Tips and tricks for Apache 1.3. See also mod_perl logging notes.
- Debugging Mode
- Loopback Interface Testing
To run httpd in single-process debugging mode (-X) on a different port from the command line, use the following instead of editing a custom httpd.conf.
$ httpd -X -c 'Port 9876'
Development and testing systems can run multiple websites on the localhost interface, using a different port for each site. The developer can run httpd under their account, and connect to the local system for testing.
Listen 127.0.0.1:8000
Listen 127.0.0.1:1111
BindAddress 127.0.0.1
Port 1111
Port 8000
ServerName 127.0.0.1
NameVirtualHost *
<VirtualHost *:8000>
DocumentRoot "/home/username/test/example.org/htdocs"
<Directory "/home/username/test/example.org/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
<VirtualHost *:1111>
DocumentRoot "/home/username/test/example.com/htdocs/"
<Directory "/home/username/test/example.com/htdocs/">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Security Tips
- Deny filesystem access by default.
- Disable access to dotfiles.
- Restrict where Common Gateway Interface (CGI) may run.
- Security Problems
To enforce a “deny by default” access policy, set Deny from all in the root directory definition. This prevents Apache from serving anything on the filesystem that has not been explicitly allowed; each directory that should be served must then include its own Allow from all statement.
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
DocumentRoot "/var/www/htdocs"
<Directory "/var/www/htdocs">
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Disallow access to any dotfiles, except for the special Unix working and parent directories (. and ..). This prevents access to .htaccess and other dotfiles. Be aware that some sites may not work with all dotfiles blocked.
<Files ~ "^\.">
Order allow,deny
Deny from all
</Files>
<Files ~ "^\.\.?$">
Order allow,deny
Allow from all
</Files>
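The two access-control snippets above (the deny-by-default root directory and the dotfile rules) depend on how Apache 1.3's Order directive combines Allow and Deny, and on the fact that a later matching section replaces the access settings of an earlier one. The following Python model is an added illustration, not Apache code: it encodes those two snippets as data, applies the Order semantics, and evaluates a few constructed filesystem paths so the effect of each rule can be checked without a running server. The paths and the host name are constructed for the example.

```python
import posixpath
import re

# Constructed from the two configuration snippets above; hosts are not
# modelled beyond the "all" keyword, which is all those snippets use.
DIRECTORY_SECTIONS = [
    # (path, Order, Allow from, Deny from)
    ("/", "deny,allow", [], ["all"]),
    ("/var/www/htdocs", "allow,deny", ["all"], []),
]
FILES_SECTIONS = [
    # (regex matched against the file name, Order, Allow from, Deny from)
    (r"^\.", "allow,deny", [], ["all"]),
    (r"^\.\.?$", "allow,deny", ["all"], []),
]


def decide(order, allow, deny, host="client.example"):
    """Apply Apache 1.3 mod_access semantics for one Order/Allow/Deny set."""
    def matches(patterns):
        return any(p == "all" or p == host for p in patterns)

    a, d = matches(allow), matches(deny)
    if order.lower() == "allow,deny":
        # Allow is checked first, a Deny match overrides it, and a request
        # matching neither list is denied.
        return a and not d
    if order.lower() == "deny,allow":
        # Deny is checked first, an Allow match overrides it, and a request
        # matching neither list is allowed.
        return a or not d
    raise ValueError("unsupported Order: %r" % order)


def in_directory(fs_path, directory):
    """True if fs_path is the directory itself or lies beneath it."""
    base = directory.rstrip("/") + "/"
    return fs_path == directory.rstrip("/") or fs_path.startswith(base)


def access_config(fs_path):
    """Return the (Order, Allow, Deny) triple that ends up in force.

    Apache 1.3 applies <Directory> sections from the shortest matching path
    to the longest, then <Files> sections in configuration order. mod_access
    has no merge routine, so each matching section replaces the previous
    settings outright: the last match decides.
    """
    cfg = ("deny,allow", [], [])  # no Order directive at all: allowed
    for path, order, allow, deny in sorted(DIRECTORY_SECTIONS,
                                           key=lambda s: len(s[0])):
        if in_directory(fs_path, path):
            cfg = (order, allow, deny)
    name = posixpath.basename(fs_path)
    for regex, order, allow, deny in FILES_SECTIONS:
        if re.search(regex, name):
            cfg = (order, allow, deny)
    return cfg


def allowed(fs_path):
    """True if Apache would serve fs_path under the configuration above."""
    return decide(*access_config(fs_path))


if __name__ == "__main__":
    for p in ["/etc/passwd", "/var/www/htdocs/index.html",
              "/var/www/htdocs/.htaccess", "/var/www/htdocs/.",
              "/var/www/htdocs/.git/config"]:
        print("%-32s %s" % (p, "allowed" if allowed(p) else "denied"))
```

One result the model makes visible: the <Files> pattern only looks at a file's own name, so a file such as /var/www/htdocs/.git/config is still served because its basename does not begin with a dot. A <DirectoryMatch> section covering directories whose name begins with a dot would close that gap; that section is a suggestion here, not part of the tips above.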
CGI scripts should be limited to specific directories. If additional directories are needed, use ScriptAliasMatch to turn any directory named cgi-bin into a script repository.
ScriptAliasMatch ^/(.*)/cgi-bin/(.*) "/var/www/htdocs/$1/cgi-bin/$2"
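As an added check, not from the page, the ScriptAliasMatch above can be exercised in Python: the regular expression and the replacement are copied from the directive, the request paths are constructed, and the function returns the script path Apache would select, or None when the directive does not apply. Two results are worth knowing before relying on the rule: a top-level /cgi-bin/ is not matched at all (the pattern requires a directory in front of it), and every directory named cgi-bin anywhere under the document root becomes a script directory, so any location where users can create directories must not be allowed to carry that name.

```python
import re

# Copied from the ScriptAliasMatch directive above. Apache applies the
# pattern to the decoded request path, without the query string.
PATTERN = re.compile(r"^/(.*)/cgi-bin/(.*)")
TARGET = "/var/www/htdocs/{0}/cgi-bin/{1}"


def script_alias_match(url_path):
    """Return the filesystem path the directive selects, or None."""
    m = PATTERN.match(url_path)
    if not m:
        return None
    # $1 is greedy, so with nested cgi-bin directories it swallows
    # everything up to the last "/cgi-bin/" in the path.
    return TARGET.format(m.group(1), m.group(2))


if __name__ == "__main__":
    # Constructed request paths for the example.
    for path in ["/app/cgi-bin/search.pl",
                 "/cgi-bin/search.pl",
                 "/a/cgi-bin/b/cgi-bin/c.pl",
                 "/uploads/cgi-bin/run.pl",
                 "/index.html"]:
        print("%-30s -> %s" % (path, script_alias_match(path)))
```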
Some operating systems restrict the operation of Apache, via chroot, systrace on OpenBSD, or SELinux in Fedora Core 3. These restrictions may prevent CGI or other functions from working, so they should be considered when debugging problems.
Logging
Use httplog to automatically write logs into files by date. This avoids problems with traditional log rotation methods.
mod_rewrite
The mod_rewrite module allows flexible Uniform Resource Locator (URL) handling. Apache will need to be compiled with mod_rewrite support or the module loaded dynamically.
$ httpd -l | grep mod_re
mod_rewrite.c
<IfModule mod_rewrite.c>
RewriteEngine on
…
</IfModule>
Uses of mod_rewrite include presenting clean URLs to external visitors. Some web applications put query strings (?) in their URLs; with mod_rewrite, these can be rewritten into path components. With ? (or cgi-bin) removed from the URL, web proxies like squid, whose default configuration lists both in a stoplist, can cache the pages.
hierarchy_stoplist cgi-bin ?
Additional mod_rewrite tips:
- Robot Redirects
- Reject webspiders.
Redirect all visitors, except those whose User-Agent header starts with Googlebot, from www.sial.org to sial.org.
RewriteCond %{HTTP_USER_AGENT} !^Googlebot/
RewriteCond %{HTTP_HOST} ^www\.sial\.org
RewriteRule ^(.*)$ http://sial.org$1 [R=301]
Mark all pages as gone [G] for webspiders that identify as TurnitinBot.
RewriteCond %{HTTP_USER_AGENT} ^TurnitinBot
RewriteRule ^.*$ /error/foo [G]
mod_ssl
Disable old Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol versions and weak ciphers by default; the settings below remove SSLv2. This may block outdated clients.
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:-SSLv2:-RC4:+EXP
The cipher suites permitted by an SSLCipherSuite string can be listed with the openssl ciphers utility.
$ openssl ciphers 'ALL:!ADH:!EXPORT56:+HIGH:+MEDIUM:-SSLv2:-RC4:+EXP' \
| perl -ple 's/:/\n/g'