Apache

Block or redirect using mod_geoip


Installing mod_geoip allows you to block or redirect traffic based on the geographical location of the client, determined from the client's IP address. mod_geoip for CentOS is available from the EPEL repository. If you haven't set up the EPEL repository, follow the instructions on their website. I assume you already installed Apache. Download and install mod_geoip, GeoIP and the related libraries:

 

Prevent hotlinking with mod_rewrite

To prevent someone from hotlinking to your content (images, video, etc.) you can use mod_rewrite. Create a .htaccess file in the root directory of your webserver (or edit yours if you already have one) and add these lines:
 

Basic Apache security


A very basic thing you should do if you are running a webserver is hide the operating system and software version. By default Apache shows the operating system, the Apache version and the modules in use. To reduce this exposure you have to change the value of the ServerTokens directive in /etc/httpd/conf/httpd.conf.

Open /etc/httpd/conf/httpd.conf and find and change the line:

 

Setup user/password authentication for Apache


If you don't want everybody to access your website, you can restrict access to your website or part of it with user/password based authentication. First you should change the Directory directive in the config file of Apache. Open /etc/httpd/conf/httpd.conf and find the Directory directive for which you want to use user/password based authentication, i.e. <directory />, add or change the line starting with AllowOverride:


Running Apache in chroot jail

When Apache runs chrooted and is configured correctly, Apache and its child processes (PHP, CGI scripts) cannot access anything above the ChrootDir, provided they run as a non-root user. You can easily set up an Apache chroot jail using mod_chroot. Keep in mind that you should never create special device files, suid binaries or hard links within the chroot directories, and do not run Apache, PHP or Perl as root.

 

How to setup Apache in a chroot jail?

In this how-to I assume you already have apache installed on your system.

Setup Apache's jail directory

Create a directory and its subdirectories for Apache's jail:

mkdir /apachejail
mkdir -p /apachejail/var/run
mkdir -p /apachejail/home/httpd
mkdir -p /apachejail/var/www/html
mkdir -p /apachejail/tmp
chmod 1777 /apachejail/tmp
mkdir -p /apachejail/var/lib/php/session
chown -R root:root /apachejail/var/run
chown root:apache /apachejail/var/lib/php/session

Edit /etc/php.ini:

Find the line:

session.save_path = "/var/lib/php/session"

Replace with:

session.save_path = "/apachejail/var/lib/php/session"

Download and install mod_chroot

As far as I know there is no mod_chroot rpm available for CentOS/RedHat.

Download the latest source from http://core.segfault.pl/~hobbit/mod_chroot/dist/, and unpack the source. At the time of this writing version 0.5 is the most recent package.

cd /tmp
wget http://core.segfault.pl/~hobbit/mod_chroot/dist/mod_chroot-0.5.tar.gz
tar -zxvf mod_chroot-0.5.tar.gz

Go to the source directory, then compile and install mod_chroot using apxs:

cd mod_chroot-0.5
apxs -cia mod_chroot.c

Edit httpd.conf for using mod_chroot

Edit /etc/httpd/conf/httpd.conf, find the line:

PidFile run/httpd.pid

Replace with:

PidFile /var/run/httpd.pid

Add the line:

ChrootDir /apachejail

Find the line:

ServerRoot "/etc/httpd"

And add:

LockFile /var/run/httpd.lock
CoreDumpDirectory /var/run
ScoreBoardFile /var/run/httpd.scoreboard
LoadModule chroot_module /usr/lib64/httpd/modules/mod_chroot.so

Disable Apache SELinux Protection

Edit /etc/selinux/targeted/booleans and change or add the value for httpd_disable_trans so that it reads:

httpd_disable_trans=1

Enter the following command:

setsebool httpd_disable_trans 1

Edit apache's startup script

Edit /etc/init.d/httpd

Find the lines:

stop() {
echo -n $"Stopping $prog: "

and change them to:

stop() {
/bin/ln -s /apachejail/var/run/httpd.pid /var/run/httpd.pid
echo -n $"Stopping $prog: "
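
The audit below is an added example, not part of the original how-to: it scans the jail for the special device files, suid binaries and hard links that the introduction says must never exist inside the chroot directories. The function names and the extra check for world-writable directories without the sticky bit are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original how-to): audit a chroot jail for the
# things the how-to says must never exist inside it.

# Prefix every path read from stdin with a finding type and a tab.
tag() {
    while IFS= read -r path; do printf '%s\t%s\n' "$1" "$path"; done
}

# Print one "TYPE<TAB>path" line per finding below the jail root given as $1.
audit_jail() {
    jail=$1
    [ -d "$jail" ] || { echo "not a directory: $jail" >&2; return 2; }
    # Block/character device nodes expose raw disks, memory or terminals.
    find "$jail" -xdev \( -type b -o -type c \) -print | tag DEVICE
    # setuid/setgid files let a jailed process regain privileges.
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | tag SETID
    # A link count above 1 means the file may also be reachable outside the jail.
    find "$jail" -xdev -type f -links +1 -print | tag HARDLINK
    # Assumption beyond the page: world-writable directories should carry the
    # sticky bit, as the how-to's "chmod 1777 /apachejail/tmp" does.
    find "$jail" -xdev -type d -perm -0002 ! -perm -1000 -print | tag WRITABLE_DIR
}

# Echo the number of findings; non-zero means the jail needs attention.
count_findings() {
    [ -d "$1" ] || return 2
    audit_jail "$1" | wc -l | tr -d ' '
}

# Run the audit only when a jail path is passed, e.g. sh audit_jail.sh /apachejail
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
fi
```

Run it as root against /apachejail after building the jail and again after each deployment of web content, since uploaded or unpacked files are the usual way such entries reappear.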