8.5. Securing HTTP servers
Harden your HTTP servers, such as Apache and Nginx, to mitigate security risks. This involves configuring security options in the main configuration files and checking that scripts run correctly.
8.5.1. Security enhancements in httpd.conf
You can enhance the security of the Apache HTTP server by configuring security options in the /etc/httpd/conf/httpd.conf file.
Always verify that all scripts running on the system work correctly before putting them into production.
Ensure that only the root user has write permissions to any directory containing scripts or Common Gateway Interfaces (CGI). To change the directory ownership to root with write permissions, enter the following commands:
# chown root <directory_name>
# chmod 755 <directory_name>
In the /etc/httpd/conf/httpd.conf file, you can configure the following options:
FollowSymLinks - This directive is enabled by default and follows symbolic links in the directory.

Indexes - This directive is enabled by default. Disable this directive to prevent visitors from browsing files on the server.

UserDir - This directive is disabled by default because it can confirm the presence of a user account on the system. To activate user directory browsing for all user directories other than /root/, use the UserDir enabled and UserDir disabled root directives. To add users to the list of disabled accounts, add a space-delimited list of users on the UserDir disabled line.

ServerTokens - This directive controls the server response header field that is sent back to clients. You can use the following parameters to customize the information:

  ServerTokens Full - Provides all available information such as the web server version number, server operating system details, and installed Apache modules, for example:
    Apache/2.4.37 (Red Hat Enterprise Linux) MyMod/1.2

  ServerTokens Full-Release - Provides all available information with release versions, for example:
    Apache/2.4.37 (Red Hat Enterprise Linux) (Release 41.module+el8.5.0+11772+c8e0c271)

  ServerTokens Prod / ServerTokens ProductOnly - Provides the web server name, for example:
    Apache

  ServerTokens Major - Provides the web server major release version, for example:
    Apache/2

  ServerTokens Minor - Provides the web server minor release version, for example:
    Apache/2.4

  ServerTokens Min / ServerTokens Minimal - Provides the web server minimal release version, for example:
    Apache/2.4.37

  ServerTokens OS - Provides the web server release version and operating system, for example:
    Apache/2.4.37 (Red Hat Enterprise Linux)

Use the ServerTokens Prod option to reduce the risk of attackers gaining any valuable information about your system.
Do not remove the IncludesNoExec directive. By default, the Server Side Includes (SSI) module cannot run commands. Changing this can allow an attacker to enter commands on the system.
8.5.1.1. Removing httpd modules
You can remove httpd modules to limit the functionality of the HTTP server. To do so, edit the configuration files in the /etc/httpd/conf.modules.d/ or /etc/httpd/conf.d/ directory. For example, to remove the proxy modules:
echo '# All proxy modules disabled' > /etc/httpd/conf.modules.d/00-proxy.conf
8.5.2. Nginx server configuration hardening
Harden your Nginx HTTP and proxy server configuration by adjusting security options. This helps protect your system against common web application vulnerabilities.
Nginx is a high-performance HTTP and proxy server. You can harden your Nginx configuration with the following configuration options:
To disable version strings, modify the server_tokens configuration option:

server_tokens off;

This option stops displaying additional details such as the server version number. With this configuration, only the server name is shown in responses to all requests served by Nginx, for example:

$ curl -sI http://localhost | grep Server
Server: nginx

Add extra security headers that mitigate certain known web application vulnerabilities in the relevant /etc/nginx/conf files:

  For example, the X-Frame-Options header denies any page outside of your domain the ability to frame content served by Nginx, mitigating clickjacking attacks:
    add_header X-Frame-Options "SAMEORIGIN";

  For example, the X-Content-Type-Options header prevents MIME-type sniffing in certain older browsers:
    add_header X-Content-Type-Options nosniff;

  For example, the X-XSS-Protection header enables Cross-Site Scripting (XSS) filtering, which prevents browsers from rendering potentially malicious content included in a response by Nginx:
    add_header X-XSS-Protection "1; mode=block";

You can limit the services exposed to the public and limit what they do and accept from visitors, for example:

limit_except GET {
    allow 192.168.1.0/32;
    deny all;
}

The snippet limits access to all methods except GET and HEAD.

You can disable HTTP methods, for example:

# Allow GET, PUT, POST; return "405 Method Not Allowed" for all others.
if ( $request_method !~ ^(GET|PUT|POST)$ ) {
    return 405;
}

To protect the data served by your Nginx web server, configure TLS and consider serving it over HTTPS only. Furthermore, you can generate a secure configuration profile for enabling TLS in your Nginx server using the Mozilla SSL Configuration Generator. The generated configuration ensures that known vulnerable protocols (for example, SSLv2 and SSLv3), ciphers, and hashing algorithms (for example, 3DES and MD5) are disabled. You can also use the SSL Server Test to verify that your configuration meets modern security requirements.
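The following script is an added example (not part of the Red Hat documentation) that verifies the settings above from the client side: it reads a captured response header block, such as the output of curl -sI, and checks that the Server header carries no version (ServerTokens Prod on Apache, server_tokens off on Nginx) and that the three add_header directives are in effect. The two sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: audit a captured HTTP
# response header block for the settings described above (ServerTokens Prod /
# server_tokens off and the three add_header directives).
# Usage: curl -sI http://localhost | sh check_headers.sh
# check_headers reads raw response headers on stdin, prints one line per check,
# and returns 0 only when every check passes.
check_headers() {
    hdrs=$(tr -d '\r')      # drop CR so the anchored patterns match curl output
    rc=0
    # Server header must not reveal a version ("Apache/2.4.37", "nginx/1.20.1").
    if printf '%s\n' "$hdrs" | grep -Eiq '^server: *[^ ]*/[0-9]'; then
        echo "FAIL Server header reveals a version string"; rc=1
    else
        echo "OK   Server header carries no version"
    fi
    # X-Frame-Options: DENY or SAMEORIGIN mitigates clickjacking.
    if printf '%s\n' "$hdrs" | grep -Eiq '^x-frame-options: *(DENY|SAMEORIGIN) *$'; then
        echo "OK   X-Frame-Options"
    else
        echo "FAIL X-Frame-Options missing or not DENY/SAMEORIGIN"; rc=1
    fi
    # X-Content-Type-Options: nosniff stops MIME-type sniffing.
    if printf '%s\n' "$hdrs" | grep -Eiq '^x-content-type-options: *nosniff *$'; then
        echo "OK   X-Content-Type-Options"
    else
        echo "FAIL X-Content-Type-Options missing or not nosniff"; rc=1
    fi
    # X-XSS-Protection: the value recommended above is "1; mode=block".
    if printf '%s\n' "$hdrs" | grep -Eiq '^x-xss-protection: *1; *mode=block *$'; then
        echo "OK   X-XSS-Protection"
    else
        echo "FAIL X-XSS-Protection missing or not '1; mode=block'"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server).
HARDENED='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block'
DEFAULT='HTTP/1.1 200 OK
Server: nginx/1.20.1
Content-Type: text/html'

printf '%s\n' "$HARDENED" | check_headers
printf '%s\n' "$DEFAULT" | check_headers || echo "-> hardening incomplete"
```

Run it against the live server with curl -sI http://localhost | sh check_headers.sh after applying the configuration; a non-zero exit status means at least one setting is not in effect.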