Apache configuration notes
  • Basics: prefork MPM sizing (MaxClients and MaxRequestsPerChild are the 2.2 names; 2.4 still accepts them but calls them MaxRequestWorkers and MaxConnectionsPerChild. MaxClients cannot exceed ServerLimit, so ServerLimit must be at least as large.)
<IfModule prefork.c>
StartServers            10 
MinSpareServers         10
MaxSpareServers         20
ServerLimit           1050
MaxClients            1000
MaxRequestsPerChild  10000
</IfModule>
  • Give away no unnecessary information (ServerTokens Prod shrinks the Server header to just "Apache"; ServerSignature Off removes the version line from server-generated pages such as error pages and directory listings)
ServerTokens Prod
ServerSignature Off
  • Mitigations for past vulnerabilities and similar (Header and RequestHeader need mod_headers)
# Range-header DoS: MaxRanges was added in 2.2.21. "none" rejects every Range request,
# which also breaks resumable downloads and media seeking; "default" (200 ranges per
# request) is the less disruptive setting.
MaxRanges none  (2.2.21+)
# Cross-site tracing: refuse the TRACE method.
TraceEnable Off
# Keep the inode number out of the ETag (2.4 already defaults to MTime Size).
FileETag MTime Size
# httpoxy: stop a client-supplied Proxy header from reaching CGI/FastCGI as HTTP_PROXY.
# The httpd project's own guidance is `RequestHeader unset Proxy early`, so it runs
# before other modules see the request.
RequestHeader unset Proxy
# Legacy header: current browsers no longer ship the XSS auditor it controlled
# (Chrome removed it in 78); harmless to keep, and OWASP now suggests the value "0".
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# default-src 'self' also blocks inline <script>/<style> and anything from a CDN;
# trial the policy as Content-Security-Policy-Report-Only before enforcing it.
Header always set Content-Security-Policy "default-src 'self'"
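To see whether a server actually reflects the settings above, the check below parses a captured HTTP response and reports a Server header that still carries a version or platform, an ETag that still includes the inode number, and any of the page's security headers that are missing or carry an unexpected value. This is an added example, not code from the original page: the two responses at the bottom are constructed samples, and the ETag rule relies on Apache's ETag format (three hex fields "inode-size-mtime" with the old INode MTime Size default, two with MTime Size).

```python
"""Offline audit of an HTTP response against the header hardening above.

Added example, not from the original page. WEAK_RESPONSE and
HARDENED_RESPONSE are constructed samples; real `curl -si https://host/`
output can be passed to audit_headers() in the same way.
"""
import re

# What the page's Header directives should produce, keyed by lower-cased name.
EXPECTED = {
    "x-frame-options": ("SAMEORIGIN", "DENY"),
    "x-content-type-options": ("nosniff",),
    "x-xss-protection": ("1", "0"),            # compared on the part before ';'
    "content-security-policy": None,           # any non-empty policy accepted here
}

HEX = re.compile(r"^[0-9a-f]+$")


def parse_response(raw):
    """Return (status_line, {lower-cased header name: value}) from raw response text."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def etag_has_inode(etag):
    """Apache's old default FileETag (INode MTime Size) emits three hex fields,
    "inode-size-mtime"; FileETag MTime Size emits two. mod_deflate may append a
    non-hex suffix such as "-gzip", so only all-hex fields are counted."""
    fields = etag.strip().lstrip("W/").strip('"').split("-")
    return len(fields) == 3 and all(HEX.match(f) for f in fields)


def audit_headers(raw):
    """Return a list of findings; an empty list means the response matches the page's settings."""
    _, h = parse_response(raw)
    findings = []

    # ServerTokens Prod leaves exactly "Apache"; a "/2.x" version or a
    # parenthesised OS/module list means ServerTokens is Min/OS/Full.
    server = h.get("server", "")
    if re.search(r"/\d", server) or "(" in server:
        findings.append("Server header leaks version or platform: %r" % server)

    if "etag" in h and etag_has_inode(h["etag"]):
        findings.append("ETag appears to include the inode number: %s" % h["etag"])

    for name, allowed in EXPECTED.items():
        value = h.get(name)
        if not value:
            findings.append("missing header: %s" % name)
        elif allowed and value.split(";")[0].strip() not in allowed:
            findings.append("unexpected value for %s: %r" % (name, value))
    return findings


# Constructed samples (not real captures): a default-ish 2.2 server and one
# configured as on this page.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS) PHP/5.3.3\r\n"
    'ETag: "2d-5c3-4a8f4e6b1a0c0"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    'ETag: "5c3-4a8f4e6b1a0c0"\r\n'
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(raw) or "OK")
```

TRACE and the Range limit cannot be judged from a single GET response; check those with `curl -si -X TRACE https://host/` (expect 405) and a request carrying a Range header with many byte ranges.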
  • SSL settings (mod_ssl)
# Disables SSLv2 and SSLv3 (POODLE) but still allows TLS 1.0/1.1; on 2.4 with a
# current OpenSSL drop those too: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol             all -SSLv2 -SSLv3
# ECDHE/DHE (forward secrecy) first, AEAD before CBC. The trailing AES*-SHA* suites
# with no key-exchange prefix use RSA key transport (no forward secrecy) and are only
# there for old clients. See what a build really resolves with: openssl ciphers -v '<list>'
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
# The server's order above wins over the client's preference.
SSLHonorCipherOrder  on
# CRIME: TLS-level compression leaks secrets such as cookies. Directive added in 2.2.24 and 2.4.3.
SSLCompression  off  (2.2.24+)
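The cipher list above is long enough that it is worth seeing which entries actually buy forward secrecy and which are the CBC/HMAC-SHA1 leftovers, and why the ordering matters once SSLHonorCipherOrder is on. The script below is an added example, not code from the page or from the httpd project: SSL_CIPHER_SUITE is the page's own list, and the classification reads the OpenSSL suite names (ECDHE-/DHE- prefix, GCM/POLY1305, a bare trailing -SHA) rather than asking OpenSSL, so it describes the names, not what a given build enables.

```python
"""Classify the SSLCipherSuite list above and check its order.

Added example, not from the original page. Classification is by OpenSSL
suite-name convention; cross-check a real build with
`openssl ciphers -v '<list>'`.
"""

# The page's own SSLCipherSuite value, split only for line length.
SSL_CIPHER_SUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS"
)


def classify(suite):
    """Describe one OpenSSL cipher-suite name by its components."""
    return {
        "name": suite,
        # ECDHE/DHE prefix: ephemeral key exchange, so a leaked server key does
        # not decrypt recorded sessions. Bare AES*-SHA* names use RSA key transport.
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-")),
        # GCM and ChaCha20-Poly1305 are AEAD; everything else in this list is CBC + HMAC.
        "aead": "GCM" in suite or "POLY1305" in suite,
        # A bare trailing "-SHA" means HMAC-SHA1 with CBC; "-SHA256"/"-SHA384" is
        # HMAC-SHA2 on a CBC suite or just the PRF hash of a GCM suite.
        "sha1_mac": suite.endswith("-SHA"),
    }


def audit_cipher_list(directive):
    """Split an SSLCipherSuite value, skip !/-/+ modifiers, classify each suite
    and verify that every forward-secret suite precedes every non-forward-secret one.

    With SSLHonorCipherOrder on the server takes the first suite in *its* list
    that the client also offers, so a non-FS suite listed before an FS suite
    would be chosen over it whenever the client supports both."""
    suites = [s for s in directive.split(":") if s and not s.startswith(("!", "-", "+"))]
    rows = [classify(s) for s in suites]
    saw_non_fs = False
    fs_first = True
    for r in rows:
        if not r["forward_secrecy"]:
            saw_non_fs = True
        elif saw_non_fs:
            fs_first = False            # an FS suite appears after a non-FS one
    return {
        "count": len(rows),
        "non_forward_secret": [r["name"] for r in rows if not r["forward_secrecy"]],
        "aead": [r["name"] for r in rows if r["aead"]],
        "sha1_mac": [r["name"] for r in rows if r["sha1_mac"]],
        "fs_first": fs_first,
    }


if __name__ == "__main__":
    report = audit_cipher_list(SSL_CIPHER_SUITE)
    print("suites:", report["count"])
    print("no forward secrecy:", report["non_forward_secret"])
    print("HMAC-SHA1 CBC:", report["sha1_mac"])
    print("AEAD:", len(report["aead"]))
    print("all FS suites listed first:", report["fs_first"])
```

On the page's list this reports 26 suites, the six plain AES*-* suites at the tail as the only ones without forward secrecy, eight HMAC-SHA1 CBC suites, and a correct FS-first order; dropping the tail entirely is the usual next step once legacy clients are gone.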
  • Turning SSL compression off on 2.2.23 and earlier (no SSLCompression directive yet)
# RHEL/CentOS 6 ships httpd 2.2.15, so this is the route there: Red Hat's OpenSSL
# honours the variable and skips zlib compression. The init script sources
# /etc/sysconfig/httpd, so restart httpd afterwards.
echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd
  • Symlink attack mitigation: a patch to default_handler() in server/core.c. With Options FollowSymLinks a symlink pointing into another user's directory is simply followed, and SymLinksIfOwnerMatch checks owners during the path walk, before the file is opened, so a link swapped in between still gets through (the Apache docs themselves note the check is racy). The fragment checks after the open instead: the owner of the file behind the opened descriptor is compared with the owner of the path entry as lstat sees it, and a mismatch gets a 403.
/* Fragment inserted into default_handler() in server/core.c after the file has
 * been opened; fd, r and status are the handler's own variables. */
apr_finfo_t oinfo, finfo;
/* oinfo: owner of the file actually opened (fstat on fd, so it cannot be swapped
 * out after this check). finfo: owner of r->filename without following links
 * (APR_FINFO_LINK), i.e. the symlink itself when the path is a link. */
if (apr_file_info_get(&oinfo, APR_FINFO_USER, fd) == APR_SUCCESS
    && apr_stat(&finfo, r->filename, APR_FINFO_LINK | APR_FINFO_OWNER, r->pool) == APR_SUCCESS
) {
    /* A link owned by one user pointing at another user's file is refused. */
    if (apr_uid_compare(oinfo.user, finfo.user) != APR_SUCCESS) {
        ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
                      "link permissions deny server access: %s [o:%d] [f:%d]",
                      r->filename, oinfo.user, finfo.user);
        apr_file_close(fd);
        return HTTP_FORBIDDEN;
    }
}
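The fragment above cannot be run outside httpd, so here is the same check as a stand-alone example, added here and not taken from the page or from httpd. It assumes a POSIX system and uses the current user for both the file and the link, so both paths pass; the point it demonstrates is the order of operations: open first, fstat the descriptor you hold (the file that will actually be served), lstat the path to see who owns the entry itself, and then serve through that same descriptor rather than re-opening by name.

```python
"""Race-free owner check in the spirit of the core.c fragment above.

Added example (not the page's or httpd's code); assumes POSIX. The demo
scenario is constructed with tempfile and the current user.
"""
import os
import tempfile


def owners_match(target_uid, link_uid):
    """The fragment's rule: refuse when the opened file's owner differs from the
    owner of the path entry (a symlink planted by another user)."""
    return target_uid == link_uid


def serve_file(path):
    """Open, check ownership on the opened descriptor, and read through it.
    Raises PermissionError where the fragment returns HTTP_FORBIDDEN."""
    fd = os.open(path, os.O_RDONLY)
    try:
        target_uid = os.fstat(fd).st_uid   # apr_file_info_get(..., fd): the file we hold
        link_uid = os.lstat(path).st_uid   # apr_stat with APR_FINFO_LINK: the entry itself
        if not owners_match(target_uid, link_uid):
            raise PermissionError(
                "link permissions deny server access: %s [o:%d] [f:%d]"
                % (path, target_uid, link_uid))
        # Serve from the descriptor that was checked; a second open by name
        # would reintroduce the race the check is meant to close.
        chunks = []
        while True:
            buf = os.read(fd, 65536)
            if not buf:
                break
            chunks.append(buf)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a file and a symlink to it, both created by the
    current user, so both are allowed. A symlink created by a different uid
    pointing at the same file would raise PermissionError (reproducing that
    needs two accounts)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "victim-config.php")
        with open(target, "w") as f:
            f.write("secret\n")
        link = os.path.join(d, "attacker-link.php")
        os.symlink(target, link)
        return serve_file(target), serve_file(link)


if __name__ == "__main__":
    print(demo())
```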
