Gentoo - Apache Configuration #2

Continuing from the first Gentoo Apache configuration article, we’ll now look at some of the other settings in the main configuration files and what they can do.

Concentrating on efficiency and security, this will end our Apache configuration journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the Gentoo - Apache Installation article, you will have already set the ServerName configuration.

If you fail to set the ServerName then on an Apache restart you will see the following warning:

apache2: Could not reliably determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName

To stop the warning and set the ServerName, add the following to the end of ‘/etc/apache2/httpd.conf’:

ServerName demo

Remember the test slice has a hostname of ‘demo’ — set this to your hostname or FQDN.

Other Default Settings

Open the file where most of the default configuration settings are found in your favourite editor:

nano /etc/apache2/modules.d/00_default_settings.conf

We’ll go through the more important settings that we haven’t already covered in the previous article.

You can find out more about the settings we don’t cover here by reading the commented paragraph found above each setting’s default value in the configuration files. Google is also very useful; I usually search for something like “Apache 2.2 SettingName” and it brings me to the right place in the Apache docs.

Scroll down the file until you find each setting mentioned below.

ServerTokens

Default: Prod

The ServerTokens setting will dictate how much information is sent in the Headers with regard to the Apache version and modules in use.

On a lot of non-Gentoo systems the default here is ‘Full’, which sends the maximum information possible; this can be useful in certain situations, for example when debugging a server install. However, on Gentoo the default is ‘Prod’, which shows the least information possible:

Apache

Does this make a difference? Well, yes. Suppressing the amount of information shown makes it harder for someone to match your server against a known exploit.

It does not make the actual install any more secure, but if the setting were ‘Full’, all someone would have to do is look for an exploit for ‘Gentoo Apache 2.2.11’, for example. Why make it easier for them?

The options are (with example outputs):

Full

Apache/2.2.11 (Gentoo) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.10-pl0-gentoo

OS

Apache/2.2.11 (Gentoo)

Minimal

Apache/2.2.11

Minor

Apache/2.2

Major

Apache/2

Prod

Apache

It’s up to you what level of information you want to give out. I prefer leaving ServerTokens set to ‘Prod’.

ServerSignature

Default: On

Server generated pages, such as 404 pages or directory listings, can contain a footer line which includes server information and can also include the ServerAdmin’s email address.

If you navigate to your Slice IP address and request a non-existent page, you will see a 404 Not Found page with the footer information:

Apache Server at demo Port 80

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)

Keep in mind that many settings can be overridden by a virtual host file.

If you disable the ServerSignature in this file, but a virtual host file has:

ServerSignature On

Then the global setting will be overridden and a footer will still be displayed on 404 pages, etc. for any sites associated with that virtual host.
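As an added example (not part of the original article), here is a small defender-side check covering both the ServerTokens and ServerSignature sections above: it maps a Server header value back to the ServerTokens level that produced it, using the example outputs listed earlier, and looks for a ServerSignature footer in an error page body. The sample response below is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: classify the ServerTokens
# level implied by a Server header and spot a ServerSignature footer.

# Print the ServerTokens level implied by a Server header value, following
# the example outputs given in the article (most specific pattern first).
server_tokens_level() {
    case "$1" in
        "Apache")                 echo Prod ;;     # name only
        "Apache/"*" ("*") "*)     echo Full ;;     # version, OS and modules
        "Apache/"*" ("*")")       echo OS ;;       # version and OS
        "Apache/"*.*.*)           echo Minimal ;;  # full version, e.g. 2.2.11
        "Apache/"*.*)             echo Minor ;;    # e.g. 2.2
        "Apache/"*)               echo Major ;;    # e.g. 2
        *)                        echo Unknown ;;
    esac
}

# Pull the Server header value out of a raw HTTP response header block
# (tolerates CRLF line endings and a case-insensitive header name).
server_header_value() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]: *//p' | head -n 1
}

# Succeeds (exit 0) when the header reveals more than ServerTokens Prod would.
leaks_version() {
    [ "$(server_tokens_level "$1")" != Prod ]
}

# Succeeds when an error page body carries a ServerSignature footer; Apache
# renders the footer inside an <address> element.
has_server_signature() {
    printf '%s\n' "$1" | grep -qi '<address>.*Server at .* Port [0-9]*</address>'
}

# Constructed sample 404 response from a server still on the 'Full' setting.
SAMPLE_HEADERS='HTTP/1.1 404 Not Found
Date: Tue, 01 Feb 2011 02:35:16 GMT
Server: Apache/2.2.11 (Gentoo) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.10-pl0-gentoo
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_BODY='<h1>Not Found</h1><address>Apache/2.2.11 (Gentoo) Server at demo Port 80</address>'

hdr=$(server_header_value "$SAMPLE_HEADERS")
echo "Server header: $hdr (ServerTokens $(server_tokens_level "$hdr"))"
if leaks_version "$hdr"; then echo "Recommend: ServerTokens Prod"; fi
if has_server_signature "$SAMPLE_BODY"; then echo "Recommend: ServerSignature Off"; fi
```

Feed it the headers and body from a real request (for example the output of curl -i against your own slice) in place of the constructed sample to check what your virtual hosts actually return.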

HostnameLookups

Default: Off

If you want happy users and to save traffic, leave this set to ‘Off’.

Setting this to ‘On’ will enable DNS lookups, so the host names of your site’s visitors can be logged (it performs a reverse DNS check).

That is a lot of overhead for every request. If you really do need hostname information for your visitors, it is better to use logresolve (located at /usr/sbin/logresolve), which resolves the addresses in an existing log file after the fact. A small explanation can be found here.

Summary

As you can see, the Gentoo Apache default settings are already quite efficient and secure, but it is a good idea to understand the different options available, as the default settings may not be ideal for every install.

matiu

Article Comments:

Mark Shields commented Tue Feb 01 02:35:16 UTC 2011:

There's a better way to handle the ServerName/hostname detection error:

Edit your /etc/hosts file, look for the line that has

127.0.0.1 localhost localhost.localdomain

Insert your FQDN, then your hostname, between the IP and localhost, so it looks like this (if you use a TLD):

127.0.0.1 example.com example localhost

Or if you use a subdomain:

127.0.0.1 subdomain.example.com subdomain localhost

Set your hostname in /etc/conf.d/hostname to match the 2nd entry of your 127.0.0.1 line ("example"), then type hostname -f

Restart apache, and it should detect it automatically.
