Setting handler
Suppose you request a .pl file from your browser and, instead of opening the page, the browser offers to save the .pl file. In this case you have to configure the right handler for that file type; here it is the cgi-script handler. Add the following line to your httpd.conf or virtual host configuration:
AddHandler cgi-script .pl
Sample Kerberos configuration
AuthType Kerberos
KrbAuthRealms DOMAIN.DOM
KrbServiceName HTTP
Krb5Keytab /root/keytab.file
KrbMethodNegotiate on
KrbMethodK5Passwd off
Require valid-user
Configure access based on subnets
Order Deny,Allow
Deny from All
Allow from 192.168.0.0/16
Sample basic auth
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/passwd
Require valid-user
Sample Digest auth
AuthType Digest
AuthName "kb"
AuthDigestProvider file
AuthUserFile /etc/apache2/digest_pw
Require valid-user
Active Directory authentication via LDAP
AuthName "Access"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://domain.com:389/DC=domain,DC=com?sAMAccountName?sub?(objectClass=*)" NONE
AuthLDAPBindDN "user@domain.com"
AuthLDAPBindPassword yourpassword
# access for any user in AD
Require valid-user
# access for a certain user in AD
Require ldap-user "admin"
If you get an HTTP 500 error after LDAP authentication and the following line appears in the logs:
auth_ldap authenticate: user user authentication failed; URI / [ldap_search_ext_s() for user failed][Operations error]
then try changing the port number in AuthLDAPURL to 3268.
Enable X-Frame-Options
First, enable the headers module.
Then add the following line to the Apache configuration file:
Header always append X-Frame-Options SAMEORIGIN
Add Secure and HTTP only attributes to cookies
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
If Apache is older than 2.2.24
Header set Set-Cookie HttpOnly;Secure
Disable Apache Content Negotiation
Comment out the following line:
#AddHandler type-map .var
And add
Options -Multiviews
Typical secure SSL configuration:
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/site.crt
SSLCertificateKeyFile /etc/apache2/ssl/myserver.key
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
DocumentRoot /var/www
Options IncludesNoExec
Options SymLinksIfOwnerMatch
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
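A hardened variant of the SSL block above, as an added example that is not part of the original post: SSLv3 and TLS 1.0 have since been deprecated (RFC 7568, RFC 8996) and RC4 is prohibited in TLS (RFC 7465). It assumes Apache 2.4 with mod_ssl and wraps the directives in VirtualHost blocks, which the page does not show; domain.com and the file paths are the page's placeholders.

```apache
# Added example, not the page's own config. Assumes Apache 2.4 with mod_ssl.

# Plain HTTP only redirects to HTTPS (the page's "Simple redirect")
<VirtualHost *:80>
    ServerName domain.com
    Redirect permanent / https://domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.com
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/site.crt
    SSLCertificateKeyFile /etc/apache2/ssl/myserver.key

    # Weak (from the page): turns on SSLv3 and TLS 1.0
    #   SSLProtocol -ALL +SSLv3 +TLSv1
    # Corrected: everything the build supports minus the deprecated versions,
    # which leaves TLS 1.2 and, where available, TLS 1.3
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Weak (from the page): starts from ALL and explicitly adds RC4+RSA
    #   SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    # Corrected: TLS 1.2 suites limited to ECDHE key exchange with AEAD ciphers
    SSLCipherSuite ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL
    SSLHonorCipherOrder on
    SSLCompression off

    # One line: a second Options directive without +/- replaces the first
    Options IncludesNoExec SymLinksIfOwnerMatch

    ErrorLog  /var/log/apache2/error.log
    LogLevel  warn
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>
```

Check the syntax with `apache2ctl -t` before reloading the server.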
List loaded and compiled-in modules in Apache (Ubuntu & Debian)
apache2ctl -t -D DUMP_MODULES
or
apache2ctl -M
List only compiled-in modules:
apache2 -l
Simple redirect
Redirect permanent / https://domain.com/
Monitor Apache connections
netstat -tc
apachetop