Security configurations for Apache

In this tutorial we will show how to set up additional security configurations for your PHP application hosted on the Apache application server.

There are two ways to set up your main security configurations:

  • make changes in the main configuration file of Apache (httpd.conf)
  • create a special .htaccess file, which contains one or more configuration directives and is placed inside your application directory

The directives in that file can override a subset of the server's global configuration for the directory it is placed in and all subdirectories thereof. What you can put in this file is determined by the AllowOverride directive.

AllowOverride is valid only in <Directory> sections specified without regular expressions. When this directive is set to None, .htaccess files are completely ignored. When it is set to All, any directive that has the .htaccess Context is allowed in .htaccess files.

Let's examine each kind of security configuration you can apply in order to protect your application:

A. Setting Up the Authentication Request

To require authentication for your whole Apache application, or only for a separate directory in it, follow these steps.

  1. Generate a hash from your password. For that you can use any htpasswd tool or an online service (for example, http://www.htpasswdgenerator.net/).
  2. Create a simple text file containing the previously generated hash.
  3. Click the Config button for your server.
  4. Upload the created file to the /var/www/webroot/ROOT folder.

In the /etc/httpd/conf folder, open the httpd.conf file (or the .htaccess file, if you use one) and perform the following configuration:

  • authentication for the whole application

    Add the following strings to the Directory section, as shown in the image below:

    AuthName "Restricted area"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /var/www/webroot/ROOT/.htpasswd
    Require valid-user

    (image: apache authentication)

  • authentication for a separate directory

    Add the following Location strings, stating the path to the required directory:

    <Location /directory_path>
    AuthName "Restricted area"
    AuthType Basic
    AuthBasicProvider file
    AuthUserFile /var/www/webroot/ROOT/.htpasswd
    Require valid-user
    </Location>

    (image: apache directory authentication)

5. Save the changes and restart the Apache server.

Note: if you use the httpd.conf file for your security configuration, you need to restart Apache after every change to it. If you use .htaccess files instead, changes take immediate effect, because these files are read on every request.

As a result, a user accessing the application or the protected directory will be asked to authenticate.

(image: authentication required)
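The following script is an added example, not part of the tutorial or of Jelastic's tooling: it generates the .htpasswd entries from steps 1 and 2 locally (so the password never has to be typed into a third-party web site), writes the file with restrictive permissions, and verifies a user/password pair the way Apache's file provider does. It uses the {SHA} scheme that `htpasswd -s` produces because that needs only the Python standard library; for real deployments prefer `htpasswd -B` (bcrypt), which this script does not generate or verify. The user names and passwords are constructed sample values; the target path in production would be the /var/www/webroot/ROOT/.htpasswd file referenced by AuthUserFile above.

```python
"""Create an .htpasswd file for 'AuthBasicProvider file' and verify credentials against it.

Added example. Entries use the {SHA} scheme (same format as `htpasswd -s`):
    user:{SHA}base64(sha1(password))
bcrypt ($2y$) and MD5 ($apr1$) entries, which htpasswd can also produce, are
deliberately not handled here.
"""
import base64
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha_entry(user: str, password: str) -> str:
    """One htpasswd line in the {SHA} format."""
    if not user or ":" in user:
        raise ValueError("user name must be non-empty and must not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def write_htpasswd(path: Path, users: dict) -> Path:
    """Write one entry per user; mode 0640 keeps the hashes from other local users."""
    path.write_text("".join(sha_entry(u, p) + "\n" for u, p in users.items()), encoding="utf-8")
    path.chmod(0o640)
    return path


def verify(htpasswd_text: str, user: str, password: str) -> bool:
    """Check a user/password pair against {SHA} entries, using a constant-time compare."""
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, stored = line.split(":", 1)
        if name != user:
            continue
        if not stored.startswith("{SHA}"):
            return False  # other schemes are not implemented in this example
        candidate = sha_entry(user, password).split(":", 1)[1]
        return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))
    return False  # unknown user


def demo() -> tuple:
    """Round trip on constructed users: right password, wrong password, unknown user."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_htpasswd(Path(tmp) / ".htpasswd",
                              {"alice": "correct horse", "bob": "battery staple"})
        text = path.read_text(encoding="utf-8")
    return (verify(text, "alice", "correct horse"),
            verify(text, "alice", "battery staple"),
            verify(text, "eve", "correct horse"))


if __name__ == "__main__":
    print(demo())
```

Because the tutorial places .htpasswd inside /var/www/webroot/ROOT, which Apache also serves, make sure the server's default rule that refuses to serve files whose names begin with `.ht` is still present in httpd.conf; otherwise the hash file itself becomes downloadable.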

B. Security Through Setting Up Criteria

You can protect your application by setting up different access criteria, for example, allowing or denying access by IP address or domain.

  1. The Allow and Deny directives are used to specify which clients are or are not allowed to access the server, while the Order directive sets the default access state, and configures how the Allow and Deny directives interact with each other. The Order directive controls a three-pass access control system. The first pass processes either all Allow or all Deny directives, as specified by the Order directive. The second pass parses the rest of the directives (Deny or Allow). The third pass applies to all requests which do not match either of the first two.

  2. There are three types of ordering:
    • Allow,Deny
      First, all Allow directives are evaluated; at least one must match, or the request is rejected.
      Next, all Deny directives are evaluated. If any matches, the request is rejected.
      Last, any requests which do not match an Allow or a Deny directive are denied by default.
    • Deny,Allow
      All Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    • Mutual-failure
      This order has the same effect as Order Allow,Deny and is deprecated in its favor.

  3. Navigate to the /etc/httpd/conf folder and open the httpd.conf or .htaccess file.
  4. To set up, for example, IP access criteria, add the necessary directives as shown below. To deny access to:
    • the whole application

      Modify the Directory section by adding the following strings, as shown in the image:

      Order Allow,Deny
      Allow from xx.xx.xx.x
      Deny from all

      (image: access deny apache)

    • a separate directory

      Modify the Directory section by stating the path to the required directory and adding the following strings, as shown in the image:

      Order Allow,Deny
      Allow from xx.xx.xx.x
      Deny from all

      (image: deny access ip)

  5. Save the changes and restart the Apache server.

As a result, a user with any IP except the allowed ones will see a 403 error when trying to open your application.

Note:
  • Denying access by IP makes sense only if you use the Public IP feature.
  • Access restrictions by criteria and password-based authentication may be used simultaneously. In that case, the Satisfy directive determines how the two sets of restrictions interact. You can find more information here.

C. Configuring mod_security Module

mod_security is a super handy Apache module which provides such abilities as simple filtering, URL and Unicode encoding validation, auditing, null byte attack prevention, upload memory limits, server identity masking, built-in chroot support and many more.

This module is available in Jelastic by default and can be configured via /etc/httpd/conf.d/mod_security.conf file.

(image: modsecurity)


Here you can edit the default configurations or add your own custom ones.

For example, you can add extra ModSecurity rules by uploading them to the /etc/httpd/modsecurity.d folder (e.g. modsecurity_crs_11_brute_force.conf).

(image: modsecurity rules)

Rules uploaded to the modsecurity.d or activated_rules folder are activated automatically, without any extra settings. This is configured by the following default parameters in the /etc/httpd/conf.d/mod_security.conf file:

Include modsecurity.d/*.conf
Include modsecurity.d/activated_rules/*.conf

D. Hide Apache Server Version

With the default configuration, the Apache server version is usually shown publicly. As a result, information about the version of your Apache and operating system, or even details about the installed Apache modules, can be used to perform an attack.

To avoid this, Jelastic automatically adds the following configuration to your httpd.conf file:
  • ServerSignature Off - shows a 404 page instead of directory listings and other such pages generated by Apache
  • ServerTokens Prod - determines the Apache Server HTTP response header; with the Prod value the HTTP response header will be as follows - Server: Apache
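A quick way to confirm the two settings took effect is to inspect a raw response from the server, for example a deliberately requested 404 page. The checker below is an added example and not part of the tutorial: it flags a Server header that carries anything beyond the bare product name (version, OS in parentheses, module or PHP versions) and a server-generated page that still carries the `<address>... Server at ...</address>` footer that ServerSignature On appends. Both sample responses are constructed; the version strings in them are illustrative, not Jelastic's.

```python
"""Check a captured HTTP response for Apache version disclosure (added example)."""
import re

# Anything beyond "Apache": a version ("/2"), an OS in parentheses, a module list.
SERVER_DETAIL = re.compile(r"/\d|\(|mod_|PHP", re.IGNORECASE)
# Footer that ServerSignature On adds to error pages and directory listings.
SIGNATURE_FOOTER = re.compile(r"<address>.*?Server at.*?</address>", re.IGNORECASE | re.DOTALL)


def split_response(raw: str):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def version_leaks(raw: str) -> list:
    """Return a list of findings; empty means the response discloses nothing."""
    _status, headers, body = split_response(raw)
    findings = []
    server = headers.get("server", "")
    if SERVER_DETAIL.search(server):
        findings.append(f"Server header reveals details: {server!r} (set ServerTokens Prod)")
    if SIGNATURE_FOOTER.search(body):
        findings.append("page carries a server signature footer (set ServerSignature Off)")
    return findings


# Constructed sample responses: a default install versus the hardened settings.
LEAKY = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.15 (CentOS) PHP/5.4.16\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>"
    "<address>Apache/2.2.15 (CentOS) Server at example.com Port 80</address>"
    "</body></html>"
)
HARDENED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1></body></html>"
)

if __name__ == "__main__":
    for label, sample in (("default", LEAKY), ("hardened", HARDENED)):
        print(label, version_leaks(sample) or "no disclosure")
```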