[PLUG] Configuring Apache modules for better security

Keith Lofstrom keithl at kl-ic.com
Thu Jan 27 00:50:57 UTC 2011


> On Fri, 21 Jan 2011, Keith Lofstrom wrote:
> >I'm cleaning up the config, removing stuff I don't really need. Ivan 
> >Ristic's book "Apache Security" has been helpful, and he makes many 
> >good suggestions, such as minimizing the modules loaded.  Sounds 
> >good, my apache config loads way too many modules.  But it is 
> >unclear which modules are actually being used by my web apps.  Is 
> >there an easy way to find out? Or do I just try all the features of 
> >all the apps, while pulling out modules and looking for breakage?

Thanks to all who replied.  After cleaning up various stanzas of
httpd.conf, taking out some of the unsupported internationalization,
and taking some unneeded configurations out of conf.d (I don't
use AJP(?) or PHP), I started yanking modules, putting them
back when the apache syntax checker complained (thanks, Paul).
In some cases, I removed unneeded portions of httpd.conf that
used those modules.

I constructed a links-testing webpage on one of my other servers,
with links to the websites and wikis and svn and mailman URLs
running on the server - about 50 things to click and look at.
The old (soon to be removed) kwiki sites ran very slow, so I
turned the caching back on.  A passworded URL complained, so
I added mod_auth_basic back.  There may be some other breakage
lurking there, perhaps some odd feature associated with
subversion, but everything seems to be OK OK OK OK OK OK ... :-)

So, the httpd.conf file is half its former size (I did save the
original) and I am using only 16 of the 57 modules the original
distro version called for.  I hope this will make apache a little
more secure, faster, and reduce the memory footprint somewhat.

I'm not going to post what I still use to the list (the bad guys
are watching) but I can discuss what I did and why by private email.

Next task: setting up an HTTPS virtual site, using all the good
suggestions I've gotten here about getting cheap certs.  Mostly
this will be for a form that people can use to send me secret
stuff (passwords, zip keys, etc) without relying on their
(lack of) knowledge of encryption or certificate management.

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
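The module-pruning loop described above (pull a module, run the syntax checker, click through a page of ~50 links, put the module back when something breaks) can be scripted so the "click and look" step is repeatable after every change. The script below is an added example, not code from the original post or from the Apache project. It records the HTTP status and response time for each URL in a plain-text list before any modules are removed, then re-runs the list and reports URLs whose status changed or that got markedly slower (the slow-kwiki case). A passworded URL answering 401 is treated as a correct baseline rather than a failure, so only a change in that answer is flagged. The file names, URL list format and the sample results in SAMPLE_BASELINE/SAMPLE_CURRENT are constructed for illustration; the real commands for the other half of the loop are `apachectl configtest` (syntax check) and `apachectl -M` (list loaded modules).

```python
"""Before/after link regression check for an Apache module cleanup.

Added example (not from the original post). Assumes a text file with one URL
per line ('#' starts a comment) and that HTTP status plus response time are
enough to notice breakage. Usage:

    python check_links.py record urls.txt baseline.json   # before pruning
    python check_links.py check  urls.txt baseline.json   # after each change
"""
import json
import sys
import time
import urllib.error
import urllib.request


def read_urls(text):
    """Parse the URL list: strip blanks and '#' comment lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            out.append(line)
    return out


def fetch(url, timeout=10):
    """Return (status, seconds) for one URL. A 401/403/404 is still a real
    answer from the server, so it is kept as the status; connection-level
    failures become status 0."""
    t0 = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    except (urllib.error.URLError, OSError):
        status = 0
    return status, time.monotonic() - t0


def compare(baseline, current, slow_factor=3.0, min_secs=0.5):
    """Compare two {url: (status, seconds)} maps.

    Flags a URL when its status differs from the baseline, or when it is
    both slower than slow_factor times the baseline AND slower than
    min_secs (so tiny absolute changes are ignored). Returns a list of
    (url, reason); an empty list means no regression."""
    problems = []
    for url, (b_status, b_secs) in baseline.items():
        if url not in current:
            problems.append((url, "not rechecked"))
            continue
        c_status, c_secs = current[url]
        if c_status != b_status:
            problems.append((url, f"status {b_status} -> {c_status}"))
        elif c_secs > max(min_secs, slow_factor * b_secs):
            problems.append((url, f"slow: {b_secs:.2f}s -> {c_secs:.2f}s"))
    return problems


# Constructed sample data mirroring the post: a wiki that became slow once
# caching was off, and a passworded URL that stopped answering 401.
SAMPLE_BASELINE = {
    "http://example.org/wiki/": (200, 0.30),
    "http://example.org/private/": (401, 0.05),
    "http://example.org/svn/": (200, 0.10),
}
SAMPLE_CURRENT = {
    "http://example.org/wiki/": (200, 2.40),
    "http://example.org/private/": (500, 0.04),
    "http://example.org/svn/": (200, 0.12),
}


def main(argv):
    if len(argv) != 4 or argv[1] not in ("record", "check"):
        print(__doc__)
        return 2
    mode, url_file, baseline_file = argv[1:]
    with open(url_file) as fh:
        urls = read_urls(fh.read())
    results = {u: fetch(u) for u in urls}
    if mode == "record":
        with open(baseline_file, "w") as fh:
            json.dump(results, fh, indent=1)
        print(f"recorded {len(results)} URLs")
        return 0
    with open(baseline_file) as fh:
        baseline = {u: tuple(v) for u, v in json.load(fh).items()}
    problems = compare(baseline, results)
    for url, reason in problems:
        print(f"REGRESSION {url}: {reason}")
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run `record` once against the untouched configuration, then `check` after each module removal; a non-zero exit means put the module back (or find the directive in httpd.conf or an .htaccess file that still needs it). Comparing against a recorded baseline rather than requiring 200s everywhere is what keeps password-protected and redirecting URLs from showing up as false alarms.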
