android加固apache,Apache安全加固（3）修改httpd.conf文件

1．为Apache使用专门的用户和用户组

默认

#

# If you

wish httpd to run as a different user or group, you must

run

# httpd as

root initially and it will switch.

#

#

User/Group: The name (or #number) of the user/group to run httpd

as.

# . On SCO (ODT 3) use "User nouser" and

"Group nogroup".

# . On HPUX you may not be able to use

shared memory as nobody, and the

# suggested workaround is to create a user www and use that

user.

# NOTE that some kernels refuse to

setgid(Group) or semctl(IPC_SET)

# when the value of (unsigned)Group is

above 60000;

# don't use Group #-1 on these

systems!

#

User

apache

Group

apache

2．限定监听端口

默认

#

# Listen:

Allows you to bind Apache to specific IP addresses

and/or

# ports,

in addition to the default. See also the 《VirtualHost》

#

directive.

#

# Change

this to Listen on specific IP addresses as shown below

to

# prevent

Apache from glomming onto all bound IP addresses

(0.0.0.0)

#

#Listen

12.34.56.78:80

Listen

80

3．限制客户端对服务器资源的消耗

默认

#

# Timeout:

The number of seconds before receives and sends time

out.

#

Timeout

60

#

#

KeepAlive: Whether or not to allow persistent connections (more

than

# one

request per connection). Set to "Off" to deactivate.

#

KeepAlive

Off

#

#

MaxKeepAliveRequests: The maximum number of requests to

allow

# during a

persistent connection. Set to 0 to allow an unlimited

amount.

# We

recommend you leave this number high, for maximum

performance.

#

MaxKeepAliveRequests 100

#

#

KeepAliveTimeout: Number of seconds to wait for the next request

from the

# same

client on the same connection.

#

KeepAliveTimeout 15

4．对客户端进行域名验证

默认

#

#

HostnameLookups: Log the names of clients or just their IP

addresses

# e.g.,

www.apache.org (on) or 204.62.129.132 (off).

# The

default is off because it'd be overall better for the net if

people

# had to

knowingly turn this feature on, since enabling it means

that

# each

client request will result in AT LEAST one lookup request to

the

#

nameserver.

#

HostnameLookups Off

HostnameLookups on|off|double

如果是使用on，那么只有进行一次反查，如果用double，那么进行反查之后还要进行一次正向解析，只有两次的结果互相符合才行，而off就是不进行域名验证

5．修改默认的错误页面

默认

#

#

Customizable error responses come in three flavors:

# 1) plain

text 2) local redirects 3) external redirects

#

# Some

examples:

#ErrorDocument 500 "The server made a boo boo."

#ErrorDocument 404 /missing.html

#ErrorDocument 404 "/cgi-bin/missing_handler.pl"

#ErrorDocument 402

http://www.example.com/subscription_info.html

#

#

# Putting

this all together, we can internationalize error

responses.

#

# We use

Alias to redirect any /error/HTTP_《error》.html.var response to

# our

collection of by-error message multi-language

collections. We use

# includes

to substitute the appropriate text.

#

# You can

modify the messages' appearance without changing any of

the

# default

HTTP_《error》.html.var files by adding the line:

#

# Alias /error/include/

"/your/include/path/"

#

# which

allows you to create your own set of files by starting with

the

#

/var/www/error/include/ files and

# copying

them to /your/include/path/, even on a per-VirtualHost

basis.

#

Alias

/error/ "/var/www/error/"

《IfModule

mod_negotiation.c》

《IfModule

mod_include.c》

《Directory

"/var/www/error"》

AllowOverride None

Options IncludesNoExec

AddOutputFilter Includes html

AddHandler type-map var

Order allow,deny

Allow from all

LanguagePriority en es de fr

ForceLanguagePriority Prefer Fallback

《/Directory》

# ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var

# ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var

# ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var

# ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

# ErrorDocument 405

/error/HTTP_METHOD_NOT_ALLOWED.html.var

# ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var

# ErrorDocument 410 /error/HTTP_GONE.html.var

# ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var

# ErrorDocument 412

/error/HTTP_PRECONDITION_FAILED.html.var

# ErrorDocument 413

/error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var

# ErrorDocument 414

/error/HTTP_REQUEST_URI_TOO_LARGE.html.var

# ErrorDocument 415

/error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var

# ErrorDocument 500

/error/HTTP_INTERNAL_SERVER_ERROR.html.var

# ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var

# ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var

# ErrorDocument 503

/error/HTTP_SERVICE_UNAVAILABLE.html.var

# ErrorDocument 506

/error/HTTP_VARIANT_ALSO_VARIES.html.var

6．默认的日志记录级别

默认：

#

#

LogLevel: Control the number of messages logged to the

error_log.

# Possible

values include: debug, info, notice, warn, error, crit,

# alert,

emerg.

#

LogLevel

warn