Apache is open-source web server software. A web server receives connection requests and processes them. When a user types a web page address into their web browser, that request is directed to the Apache web server.
Apache is a popular open-source web server compatible with Linux servers, with up to a 60% market share. Apache has plenty of modules that can be configured in numerous ways to meet the user’s goals. It can be used for anything from basic HTML sites to the more complex task of proxying requests as a reverse proxy gateway. Because Apache is extremely user-friendly and popular, users need to be cautious and ensure that their environment keeps their data safe.
In a nutshell, Apache is:
- Free and open source
- Multi-platform capable
- Able to cope with high traffic volume
- Highly configurable
While there are some basic best practice configurations to help harden your Apache instance, to truly harden your Apache HTTP server, it is recommended to enlist the services of an Apache expert like Pantek. It’s also vital that whoever manages your Apache web server follow Apache Server Announcements to stay up to date. Below are some configurations to help you get started with hardening your server.
- Ensure that Apache only runs with the necessary permissions.
- Disable configuration that exposes server and software version and other information.
- Ensure that Apache runs as an unprivileged user.
- Ensure SSL/TLS protocols and ciphers are set to only the most secure versions.
- Ensure traffic is encrypted with SSL certificates and redirect non-encrypted traffic to the encrypted site.
- Add any additional software solutions that work with Apache to prevent attacks like Denial of Service.
- Keep Apache updated. Any version before 2.4.X is not supported, and that can create risk factors for users who haven’t upgraded. Often, the new versions include ways to eliminate those risks or minimize them, which is why the developer encourages users to update.
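The checklist above, sketched as Apache 2.4 configuration with the weak setting noted beside each hardened one. This is an added example, not configuration from the original page or from the Apache project; the host name, file paths and the www-data account are assumptions, and the timeout values are illustrative.

```apache
# Added example; host name, paths and account names are assumptions.

# Run worker processes as a dedicated unprivileged account
# (commonly www-data on Debian/Ubuntu, apache on RHEL-family systems).
User www-data
Group www-data

# Weak: "ServerTokens Full" (the default) puts version, OS and modules
# in the Server response header.
ServerTokens Prod
# Weak: "ServerSignature On" prints the version on error and listing pages.
ServerSignature Off

# Deny filesystem access by default, then grant only the document root.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Redirect all plain-HTTP requests to HTTPS.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
    # Weak: "SSLProtocol all" can still admit TLS 1.0/1.1.
    # +TLSv1.3 needs httpd 2.4.37+ built against OpenSSL 1.1.1+.
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
</VirtualHost>

# Bundled mod_reqtimeout drops clients that send requests too slowly.
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
```

Check the syntax with `apachectl configtest` before reloading the server.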
Ultimately, how you harden your Apache HTTP instance will be determined by your specific use case. For more information about hardening your Apache HTTP instance, check out our website.