Securing Apache Checklist

This is a small checklist of how to secure the Apache webserver. I wrote this mostly for my own personal use, but I hope it proves useful for others, too. For any suggestions or comments, please feel free to contact me.

Note: This is work in progress. More content will be added as time permits.

The checklist:

  • First step: Secure the operating system. On an insecure operating system, you can't have a secure webserver.
  • Run Apache under a distinct user and group (e.g. www-data:www-data). Do not run it as root:root or nobody:nogroup!
    User www-data
    Group www-data
  • Only enable those Apache modules (using the AddModule directive) which are absolutely necessary. Disable all others.
    These are the minimum requirements for a basic Apache install:

    • httpd_core - Core Module
    • mod_access - For Allow, Deny and Order directives
    • mod_auth - For HTTP Basic Authentication
    • mod_dir - For using index files like index.html
    • mod_log_config - For logging
    • mod_mime - For character set, content-encoding, content-language, and MIME types of documents

    Especially dangerous modules which should be disabled: mod_autoindex and mod_info.

  • Don't display more information about the webserver, its version and configuration than absolutely necessary:
    ServerSignature Off
    ServerTokens Prod
  • First, deny access to everything. Then, explicitly allow access for only those directories you need to.
    <Directory />
    Order deny,allow
    Deny from all
    </Directory>
    <Directory "/var/www/www.example.com">
    Order allow,deny
    Allow from all
    </Directory>
  • If you're paranoid, don't run Apache on port 80, but choose another port. Problem: Your users must know the port.
  • If possible, run Apache in a chroot.

Further Readings