Building Secure Servers with Linux by Michael D. Bauer

Setup Time: Configuring Apache

Configuring a web server is like configuring an email or DNS server — small changes can have unforeseen consequences. Most web security problems are caused by configuration errors rather than exploits of the Apache code.

Apache Configuration Files

I mentioned that Apache’s configuration files could be found under /etc/httpd/conf, /usr/local/apache/conf, or some less well-lit place. The most prominent file is httpd.conf, but you will also see access.conf and srm.conf. These are historic remnants from the original NCSA web server. You can put any of Apache’s configuration directives in any of these files. In practice, people usually throw everything into httpd.conf. If you’d like to separate security-related directives from others, put them in access.conf. This has some advantages: access.conf is smaller, an editing error won’t break everything else, and security settings are more visible. But everything will work fine if you make your changes in httpd.conf.

Tip

There are also GUI tools to modify the Apache configuration, such as Red Hat’s X-based Apache Configuration Tool or the web-based webmin. Here, we’ll do it the old-fashioned text way and supply more information in place of screenshots.

Any time you change Apache’s configuration, check it before restarting the server:

# apachectl configtest

If this succeeds, start Apache:

# apachectl start
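One way to script the check-before-start habit above so that a bad edit never stays in place (an added example, not code from the book). Only apachectl configtest and apachectl start come from the text; the function name apply_httpd_conf, the APACHECTL override variable and the backup file naming are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: install an edited httpd.conf only if "apachectl configtest"
# accepts it; otherwise restore the previous known-good file.
# APACHECTL is an assumed override hook for the control script's path.
APACHECTL="${APACHECTL:-apachectl}"

# apply_httpd_conf CANDIDATE LIVE
# Returns 0 if CANDIDATE is now in place and passed configtest,
#         1 if configtest rejected it and LIVE was rolled back,
#         2 on a usage or file error (LIVE is left as it was).
apply_httpd_conf() {
    candidate=$1
    live=$2
    backup="$live.bak.$$"    # hypothetical naming scheme for the rollback copy

    [ -r "$candidate" ] && [ -f "$live" ] || return 2

    # Keep the known-good file, with mode and timestamps, for rollback.
    cp -p "$live" "$backup" || return 2

    # Overwrite in place so the live file keeps its owner and permissions.
    if ! cat "$candidate" > "$live"; then
        cat "$backup" > "$live"
        return 2
    fi

    # Same check as in the text; it reads the live configuration.
    if "$APACHECTL" configtest >/dev/null 2>&1; then
        rm -f "$backup"
        return 0
    fi

    # Syntax check failed: put the known-good configuration back.
    cat "$backup" > "$live" && rm -f "$backup"
    return 1
}

# Stand-alone use: script CANDIDATE LIVE, then start Apache only on success.
if [ "$#" -eq 2 ]; then
    apply_httpd_conf "$1" "$2" && "$APACHECTL" start
fi
```

configtest only validates syntax, so a directive that parses cleanly but loosens access still gets through; review the change itself before applying it.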

Before starting Apache, let’s see how secure we can make it.

Configuration Options

To see what options your ...