This is an old revision of the document!


Apache Tips

Assorted things I ran into when I had to modify the Apache configuration.

Unauthenticated directory inside an authenticated one

For example, in some cases we have a directory that requires authentication:

<Directory "/usr/local/nagios/share">
    AuthType    Basic
    AuthName    "Nagios Access"
    Options     All
    Order       allow,deny
    Allow       from all
    AllowOverride None
    AuthUserFile  /usr/local/nagios/etc/passwd.nagios
    require     valid-user
</Directory>

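But inside it we also have a directory that needs no privileges, and we want it to be visible to the other users on the network without authentication. Satisfy Any lets a request through when either the host-based rule (Allow) or the authentication requirement is met; since Allow from All matches every client, no credentials are requested. To do that, configure it as follows: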

<Directory "/usr/local/nagios/share/wiki">
    Options     +Indexes
    Satisfy     Any
    Allow       from All
    AllowOverride All
</Directory>

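Redirect from HTTP to HTTPS

    RewriteEngine On
    # Only rewrite requests that arrived without TLS
    RewriteCond %{HTTPS} off
    # External redirect to the same host and URI over HTTPS; stop processing further rules
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]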

LDAP authentication

Configuration snippet for Nagios

LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600

ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

<Directory "/usr/local/nagios/sbin">
    SSLRequireSSL
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType               	Basic
    AuthName               	"Ingrese usuario y contraseña de Nagios"
    AuthBasicProvider 		ldap
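    # One AuthLDAPURL with space-separated hosts gives failover; a second
    # AuthLDAPURL directive would replace the first instead of adding a server.
    AuthLDAPURL 		"ldap://10.1.1.15:389 10.1.1.16:389/ou=users,dc=organizacion?uid"
    AuthLDAPBindDN 		uid=ldapadmin,ou=users,dc=organizacion
    # The bind password is stored in clear text; restrict read access to this file.
    AuthLDAPBindPassword 	123456
    # Multiple Require lines are alternatives: valid-user alone admits every
    # user who authenticates. mod_authnz_ldap's group check is "Require ldap-group".
    Require 			valid-user
    Require group 		cn=linux-admin,ou=groups,dc=organizacion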
</Directory>

Security

The sherekan blog (http://sherekan.com.ar/2009/08/11/securizando-servidor-apache-parte-iv/) has a short note about phpsu.

/etc/apache2/conf.d/security

#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages. It will be made the default for the release after lenny.
#
#<Directory />
#	AllowOverride None
#	Order Deny,Allow
#	Deny from all
#</Directory>

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
# With Prod we expose no version information at all
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
# Do not show any version information
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
TraceEnable Off

/etc/php5/apache2/php.ini

expose_php = Off
notas/apache.1299073460.txt.gz · Last modified: 2011/03/02 13:44 by cayu