Continuing from the first Ubuntu Intrepid Apache configuration article, we'll now look at some of the other settings in the main apache2.conf file and what they can do.
Concentrating on efficiency and security, this will end our apache2.conf journey (for now).
Default: Not Set
The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).
If you followed the Ubuntu Intrepid installing Apache and PHP5 article, you will have already set the ServerName configuration.
If you fail to set the ServerName then on an Apache restart you will see the following warning:
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
To stop the warning and set the ServerName, add the following to the apache2.conf:
Remember the test slice has a hostname of 'demo' - set this to your hostname or FQDN.
HostnameLookups: if you want happy users and to save traffic, keep this at Off.
Setting it to 'On' enables DNS lookups so that host names can be logged (a reverse DNS lookup for every request); setting it to 'Double' performs the reverse lookup and then a forward lookup on the resulting hostname to confirm it maps back to the address.
All a bit much, and if you really do need hostname information about your visitors it is advised to use logresolve (located at /usr/sbin/logresolve), which resolves the addresses in the log file after the fact rather than on every request. A small explanation can be found here.
It's a good idea to review a couple of security-related settings for Apache — ServerTokens and ServerSignature — which in the Ubuntu Intrepid Apache layout are stored by default in the 'security' config file:
The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.
The default (Full) would send something like this:
Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch Server
Does this make a difference? Well, yes. Suppressing that information makes it harder for someone to pick an exploit to try.
It does not make the actual install any more secure, but right now all someone has to do is look for an exploit in Ubuntu's Apache 2.2.9 build, the listed PHP version and so on. Why make it easy for them?
The options are (with example outputs):
Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4 with Suhosin-Patch
Apache/2.2.9 (Ubuntu) Server
It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.
Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.
If you navigate to a non-existent page on your Slice IP address, you will see a 404 Not Found page carrying the footer information:
The options are:
Off: Produces no footer
On: Produces footer information (at a level defined by the ServerTokens setting)
Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)
Keep in mind that many settings can be overridden by a virtual host file.
If you disable the ServerSignature in the 'security' config file, but a virtual host file has:
Then the global setting will be overridden and a footer will still be displayed on 404 pages and other server-generated pages for any site served by that virtual host.
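To catch exactly this kind of override before it reaches production, here is an added Python checker that is not part of the original article: it parses the global 'security' file and the virtual host files, reports any global value weaker than this article recommends (ServerTokens Prod, ServerSignature Off, HostnameLookups Off), and flags every virtual host that overrides one of those settings. The config text it reads is constructed sample input.

```python
import re

# Constructed sample files (not from the article): the global 'security' file is
# hardened, but one virtual host turns the footer back on (the override case above).
SECURITY_CONF = "ServerTokens Prod\nServerSignature Off\n"
VHOST_CONF = """
<VirtualHost *:80>
    ServerName demo.example.com
    ServerAdmin webmaster@example.com
    ServerSignature On   # overrides the global Off for this site only
</VirtualHost>
<VirtualHost *:80>
    ServerName other.example.com
</VirtualHost>
"""

# Hardened values, and what Apache 2.2 uses when the directive is absent.
SAFE = {"ServerTokens": "Prod", "ServerSignature": "Off", "HostnameLookups": "Off"}
DEFAULTS = {"ServerTokens": "Full", "ServerSignature": "Off", "HostnameLookups": "Off"}
CANON = {d.lower(): d for d in [*SAFE, "ServerName"]}  # directive names are case-insensitive

def parse_directives(text):
    """Return (global_settings, {ServerName: vhost_settings}); comments are skipped."""
    global_settings, vhosts, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.match(r"<virtualhost\b", line, re.I):
            current = {}  # start collecting this block's directives
        elif re.match(r"</virtualhost>", line, re.I):
            vhosts[current.get("ServerName", "<unnamed>")] = current
            current = None
        elif (m := re.match(r"(\S+)\s+(.+)", line)) and m.group(1).lower() in CANON:
            target = global_settings if current is None else current
            target[CANON[m.group(1).lower()]] = m.group(2).strip()
    return global_settings, vhosts

def audit(global_text, vhost_text):
    """List weak global values and any vhost that overrides a hardened setting."""
    g, _ = parse_directives(global_text)
    _, vhosts = parse_directives(vhost_text)
    findings = []
    for d in SAFE:
        value = g.get(d, DEFAULTS[d])
        if value.lower() != SAFE[d].lower():
            findings.append(f"global {d} is {value}")
        for name, settings in vhosts.items():
            if d in settings and settings[d].lower() != SAFE[d].lower():
                findings.append(f"vhost {name} overrides {d} to {settings[d]}")
    return findings
```

Running audit(SECURITY_CONF, VHOST_CONF) on the sample input reports only the demo.example.com virtual host turning ServerSignature back on; on a real Slice, feed it the contents of the 'security' file and of each file under the vhosts directory.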
The steps in this article are simple, but I believe they are quite useful: they improve the efficiency of your Slice and contribute to its overall security.