Fresh install of\u00a0CentOS-6.3-x86_64-minimal<\/a>\u00a0with the latest updates\u00a0 I used\u00a0nano<\/strong>\u00a0as the text editor, but you can just as easily use\u00a0vi<\/strong><\/p>\n Configure Firewall<\/strong><\/p>\n Make sure you add any other rules not listed here which you are using.<\/em><\/p>\n Install Apache (httpd)<\/strong><\/p>\n Apache Configuration Files – A quick explanation<\/strong><\/p>\n When Apache starts, it reads one or more configuration files to see what settings it should have. The first file it normally reads is There is a special line in a configuration file that tells Apache to pause reading the current file and to read one or more other configuration files before continuing; this line starts with\u00a0 If you also had a value for ‘fruit’ in one of the included configuration files, then that value would overwrite the current value for ‘fruit’, however, the final value of ‘fruit’ is only determined once Apache has finished reading to the bottom of it’s initial configuration file, which as mentioned before, is normally\u00a0 Creating a Global config file<\/strong><\/p>\n The best way to manage Apache’s settings is to create your own configuration files in\u00a0 By default, Apache reads\u00a0 Inside this file, add the following which I will explain further on:<\/p>\n Modify main config file<\/strong><\/p>\n The following settings appear after the\u00a0 The following line is inside the\u00a0 Compress Content<\/strong><\/p>\n This configures Apache to compress content if the web browser supports it. Images and PDF’s are already compressed so are excluded.\u00a0[Click here to learn more]<\/a><\/p>\n Vary: Accept-Encoding<\/strong><\/p>\n This configures Apache to tell web browsers that content could come in different formats such as compressed and uncompressed but to treat it the same.\u00a0[Click here to learn more]<\/a><\/p>\n Cache-Control<\/strong><\/p>\n This configures Apache to tell web browsers to cache certain types of files for a specified period of time\u00a0[Click here to learn more]<\/a><\/p>\n Prevent ClickJacking<\/strong><\/p>\n This protects visitors to your web server from being redirected to malicious sites\u00a0[Click here to learn more]<\/a><\/p>\n Disable HTTP TRACE<\/strong><\/p>\n This stops a very basic attack whereby a person can see the response of a server request.\u00a0[Click here to learn more]<\/a><\/p>\n Reduce advertised information<\/strong><\/p>\n These two settings reduce the amount of information your server advertises. Not really a major security concern but the less someone knows about your server, the better in my opinion.\u00a0[Click here to learn more]<\/a><\/p>\n Disable directory browsing<\/strong><\/p>\n This setting prevents the server from listing files in a directory that doesn’t have a default document such as ‘index.php’.\u00a0[Click here to learn more]<\/a><\/p>\n There are many sites out there for testing but here are some of my favourite<\/p>\n Performance<\/strong><\/p>\n Pingdom Tools<\/a>\u00a0– Tests the load time of your page and offers recommendations<\/p>\n Google PageSpeed –<\/a><\/p>\n Load Impact<\/a>\u00a0– Load testing and reporting<\/p>\n Blitz<\/a>\u00a0– Load testing and reporting<\/p>\n Security<\/strong><\/p>\n Kyplex<\/a>\u00a0– I’ve known this company since it started and their security scanner has always proved worthwhile.<\/p>\nyum update -y<\/code><\/p>\n\n
# uname -sro\nLinux 2.6.32-279.22.1.el6.x86_64 GNU\/Linux<\/pre>\n<\/blockquote>\n
\n
Prerequisites<\/h3>\n
