Linode Community Forums
PostPosted: Fri Aug 29, 2008 1:25 am 
Senior Newbie

Joined: Thu Aug 21, 2008 11:41 am
Posts: 8
Any tips for securing and increasing the speed of apache?


My current Setup:

APACHE:
Compile:
Code:
./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-mods-shared='rewrite ssl' --enable-rewrite --enable-ssl --with-ssl --disable-env --disable-status --disable-autoindex --disable-cgi --disable-userdir --disable-actions --disable-asis --enable-deflate --enable-so


Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_filter.c
mod_log_config.c
prefork.c
http_core.c
mod_mime.c
mod_dir.c
mod_actions.c
mod_alias.c
mod_so.c


httpd.conf
Code:
ServerRoot "/usr/local/apache2"
Listen 80
LoadModule php5_module    modules/libphp5.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule deflate_module modules/mod_deflate.so
<IfModule !mpm_netware_module>
<IfModule !mpm_winnt_module>
User daemon
Group daemon
</IfModule>
</IfModule>
ServerAdmin admin@domain.org
ServerName domain.org:80
DocumentRoot "/www"
UseCanonicalName Off
ServerSignature Off
HostnameLookups Off
ServerTokens Prod 
PidFile /usr/local/apache2/logs/httpd.pid
ScoreBoardFile /usr/local/apache2/logs/httpd.scoreboard
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
<IfModule prefork.c>
    MinSpareServers 5
    MaxSpareServers 10
    StartServers 5
    MaxClients 150
    MaxRequestsPerChild 0
</IfModule>
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
SetInputFilter DEFLATE
AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby text/html
DeflateFilterNote ratio
DeflateCompressionLevel 3
</IfModule>
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory /www>
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/www/domain.org/html">
    Options All
    AllowOverride All
    Order allow,deny
    Allow from all
    SetOutputFilter DEFLATE
    SetInputFilter DEFLATE
    AddOutputFilterByType DEFLATE application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby text/html
</Directory>
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>
ErrorLog "logs/error_log"
LogLevel debug
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" common
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
</IfModule>
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
DefaultType text/plain
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
</IfModule>
NameVirtualHost domain.org:80
<VirtualHost domain.org:80>
    DocumentRoot "/www/domain.org/html"
    ServerName "domain.org"
    ServerAlias "domain.org"
    ErrorLog /www/domain.org/logs/error_log
    CustomLog /www/domain.org/logs/access_log combined
</VirtualHost>
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


PHP:
Compile:
Default

php.ini
Code:
engine = On
zend.ze1_compatibility_mode = Off
short_open_tag = On
asp_tags = Off
precision    =  14
y2k_compliance = On
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
unserialize_callback_func=
serialize_precision = 100
allow_call_time_pass_reference = Off
safe_mode = On
safe_mode_gid = Off
safe_mode_include_dir =
safe_mode_exec_dir =
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH
disable_functions = phpinfo,dir,readfile,shell_exec,exec,virtual,passthru,proc_close,proc_get_status,proc_open,proc_terminate,syste
; note: disable_classes takes class names only; function names such as these have
; no effect here and belong in disable_functions
disable_classes = ni_get(), phpinfo(), shell_exec(), popen()
expose_php = Off
max_execution_time = 30     ; Maximum execution time of each script, in seconds
max_input_time = 60   ; Maximum amount of time each script may spend parsing request data
memory_limit = 16M      ; Maximum amount of memory a script may consume
error_reporting  =  E_ALL
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
variables_order = "EGPCS"
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
auto_prepend_file =
auto_append_file =
default_mimetype = "text/html"
doc_root =
user_dir =
extension_dir = "/usr/lib/php/modules"
enable_dl = On
file_uploads = Off
upload_max_filesize = 20M
allow_url_fopen = On
default_socket_timeout = 60


PostPosted: Fri Aug 29, 2008 1:19 pm 
Senior Member

Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
One thing pops right out

Code:
allow_url_fopen = On 

Very, very bad idea having this enabled

If you need the functionality use Curl


PostPosted: Fri Aug 29, 2008 4:20 pm 
Senior Newbie

Joined: Thu Aug 21, 2008 11:41 am
Posts: 8
marcus0263 wrote:
One thing pops right out

Code:
allow_url_fopen = On 

Very, very bad idea having this enabled

If you need the functionality use Curl

Thanks, fixed. I pretty much only need core features to display PHP pages.


PostPosted: Fri Aug 29, 2008 5:41 pm 
Newbie

Joined: Fri Jun 27, 2008 12:49 pm
Posts: 3
marcus0263 wrote:
One thing pops right out

Code:
allow_url_fopen = On 

Very, very bad idea having this enabled

If you need the functionality use Curl


What's so bad about that? :P


PostPosted: Fri Aug 29, 2008 6:51 pm 
Senior Member

Joined: Mon Jul 21, 2008 1:26 pm
Posts: 171
Website: http://www.rejecttheherd.net
Location: Seattle
kupesoft wrote:
marcus0263 wrote:
One thing pops right out

Code:
allow_url_fopen = On 

Very, very bad idea having this enabled

If you need the functionality use Curl


What's so bad about that? :P


Google is your friend ;)


PostPosted: Fri Aug 29, 2008 7:16 pm 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
kupesoft wrote:
marcus0263 wrote:
One thing pops right out

Code:
allow_url_fopen = On 

Very, very bad idea having this enabled

If you need the functionality use Curl


What's so bad about that? :P


From PHPSec.org:
If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

_________________
/ Peter
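As an added illustration of the quote above (example code, not from the thread or PHPSec.org): the include pattern it warns about, beside an allowlist-based version that never lets the request supply a path. The template names and the `templates` directory are assumptions, and it is written for PHP 7+.

```php
<?php
// Added example, not code from the thread: the include pattern the PHPSec.org
// quote warns about, beside an allowlist version. Template names/dir assumed.
// VULNERABLE: request data is used directly as an include path. With
// allow_url_fopen / allow_url_include enabled, PHP will fetch and execute
// whatever the value points at, remote locations included.
function render_page_unsafe(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request selects a key in a fixed map of local templates,
// so it can never supply a path, a scheme, or a host.
const TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, TEMPLATES)) {
        return null;                       // unknown key: include nothing
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . TEMPLATES[$page]);
    // realpath() is false for a missing file; also confirm the resolved
    // path is still below $baseDir in case the allowlist is ever mis-edited.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_template($page, __DIR__ . '/templates');
    if ($path === null) {
        http_response_code(404);
        echo "Not found\n";
        return;
    }
    include $path;
}

// Defence in depth in php.ini, independent of the code above:
//   allow_url_fopen = Off     ; what marcus0263 recommended
//   allow_url_include = Off   ; PHP >= 5.2 gates include/require separately
render_page($_GET['page'] ?? 'home');
```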


PostPosted: Fri Aug 29, 2008 8:46 pm 
Senior Newbie

Joined: Thu Aug 21, 2008 11:41 am
Posts: 8
Did some more research and found out about mod_security and mod_suphp, so I guess I'll be giving those a try for some extra security.


PostPosted: Fri Sep 12, 2008 3:27 am 
Senior Member

Joined: Fri Sep 12, 2008 3:17 am
Posts: 166
Website: http://independentchaos.com
Out of curiosity, did you ever manage to get mod_sec installed? If so, how is it?


PostPosted: Fri Sep 12, 2008 1:01 pm 
Senior Newbie

Joined: Wed Sep 10, 2008 1:58 pm
Posts: 16
I answered my own question (:->) I had forgotten to set up a domain zone for the second domain name in DNS manager!

Do I have to wait for a bit before this takes effect, or do I have to reboot the linode?


PostPosted: Thu Oct 02, 2008 11:02 am 
Senior Member

Joined: Thu Oct 02, 2008 8:56 am
Posts: 99
For php - I recommend using suhosin

http://www.hardened-php.net/suhosin/

It has a loadable module and a patch to php for what can not be done via loadable module.

It does break some software, however, in my experience - the software it breaks is typically doing things the wrong (insecure) way, and it breaks because suhosin is doing exactly what it should do.

