Debian Lenny - Apache configuration #2

Continuing from the first Debian Lenny Apache configuration article, we'll now look at some of the other settings in the main apache2.conf file and what they can do.

Concentrating on efficiency and security, this will end our apache2.conf journey (for now).


ServerName

Default: Not Set

The ServerName is usually a hostname or a FQDN (Fully Qualified Domain Name).

If you followed the Debian Lenny installing Apache2 and PHP5 article, you will have already set the ServerName configuration.

If you fail to set the ServerName then on an Apache restart you will see the following warning:

apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName

To stop the warning and set the ServerName, add the following to the apache2.conf:

ServerName demo

Remember the test slice has a hostname of 'demo' - set this to your hostname or FQDN.

HostnameLookups

Default:

HostnameLookups Off

If you want happy users and to save traffic, keep this at Off.

Setting this to 'On' enables DNS lookups so host names can be logged (a reverse DNS lookup on every client address). Setting it to 'Double' performs the reverse lookup and then a forward lookup on the resulting hostname to confirm it maps back to the original address.

All a bit much, and if you really do need hostname information about your visitors it is better to use logresolve (located in /usr/sbin/logresolve), which resolves the addresses in an existing log file after the fact instead of on every request. A small explanation can be found here.

Security Settings

It's a good idea to review a couple of security-related settings for Apache — ServerTokens and ServerSignature — which in the Debian Lenny Apache layout are stored by default in the 'security' config file:

/etc/apache2/conf.d/security

ServerTokens

Default:

ServerTokens Full

The ServerTokens setting dictates how much information is sent in the Server response header (and in the ServerSignature footer) about the Apache version and the modules in use.

The default (Full) would send something like this:

Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at demo

Does this make a difference? Well, yes. If we suppress that information it becomes harder for someone to pick an exploit that matches the install.

It does not make the actual install any more secure, but right now all someone has to do is look for an exploit in Debian Lenny, Apache 2.2.9 and so on. Why make it easy for them?

The options are (with example outputs):

Full: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at demo

OS: Apache/2.2.9 (Debian) Server

Minimal: Apache/2.2.9 Server

Minor: Apache/2.2 Server

Major: Apache/2 Server

Prod: Apache Server

It's up to you what level of info you want to give out. I prefer setting ServerTokens to Prod.

ServerSignature

Default:

ServerSignature On

Server-generated pages, such as 404 pages or directory listings, can contain a footer line that includes server information and, optionally, the ServerAdmin email address.

If you navigate to your Slice IP address and request a non-existent page, you will see a 404 Not Found page with the footer information:

[Image: Apache 404 page showing the ServerSignature footer]

The options are:

Off: Produces no footer

On: Produces footer information (at a level defined by the ServerTokens setting)

Email: Adds an email link to the information (email address is defined in the vhosts file with the ServerAdmin setting)

Keep in mind that many settings can be overridden by a virtual host file.

If you disable the ServerSignature in the 'security' config file, but a virtual host file has:

ServerSignature On

then the global setting is overridden and a footer will still be displayed on 404 pages, etc. for any sites served by that virtual host.
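The following script is an added example and is not part of the original article. It checks the two settings discussed above from the outside: it classifies a Server header (or signature footer string) into the ServerTokens level that produced it, using the example outputs listed earlier, and it lists every ServerTokens and ServerSignature directive under a config directory so that a virtual host override like the one just described is easy to spot. It assumes the footer suffix has the form 'Server at <host> Port <n>', that the OS token is a single parenthesised word such as '(Debian)', that Apache wraps the signature in an <address> element on its error pages, and that curl is installed for the live check.

```shell
#!/bin/sh
# Added example, not from the original article: verify ServerTokens and
# ServerSignature after editing /etc/apache2/conf.d/security.
# Assumptions: footer suffix "Server at <host> Port <n>", OS token is a
# single "(Debian)"-style word, signature sits in an <address> element.

# Map a Server header value or signature string to its ServerTokens level.
apache_tokens_level() {
    s=$1
    s=${s%% Server*}            # drop a "Server at demo Port 80" footer suffix
    product=${s%% *}            # first token, e.g. "Apache/2.2.9"
    rest=${s#"$product"}
    rest=${rest# }              # whatever follows, e.g. "(Debian) PHP/..."
    if [ -n "$rest" ]; then
        case "$rest" in
            *" "*) echo Full ;; # OS token plus a module list
            *)     echo OS ;;   # OS token only, e.g. "(Debian)"
        esac
        return
    fi
    version=${product#Apache/}
    if [ "$version" = "$product" ]; then
        echo Prod               # bare "Apache", no version at all
        return
    fi
    # Count the dots in the version: 0 -> Major, 1 -> Minor, 2 -> Minimal.
    dots=0
    tmp=$version
    while [ "${tmp#*.}" != "$tmp" ]; do
        dots=$((dots + 1))
        tmp=${tmp#*.}
    done
    case "$dots" in
        0) echo Major ;;
        1) echo Minor ;;
        *) echo Minimal ;;
    esac
}

# Print every ServerTokens / ServerSignature directive under a config
# directory: the global 'security' file plus any virtual host overrides.
list_server_directives() {
    grep -rniE '^[[:space:]]*Server(Tokens|Signature)[[:space:]]' "$1"
}

# Query a live server: report the Server header, the level it implies,
# and whether a 404 page still carries the ServerSignature footer.
check_live_server() {
    url=${1%/}
    header=$(curl -sI --max-time 10 "$url/" | tr -d '\r' |
             awk -F': ' 'tolower($1) == "server" { print $2 }')
    echo "Server header  : $header"
    echo "ServerTokens   : $(apache_tokens_level "$header")"
    if curl -s --max-time 10 "$url/no-such-page-$$" | grep -q '<address>'; then
        echo "ServerSignature: footer present on 404 page"
    else
        echo "ServerSignature: no footer on 404 page"
    fi
}

# Constructed samples: the article's example output for each level.
for sample in \
    "Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch Server at demo" \
    "Apache/2.2.9 (Debian) Server" \
    "Apache/2.2.9 Server" \
    "Apache/2.2 Server" \
    "Apache/2 Server" \
    "Apache Server"
do
    printf '%-8s <- %s\n' "$(apache_tokens_level "$sample")" "$sample"
done

# Only touch the network when a URL is passed on the command line.
if [ $# -gt 0 ]; then
    check_live_server "$1"
fi
```

Run it with no arguments to see the classification of the sample strings, or pass a URL (for example the slice's IP address) to query the running server. To look for overrides, call list_server_directives /etc/apache2 and compare the values in conf.d/security with anything reported from sites-enabled.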

Summary

The steps in this article are simple ones, but I believe they are quite useful: they improve the efficiency of your Slice and contribute to its overall security.

Ben B

Article Comments:

Davo commented Mon Jun 29 00:06:48 UTC 2009:

I can't seem to access the security file at /etc/apache2/conf.d/security. I just keep getting a permission denied comment. Please advise.

Andy commented Thu Jul 02 12:05:17 UTC 2009:

@Davo type sudo first :o)

sudo nano /etc/apache2/conf.d/security

Neodolphin commented Tue Jul 07 19:50:31 UTC 2009:

First, great article :) In the security part you don't speak about "Allow TRACE method", it would be nice to tell something about it

Greg Halse commented Wed Dec 16 11:52:29 UTC 2009:

Forbidden You don't have permission to access / on this server.


Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny3 with Suhosin-Patch modssl/2.2.9 OpenSSL/0.9.8g modperl/2.0.4 Perl/v5.10.0 Server at ski.com.au Port 80

All that I'm trying to do is open the web site not hack into it.

kelvin commented Sat Jan 22 22:38:11 UTC 2011:

what could be the cause of Index of / Name Last modified Size Description


Advocates.html 23-Jan-2011 01:10 2.0K Clients.html 23-Jan-2011 01:10 11K Index.html 23-Jan-2011 01:10 18K Publication.html 23-Jan-2011 01:10 15K Service.html 23-Jan-2011 01:10 20K images/ 23-Jan-2011 01:11 -


Apache/2.2.9 (Debian) mod_ssl/2.2.9 OpenSSL/0.9.8g Server at www.raffrutsolicitor.ru Port 80

Jered commented Mon Jan 24 20:52:15 UTC 2011:

Kevin, the filesystem on your slice is case-sensitive, meaning that it treats "index.html" as being a different name from "Index.html". It looks like you'll either want to rename Index.html to make the name all lower-case or add "Index.html" to the DirectoryIndex setting.
