Apache Security Hardening (3): Modifying the httpd.conf file
1. Run Apache as a dedicated user and group
Default:
#
# If you wish httpd to run as a different user or group, you must
# run httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User apache
Group apache
2. Restrict the listening address and port
Default:
#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80
3. Limit the server resources a client can consume
Default:
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
4. Hostname verification of clients
Default:
#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

HostnameLookups on|off|double
With on, only a single reverse lookup is performed. With double, the reverse lookup is followed by a forward lookup, and the hostname is accepted only if the two results agree. With off, no hostname verification is done at all.
5. Change the default error pages
Default:
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /var/www/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#
Alias /error/ "/var/www/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>
#   ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#   ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#   ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#   ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#   ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#   ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#   ErrorDocument 410 /error/HTTP_GONE.html.var
#   ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#   ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#   ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#   ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#   ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
#   ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#   ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#   ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#   ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#   ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
6. Default logging level
Default:
#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn
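To check whether an existing httpd.conf still carries the defaults discussed in the six items above, here is an added Python example (not code from the original post): it parses top-level directives, skipping comment lines and anything scoped inside containers such as <Directory>, and reports each setting that still needs attention. The sample configuration is constructed, and the 60 s / 15 s thresholds are simply the default values shown in this post.

```python
# Added example, not code from the original post: audit the httpd.conf items covered above.
# Constructed sample: the post's stock defaults, with ErrorDocument still commented out.
SAMPLE_CONF = """\
User apache
Group apache
Listen 80
Timeout 60
HostnameLookups Off
<Directory "/var/www/error">
    AllowOverride None
</Directory>
# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
LogLevel warn
"""

def parse_directives(text):
    """Lowercase directive -> argument strings, top level only; '#' lines are comments."""
    found, depth = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:  # skip directives scoped inside <Directory>, <IfModule>, ...
            name, *rest = line.split(None, 1)
            found.setdefault(name.lower(), []).append(rest[0] if rest else "")
    return found

def audit(text):
    """Findings for the six settings; Apache honours the last occurrence of a directive."""
    d, out = parse_directives(text), []
    last = lambda name, default: d.get(name, [default])[-1]
    for key in ("user", "group"):
        if last(key, None) in (None, "root", "#0"):
            out.append(f"{key}: not set, or set to root")
    for v in d.get("listen", []):
        if ":" not in v or v.startswith(("0.0.0.0", "[::]")):
            out.append(f"Listen {v}: binds every address instead of a specific IP")
    if int(last("timeout", "60")) > 60 or int(last("keepalivetimeout", "15")) > 15:
        out.append("Timeout/KeepAliveTimeout above the post's values (60 s / 15 s)")
    if last("hostnamelookups", "Off").lower() != "off":
        out.append("HostnameLookups enabled: a DNS lookup per request")
    if "errordocument" not in d:
        out.append("no ErrorDocument: stock error pages in use")
    if last("loglevel", "warn").lower() in ("debug", "info"):
        out.append("LogLevel too verbose for production")
    return out
```

Run it on a real file with, for example, `audit(open("/etc/httpd/conf/httpd.conf").read())`; files pulled in via Include are not followed, so pass each of them separately.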