What he trusts in is fragile; what he relies on is a spider’s web.

—Job 8:14, Holy Bible,New International Version

The World Wide Web: to many people, it is the Internet. Few machines in your network are so blatantly visible if they are compromised. Your router might be weak, your mail server might be compromised, but it is hard for the average person to see that. If your web server is compromised, however, all manner of things go very wrong very fast. Your organization might be publically humiliated, it might lose money or sales, or your server might be commandeered to attack another site. Additionally, it is a core server in your network that probably has many non-administrators working on it. You know that if your mail server suddenly breaks or if the firewall starts denying everything, it was either an administrator or a hacker who did it. With web servers, you have any number of sources of code and configurations that are managed by a wide variety of people with varying skill sets. The potential for inadvertent problems is high. The system is critical and there are a lot of sources for problems, both inside and outside your organization. Fortunately, with FreeBSD and OpenBSD, you have an outstanding tool chest full of diverse tools for securing your web servers.

In this chapter, we focus on Internet-facing web servers, because FreeBSD and OpenBSD systems thrive there, despite the hostile environment. First, we cover a variety of topics ...