Apache2: Unterschied zwischen den Versionen

Aus crazylinux.de
Zur Navigation springen Zur Suche springen
Keine Bearbeitungszusammenfassung
Keine Bearbeitungszusammenfassung
Zeile 1: Zeile 1:
als Webserver verwenden wir Apache2 mit PHP4, mod_security, mod_deflate und ZendOptimizer
als Webserver verwenden wir Apache2 mit PHP4, mod_security, mod_auth_pam, mod_deflate und ZendOptimizer. Desweiteren lassen wir die Logfiles nach einem Tag rotieren. Rotiert wird nach UTC, d.h. wir müssen eine Stunde wieder abziehen (-60).


/etc/apache2/mods-avaible/mod-security.conf
==virt. Host==
<pre>
bsp site-conf /etc/apache2/sites-available/xxxtemplate:
<IfModule mod_security.c>


Listen 62.146.xxx.xxx:80
<VirtualHost 62.146.xxx.xxx:80>
        ServerAdmin webmaster@xxx
        ServerName www.xxxx
        ServerAlias xxxx2
        DocumentRoot /home/www/xxxx/htdocs
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        ErrorLog "|/usr/sbin/rotatelogs /home/www/xxxx/logs/error.log.%Y.%m.%d 86400 -60"
        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn
        CustomLog "|/usr/sbin/rotatelogs /home/www/xxxx/logs/access.log.%Y.%m.%d 86400 -60" combined
</VirtualHost>
==Verzeichnisschutz/mod_auth_pam==
Für den Verzeichnisschutz verwenden wir mod_auth_pam, d.h. wir können die gleichen Logindaten wie am System nutzen. Damit man eine Gruppe nutzen kann, wird
libapache2-mod-auth-sys-group benötigt!
eine bsp. .htaccess:
AuthPAM_Enabled on
AuthType Basic
AuthName "secure area"
require group staff
==mod_security==
/etc/apache2/mods-avaible/mod-security.conf:
<IfModule mod_security.c>
     # Turn the filtering engine On or Off
     # Turn the filtering engine On or Off
     SecFilterEngine On
     SecFilterEngine On
     # Make sure that URL encoding is valid
     # Make sure that URL encoding is valid
     SecFilterCheckURLEncoding On
     SecFilterCheckURLEncoding On
     # Only allow bytes from this range
     # Only allow bytes from this range
     SecFilterForceByteRange 1 255
     SecFilterForceByteRange 1 255
     # The audit engine works independently and
     # The audit engine works independently and
     # can be turned On of Off on the per-server or
     # can be turned On of Off on the per-server or
     # on the per-directory basis
     # on the per-directory basis
     SecAuditEngine RelevantOnly
     SecAuditEngine RelevantOnly
     # The name of the audit log file
     # The name of the audit log file
     SecAuditLog /var/log/apache2/audit_log
     SecAuditLog /var/log/apache2/audit_log
     SecFilterDebugLog /var/log/apache2/modsec_debug_log
     SecFilterDebugLog /var/log/apache2/modsec_debug_log
     SecFilterDebugLevel 0
     SecFilterDebugLevel 0
     # Should mod_security inspect POST payloads
     # Should mod_security inspect POST payloads
     SecFilterScanPOST On
     SecFilterScanPOST On
     # Action to take by default
     # Action to take by default
     SecFilterDefaultAction "deny,log,status:406"
     SecFilterDefaultAction "deny,log,status:406"
Zeile 33: Zeile 56:
     SecFilter /etc/ password
     SecFilter /etc/ password
     SecFilter /bin/ ls
     SecFilter /bin/ ls
     # Prevent path traversal (..) attacks
     # Prevent path traversal (..) attacks
     SecFilter "\.\./"
     SecFilter "\.\./"
     # Weaker XSS protection but allows common HTML tags
     # Weaker XSS protection but allows common HTML tags
     SecFilter "<( |\n)*script"
     SecFilter "<( |\n)*script"
     # Prevent XSS atacks (HTML/Javascript injection)
     # Prevent XSS atacks (HTML/Javascript injection)
     #SecFilter "<(.|\n)+>"
     #SecFilter "<(.|\n)+>"
</IfModule>
</IfModule>
</pre>
 
==mod_php==
Aus Sicherheitsgründen vestecken wir die PHP-Version im HTTP-Header /etc/php4/apache2/php.ini
expose_php = off
memory_limit = 50M      ; Maximum amount of memory a script may consume (8MB)
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/lib/php4/Zend/lib/Optimizer-2.5.10
zend_extension_manager.optimizer_ts=/usr/lib/php4/Zend/lib/Optimizer_TS-2.5.10
zend_optimizer.version=2.5.10a
#zend_extension=/usr/lib/php4/Zend/lib/ZendExtensionManager.so
zend_extension=/usr/lib/php4/20020429/php_accelerator_1.3.3r2.so
#zend_extension_ts=/usr/lib/php4/Zend/lib/ZendExtensionManager_TS.so
phpa.ignore_files ="graph_image.php"
phpa.shm_user = www-data
phpa.shm_group = www-data
 




