Aus immerda
Zur Navigation springen Zur Suche springen

With a few configuration tweaks we can harden apache more, to not disclosure too much information, as well as to make unused stuff inaccessible. Maybe you will not need all of these tweaks and some may even break your setup, however, it is good to be aware of all of this.

This wiki page is not complete nor can you be sure that these tweaks will make your apache completly secure. However, if you know or get to learn additional tweaks, come across mistakes etc. please feel free to add, change and correct them. Thanks!

Global options

These options should be set globally and not within any VirtualHost or Directory directives

Server Signature

ServerSignature Off

Prevents server from giving version info on error pages.


ServerTokens Prod

Prevents server from giving version info in HTTP headers

user / group

User foo
Group foo

drop priviledges to these UID and GID. This should be included per default.


UserDir disabled

This will disable any$user access requests.

On older Apache versions this is a module which can be deactivated altogether.


Let apache only access the files it should have access to. First we have to disable access to the root file system.

<Directory />
    Order deny,allow
    Deny from all

and then we let apache only access our webroot (for example: /var/www/) with very restrictive settings, you can change them late per directory where needed:

<Directory "/var/www/">
  Options FollowSymLinks -Includes -Indexes  -MultiViews
  AllowOverride None
  Order allow,deny
  Allow from all


remove the manual alias as this would disclosure too much infos and isn't needed.

Alias /manual (remove)


the following settings should be set in any VirtualHost-Directive


To deny trace and track requests add the following:

RewriteEngine on
   RewriteRule .* - [F]


redirect any authentication to an ssl-secured VirtualHost. You can ensure this by using the Redirect directive in your VirtualHost:

Redirect permanent /secure/

SSL / https

The following things are for ssl-secure VirtualHosts

certificate storage

As for practical reasons you might not protect your certifcate private key by a password (logrotation etc.) You should therefore store it on a encrypted harddisk as if it might get stolen any traffic ever secured by this certificate can get disclosured. For example see Autistici / Inventati Crackdown

To create encrypted harddisks, please have a look at the EcnryptedHD pages for Linux or OpenBSD

ssl cipher suite

To avoid that unsecure protocols or keylengths are used add the following in your VirtualHost-setting:



This was about to secure your Apache installation. However you should still look forward to secure your web-applications with mod_security, and for example PHP with the PHP-Hardening Guide.

Maybe also have a look at these Apache-Modules: