Apache Security Survival Guide


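How to enable .htaccess?

In httpd.conf, set AllowOverride to All in the <Directory> section that covers the directory containing the .htaccess file. All lets .htaccess files override every directive type allowed there, so apply it only to the directories that need it.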

How to configure security?

Using htpasswd

<Location "/">
    AuthBasicProvider file
    AuthType Basic
    AuthName "Authorization required"
    AuthUserFile /etc/httpd/passwd
    Require valid-user
</Location>

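To create the password file with a first user ‘myuser’ (the -c flag creates the file and overwrites any existing one, so omit it when adding more users):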

htpasswd -c /etc/httpd/passwd myuser
> New password: mypassword
> Re-type new password: mypassword
> Adding password for user myuser

Using LDAP

You need to install mod_authnz_ldap.
Then add a location directive:

<Location "/">
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "Authorization required"
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldaps://ldap.example.com/dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=myldaplogin,ou=someOU,dc=example,dc=com"
    AuthLDAPBindPassword "myldappassword"
    Require valid-user
</Location>

Apache HTTP Proxypass

Configuration

You can expose a single local URL without exposing your whole HTTP server.
That way, only the local URL you choose is made public.

* First, open httpd.conf
* Then, enable mod_proxy and mod_proxy_http
* Finally add the file /etc/httpd/conf.d/czproxyPass.conf with the following content:

  ## Virtual Hosts:
  NameVirtualHost *:80
 
  # My local application 1
  <VirtualHost *:80>
    ServerName myservername1.com
    ProxyPreserveHost On
    ProxyPass /my-web-application1 http://localhost:8080/my-web-application1
    ProxyPassReverse /my-web-application1 http://localhost:8080/my-web-application1
    RedirectMatch permanent ^/$ /my-web-application1
  </VirtualHost>
 
  # My local application 2
  <VirtualHost *:80>
    ServerName myservername2.com
    ProxyPreserveHost On
    ProxyPass /my-web-application2 http://localhost:8080/my-web-application2
    ProxyPassReverse /my-web-application2 http://localhost:8080/my-web-application2
    RedirectMatch permanent ^/$ /my-web-application2
  </VirtualHost>

Tests

Try to access:

Apache HTTP vhost

You can have a single server with many directories that represent your applications.
To mount them, you can use the vhost configuration.

Configuration

NameVirtualHost *:80
 
#myservername1.com: 
<VirtualHost *:80>
ServerName myservername1.com
DocumentRoot /var/www/vhost/myservername1.com
</VirtualHost>
 
#myservername2.com: 
<VirtualHost *:80>
ServerName myservername2.com
DocumentRoot /var/www/vhost/myservername2.com
</VirtualHost>

Tests

Try to access:

Apache HTTP redirect

For whatever reason, you have decided to move your website to a new URL.
You do not want your users to have to change their bookmarks.
You can redirect the old URL to the new one.

Configuration

#myservername1.com:  
<VirtualHost *:80>
ServerName myservername1.com
Options +FollowSymlinks
RewriteEngine On
RedirectMatch permanent ^/(.*)$ http://myNEWservername1.com/$1
</VirtualHost>
 
#myservername2.com:  
<VirtualHost *:80>
ServerName myservername2.com
Options +FollowSymlinks
RewriteEngine On
RedirectMatch permanent ^/(.*)$ http://myNEWservername2.com/$1
</VirtualHost>

Tests

Try to access:

Security through .htaccess

Using IP

Order Allow,Deny
Allow from 11.22.33.44

Listing directory

To disable listing set “-Indexes”. To enable listing set “+Indexes”.

Options -Indexes

Access-Control-Allow-Origin

If server MY-SERVER-A wants to use a resource on server MY-SERVER-B, you might run into a cross-origin request (CORS) issue.
On server MY-SERVER-B, add this line to the .htaccess (it requires mod_headers):

Header add Access-Control-Allow-Origin "http://MY-SERVER-A"

Duplicate content

If you want to redirect automatically from HTTP to HTTPS, add this to your .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

Copyright © 2024 My linux world - by Marc RABAHI