Short Notes on Security
Note - serving of local files
Note: Often the initial installation of Apache has <Directory /> directive (directive for the root of the filesystem) set to "Allow from All", in [Apache config dir]/sites-available/default! This means that server can server any file from the file system, not just the files in the htdocs document folder, which you typically want!
To avoid this, simply change this to "Deny from All".
Self-Signed SSL Certificate
They might not pass as customer-friendly - in fact, if you need https/ssl for customer communication, you should always use signed certificates, as those do induce trust - but often you have private sections/domains/sites where self-signed is just fine... or you might just wanna test the ssl while waiting for the signed certificate.
Here are only listed steps to get to your certificate; for details and explanations, see e.g. akadia.com.
# openssl genrsa -des3 -out server.key 1024 # openssl req -new -key server.key -out server.csr # cp server.key server.key.org # openssl rsa -in server.key.org -out server.key # openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt # cp server.crt /etc/apache2/cert/ssl.crt # cp server.key /etc/apache2/cert/ssl.key # chmod 400 /etc/apache2/cert/ssl.crt /etc/apache2/cert/ssl.key
Enable SSL/HTTPS in Apache
HowTo: Use the following virtual host definition:
<VirtualHost *:443> ServerName ssl-name DocumentRoot /var/www/ssl/root SSLEngine on SSLCertificateFile /etc/apache2/server.crt SSLCertificateKeyFile /etc/apache2/server.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown </VirtualHost>
where certificate file and the certificate key file are either authority-signed or self-signed certificate files (see above), and add
NameVirtualHost *:443 Listen 443
to /etc/apache2/ports.conf and restart Apache.
.htaccess and mod_rewrite Tricks
Mostly based on 17 Useful .htaccess Tricks and Tips
1. Set Timezone
2. SEO Friendly 301 Permanent Redirects
3. Skip the Download Dialogue
4. Skip or Force www.
5. Custom Error Pages
6. Compress Files
7. Cache Files
8. Disable Caching for Certain File Type
9. Redirect (Sections) to https://
10. Simple MVC using .htaccess
redirect all on handler script and act according to the request_uri
11. Provide Different Page Versions based on User Agent
redirect to light, full, ...
1. Hotlinking Protection with .htaccess
2. Prevent Hacks
3. Block Access to Your .htaccess File
4. Rename .htaccess Files
5. Disable Directory Browsing
6. Change Default Index Page
7. Block Unwanted Visitor based on Referring Domain
8. Blocking Request based on User-Agent Header
9. Secure Directories by Disabling Execution of Scripts
- PHP - replace the '16' with length of the generated password (28 is most you can get):
$password = substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);
or, terminal version:
$ php -r "echo substr(str_replace(array('$1$', '$2$', '$2a$', '$', '.', '/'), '', crypt(php_uname() . microtime())), 0, 16);"; echo 1hlNxRwBr4mCZWQF
- Bash - replace the '64' with length of the generated password (no real limit here), and change the characters class in tr -d as you please, to control what characters can be contained in the password; the characters class presented here are all characters that are treated as a part of the word in terminal (i.e. you can double-click the word and it gets selected as a whole):
$ cat /dev/urandom | tr -d -c "a-zA-Z0-9@#%&\-\_+=:,.?/" | head -c 64; echo uQ,XGSG4qPtE4.&UQT,jPA#=a8j-mhy+qjQUg:m#s7g1@c2-#J8D-,3zQFd+o_-W
- .htaccess files in Apache2
- htpasswd utility in Apache2
- Authentication, Authorization and Access Control in Apache2