Setup Time: Configuring Apache
Configuring a web server is like configuring an email or DNS server — small changes can have unforeseen consequences. Most web security problems are caused by configuration errors rather than exploits of the Apache code.
Apache Configuration Files
I mentioned that Apache’s configuration files could be found under /etc/httpd/conf, /usr/local/apache/conf, or some less well-lit place. The most prominent file is httpd.conf, but you will also see access.conf and srm.conf. These are historic remnants from the original NCSA web server. You can put any of Apache’s configuration directives in any of these files. In practice, people usually throw everything into httpd.conf. If you’d like to separate security-related directives from others, put them in access.conf. This has some advantages: access.conf is smaller, an editing error won’t break everything else, and security settings are more visible. But everything will work fine if you make your changes in httpd.conf.
Tip
There are also GUI tools to modify the Apache configuration, such as Red Hat’s X-based Apache Configuration Tool or the web-based webmin. Here, we’ll do it the old-fashioned text way and supply more information in place of screenshots.
Any time you change Apache’s configuration, check it before restarting the server:
# apachectl configtest
If this succeeds, start Apache:
# apachectl start
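The check-then-start sequence above can be scripted so that a bad edit to a file such as access.conf never stays in place. This is an added example, not code from the book; the function name apply_conf and the APACHECTL and ACTION variables are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: install an edited config file only if `apachectl configtest`
# accepts it; otherwise put the previous file back and leave Apache alone.
# APACHECTL and ACTION are hypothetical knobs so the control program and the
# final step can be swapped (for instance "restart" on a running server).
APACHECTL="${APACHECTL:-apachectl}"
ACTION="${ACTION:-start}"

# apply_conf CANDIDATE TARGET
#   CANDIDATE: edited working copy (e.g. a copy of access.conf)
#   TARGET:    live file in Apache's conf directory
# Returns 0 if installed and ACTION succeeded, 1 if configtest rejected the
# edit and the old file was restored, 2 on usage or copy errors.
apply_conf() {
    candidate=$1
    target=$2
    if [ ! -f "$candidate" ] || [ -z "$target" ]; then
        echo "usage: apply_conf CANDIDATE TARGET" >&2
        return 2
    fi

    # Keep the current live file so a failed check can be undone.
    backup="$target.bak.$$"
    had_original=no
    if [ -f "$target" ]; then
        cp -p "$target" "$backup" || return 2
        had_original=yes
    fi

    cp "$candidate" "$target" || return 2

    if "$APACHECTL" configtest; then
        rm -f "$backup"
        "$APACHECTL" "$ACTION"
        return $?
    fi

    # configtest failed: restore the previous state and do not touch the server.
    echo "configtest failed; restoring $target" >&2
    if [ "$had_original" = yes ]; then
        mv "$backup" "$target"
    else
        rm -f "$target"
    fi
    return 1
}
```

Note that configtest only checks syntax; a directive that parses cleanly can still weaken access controls, so the edit itself still needs review.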
Before starting Apache, let’s see how secure we can make it.
Configuration Options
To see what options your ...