Continuing from the first LTS Apache configuration article, we now look at some of the other settings in the main apache2.conf file and what they can do.
Concentrating on efficiency and security, this will end our apache2.conf journey (for now).
Remember that pesky "Could not reliably determine the server's fully qualified domain name" message when reloading Apache?
Let's get rid of that by defining the ServerName.
The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name). In this case, I am going to use the Slice hostname (dapper). It can also be set as 'localhost'.
So open the apache2.conf file:
sudo nano /etc/apache2/apache2.conf
and add this:
Of course, change the hostname to your Slice hostname or a FQDN. Once done, save apache2.conf and gracefully restart Apache (this method of restarting won't kill open connections):
sudo apache2ctl graceful
No warning. Nice.
Now we can continue looking at the apache2.conf settings:
If you want happy users and to save traffic, keep HostnameLookups at Off.
Setting this to 'On' enables DNS lookups so that host names can be logged (it performs a reverse DNS check). Setting it to 'Double' not only performs the reverse DNS check but then also checks the resulting hostname.
ServerTokens is not set by default (and doesn't even appear in the apache2.conf file). This simple setting should be considered when setting up Apache, as leaving it unset reveals information about the Apache version and any installed modules.
ServerTokens set to 'Full' would send something like this:
Apache/2.0.55 (Ubuntu) PHP/5.1.2
Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.
It does not make the actual install any more secure but all someone has to do right now is look for an exploit in Ubuntu Apache 2.0.55 and PHP 5.1.2. Why make it easy for them?
The options are (with example outputs):
Apache/2.0.55 (Ubuntu) PHP/5.1.2
It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod with this simple setting:
The ServerSignature setting is not defined in the apache2.conf file either. Interestingly though, it is set in the default vhosts file.
Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address (the level of information is discussed above with the ServerTokens setting).
If you navigate to your Slice IP address and a non-existent page:
You will see a 404 'not found' page with the footer information:
The options are:
Off: Produces no footer
On: Produces footer information (at a level defined by the ServerTokens setting)
Email: Adds an email link to the information (level defined by the ServerTokens setting)
It doesn't work!
If you are experimenting with the settings in the main apache2.conf file and find that changing the ServerSignature setting does nothing, keep in mind that many settings can be overridden by the virtual host file.
Remember that the ServerSignature is already defined in the default virtual host file:
So open the file:
sudo nano /etc/apache2/sites-available/default
Change the ServerSignature to On, Off or Email.
Reload Apache after any changes to the virtual host file and voilà! All is good.
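To check the override behaviour described above, here is an added example (not from the original article): a shell audit that reads ServerTokens from the main file only and lets the virtual host value win for ServerSignature and HostnameLookups. The function names are hypothetical, the sample files are constructed, and it assumes the directives sit directly in the two files given (it does not follow Include lines).

```shell
#!/bin/sh
# Added example: audit disclosure-related directives and show how a
# virtual host file overrides apache2.conf.

# last_value FILE DIRECTIVE: print the last uncommented value found.
# Directive names are case-insensitive in Apache.
last_value() {
    [ -r "$1" ] || return 0
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { if (v != "") print v }' "$1"
}

# effective DIRECTIVE DEFAULT MAIN_CONF VHOST: vhost wins, then main, then default.
effective() {
    v=$(last_value "$4" "$1")
    [ -n "$v" ] || v=$(last_value "$3" "$1")
    printf '%s\n' "${v:-$2}"
}

# audit MAIN_CONF VHOST: print one line per finding, return the finding count.
audit() {
    n=0
    # ServerTokens is server-wide only, so only the main file is consulted.
    t=$(effective ServerTokens Full "$1" /dev/null)
    case "$t" in [Pp][Rr][Oo][Dd]*) ;;
        *) echo "ServerTokens $t: version details sent to clients"; n=$((n + 1)) ;; esac
    s=$(effective ServerSignature Off "$1" "$2")
    case "$s" in [Oo][Ff][Ff]) ;;
        *) echo "ServerSignature $s: footer on server-generated pages"; n=$((n + 1)) ;; esac
    h=$(effective HostnameLookups Off "$1" "$2")
    case "$h" in [Oo][Ff][Ff]) ;;
        *) echo "HostnameLookups $h: reverse DNS lookups enabled"; n=$((n + 1)) ;; esac
    return "$n"
}

# Constructed sample: the main config is tightened, the vhost re-enables the footer.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ServerName dapper\nHostnameLookups Off\nServerTokens Prod\nServerSignature Off\n' > "$d/apache2.conf"
    printf '<VirtualHost *>\n    ServerSignature On\n</VirtualHost>\n' > "$d/default"
    audit "$d/apache2.conf" "$d/default"; rc=$?
    rm -rf "$d"
    return "$rc"
}
demo || :
```

On a real install, call `audit /etc/apache2/apache2.conf /etc/apache2/sites-available/default`; a non-zero exit status is the number of settings still disclosing information or costing lookups.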
These are simple steps, but ones which I believe are very useful: they help increase the efficiency of your Slice and assist in its overall security effort.