
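Title: httpd security settings

Author: danny    Time: 2007-4-19 17:19     Title: httpd security settings


Configuring HTTP (Apache)

Next, to make the server more secure and better suited to our actual requirements, we make some necessary changes to the default settings. The details matter in particular: the less information about the server is revealed to the outside world, the safer the server is.

[root@sample ~]# vi /etc/httpd/conf/httpd.conf ← Edit the Apache configuration file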
#
# Don't give away too much information about all the subcomponents
# we are running. Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running

ServerTokens OS
← Find this line and change "OS" to "Prod" (so the server's operating system name is not shown on error pages)

ServerTokens Prod ← Should now look like this

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#

ServerSignature On
← Find this line and change "On" to "Off"

ServerSignature Off ← Do not show the Apache version on error pages

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
#

ServerAdmin root@localhost
← Set the administrator address to an e-mail address you use regularly

ServerAdmin [email protected] ← Change the default value to suit your situation

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#

#ServerName new.host.name:80
← Change the host name

ServerName www.centospub.com:80 ← Change to suit your situation; keep the default port 80

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#

Options Indexes FollowSymLinks
← Find this line, delete "Indexes", and add "Includes" and "ExecCGI"

Options Includes ExecCGI FollowSymLinks
← Allow CGI and SSI execution

#
# AddHandler allows you to map certain file extensions to "handlers":
# actions unrelated to filetype. These can be either built into the server
# or added with the Action directive (see below)
#
# To use CGI scripts outside of ScriptAliased directories:
# (You will also need to add "ExecCGI" to the "Options" directive.)
#

#AddHandler cgi-script .cgi
← Find this line, remove the leading "#", and append ".pl" to the end of the line

AddHandler cgi-script .cgi .pl ← Allow CGI scripts with the .pl extension to run

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#

AllowOverride None
← Find this line and change "None" to "All"

AllowOverride All ← Should now look like this; allows .htaccess

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
← Find this line

LogFormat "%h %l %u %t \"%!414r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined ← Change to this (adding "!414" to the rule so that over-long requests are not logged)

#
# Specify a default charset for all pages sent out. This is
# always a good idea and opens the door for future internationalisation
# of your web site, should you ever want it. Specifying it as
# a default does little harm; as the standard dictates that a page
# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
# are merely stating the obvious. There are also some security
# reasons in browsers, related to javascript and URL parsing
# which encourage you to always set a default char set.
#

AddDefaultCharset UTF-8
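← Find this line and add "#" at the start of the line

#AddDefaultCharset UTF-8 ← Do not use UTF-8 as the default page encoding; let the charset specified in each page decide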


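<Directory "/var/www/icons"> ← Find this tag and change the corresponding options inside it
Options Indexes MultiViews ← Find this line and delete "Indexes"

Options MultiViews ← Should now look like this (the directory tree is not shown in the browser)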
AllowOverride None
Order allow,deny
Allow from all
</Directory>


[root@sample ~]# rm -f /etc/httpd/conf.d/welcome.conf /var/www/error/noindex.html
← Delete the test page

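Starting the HTTP service

Then start the HTTP service.

[root@sample ~]# chkconfig httpd on ← Enable the HTTP service at boot

[root@sample ~]# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off ← OK if runlevels 2 to 5 are on

[root@sample ~]# /etc/rc.d/init.d/httpd start ← Start the HTTP service
Starting httpd: [ OK ] ← OK appears when the start succeeds
If the start fails, an error message appears. The cause is probably a mistake made while editing httpd.conf; check httpd.conf.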
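
As an added example that is not part of the original post: a small shell function that checks an httpd.conf for the disclosure-related settings changed above (ServerTokens, ServerSignature, Indexes in Options, and %!414r in the combined log format). The function name audit_httpd_conf and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report settings in an httpd.conf
# that still leak server details or list directories. Exit status 1 = findings.
audit_httpd_conf() {
    awk '
        /^[ \t]*#/ { next }                               # skip comment lines
        { d = tolower($1) }                               # directive names are case-insensitive
        d == "servertokens"    { tokens = tolower($2) }   # the last occurrence wins
        d == "serversignature" { sig = tolower($2) }
        d == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^[+]?indexes$/) {
                    printf "line %d: Options enables Indexes\n", NR; bad = 1
                }
        }
        d == "logformat" && $NF == "combined" && $0 !~ /%!414r/ {
            printf "line %d: combined LogFormat lacks %%!414r\n", NR; bad = 1
        }
        END {
            # Apache defaults when unset: ServerTokens Full, ServerSignature Off
            if (tokens != "prod") {
                printf "ServerTokens is %s, want Prod\n", (tokens == "" ? "unset (Full)" : tokens); bad = 1
            }
            if (sig != "" && sig != "off") {
                printf "ServerSignature is %s, want Off\n", sig; bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample: the stock values the post starts from.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens OS
ServerSignature On
<Directory "/var/www/icons">
    Options Indexes MultiViews
</Directory>
EOF
audit_httpd_conf "$sample" || echo "findings reported above"
rm -f "$sample"
```

Point the function at /etc/httpd/conf/httpd.conf after editing; it reads only that one file and does not follow Include directives.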





