Tue. Feb 18th, 2020

How to secure Apache HTTP server

3 min read
If you are a system administrator, you should follow these 7 tips to keep your Apache HTTP server secure.
Apache Tomcat Native
1. Disable unnecessary modules
If you plan to compile and install Apache from source, you should disable the following modules. If you run ./configure -help, you will see all available modules that you can disable/enable.
./configure \
–enable-ssl \
–enable-so \
–disable-userdir \
–disable-autoindex \
–disable-status \
–disable-env \
–disable-setenvif \
–disable-cgi \
–disable-actions \
–disable-negotiation \
–disable-alias \
–disable-include \
–disable-filter \
–disable-version \
–disable-asis
2. Run Apache as a separate user and user group
Apache may run as nobody or daemon by default. It is better to run Apache under an account that you do not have privileges on. For example: apache user.
groupadd apache
useradd -d /usr/local/apache2/htdocs -g apache -s /bin/false apache
Change httpd.conf to set User and Group correctly.
vi httpd.conf
User apache
Group apache
After restarting apache, execute the ps -ef command and you will see that apache is running as “apache” user
3. Restrict access to the root directory
Set the following in the httpd.conf file to enhance the security of the root directory.

<Directory />
Options None
Order deny,allow
Deny from all
</Directory>

4.Set proper permissions for the conf and bin directories

The bin and conf directories should only be viewed by authorized users. Creating a group and adding all users who are allowed to view/modify apache configuration files to this group is a good way to authorize.
Below we set this group to apacheadmin
Create group:

groupadd apacheadmin

Allow this group to access the bin directory.

chown -R root:apacheadmin /usr/local/apache2/bin
chmod -R 770 /usr/local/apache2/bin

Allow this group to access the conf directory.

chown -R root:apacheadmin /usr/local/apache2/conf
chmod -R 770 /usr/local/apache2/conf

Add the right users to this group.

# vi /etc/group
apacheadmin:x:1121:user1,user2

5. Disable directory browsing

If you don’t turn off directory browsing, users can see all the files (directories) in your root directory (or any subdirectories).

The Indexes option displays a list and subdirectories of available files in the browser. So Indexes should be disabled.
<Directory />
Options None
Order allow,deny
Allow from all
</Directory>

(or)

<Directory />
Options -Indexes
Order allow,deny
Allow from all
</Directory>

6. Restrict access to specific networks (or IP addresses)

If you need to allow only specific IP addresses or networks to access your website, proceed as follows:
Allow only specific networks to access your website, give the network address under the Allow command.
<Directory /site>
Options None
AllowOverride None
Order deny,allow
Deny from all
Allow from 10.10.0.0/24
</Directory>

7. Remove unwanted DSO modules

If you load dynamic shared object modules into Apache, they should be in the httpd.conf file under the “LoadModule” directive.
Dynamic Shared Object (DSO) Support. The Apache HTTP Server is a modular program where the administrator can choose the functionality to include in the server by selecting a set of modulesModules will be compiled as Dynamic Shared Objects (DSOs) that exist separately from the main httpd binary file.
Comment any unwanted “LoadModules” directives in httpd.conf.
grep LoadModule /usr/local/apache2/conf/httpd.conf