Format: PDF / Kindle (mobi) / ePub
With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one.
To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it, whether it's running a huge e-commerce operation, a corporate intranet, or just a small hobby site.
Our new guide, Apache Security, gives administrators and webmasters just what they crave: a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general.
But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to:
- install and configure Apache
- prevent denial of service (DoS) and other attacks
- securely share servers
- control logging and monitoring
- secure custom-written web applications
- conduct a web security assessment
- use mod_security and other security-related modules
And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.
traversal. It can exist in a web server (though most web servers have fixed these problems) or in application code, where programmers still make this mistake often. If it is a web server flaw, an attacker only needs to ask for a file she knows is there:

    http://www.example.com/../../etc/passwd

Even when she doesn't know where the document root is, she can simply increase the number of backreferences until she finds it.

Tip: Apache 1 will always respond with a 404 response code to any request that
if you are maintaining an Apache-based reverse proxy to protect IIS servers. UTF-8, a transformation format of ISO 10646 (http://www.ietf.org/rfc/rfc2279.txt), allows most files to stay as they are and still be Unicode compatible. Until a special byte sequence is encountered, each byte represents a character from the ASCII character set. When a special byte sequence is used, two or more bytes (up to six under RFC 2279; the later RFC 3629 limits UTF-8 to four) can be combined to form a single Unicode character. One aspect of UTF-8 encoding
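The two excerpts above describe the same decision a server or reverse proxy has to make: decode the request path exactly once, refuse byte sequences that are not well-formed UTF-8 (overlong forms such as %C0%AE are the way a second ".." was smuggled past filters), and only then resolve "." and ".." against the document root. The following is an added example written for this page; it is not code from Apache Security or from the Apache project, and the function names and sample requests are this example's own.

```python
"""
Added example: percent-decode a request path as raw bytes, decode those
bytes as strict UTF-8 (overlong sequences and surrogates are rejected),
then resolve '.' and '..' segments by hand so that climbing above the
document root is an error rather than being silently clamped.
"""

class BadPath(ValueError):
    """Raised for requests that must be rejected rather than served."""


HEXDIGITS = "0123456789abcdefABCDEF"


def percent_decode(path: str) -> bytes:
    """Decode %xx escapes into raw bytes, rejecting malformed escapes.

    Decoding to bytes rather than str keeps the character-set decision
    explicit instead of letting a URL library guess it for us.
    """
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%":
            hexpart = path[i + 1:i + 3]
            if len(hexpart) != 2 or any(h not in HEXDIGITS for h in hexpart):
                raise BadPath("malformed percent-escape")
            out.append(int(hexpart, 16))
            i += 3
        else:
            out.extend(path[i].encode("utf-8"))
            i += 1
    return bytes(out)


def strict_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 strictly. Python's codec already refuses overlong
    forms (e.g. C0 AE for '.') and invalid continuation bytes; this
    wrapper only turns the codec error into a BadPath rejection."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError as e:
        raise BadPath(f"invalid UTF-8 in path: {e.reason}") from None


def resolve_request_path(request_path: str) -> str:
    """Return the canonical path ('/'-rooted) the request refers to, or
    raise BadPath if it is malformed or would leave the document root."""
    decoded = strict_utf8_decode(percent_decode(request_path))
    if "\x00" in decoded:
        raise BadPath("NUL byte in path")
    # Treat backslashes as separators too: on Windows they are, and a
    # filter that only looks for '/' is trivially bypassed with '..\'.
    decoded = decoded.replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    # Walk the segments ourselves. os.path.normpath would turn '/../x'
    # into '/x' silently; here an escape above the root is an error.
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                raise BadPath("path escapes document root")
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)


def check_request(request_path: str):
    """Convenience wrapper: ('ok', canonical_path) or ('reject', reason)."""
    try:
        return ("ok", resolve_request_path(request_path))
    except BadPath as e:
        return ("reject", str(e))


if __name__ == "__main__":
    # Constructed sample requests: the traversal from the text, the same
    # traversal percent-encoded, the overlong-UTF-8 variant, and a valid
    # non-ASCII file name that must still decode correctly.
    for p in ["/index.html", "/docs/../../../etc/passwd",
              "/%2e%2e/etc/passwd", "/docs/%C0%AE%C0%AE/etc/passwd",
              "/caf%C3%A9.html", "/etc/passwd%00.html"]:
        print(f"{p:35} -> {check_request(p)}")
```

The order of operations is the point: decoding after normalisation, or normalising with a function that clamps "/../x" to "/x", lets an attacker's extra backreferences vanish instead of being treated as the signal they are.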
whether something should be allowed. Therefore, a change to a setting can have unexpected consequences. As an example, including Options as one of the AllowOverride options will allow PHP configuration directives to be used in .htaccess files. In theory, every directive of every module should fit into one of the AllowOverride settings, but in practice it depends on whether their respective developers have considered it.

Enabling CGI Scripts

Only enable CGI scripts when you need them.
this point, you can type an HTTP request just as you would if connecting via a Telnet command:

    HEAD / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 23 Jul 2004 11:36:49 GMT
    Server: Apache
    Connection: close
    Content-Type: text/html

    closed

Apache and SSL

If you are using Apache from the 2.x branch, the support for SSL is included with the distribution. For Apache 1, it is a separate download of one of two implementations. You can use mod_ssl (http://www.modssl.org) or Apache-SSL
protected at all. Images are almost never protected. Often applications contain large amounts of code that are executed prior to authentication. The chances of an intruder finding a hole are much higher when application-level authentication is used.

Tip: When deploying private applications on the public Internet, consider using web-server authentication in addition to the existing application-based authentication. In most cases, just a simple outer protection layer where everyone from the