Debian Etch - Apache configuration #2

Continuing from the first Apache configuration article, we'll now look at some of the other settings in the main apache2.conf file and what they can do.

Concentrating on efficiency and security, this will end our apache2.conf journey (for now).


ServerName

Remember that pesky "Could not reliably determine the server's fully qualified domain name" message when reloading Apache?

Let's get rid of that by defining the ServerName.

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name). In this case, I am going to use the Slice hostname. It can also be set as 'localhost'.

So open the apache2.conf file:

sudo nano /etc/apache2/apache2.conf

and add this:

ServerName etch

Of course, change the hostname to your Slice hostname or a FQDN. Once done, save apache2.conf and gracefully restart Apache (this method of restarting won't kill open connections):

sudo apache2ctl graceful

No warning. Nice.

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' enables DNS lookups so that host names can be logged (it performs a reverse DNS check). Setting it to 'Double' not only performs the reverse DNS check, it then also checks the resulting hostname.

That is all a bit much. If you desperately need hostname information from your visitors, it is advised to use logresolve (located in /usr/sbin/logresolve) for this purpose. A small explanation can be found here.

ServerTokens

Default:

ServerTokens Full

The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.

The default (Full) would send something like this:

Apache/2.2.3 (Debian) PHP/5.2.0-8+etch7

Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.

It does not make the actual install any more secure but all someone has to do right now is look for an exploit in Debian Apache 2.2.3 and so on. Why make it easy for them?

The options are (with example outputs):

Full

Apache/2.2.3 (Debian) PHP/5.2.0-8+etch7

OS

Apache/2.2.3 (Debian)

Minimal

Apache/2.2.3

Minor

Apache/2.2

Major

Apache/2

Prod

Apache

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server-generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.

If you navigate to your Slice IP address and a non-existent page:

http://123.45.67.890/blahblah

You will see a 404 Page not found page with the footer information:

[Screenshot: Apache ServerSignature footer]

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (level defined by the ServerTokens setting)

It doesn't work!

If you are experimenting with the settings in the main apache2.conf file and find that changing the ServerSignature setting does nothing, keep in mind that many settings can be overridden by the virtual host file.

In this case, the default virtual host file has:

ServerSignature On

So open the file:

sudo nano /etc/apache2/sites-available/default

Change the ServerSignature to On, Off or Email.

Reload Apache after any changes to the virtual host file and voilà! All is good.
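One way to spot this kind of override before it costs you time, as an added example that is not part of the original article: the script lists every ServerTokens, ServerSignature and HostnameLookups directive under a config tree and flags values that differ from a baseline. The function names, the Prod / Off / Off baseline and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): list every ServerTokens,
# ServerSignature and HostnameLookups directive under a config tree so a
# virtual host override of apache2.conf is visible at a glance.
# Baseline is an assumption: Prod / Off / Off.

# audit_apache_conf DIR: print "STATUS file:line Directive Value" per hit.
# It lists occurrences; it does not compute Apache's merged configuration.
audit_apache_conf() {
    find "$1" -type f | sort | while IFS= read -r f; do
        awk -v file="$f" '
            BEGIN {
                want["servertokens"]    = "prod"
                want["serversignature"] = "off"
                want["hostnamelookups"] = "off"
            }
            /^[ \t]*#/ { next }          # skip commented-out directives
            { key = tolower($1) }
            (key in want) {
                status = (tolower($2) == want[key]) ? "OK" : "WEAK"
                printf "%-4s %s:%d %s %s\n", status, file, NR, $1, $2
            }' "$f"
    done
}

# make_sample_tree: build a constructed tree mirroring the article's layout
# (hypothetical helper; file contents are sample data) and print its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sites-available"
    cat > "$d/apache2.conf" <<'EOF'
ServerName etch
HostnameLookups Off
ServerTokens Prod
ServerSignature Off
EOF
    cat > "$d/sites-available/default" <<'EOF'
<VirtualHost *:80>
    # shipped default, overrides the main file for this vhost
    ServerSignature On
</VirtualHost>
EOF
    echo "$d"
}

tree=$(make_sample_tree)
audit_apache_conf "$tree"
rm -rf "$tree"
```

On a real server, call `audit_apache_conf /etc/apache2` instead of the sample tree; any WEAK line in a virtual host file explains why a change in apache2.conf appeared to do nothing.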

Summary

The steps in this article are simple, but I believe they are very useful: they help increase the efficiency of your Slice and assist in its overall security effort.

PickledOnion.

Article Comments:

Jeff commented Tue Nov 13 08:48:35 UTC 2007:

Hi, Can I use any domain name for my intranet?

I have just one IP address; do I need to add my second domain name to the hosts file?

Thanks in advance

PickledOnion commented Tue Nov 13 09:42:57 UTC 2007:

Hi Jeff,

Sorry I am not sure what you are asking. I haven't written an article on intranets so I am not sure what you are referencing.

PickledOnion.

Daniel Wood commented Sat Mar 07 13:20:15 UTC 2009:

For those following this using lenny the security changes for ServerTokens and ServerSignature should be made in /etc/apache2/conf.d/security

Richard commented Wed Mar 18 01:02:43 UTC 2009:

Thanks Daniel, wish I read the comments before I spent half an hour wondering why it wouldn't work.

John Comeau commented Sat Oct 30 22:30:12 UTC 2010:

Another way to set ServerName:

echo ServerName localhost > /etc/apache2/conf.d/servername /etc/init.d/apache2 restart

John Comeau commented Sat Oct 30 22:33:00 UTC 2010:

Grr, that didn't format right. The restart command should have been on a separate line. Trying again:

echo ServerName localhost > /etc/apache2/conf.d/servername

/etc/init.d/apache2 restart