\n
*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A INPUT -p icmp -j ACCEPT\n-A INPUT -i lo -j ACCEPT\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT\n-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\nCOMMIT<\/pre>\n<\/blockquote>\n
Install<\/h3>\n
\n
Tune and Secure<\/h3>\n
\/etc\/httpd\/conf\/httpd.conf<\/code>\u00a0which it processes line by line overwriting any previously set variables. For example, if you had on line 6 ‘fruit apple’ and then on line 10 ‘fruit orange’, then when Apache has finished reading all configuration files, the value of fruit would be orange as it was the last value for fruit that was read.<\/p>\nInclude<\/code>\u00a0such as\u00a0Include conf.d\/*.conf<\/code>\u00a0which tells Apache to read all the files ending in ‘.conf’ in the directory ‘\/etc\/httpd\/conf.d\/’, and is the normal procedure on a standard install.<\/p>\n\/etc\/httpd\/conf\/httpd.conf<\/code>, so if on the last line of ‘httpd.conf’ you had\u00a0fruit none<\/code>, then the final value Apache uses would be ‘none’.<\/p>\n\/etc\/httpd\/conf.d\/<\/code>. This way you can easily see what changes you have made to the system should something need changing, and you can easily revert the system back should something go wrong.<\/p>\n\/etc\/httpd\/conf\/httpd.conf<\/code>\u00a0as mentioned earlier. Part way through this file, is an\u00a0Include<\/code>\u00a0line which instructs Apache to read all configuration files in the directory ‘\/etc\/httpd\/conf.d\/’. So a good place to create a global configuration file would be inside the ‘\/etc\/httpd\/conf.d\/’ directory. As Apache reads files in alphanumeric order, we will prefix characters that will ensure it is read first.<\/p>\n\n
SetOutputFilter DEFLATE\nBrowserMatch ^Mozilla\/4 gzip-only-text\/html\nBrowserMatch ^Mozilla\/4\\.0[678] no-gzip\nBrowserMatch \\bMSI[E] !no-gzip !gzip-only-text\/html\nSetEnvIfNoCase Request_URI \\.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary\nHeader append Vary User-Agent env=!dont-vary\n\nHeader append Vary Accept-Encoding<\/strong>\n\n<filesMatch \"\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$\">\n Header set Cache-Control \"max-age=604800, public\"\n<\/filesMatch>\n\nHeader always append X-Frame-Options SAMEORIGIN\n\nTraceEnable off\n\nServerTokens Minimal<\/pre>\n<\/blockquote>\n
Include conf.d\/*.conf<\/code>\u00a0line in the\u00a0\/etc\/httpd\/conf\/httpd.conf<\/code>\u00a0file and therefore can’t be set in our Global config file, as explained earlier.<\/p>\n\n
ServerSignature Off<\/pre>\n<\/blockquote>\n
<Directory \"\/var\/www\/html\"><\/code>\u00a0around line 331.<\/p>\n\n
Options -Indexes FollowSymLinks<\/pre>\n<\/blockquote>\n
Explanation<\/h3>\n
\n
SetOutputFilter DEFLATE\nBrowserMatch ^Mozilla\/4 gzip-only-text\/html\nBrowserMatch ^Mozilla\/4\\.0[678] no-gzip\nBrowserMatch \\bMSI[E] !no-gzip !gzip-only-text\/html\nSetEnvIfNoCase Request_URI \\.(?:gif|jpe?g|png|pdf)$ no-gzip dont-vary\nHeader append Vary User-Agent env=!dont-vary<\/pre>\n<\/blockquote>\n
Header append Vary Accept-Encoding<\/pre>\n
\n
<filesMatch \"\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf|js|css|eot|svg|ttf|woff)$\">\n Header set Cache-Control \"max-age=604800, public\"\n<\/filesMatch><\/pre>\n<\/blockquote>\n
\n
Header always append X-Frame-Options SAMEORIGIN<\/pre>\n<\/blockquote>\n
\n
TraceEnable off<\/pre>\n<\/blockquote>\n
\n
ServerTokens Minimal\nServerSignature Off<\/pre>\n<\/blockquote>\n
\n
Options -Indexes FollowSymLinks<\/pre>\n<\/blockquote>\n
Test<\/h3>\n