Ubuntu Hardy - Apache configuration #2

Continuing from the first Ubuntu Hardy Apache configuration article, we'll now look at some of the other settings in the main apache2.conf file and what they can do.

Concentrating on efficiency and security, this will end our apache2.conf journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the Ubuntu Hardy installing Apache and PHP5 article, you will have already set the ServerName configuration.

If you fail to set the ServerName then on an Apache restart you will see the following warning:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

To stop the warning and set the ServerName, add the following to the apache2.conf:

ServerName demo

Remember the test slice has a hostname of 'demo' - set this to your hostname or FQDN.

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' enables DNS lookups so that host names can be logged (it performs a reverse DNS check). Setting it to 'Double' performs the reverse DNS check and then also checks the resulting hostname.

That is all a bit much. If you desperately need hostname information from your visitors, it is advised to use logresolve (located in /usr/sbin/logresolve) for this purpose. A small explanation can be found here.

ServerTokens

Default:

ServerTokens Full

The ServerTokens setting will dictate how much information is sent in the Headers with regard to Apache version and modules in use.

The default (Full) would send something like this:

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server

Does this make a difference? Well, yes. If we can suppress that information it will make it harder for someone to find an exploit.

It does not make the actual install any more secure but all someone has to do right now is look for an exploit in Ubuntu Apache 2.2.8 and so on. Why make it easy for them?

The options are (with example outputs):

Full

Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch Server

OS

Apache/2.2.8 (Ubuntu) Server

Minimal

Apache/2.2.8 Server

Minor

Apache/2.2 Server

Major

Apache/2 Server

Prod

Apache Server

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can include the ServerAdmin email address.

If you navigate to your Slice IP address and a non-existent page:

http://123.45.67.890/blahblah

You will see a 404 Page not found page with the footer information:

[Image: Apache ServerSignature footer]

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)

It doesn't work!

If you are experimenting with the settings in the main apache2.conf file and find that changing the ServerSignature setting does nothing then keep in mind that many settings can be overridden by the virtual host file.

In this case, the default virtual host file has:

ServerSignature On

So open the file:

sudo nano /etc/apache2/sites-available/default

Change the ServerSignature to On, Off or Email. You can even delete the ServerSignature setting from the vhost file so it takes it from the apache2.conf.

Reload Apache after any changes to the virtual host file and voilà! All is good.
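
Because the same directive can be set in several files, it helps to list every place it appears before deciding which file to edit. The script below is an added example, not part of the original article: the function names and the sample tree are constructed, and treating ServerSignature Off as the hardened value is an assumption of the example.

```shell
# Added example: list every place the disclosure-related directives are set
# under an Apache config root and flag values that reveal more than the
# hardened choice. Directive names are matched case-insensitively.
#
# Hardened values used here: ServerTokens Prod and HostnameLookups Off (the
# article's advice) and ServerSignature Off (an assumption of this example).
audit_apache_conf() {
    root=$1
    # Scan regular files in a stable order, skipping editor backups.
    find "$root" -type f ! -name '*~' | sort | while IFS= read -r f; do
        awk -v file="$f" '
            BEGIN { want["servertokens"] = "prod"
                    want["serversignature"] = "off"
                    want["hostnamelookups"] = "off" }
            $1 ~ /^#/ { next }              # ignore commented-out lines
            {
                key = tolower($1)
                if (!(key in want)) next
                verdict = (tolower($2) == want[key]) ? "ok" : "DISCLOSES"
                printf "%s:%d: %s %s [%s]\n", file, NR, $1, $2, verdict
            }' "$f"
    done
}

# Number of settings found that disclose more than the hardened values.
count_disclosing() {
    audit_apache_conf "$1" | grep -c 'DISCLOSES' || true
}

# Constructed sample tree mirroring the files named on this page:
# apache2.conf, conf.d/security and sites-available/default.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/conf.d" "$d/sites-available"
    printf 'ServerName demo\nHostnameLookups Off\nServerTokens Prod\nServerSignature Off\n' \
        > "$d/apache2.conf"
    printf '#ServerTokens Minimal\nServerTokens Full\nServerSignature On\n' \
        > "$d/conf.d/security"
    printf '<VirtualHost *:80>\n    ServerSignature On\n</VirtualHost>\n' \
        > "$d/sites-available/default"
    echo "$d"
}

sample=$(make_sample_tree)
audit_apache_conf "$sample"
echo "disclosing settings: $(count_disclosing "$sample")"
rm -rf "$sample"
```

On a real server, run audit_apache_conf against /etc/apache2 to see which file holds the value that is actually taking effect.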

Summary

The steps in this article are simple, but I believe they are very useful: they help increase the efficiency of your Slice and assist in its overall security effort.

PickledOnion.

Article Comments:

Ricardo Silva commented Tue May 06 09:25:01 UTC 2008:

I've just diagonally read all the articles from the Apache installation until this one. Very informative stuff and clear writing. Thanks, I'll bookmark this site for future reference.

Ian commented Sun Jun 15 10:57:11 UTC 2008:

Thanks! The whole set of Apache setup articles (there's several!) are perfect, and incredibly useful.

Thanks!

Bill Turner, wb4alm commented Thu Jul 10 15:09:57 UTC 2008:

Excellent writing style and content. In reading these articles for just a few minutes, you have provided the answers to a number of questions that I had.

I'm waiting for the next series of articles... (grin)

Thanks!

Dylan commented Thu Aug 14 01:04:25 UTC 2008:

If you installed php you probably want to turn off its signature as well, otherwise the php version/package will be exposed.

Change the setting: expose_php = On
... to Off in /etc/php5/apache2/php.ini then reload apache.

Mario da Silva commented Tue Aug 26 01:18:59 UTC 2008:

Hi, This is the first time I'm trying to create a server and I'm not having any joy, save that when I access the program LOCALLY with the 192.168.x.x, it says "It Works!". However I cannot access it by its Dyndns name at all. I've spent two days setting and resetting the Router after creating the name in Dyndns successfully, but I'm getting more confused. Pse Help?

PickledOnion commented Tue Aug 26 09:19:41 UTC 2008:

Mario,

I think this is simply a case of the settings in your router.

You should be able to simply enter your domain (I assume you have the domain IP pointing to your Slice?).

If you are using our DNS facilities you will be able to add the details there.

PickledOnion

Rakesh commented Tue Sep 23 13:44:38 UTC 2008:

Great effort! Thanks PO, you rock!

Steve Cox commented Sat Jan 03 20:20:06 UTC 2009:

These are some of the best written how-to's I've ever read. You have a conversational style (which I love) and you provide a lot of content in each article, but not too much. A very fine line which you walk admirably.

Kamal commented Tue Mar 03 09:47:20 UTC 2009:

I have no nameservers. Should I link my IP address directly in the place of IP address for the nameserver against my domain name?

Please Help

Samuel commented Fri Mar 20 19:19:24 UTC 2009:

Just an addition to this excellent guide, section "It doesn't work": On my Ubuntu 8.10/Apache2.2 setup, there was a file conf.d/security which held the ServerSignature and ServerTokens defaults, and the conf.d files were read after - so that's where I had to make the changes... In case it may help somebody.

conficker commented Wed Apr 01 19:48:51 UTC 2009:

Nice article - worked perfectly (beware Windows users, you will have to replace a few things in both steps to achieve that which the Linux users can)

ZoltanK commented Wed Apr 01 22:02:49 UTC 2009:

Great articles!

kurinchiblogger commented Thu Jul 30 21:02:12 UTC 2009:

Good work with your article organization. Articles are informative.

Thanks

James I. M. commented Fri Aug 21 10:37:06 UTC 2009:

Quite a nice read. Provides solutions in a straightforward manner, unlike most IT gurus. Keep it up

angeletti group commented Thu Nov 12 18:30:23 UTC 2009:

I wish there was an Apache article specifically for those installing Django. I'm afraid I'll mess things up.

David Brunner commented Wed Feb 24 22:04:30 UTC 2010:

These articles are extremely helpful. I appreciate the clear explanations and sensible advice. Links to outside resources "for further reading" are helpful, too. Thank you very much!

cc commented Wed Mar 24 12:22:23 UTC 2010:

How would you use a rewrite rule to redirect web traffic to a cdn? Is it possible to keep the original web address?
