Apache HTTP Server

From Indie IT Wiki

HOWTO: Secure Apache SSL

sudo nano /etc/apache2/mods-available/ssl.conf

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

sudo service apache2 restart



HOWTO: Fix Error In Apache 2.4.3+ "Client Denied By Server Configuration"

Make sure you have this new Apache 2.4.3+ directive in your Virtual Host config:-

Require all granted

Thanks - http://stackoverflow.com/questions/10351167/apache-client-denied-by-server-configuration

HOWTO: Upgrade To Apache 2.4 On Ubuntu 12.04 LTS

sudo aptitude remove ~iapache
sudo apt-add-repository ppa:ondrej/apache2
sudo aptitude update
sudo aptitude install apache2
sudo aptitude install libapache2-mod-php5

HOWTO: Test POST Requests

curl -X POST http://www.website.co.uk/PAULLY.php

HOWTO: Stop POST Requests

First make sure the directory allows .htaccess overrides in your Virtual Host config...

<VirtualHost *:80>
  <Directory /var/www/site/unsafe>
    AllowOverride All
  </Directory>
</VirtualHost>

...then enable mod_rewrite...

sudo a2enmod rewrite

Add the following to a file called .htaccess in the web site root directory. This example shows a Contact Us PHP page which IS allowed to POST...

# deny all POST requests
<IfModule mod_rewrite.c>
  RewriteEngine On
  # only act on POST requests...
  RewriteCond %{REQUEST_METHOD} ^POST$
  # ...except the contact form handler, which is allowed below
  RewriteCond %{REQUEST_URI} !/contact_submit\.php$
  RewriteRule .* - [F,L]
</IfModule>
<LimitExcept GET HEAD>
  Order Allow,Deny
  Deny from all
</LimitExcept>
# allow the contact us page
<Files contact_submit.php>
  Order Allow,Deny
  Allow from all
</Files>

Restart Apache...

sudo service apache2 restart

HOWTO: Fix Error: The timeout specified has expired: SSL input filter read failed

If you see the following lines in your Apache logs...

The timeout specified has expired: SSL input filter read failed.

...then you need to do 2 things to fix it.

1. Change all your VirtualHost directives to a specific IP address instead of *:443...

<VirtualHost MY.IP.ADDRESS:443>

2. Add the following line to the end of each of your VirtualHost SSL port 443 directive blocks...

  SetEnv nokeepalive ssl-unclean-shutdown

Thanks - http://serverfault.com/questions/539961/apache-request-header-read-timeout-reverse-proxy

HOWTO: Convert Apache SSL Certificate to Windows IIS





HOWTO: Fix POODLEbleed Bug

SSLProtocol all -SSLv2 -SSLv3
SSLCompression off
SSLHonorCipherOrder On
BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Thanks - http://poodlebleed.com

HOWTO: Remove Unwanted Modules


List the modules currently loaded...

sudo apache2ctl -M

Disable the ones you do not need...

sudo a2dismod

Check the configuration still parses...

sudo apache2ctl configtest

Restart Apache...

sudo service apache2 restart

HOWTO: Generate SSL Certificate

Log in to your web server via SSH, create an 'ssl' directory, and then run the following.


su - root
mkdir ssl
cd ssl
openssl req -nodes -newkey rsa:2048 -keyout mydomain.key -out mydomain.csr -subj "/C=GB/ST=Kent/L=Folkestone/O=The Company Name/OU=IT/CN=mydomain.co.uk"

Now copy the text of the mydomain.csr file, log in to your SSLs.com account, and follow the prompts.


http://www.rosehosting.com/blog/set-up-ssl-encrypted-connection-in-postfix-dovecot-and-apache/ (Apache + Dovecot)


HOWTO: Install SSL Certificate


Comodo Positive SSL CA Bundle



HOWTO: Benchmark

ab -n 100 -c 10 http://your.domain.com/

HOWTO: Add The Missing HTPasswd Application

The application htpasswd is not installed by default. To add it, run this command...

sudo aptitude install apache2-utils

HOWTO: Stop Unwanted Unnecessary And Exploitable Cpanel Scripts

cd /usr/local/cpanel/cgi-sys/
chmod 0000 Formmail* formail* guestbook* Count*



HOWTO: Block w00tw00t Vulnerability Scanner

/sbin/iptables -I INPUT -d MY.IP.ADDRESS -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.' -j DROP
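As an added example (not from the wiki), this POSIX shell function finds the same scanner probes in an Apache access log and counts them per source, which is the defender-side check for whether the rule above is earning its keep. The log lines are constructed and use documentation IP ranges.

```shell
#!/bin/sh
# Added example (not from the wiki): spot w00tw00t scanner probes in an Apache
# access log. The log lines are constructed and use documentation IP ranges.
SAMPLE_LOG='203.0.113.5 - - [20/Oct/2013:23:40:01 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.7 - - [20/Oct/2013:23:40:05 +0000] "GET /index.html HTTP/1.1" 200 536 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Oct/2013:23:41:12 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 226 "-" "-"
192.0.2.9 - - [20/Oct/2013:23:42:30 +0000] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 404 209 "-" "-"
192.0.2.9 - - [20/Oct/2013:23:43:00 +0000] "POST /contact_submit.php HTTP/1.1" 200 12 "-" "curl/7.22"'

# w00tw00t_sources <log text> [min hits]
# Prints "<hits> <client ip>" for every client that requested a /w00tw00t. path at
# least <min hits> times (default 1), busiest first. In the combined log format the
# client IP is field 1 and the request path is field 7.
w00tw00t_sources() {
    printf '%s\n' "$1" | awk -v min="${2:-1}" '
        $7 ~ /^\/w00tw00t\./ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# w00tw00t_source_count <log text> [min hits]: number of distinct sources reported.
w00tw00t_source_count() {
    w00tw00t_sources "$1" "${2:-1}" | wc -l | tr -d ' '
}

# Stand-alone run: every source first, then only the repeat offenders.
w00tw00t_sources "$SAMPLE_LOG"
echo "--- sources with 2 or more hits ---"
w00tw00t_sources "$SAMPLE_LOG" 2
```

The iptables string match only sees cleartext on port 80, so the access log is where the same probes show up over HTTPS.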


HOWTO: Secure Tighten

  1. examine
  2. general
  3. mod_evasive
  4. mod_security
  5. testing


NEW - Use Kali Linux USB Distro - NEW

Download the Nikto software from here...


Unpack, and then update...

perl nikto.pl -update

Run your first test...

perl nikto.pl -h server.name

During a scan, you can press these keys...

SPACE - Report current scan status
v - Turn verbose mode on/off
d - Turn debug mode on/off
e - Turn error reporting on/off
p - Turn progress reporting on/off
r - Turn redirect display on/off
c - Turn cookie display on/off
o - Turn OK display on/off
a - Turn auth display on/off
q - Quit
N - Next host
P - Pause

How to fix common issues...

+ Server leaks inodes via ETags, header found with file /, inode: 1049636, size: 536, mtime: 0x4e6d13349dea4
+ The anti-clickjacking X-Frame-Options header is not present.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-562: /server-info: This gives a lot of Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/index.html: Admin login page/section found.


+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /icons/README, inode: 21637505, size: 5108, mtime: 0x438c0358aae80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 3 item(s) reported on remote host
+ End Time:           2013-10-20 23:44:09 (GMT0) (24 seconds)

Edit the Apache Server security file...

For Apache 2.2 on Debian/Ubuntu...

sudo nano /etc/apache2/conf.d/security

For CentOS/RHEL...

sudo nano /etc/httpd/conf/httpd.conf

For Apache 2.4 on Debian/Ubuntu...

sudo nano /etc/apache2/conf-enabled/security.conf

Add these lines at the bottom...

# Paully's Security Tweaks
Header unset ETag
FileETag None
Header always append X-Frame-Options SAMEORIGIN
ServerSignature Off
ServerTokens Prod
TraceEnable Off

Enable mod_headers...

sudo a2enmod headers

Reload Apache...

sudo service apache2 reload
service httpd restart

Retest with Nikto...

nikto -host
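As an added example (not part of the wiki), here is a POSIX shell audit that checks a config tree for the directives the Secure Apache SSL, POODLEbleed and Nikto-fix sections above prescribe, so you can verify them before the retest. The demo directories it builds are constructed; the grep patterns deliberately ignore commented-out lines.

```shell
#!/bin/sh
# Added example (not from the wiki): audit a config tree for the hardening
# directives this page's Secure SSL, POODLEbleed and Nikto-fix sections use.
# Only the demo directory layout is constructed; the directives are the page's own.

# One check per line: "<extended regex>|<description>". A check passes when some
# uncommented line in the tree matches it (Apache directives are case-insensitive).
# Kept simple on purpose: an explicit allow-list such as "SSLProtocol TLSv1.2" also
# disables SSLv3 but would be reported as missing here.
CHECKS='^[[:space:]]*SSLProtocol[[:space:]].*-SSLv2|SSLv2 disabled
^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3|SSLv3 disabled (POODLE)
^[[:space:]]*SSLCompression[[:space:]]+off|TLS compression off
^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on|server cipher order enforced
^[[:space:]]*ServerTokens[[:space:]]+Prod|ServerTokens Prod (no version banner)
^[[:space:]]*ServerSignature[[:space:]]+Off|ServerSignature Off
^[[:space:]]*TraceEnable[[:space:]]+Off|TRACE method disabled
^[[:space:]]*FileETag[[:space:]]+None|FileETag None (no inode leak)
^[[:space:]]*Header[[:space:]].*X-Frame-Options|X-Frame-Options header set'

# audit_apache_conf <config dir>: prints one "OK"/"MISSING" line per check.
audit_apache_conf() {
    printf '%s\n' "$CHECKS" | while IFS='|' read -r regex desc; do
        if grep -rEiq "$regex" "$1"; then printf 'OK       %s\n' "$desc"
        else printf 'MISSING  %s\n' "$desc"; fi
    done
}

# missing_count <config dir>: number of failed checks (0 means fully hardened).
missing_count() { audit_apache_conf "$1" | grep -c '^MISSING' || true; }

# make_demo_configs: constructed "weak" (stock-like) and "hardened" trees; prints the path.
make_demo_configs() {
    d=$(mktemp -d); mkdir -p "$d/weak" "$d/hardened"
    printf '%s\n' 'SSLProtocol all -SSLv2' '#SSLCompression off' 'ServerTokens OS' \
        > "$d/weak/ssl.conf"
    printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3 -TLSv1' 'SSLCompression off' \
        'SSLHonorCipherOrder On' > "$d/hardened/ssl.conf"
    printf '%s\n' 'Header unset ETag' 'FileETag None' \
        'Header always append X-Frame-Options SAMEORIGIN' 'ServerSignature Off' \
        'ServerTokens Prod' 'TraceEnable Off' > "$d/hardened/security.conf"
    printf '%s\n' "$d"
}

DEMO=$(make_demo_configs)
for tree in weak hardened; do
    echo "== $tree =="; audit_apache_conf "$DEMO/$tree"
    echo "missing: $(missing_count "$DEMO/$tree")"
done
rm -r "$DEMO"
```

Point audit_apache_conf at /etc/apache2 (or /etc/httpd) on a real server; it reads every file under the directory, so conf-enabled and mods-enabled are covered together.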

In order to prove the setup is working, a test file called test.php with the following content can be used:

<?php
// deliberately insecure test file: includes whatever path the query string names
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

It's supposed to be placed in the root of your web server, so that it can be accessed by http://yourserver.tld/test.php. To run the actual test, the following address will do:

http://yourserver.tld/test.php?secret_file=/etc/passwd

If the content of /etc/passwd is displayed, ModSecurity is not working. A working installation will show a “403 Forbidden” error message.


Another test...

http://yourserver.tld/?id='23' or '1'='1'

HOWTO: Check The Server CN (CommonName) Of Your SSL Certificate

openssl x509 -in server.crt -noout -subject

HOWTO: Redirect Whole Web Site To Secure

Method 1

Using mod_rewrite

Edit your .htaccess file and add the following block of code...

RewriteEngine On

# This checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on

# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e.  http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


Method 2

Using virtual hosts (using redirect)

NameVirtualHost *:80
<VirtualHost *:80>
   ServerName www.example.com
   Redirect permanent / https://secure.example.com/
</VirtualHost>

<VirtualHost _default_:443>
   ServerName secure.example.com
   DocumentRoot /usr/local/apache2/htdocs
   SSLEngine On
   # etc...
</VirtualHost>


keywords: apache, rewrite, redirect http, https

HOWTO: Hide Files In A Directory Listing

Add the following line to your .htaccess file...

IndexIgnore filename.ext *.ico

Thanks to http://www.ducea.com/2006/06/08/apache-tips-tricks/



HOWTO: Set Up WebDAV

Add the following to your Apache configuration (the <IfDefine DAV> block only takes effect when Apache is started with -D DAV)...

<IfDefine DAV>
<IfModule mod_dav.c>
   LimitXMLRequestBody 131072
   Alias /dav "/var/www/dav"
   <Directory /var/www/dav>
       Dav On
       Options +Indexes
       IndexOptions FancyIndexing
       AddDefaultCharset UTF-8
       AllowOverride None
       Order allow,deny
       Allow from all
       AuthType Basic
       AuthName "WebDAV"
       AuthUserFile /etc/apache2/dav.passwd
       Require valid-user
   </Directory>

   DavLockDB "/var/lib/dav/lockdb"

   # The following directives disable redirects on non-GET requests for
   # a directory that does not include the trailing slash.  This fixes a
   # problem with several clients that do not appropriately handle
   # redirects for folders with DAV methods.
   <IfModule setenvif_module>
   BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
   BrowserMatch "MS FrontPage" redirect-carefully
   BrowserMatch "^WebDrive" redirect-carefully
   BrowserMatch "^WebDAVFS/1.[012345678]" redirect-carefully
   BrowserMatch "^gnome-vfs/1.0" redirect-carefully
   BrowserMatch "^XML Spy" redirect-carefully
   BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
   </IfModule>
</IfModule>
</IfDefine>


Create the password file and restart Apache...

htpasswd -c /etc/apache2/dav.passwd test
/etc/init.d/apache2 restart

To test, install the cadaver command-line client...

emerge net-misc/cadaver


server.domain.com ~ $ cadaver

Authentication required for WebDAV on server `':
Username: test
dav:/dav/> ls
Listing collection `/dav/': succeeded.
       fish.txt                               5  Jan 24 15:22
dav:/dav/> cat fish.txt 
Displaying `/dav/fish.txt':
dav:/dav/> quit
Connection to `' closed.