==Links==
==Links==
http://www.outoforder.cc/projects/apache/mod_log_sql/
http://httpd.apache.org/docs/2.0/programs/rotatelogs.html<br>
http://turck-mmcache.sourceforge.net/
http://www.php-accelerator.co.uk/<br>
[http://mambo.edes.at/index.php?option=com_docman&Itemid=30&task=view_category&catid=81&order=dmdate_published&ascdesc=DESC,''PHPACA Web Front End'']

Version vom 5. November 2005, 18:23 Uhr

als Webserver verwenden wir Apache2 mit PHP4, mod_security, mod_auth_pam, mod_deflate und ZendOptimizer. Desweiteren lassen wir die Logfiles nach einem Tag rotieren. Rotiert wird nach UTC, d.h. wir müssen eine Stunde wieder abziehen (-60).

virt. Host

bsp site-conf /etc/apache2/sites-available/xxxtemplate:

Listen 62.146.xxx.xxx:80
<VirtualHost 62.146.xxx.xxx:80>
       ServerAdmin webmaster@xxx
       ServerName www.xxxx
       ServerAlias xxxx2
       DocumentRoot /home/www/xxxx/htdocs
       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>
       ErrorLog "|/usr/sbin/rotatelogs /home/www/xxxx/logs/error.log.%Y.%m.%d 86400 -60"
       # Possible values include: debug, info, notice, warn, error, crit,
       # alert, emerg.
       LogLevel warn
       CustomLog "|/usr/sbin/rotatelogs /home/www/xxxx/logs/access.log.%Y.%m.%d 86400 -60" combined
</VirtualHost>

Verzeichnisschutz/mod_auth_pam

Für den Verzeichnisschutz verwenden wir mod_auth_pam, d.h. wir können die gleichen Logindaten wie am System nutzen. Damit man eine Gruppe nutzen kann, wird libapache2-mod-auth-sys-group benötigt!

eine bsp. .htaccess:

AuthPAM_Enabled on
AuthType Basic
AuthName "secure area"
require group staff

mod_security

/etc/apache2/mods-avaible/mod-security.conf:

<IfModule mod_security.c>
   # Turn the filtering engine On or Off
   SecFilterEngine On
   # Make sure that URL encoding is valid
   SecFilterCheckURLEncoding On
   # Only allow bytes from this range
   SecFilterForceByteRange 1 255
   # The audit engine works independently and
   # can be turned On of Off on the per-server or
   # on the per-directory basis
   SecAuditEngine RelevantOnly
   # The name of the audit log file
   SecAuditLog /var/log/apache2/audit_log
   SecFilterDebugLog /var/log/apache2/modsec_debug_log
   SecFilterDebugLevel 0
   # Should mod_security inspect POST payloads
   SecFilterScanPOST On
   # Action to take by default
   SecFilterDefaultAction "deny,log,status:406"
   # Prevent OS specific keywords
   SecFilter /etc/ password
   SecFilter /bin/ ls
   # Prevent path traversal (..) attacks
   SecFilter "\.\./"
   # Weaker XSS protection but allows common HTML tags
   SecFilter "<( |\n)*script"
   # Prevent XSS atacks (HTML/Javascript injection)
   #SecFilter "<(.|\n)+>"
</IfModule>

mod_php

Aus Sicherheitsgründen vestecken wir die PHP-Version im HTTP-Header /etc/php4/apache2/php.ini

expose_php = off
memory_limit = 50M      ; Maximum amount of memory a script may consume (8MB)
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer=/usr/lib/php4/Zend/lib/Optimizer-2.5.10
zend_extension_manager.optimizer_ts=/usr/lib/php4/Zend/lib/Optimizer_TS-2.5.10
zend_optimizer.version=2.5.10a
#zend_extension=/usr/lib/php4/Zend/lib/ZendExtensionManager.so
zend_extension=/usr/lib/php4/20020429/php_accelerator_1.3.3r2.so
#zend_extension_ts=/usr/lib/php4/Zend/lib/ZendExtensionManager_TS.so
phpa.ignore_files ="graph_image.php"
phpa.shm_user = www-data
phpa.shm_group = www-data


Links

http://httpd.apache.org/docs/2.0/programs/rotatelogs.html
http://www.php-accelerator.co.uk/
PHPACA Web Front End