

httpdのconfをより安全に


Disable the default welcome page

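# Use absolute paths instead of cd + relative mv: if the cd failed
# (typo, different distro layout) the mv would otherwise run in the
# wrong directory. Renaming keeps a backup; presumably httpd only
# includes *.conf from conf.d, so the .org file is ignored.
sudo mv -- /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.org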

Disable the icons folder (autoindex)

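# Absolute path so the rename cannot silently act on the wrong
# directory when a cd fails; the .org suffix keeps a backup.
sudo mv -- /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.org
# Check that the configuration still parses, and only restart when it does
# (a restart with a broken config would take the site down).
sudo httpd -t && sudo systemctl restart httpd
# Confirm that http://<site URL>/icons/README now returns "Not Found".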

TLS 1.0 と TLS 1.1 を無効にし、TLS 1.2 のみ利用する設定

# Show which cipher suites this OpenSSL build offers (verbose, one per
# line); use it as the reference when writing SSLCipherSuite below.
openssl ciphers -v DEFAULT

# Edit httpd's TLS configuration.
sudo -- emacs /etc/httpd/conf.d/ssl.conf
---
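# edit as below

# Allow TLS 1.2 only. When the installed httpd/OpenSSL supports TLS 1.3,
# use the second (commented) form instead.
#SSLProtocol all -SSLv2
#SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProtocol -all +TLSv1.2

# Only the last SSLCipherSuite directive in a scope takes effect, so keep
# a single active one. NOTE: the earlier list written as
# "...:!aNULL:eNULL:..." had eNULL WITHOUT the "!", which *includes*
# null-encryption suites; the corrected form is kept here for reference.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!MD5:!SEED:!IDEA:!3DES:!RC4:!ADH:!DH
# TLS 1.3 suites are configured separately (httpd 2.4.36+ / OpenSSL 1.1.1+):
#SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
# Explicit ECDHE/AEAD-only list: forward-secret key exchange, no CBC, no RC4/3DES.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305

# Perfect Forward Secrecy: a long-lived session-ticket key would let past
# sessions be decrypted, so disable tickets.
SSLSessionTickets off

# Prefer the server's cipher order over the client's.
SSLHonorCipherOrder on

# Turn off TLS-level compression (CRIME mitigation).
SSLCompression off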
---

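# Restart httpd, not sshd: the file edited above is httpd's ssl.conf, so
# restarting sshd would leave the old TLS settings in effect. Parse-check
# first so a typo cannot take the site down.
sudo httpd -t && sudo systemctl restart httpd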

Apache の環境変数を変更

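# /etc/sysconfig/httpd is root-owned; edit it with sudo like the other
# files on this page (without it the save silently fails).
sudo emacs /etc/sysconfig/httpd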
---
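# Disable OpenSSL's default zlib compression (CRIME mitigation). The
# variable OpenSSL recognises is OPENSSL_NO_DEFAULT_ZLIB; the original
# "OPEN_NO_DEFAULT_ZLIB" is not a name OpenSSL reads, so it had no effect.
# On systemd hosts this file is loaded through EnvironmentFile=, which
# expects plain NAME=value lines; if this host still sources it from an
# init script, prefix the line with "export" — TODO confirm which applies.
OPENSSL_NO_DEFAULT_ZLIB=1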
---

ディレクトリ内容一覧表示 off、バージョン表示 off など

# Edit the main httpd configuration (root-owned, hence sudo).
sudo -- emacs /etc/httpd/conf/httpd.conf
---
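# modified as below

# Directory listing off: drop "Indexes" from Options.
# Options Indexes FollowSymLinks
Options FollowSymLinks

# Hide the Apache version: ProductOnly sends just "Apache" in the Server
# header, and ServerSignature off removes the footer from error pages.
ServerTokens ProductOnly
ServerSignature off

# HTTP TRACE off
TraceEnable off

# X-Frame-Options header. "set" replaces any existing value — "append"
# would yield a comma-joined "SAMEORIGIN, SAMEORIGIN" if another layer
# (proxy, app) also sets it, which browsers may treat as invalid — and
# "always" applies it to error responses too, e.g. the 404 page below.
# Requires mod_headers to be loaded.
Header always set X-Frame-Options "SAMEORIGIN"

# Custom 404 page. /missing.html must exist under DocumentRoot,
# otherwise the error handler itself returns 404.
ErrorDocument 404 /missing.html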

---
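# Parse-check the configuration first; only restart httpd when it is
# clean, so a typo in httpd.conf cannot take the site down.
sudo httpd -t && sudo systemctl restart httpd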
