Configuring a web server is like configuring an email or DNS server — small changes can have unforeseen consequences. Most web security problems are caused by configuration errors rather than exploits of the Apache code.
mentioned that Apache’s configuration files could be
/usr/local/apache/conf, or some less well-lit
place. The most prominent file is
but you will also see
srm.conf. These are historic remnants from the
original NCSA web server. You can put any of
Apache’s configuration directives in any of these
files. In practice, people usually throw everything into
. If you’d like to
separate security-related directives from others, put them in
. This has some advantages:
access.conf is smaller, an editing error
won’t break everything else, and security settings
are more visible. But everything will work fine if you make your
There are also GUI tools to modify the Apache configuration, such as Red Hat’s X-based Apache Configuration Tool or the web-based webmin. Here, we’ll do it the old-fashioned text way and supply more information in place of screenshots.
Any time you change Apache’s configuration, check it before restarting the server:
# apachectl configtest
If this succeeds, start Apache:
# apachectl start
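The check-then-start sequence above can be wrapped so that a failed configtest also restores the previous file. This is an added example, not code from the original text; the function names, the APACHECTL variable and the file paths in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): install an edited config file,
# run "apachectl configtest", and roll back if the test fails.
# APACHECTL, apply_conf and apply_and_start are hypothetical names.
APACHECTL="${APACHECTL:-apachectl}"

# apply_conf CANDIDATE LIVE
#   0 = candidate installed and configtest passed
#   1 = configtest failed, previous LIVE file restored
#   2 = could not read or copy a file
apply_conf() {
    candidate=$1
    live=$2
    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    backup="$live.bak.$$"
    had_live=0
    if [ -e "$live" ]; then
        # Keep owner, mode and timestamps of the working file.
        cp -p "$live" "$backup" || return 2
        had_live=1
    fi

    cp "$candidate" "$live" || return 2

    if "$APACHECTL" configtest; then
        rm -f "$backup"
        return 0
    fi

    # Syntax check failed: put the known-good file back before anything restarts.
    if [ "$had_live" -eq 1 ]; then
        mv "$backup" "$live"
    else
        rm -f "$live"
    fi
    echo "configtest failed; restored previous $live" >&2
    return 1
}

# apply_and_start CANDIDATE LIVE: start Apache only if the new file passes.
apply_and_start() {
    apply_conf "$1" "$2" && "$APACHECTL" start
}

# Usage (paths are placeholders):
#   apply_and_start ./access.conf.new /path/to/conf/access.conf
```
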
Before starting Apache, let’s see how secure we can make it.
To see what options your ...