CentOS - Apache configuration #2

Continuing from the first CentOS Apache configuration article, we now look at some of the other settings in the main httpd.conf file and what they can do.

Concentrating on efficiency and security, this will end our httpd.conf journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the CentOS installing Apache and PHP5 article, you will have already set the ServerName configuration.

If you fail to set the ServerName then on an Apache restart you will see the following warning:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' enables DNS lookups so that host names rather than IP addresses can be logged (Apache performs a reverse DNS lookup on each client address). Setting it to 'Double' performs the reverse lookup and then checks that the resulting hostname resolves back to the original address.

This is more than most sites need. If you really do need hostname information for your visitors, it is better to run logresolve (located in /usr/bin/logresolve) over the log files afterwards rather than resolving names at request time. A small explanation can be found here.

ServerTokens

Default:

ServerTokens OS

The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.

The default (set as 'OS') would send something like this:

Apache/2.2.3 (CentOS)

Does this make a difference? Well, yes. Suppressing that information makes it harder for someone to pick an exploit that matches your exact version.

It does not make the actual install any more secure, but right now all someone has to do is look for an exploit against Apache 2.2.3 on CentOS and so on. Why make it easy for them?

The options are (with example outputs):

Full: Apache/2.2.3 (CentOS) DAV/2 PHP/5.1.6 mod_ssl/2.2.3 OpenSSL/0.9.8b

OS: Apache/2.2.3 (CentOS)

Minimal: Apache/2.2.3

Minor: Apache/2.2

Major: Apache/2

Prod: Apache

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.

If you navigate to a non-existent page on your Slice IP address:

http://123.45.67.890/blahblah

You will see a 404 Not Found page with the footer information:

[Image: Apache ServerSignature footer on a 404 page]

Note that the image was taken with ServerTokens set to 'Prod', so little information is shown in the footer.

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (level defined by the ServerTokens setting)
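As an added example (not the article's own code), the POSIX shell script below maps a Server header value back to the ServerTokens level that produced it, using the example outputs listed above, and audits an httpd.conf fragment for the ServerTokens, ServerSignature and HostnameLookups values recommended in this article. The header strings and the config fragment are constructed for the demonstration.

```shell
# Added example, not part of the original article: infer which ServerTokens
# level produced a given Server header value (patterns follow the article's
# example outputs) and audit an httpd.conf fragment. Sample input is constructed.

# Map a Server header value to the ServerTokens level that would emit it.
server_tokens_level() {
    rest=${1#Apache}
    if [ "$rest" = "$1" ]; then echo unknown; return 1; fi
    case "$rest" in
        "")      echo Prod ;;                 # "Apache"
        /*\ *)   # something follows the version: OS name, maybe module list
            case "${rest#* }" in
                \(*\)) echo OS ;;             # "Apache/2.2.3 (CentOS)"
                *)     echo Full ;;           # "... DAV/2 PHP/5.1.6 ..."
            esac ;;
        /*.*.*)  echo Minimal ;;              # "Apache/2.2.3"
        /*.*)    echo Minor ;;                # "Apache/2.2"
        /*)      echo Major ;;                # "Apache/2"
        *)       echo unknown; return 1 ;;
    esac
}

# Effective (last uncommented) value of a directive read from stdin,
# lower-cased because Apache compares these values case-insensitively.
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) { v = tolower($2) }
                   END { print (v == "" ? "unset" : v) }'
}

# Read a config on stdin; report each directive that differs from the
# hardened values recommended above. Returns 1 if any gap was found.
audit_httpd_conf() {
    conf=$(cat); rc=0
    for pair in ServerTokens=prod ServerSignature=off HostnameLookups=off; do
        d=${pair%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$conf" | directive_value "$d")
        if [ "$got" != "$want" ]; then
            echo "$d is $got (recommended: $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed httpd.conf fragment: one directive is still at its default.
SAMPLE_CONF='# ServerTokens OS   <- commented out, must be ignored
ServerTokens Prod
ServerSignature On
HostnameLookups Off'
printf '%s\n' "$SAMPLE_CONF" | audit_httpd_conf || echo "hardening gaps found"
```

Pipe your real file in with `audit_httpd_conf < /etc/httpd/conf/httpd.conf` to check a live server; directives set inside included files are not followed.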

Reload

After each change to the httpd.conf file, you will need to reload Apache for the settings to take effect:

sudo /etc/init.d/httpd reload

Summary

Some simple steps in this article, but ones which I believe are very useful: they improve the efficiency of your Slice and assist in the overall security effort.

PickledOnion.

Article Comments:

sal commented Tue Apr 01 16:01:12 UTC 2008:

awesome articles!

thanks for your time...

cheers

Darin Carter commented Mon Apr 06 18:06:03 UTC 2009:

Very nice ... learning a lot today!

John commented Wed Apr 22 03:06:45 UTC 2009:

Very useful. I learned a couple of new things and I've been using Apache for ages!

amhcohc commented Sun Apr 11 10:18:54 UTC 2010:

Thanks for your articles! It was very useful for me.

Nickman commented Fri Jun 25 13:29:12 UTC 2010:

Very helpful for a newbie like me :)

thanks much

Klevin commented Thu Sep 08 10:43:58 UTC 2011:

Thanks a lot! It is very useful and very good tutorials!
