appwiki:apache

Differences

This shows you the differences between two versions of the page.


appwiki:apache [2021/08/28 08:00] (current) – [Web Security Check Guide] ying
Line 1: Line 1:
 +====== Web Security Check Guide ======
 +
 +  * Is My Website Hacked? Find Out With This Checklist
 +    * ref: http://www.whoishostingthis.com/resources/website-hacked-checklist/
 +    * Google web check: http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com
 +    * sucuri check: http://sitecheck.sucuri.net/
 +
 +  * ref:
 +    * https://www.nutsandboltsmedia.com/how-to-find-out-if-your-wordpress-site-has-been-hacked/
 +    * http://www.chriswiegman.com/2013/06/how-to-tell-if-your-site-has-been-hacked/
 +====== Apache Web Server intro ======
 +  * a common and popular php web server
 +
 +====== httpd.conf ======
 +
 +  * notes:
 +    * path uses / as seperator
 +    * .htaccess is per-folder httpd.conf (if allowed), but all-in-one config in httpd.conf is faster for server to process. 
 +
 +**Info Configure Syntax**
 +
 +  * define apache root path.
 +  * define listen port <code>
 +Listen 80
 +</code>
 +
 +----
 +
 +**Directory Config**
 +
 +  * define http root directory and its directory rights <code>
 +DocumentRoot "D:/my_Server/htdocs"
 +
 +<Directory "D:/my_Server/htdocs">
 +    AllowOverride All
 +    Require all granted
 +</Directory>
 +</code>
 +
 +----
 +
 +**Multiple Sites on Single IP**
 +
 +  * VirtualHost config in httpd.conf and hosts file config<code>
 +NameVirtualHost 127.0.0.1:80
 +
 +# allow that directory access if not under http root
 +<Directory "D:/my_Server/test01_com/htdocs">
 +    Require all granted
 +</Directory>
 +
 +<VirtualHost test01.com:80>
 +    ServerName www.test01.com
 +    ServerAlias test01.com
 +    DocumentRoot "D:/my_Server/test01_com/htdocs"
 +    CustomLog "D:/my_Server/log/test01.com.access" combined
 +</VirtualHost>
 +
 +# allow that directory access if not under http root
 +<Directory "D:/my_Server/test02_com/htdocs">
 +    Require all granted
 +</Directory>
 +
 +# test02.com:80 for that domain or IP, *:80 for any IP
 +# server admin for optional providing admin contact if error
 +<VirtualHost test02.com:80>
 +    ServerName www.test02.com
 +    ServerAlias test02.com
 +    ServerAdmin admin@test02.com
 +    DocumentRoot "D:/my_Server/test02_com/htdocs"
 +    CustomLog "D:/my_Server/log/test02.com.access" combined
 +</VirtualHost>
 +
 +</code>
 +    * hosts <code>
 +127.0.0.1 test01.com
 +127.0.0.1 test02.com
 +</code>  
 +  
 +====== .htaccess tutorial ======
 +
 +  * a text file that config how Apache server do with the directory
 +
 +  * tutorial: 
 +    * http://www.freewebmasterhelp.com/tutorials/htaccess/
 +    * https://httpd.apache.org/docs/current/howto/htaccess.html
 +    * http://www.htaccess-guide.com/
 +    * https://code.tutsplus.com/tutorials/the-ultimate-guide-to-htaccess-files--net-4757
 +    * https://www.branded3.com/blog/htaccess-mod_rewrite-ultimate-guide/
 +
 +  * turn off apache version note:
 +    * ref: https://www.tecmint.com/apache-security-tips/
 +    * example <code>ServerSignature Off
 +ServerTokens Prod
 +</code>
 +====== Advanced Website Security Setup ======
 +
 +  * read more on [[appwiki:apache|Apache Web Server intro]]
 +
 +  * limit website access through certain IP or IP range
 +    * change Apache site directory .htaccess file <code>
 +<Directory /docroot>
 +order deny,allow
 +deny from all
 +allow from yourIP
 +allow from yourIPv6
 +</Directory> 
 +</code>
 +    * ref: http://httpd.apache.org/docs/2.0/sections.html#filesystem
 +    * http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow
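Review bot: The IP-restriction example at the end of the hunk (the `<Directory /docroot>` block under "limit website access") is introduced as a change to the site directory's .htaccess file, but `<Directory>` sections are not permitted in .htaccess context and Apache will answer with a server error if one appears there. Either present the block as an httpd.conf snippet, or keep it as .htaccess content and drop the `<Directory>` wrapper so only the access directives remain. The block also uses the 2.2-style `order deny,allow` / `deny from all` / `allow from yourIP`, while the httpd.conf examples earlier in the same hunk use the 2.4-style `Require all granted`; on 2.4 the equivalent is `Require ip yourIP`, and mixing the two styles on one server is discouraged, so the page should say which Apache version each form is for. A related placement issue: `ServerTokens Prod` is listed under the ".htaccess tutorial" heading but is valid only in the main server config, so that example should be labelled as httpd.conf content.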