Continuing from the first Gentoo Apache configuration article, we’ll now look at some of the other settings in the main configuration files and what they can do.
Concentrating on efficiency and security, this will end our Apache configuration journey (for now).
Default: Not Set
The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).
If you followed the Gentoo - Apache Instalation article, you will have already set the ServerName configuration.
If you fail to set the ServerName then on an Apache restart you will see the following warning:
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
To stop the warning and set the ServerName, add the following to the end of ‘/etc/apache2/httpd.conf’:
Remember the test slice has a hostname of ‘demo’ — set this to your hostname or FQDN.
Other Default Settings
Open the file where most of the default configuration settings are found in your favourite editor:
We’ll go through the more important settings that we haven’t already covered in the previous article.
You can find out more about the settings we don’t cover here by reading the commented paragraph found above where the setting’s default value is displayed in the configuration files. Also Google is very useful, I usually Google for something like “Apache 2.2 SettingName” and it brings me to the right place in the Apache docs.
Scroll down the file until you find each setting mentioned below.
The ServerTokens setting will dictate how much information is sent in the Headers with regard to the Apache version and modules in use.
On a lot of non-gentoo systems the default here is ‘Full’, which would send the maximum information possible; this can be useful in certain situations, for example when debugging a server install. However on Gentoo the default is ‘Prod’, which shows the least information possible:
Does this make a difference? Well, yes. If we can suppress the amount of information shown, it will make it harder for someone to find an exploit.
It does not make the actual install any more secure but all someone would have to do if the setting were on ‘Full’ would be to look for an exploit on ‘Gentoo Apache 2.2.11’ for example. Why make it easier for them?
The options are (with example outputs):
Apache/2.2.11 (Gentoo) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.10-pl0-gentoo
It’s up to you what level of information you want to give out. I prefer leaving ServerTokens set to ‘Prod’.
Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can also include the ServerAdmin’s email address.
If you navigate to your Slice IP address and a non-existent page, you will see a 404 Page not found page with the footer information:
Apache Server at demo Port 80
The options are:
Off: Produces no footer
On: Produces footer information (at a level defined by the ServerTokens setting)
Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)
Keep in mind that many settings can be overridden by a virtual host file.
If you disable the ServerSignature in this file, but a virtual host file has:
Then the global setting will be overridden and a footer will still be displayed on 404 pages, etc. for any sites associated with that virtual host.
If you want happy users and to save traffic, leave this set to ‘Off’.
Setting this to ‘On’ will enable DNS lookups, so the host names of your site’s visitors can be logged (it performs a reverse DNS check).
All a bit much and if you desperately need hostname information from your visitors it is advised to use logresolve (located in /usr/sbin/logresolve) for this purpose. A small explanation can be found here.
As you can see, the Gentoo Apache default settings are already quite efficient and secure, but it is a good idea to understand the different options available, as the default settings may not be ideal for every install.