Apache Web Server Security Configuration

Some Apache basic info you need to know:

Document root Directory: /var/www/html or /var/www
Configuration file: /etc/httpd/conf/httpd.conf (RHEL/CentOS/Fedora) and /etc/apache/apache2.conf (Debian/Ubuntu).
Default HTTP port: 80 TCP
Default HTTPS port: 443 TCP
Check out configuration file by command: httpd -t
Access log: /var/log/httpd/access_log
Error log: /var/log/httpd/error_log
Restart Apache: service httpd restart
Edit httpd.conf by installed editor you have on your system such as: vi, vim, …

Add these lines into httpd.conf

ServerSignature Off
ServerTokens Prod

And then reload Apache: service httpd reload

Add directive Options as bellow:

<Directory /var/www/html>
    Options -Indexes
</Directory>

Reload Apache: service httpd reload

Check out Apache version: httpd -v

Result will be shown as bellow:

Server version: Apache/2.2.15 (Unix)
Server built:   Aug 13 2013 17:29:28

Update Apache by command:

yum update httpd

or

apt-get install apache2

Checkout modules are using:

grep LoadModule /etc/httpd/conf/httpd.conf

If you want to disable modules, you just add # before module and restart Apache

Add this content into httpd.conf

<Directory />
   Options None
   Order deny,allow
   Deny from all
</Directory>

Options “None” – Not allow user setups configuration again (Ex: setup via .htaccess)
Order deny, allow – Order to read settings: deny first and then allow
Deny from all – Nobody is allowed access root folder

As default, Apache doesn’t limit request size. It means that Request size can be 1GB or lager.

In order setting as bellow, assume we limit file with 500KB

<Directory "/var/www/my_web/user_uploads">
   LimitRequestBody 512000
</Directory>

Refs