Debian/Ubuntu: Basic Apache 2 security

Update 2010-10-25: I’ve added “TraceEnable Off” to the configuration (which is not the default on Debian).

If you run an Apache 2 web server on a production system, it is always a good idea to make some easy configuration changes in /etc/apache2/conf.d/security to increase the server’s security:

# Disable access, directory indexing and .htaccess files by default
<Directory />
  Options -Indexes
  AllowOverride None
  Order Deny,Allow
  Deny from all
</Directory>
 
# Prevent system information from being included in the HTTP responses
ServerTokens Prod
 
# Prevent system information from being included in server-generated pages
ServerSignature Off
 
# Disable HTTP TRACE requests
TraceEnable Off

The Directory directive could break compatibility with your current configuration. Specifically, you have to override the directive in each of your configured virtual hosts to enable access to the resources in the document root path, for example:

<VirtualHost *:80>
  [...]
  <Directory /path/to/www/htdocs>
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>
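
To confirm that a configuration file really carries the settings listed above, the following script audits it. This is an added example, not part of the original post; the function names and the sample file are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a config file for the
# settings listed above. Function names and the sample file are hypothetical.

# has_directive FILE NAME VALUE: true if an uncommented "NAME VALUE" line exists.
has_directive() {
  grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# root_block FILE: print the lines inside the <Directory /> section.
root_block() {
  awk 'tolower($0) ~ /^[ \t]*<\/directory>/ { inside = 0 }
       inside
       tolower($0) ~ /^[ \t]*<directory[ \t]+\/>/ { inside = 1 }' "$1"
}

# audit_apache_security FILE: print each missing setting and return how many
# are missing (0 means every setting from the post is present).
audit_apache_security() {
  f=$1; missing=0
  for pair in "ServerTokens Prod" "ServerSignature Off" "TraceEnable Off"; do
    if ! has_directive "$f" "${pair% *}" "${pair#* }"; then
      echo "MISSING: $pair"; missing=$((missing + 1))
    fi
  done
  block=$(root_block "$f")
  for want in "Options -Indexes" "AllowOverride None" "Deny from all"; do
    if ! printf '%s\n' "$block" | grep -Eiq "^[[:space:]]*$want[[:space:]]*$"; then
      echo "MISSING in <Directory />: $want"; missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Constructed sample: a partly hardened file (no TraceEnable line, the
# signature line commented out, no "Deny from all" in the root block).
sample=$(mktemp)
cat > "$sample" <<'EOF'
<Directory />
  Options -Indexes
  AllowOverride None
</Directory>
ServerTokens Prod
# ServerSignature Off
EOF
audit_apache_security "$sample" || echo "$? setting(s) missing"
```

The script inspects only the single file it is given; directives set elsewhere in the Apache configuration, or overridden later in a virtual host, are not taken into account.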

Comments

  1. Daniel

    Thanks a lot !
