notas:apache
Differences
Shows the differences between two versions of the page.
Next revision | Previous revision | ||
notas:apache [2010/02/10 14:07] – created cayu | notas:apache [2015/11/20 17:54] (current) – cayu | ||
---|---|---|---|
Línea 1: | Línea 1: | ||
====== Tips de Apache ====== | ====== Tips de Apache ====== | ||
+ | |||
+ | //Cosas varias con las que me tope cuando tuve que modificar la configuración de Apache.// | ||
===== Directorio sin autenticacion dentro de otro con autenticacion ===== | ===== Directorio sin autenticacion dentro de otro con autenticacion ===== | ||
Línea 7: | Línea 9: | ||
< | < | ||
< | < | ||
+ | AuthType | ||
+ | AuthName | ||
+ | Options | ||
+ | Order | ||
+ | Allow from all | ||
+ | AllowOverride None | ||
+ | AuthUserFile | ||
+ | require | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | Pero a la vez dentro de el tenemos un directorio que no precisa privilegios y queremos que sea visible para los demas usuarios de la red sin necesidad de autenticación, | ||
+ | |||
+ | < | ||
+ | < | ||
+ | Options | ||
+ | Satisfy | ||
+ | Allow from All | ||
+ | AllowOverride All | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Auto Autenticar Usuario ===== | ||
+ | |||
+ | A veces necesitamos que cierta aplicación web o un directorio en particular crea que esta autenticado con " | ||
+ | |||
+ | |||
+ | < | ||
+ | RewriteBase / | ||
+ | RewriteRule / | ||
+ | </ | ||
+ | ===== Redireccionar de HTTP a HTTPS ===== | ||
+ | |||
+ | < | ||
+ | RewriteEngine On | ||
+ | RewriteCond %{HTTPS} off | ||
+ | RewriteRule (.*) https:// | ||
+ | </ | ||
+ | |||
+ | ===== Autenticacion LDAP ===== | ||
+ | |||
+ | Fragmento de configuración para Nagios | ||
+ | |||
+ | < | ||
+ | LDAPSharedCacheSize 200000 | ||
+ | LDAPCacheEntries 1024 | ||
+ | LDAPCacheTTL 600 | ||
+ | LDAPOpCacheEntries 1024 | ||
+ | LDAPOpCacheTTL 600 | ||
+ | |||
+ | ScriptAlias / | ||
+ | |||
+ | < | ||
+ | SSLRequireSSL | ||
+ | Options ExecCGI | ||
+ | AllowOverride None | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | AuthType | ||
+ | AuthName | ||
+ | AuthBasicProvider ldap | ||
+ | AuthLDAPURL " | ||
+ | AuthLDAPURL " | ||
+ | AuthLDAPBindDN uid=ldapadmin, | ||
+ | AuthLDAPBindPassword 123456 | ||
+ | Require valid-user | ||
+ | Require group cn=linux-admin, | ||
+ | </ | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Autenticacion contra dos LDAP diferentes ===== | ||
+ | |||
+ | < | ||
+ | < | ||
+ | AuthLDAPBindDN usuarioconsulta@dominio.net | ||
+ | AuthLDAPBindPassword password | ||
+ | AuthLDAPURL ldap:// | ||
+ | </ | ||
+ | |||
+ | < | ||
+ | AuthLDAPBindDN usuarioconsulta@segundodominio.net | ||
+ | AuthLDAPBindPassword password | ||
+ | AuthLDAPURL ldap:// | ||
+ | </ | ||
+ | |||
+ | |||
+ | < | ||
+ | CustomLog ${APACHE_LOG_DIR}/ | ||
+ | ErrorLog ${APACHE_LOG_DIR}/ | ||
+ | SSLEngine on | ||
+ | SSLCertificateFile / | ||
+ | SSLCertificateKeyFile / | ||
+ | |||
+ | ServerName | ||
+ | ServerAlias | ||
+ | |||
+ | DocumentRoot / | ||
+ | |||
+ | < | ||
+ | AuthBasicProvider ldap-dominio ldap-segundodominio | ||
AuthType Basic | AuthType Basic | ||
- | AuthName "Nagios | + | |
+ | AuthzLDAPAuthoritative off | ||
+ | | ||
Options All | Options All | ||
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
+ | SSLRequireSSL | ||
AllowOverride None | AllowOverride None | ||
- | AuthUserFile | + | Require |
- | require | + | |
</ | </ | ||
+ | </ | ||
</ | </ | ||
- | Pero a la vez dentro de el tenemos un directorio que no precisa privilegios y queremos que sea visible para los demas usuarios de la red sin necesidad de autenticación, | + | ===== Seguridad ===== |
+ | **/ | ||
< | < | ||
- | < | + | # |
- | | + | # Disable access to the entire file system except for the directories that |
- | Satisfy Any | + | # are explicitly allowed later. |
- | Allow from All | + | # |
- | AllowOverride All | + | # This currently breaks the configurations that come with some web application |
- | </ | + | # Debian packages. It will be made the default for the release after lenny. |
+ | # | ||
+ | #< | ||
+ | # | ||
+ | # Order Deny,Allow | ||
+ | # | ||
+ | #</ | ||
+ | |||
+ | # Changing the following options will not really affect the security of the | ||
+ | # server, but might make attacks slightly more difficult in some cases. | ||
+ | |||
+ | # | ||
+ | # ServerTokens | ||
+ | # This directive configures what you return as the Server HTTP response | ||
+ | # Header. The default is ' | ||
+ | # and compiled in modules. | ||
+ | # Set to one of: Full | OS | Minimal | Minor | Major | Prod | ||
+ | # where Full conveys the most information, | ||
+ | # | ||
+ | # En Prod no mostramos ninguna info de version ni nada | ||
+ | ServerTokens Prod | ||
+ | |||
+ | # | ||
+ | # Optionally add a line containing the server version and virtual host | ||
+ | # name to server-generated pages (internal error documents, FTP directory | ||
+ | # listings, mod_status and mod_info output etc., but not CGI generated | ||
+ | # documents or custom error documents). | ||
+ | # Set to " | ||
+ | # Set to one of: On | Off | EMail | ||
+ | # | ||
+ | # No mostrar info de version ni nada | ||
+ | ServerSignature Off | ||
+ | |||
+ | # | ||
+ | # Allow TRACE method | ||
+ | # | ||
+ | # Set to " | ||
+ | # diagnostic purposes). | ||
+ | # | ||
+ | # Set to one of: On | Off | extended | ||
+ | # | ||
+ | TraceEnable Off | ||
</ | </ | ||
+ | **/ | ||
+ | < | ||
+ | expose_php = Off | ||
+ | </ | ||
+ | |||
+ | ==== Mod Security ==== | ||
+ | |||
+ | Mod Security es un módulo de Apache, que mediante del filtrado de los distintos métodos HTTP (GET, POST, etc) adquiere un comportamiento de Firewall Web, filtrando ataques potenciales a nuestros sitios web. | ||
+ | |||
+ | < | ||
+ | apt-get install libapache-mod-security | ||
+ | a2enmod mod-security | ||
+ | </ | ||
+ | **/ | ||
+ | < | ||
+ | ServerTokens Full | ||
+ | SecServerSignature Servidor HTTP Blablabla 7.0 | ||
+ | </ | ||
+ | |||
+ | ==== Mod SSL ==== | ||
+ | |||
+ | En la siguiente página wiki se pueden encontrar algunos tips de [[notas: | ||
+ | |||
+ | ===== Calcular Apache prefork ===== | ||
+ | |||
+ | * Determinar RAM disponible para Apache | ||
+ | * Determinar RAM usada por proceso de Apache | ||
+ | * MaxClients en concordancia con (RAM disponible para Apache) / (RAM usada por proceso Apache) | ||
+ | |||
+ | MaxClients: ((Total_Memory)(1024)(MB) - Other_processes_memory) / 73 | ||
+ | |||
+ | For Example: I have 16 GB RAM, I might leave free 2 GB for any other processes | ||
+ | |||
+ | MaxClients: ((16*1024) - 2048) / 73 | ||
+ | MaxClient: 196 | ||
+ | |||
+ | |||
+ | http:// | ||
+ | |||
+ | https:// | ||
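Review bot: In the "Autenticacion LDAP" block, `Require valid-user` immediately followed by `Require group cn=linux-admin,` does not limit access to that group: Apache grants access when any one of several bare `Require` lines matches, so every account that authenticates against the directory reaches the Nagios CGI location. Drop `Require valid-user` and keep only the group rule. With `AuthBasicProvider ldap` (mod_authnz_ldap) the group check is written `Require ldap-group`, since plain `Require group` is evaluated by the group-file module. The same block and the two-LDAP example also store bind credentials in clear text (`AuthLDAPBindPassword 123456`, `AuthLDAPBindPassword password`); the text should say that the file holding them must not be world-readable and that the bind account should have read-only rights.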
notas/apache.1265810827.txt.gz · Last modified: 2010/02/10 14:07 by cayu