This is web
(2) Order allow,deny: which directive takes precedence

Order allow,deny
Allow from 192.168.0.0/24
Deny from 192.168.0.0/24		#This Deny is the one that takes effect
Order deny,allow
Allow from 192.168.0.0/24	#This Allow is the one that takes effect
Deny from 192.168.0.0/24
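As an added illustration (not from the original post): a small Python model of the Apache 2.2 Order/Allow/Deny decision, applied to the two blocks above, so the precedence rule can be checked for any client address. It is an assumption of this model that rules are only CIDR networks or the keyword all; Apache also accepts partial IPs and hostnames.

```python
import ipaddress

def _matches(client_ip, rules):
    """True if the client matches any rule: 'all' or a CIDR network."""
    ip = ipaddress.ip_address(client_ip)
    return any(rule == "all" or ip in ipaddress.ip_network(rule, strict=False)
               for rule in rules)

def access_decision(order, allow_from, deny_from, client_ip):
    """Model the Apache 2.2 Order/Allow/Deny decision for one client.

    Order allow,deny: Allow directives are evaluated first, then Deny; a
    matching Deny wins, and a client matching neither is refused
    (default deny).
    Order deny,allow: Deny directives are evaluated first, then Allow; a
    matching Allow wins, and a client matching neither is admitted
    (default allow).
    """
    allowed = _matches(client_ip, allow_from)
    denied = _matches(client_ip, deny_from)
    if order.lower() == "allow,deny":
        return allowed and not denied
    if order.lower() == "deny,allow":
        return allowed or not denied
    raise ValueError("Order must be allow,deny or deny,allow")

# The two blocks from the page: the same network is both allowed and denied,
# so only the Order decides which directive takes effect.
LAN = ["192.168.0.0/24"]

if __name__ == "__main__":
    for order in ("allow,deny", "deny,allow"):
        for client in ("192.168.0.10", "10.10.10.5"):
            print(order, client, access_decision(order, LAN, LAN, client))
```

The default-directory block on the page (Order allow,deny with Allow from all) admits every client because the Allow matches and no Deny exists.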
2. Special directory access control
Alias /admin/ "/admin/"	#Note the trailing /: if the URL path has it, the file-system path must have it too (virtual directory configuration)
<Directory "/admin">	#Note: no trailing / here
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "admin_web"
    AuthUserFile /etc/httpd/conf/passwd.secret
    Require valid-user	#or: Require user tom bob
</Directory>

htpasswd: creating valid users
-c: Create the password file;
-n: Do not update the file, only print the user name and hashed password to the screen;
-m: Hash the password with MD5 (the default);
-d: Hash the password with crypt();
-p: Do not hash the password, i.e. store it in clear text;
-s: Hash the password with SHA;
-b: Take both the user name and the password from the command line instead of prompting for the password (the password then lands in the shell history and process list);
-D: Delete the specified user.

[root@redwand admin]# htpasswd -cm /etc/httpd/conf/passwd.secret u1_md5 	
[root@redwand admin]# cat /etc/httpd/conf/passwd.secret
u1_md5:$apr1$FgxedXCv$/yZ2BDIodO/yTtPiRzGS/1
u2_crypt:SkggAh44MvTP6
u3:123456
u4_sha:{SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
3. Capturing the requests to the protected directory

http://10.10.10.170/admin/
The first request receives the authentication challenge, and the browser shows the login box.

The second request carries the account name and password entered into the box.

The captured credentials turn out to be only base64-encoded, not encrypted; decoding them recovers the account and password as follows.
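An added example, not part of the original post: decoding the captured Basic header (a constructed sample for u4_sha / 123456, the password the page itself uses) and checking it against the passwd.secret entries shown above. Verification uses the standard library for the {SHA} and plain-text formats; $apr1$ entries are only classified, and the audit function lists the entries stored in unsalted or clear form.

```python
import base64
import hashlib
import re
# Constructed sample (not from the original post): what the browser sends on
# the second request after the user types u4_sha / 123456 into the dialog.
CAPTURED_HEADER = "Authorization: Basic dTRfc2hhOjEyMzQ1Ng=="

# /etc/httpd/conf/passwd.secret exactly as shown on the page, parsed to a dict.
PASSWD_FILE = """u1_md5:$apr1$FgxedXCv$/yZ2BDIodO/yTtPiRzGS/1
u2_crypt:SkggAh44MvTP6
u3:123456
u4_sha:{SHA}fEqNCco3Yq9h5ZUglD3CZJT4lBs=
"""
USERS = dict(l.split(":", 1) for l in PASSWD_FILE.splitlines() if ":" in l)

def decode_basic(header):
    """(user, password) from a Basic header; base64 is encoding, not encryption."""
    m = re.match(r"Authorization:\s*Basic\s+(\S+)\s*$", header)
    if not m:
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
    return user, password

def scheme_of(stored):
    """htpasswd storage format of one stored value (the -m/-d/-p/-s flags)."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"   # salted, iterated MD5: the default (-m)
    if stored.startswith("{SHA}"):
        return "sha1"       # unsalted SHA-1 (-s)
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt"      # DES crypt (-d): only the first 8 chars count
    return "plain"          # -p: stored in clear

def verify_password(user, password, users=USERS):
    """True/False where the stdlib can check; None for apr1-md5 (Apache's own)."""
    stored = users.get(user)
    if stored is None:
        return False
    scheme = scheme_of(stored)
    if scheme == "plain":
        return stored == password
    if scheme == "sha1":
        digest = hashlib.sha1(password.encode()).digest()
        return stored == "{SHA}" + base64.b64encode(digest).decode()
    return None

def weak_entries(users=USERS):
    """Users whose stored form is unsalted or clear and should be re-hashed."""
    return sorted(u for u, s in users.items() if scheme_of(s) != "apr1-md5")
```

Because the header is reversible, Basic auth on a plain-HTTP vhost hands the password to anyone on the path; the realm only holds up behind TLS.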

3, Other details

1. The role of ServerTokens:

It controls how much the HTTP Server header reveals, so that the exact Apache version cannot be read by nmap and similar scanners.

  • ServerTokens Full
    Response header: Server: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips mod_wsgi/3.2 Python/2.6.6 mod_perl/2.0.4 Perl/v5.10.1
  • ServerTokens OS (the default configuration)
    Response header: Server: Apache/2.2.15 (CentOS)
  • ServerTokens Min[imal]
    Response header: Server: Apache/2.2.15
  • ServerTokens Minor
    Response header: Server: Apache/2.2
  • ServerTokens Major
    Response header: Server: Apache/2
  • ServerTokens Prod[uctOnly]
    Response header: Server: Apache
  • To hide the Server header completely, Apache has to be rebuilt from source.
  • Hide X-Powered-By
    In php.ini, set expose_php = Off.
2. The role of ServerSignature
  • ServerSignature On: server-generated pages (error pages, directory listings) end with a footer line naming the server version.
  • ServerSignature Off: the footer line is omitted.

Tags: Apache CentOS PHP OpenSSL

Posted on Tue, 11 Feb 2020 04:25:07 -0800 by vamosbenedikt