在CentOS系统上设置Apache2的安全配置,可以遵循以下步骤:
sudo setenforce 0
sudo nano /etc/selinux/config
# 将SELINUX=enforcing改为SELINUX=disabled,然后保存退出
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo yum install httpd mod_ssl
/etc/httpd/conf/httpd.conf 文件,设置用户和用户组为 webuser:User webuser
Group webuser
/etc/systemd/system/multi-user.target.wants/httpd.service 文件,限制Apache使用的内存:memory_limit_in_bytes=500*1024*1024
sudo systemctl daemon-reload
sudo systemctl restart httpd
sudo openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/apache-selfsigned.key -out /etc/pki/tls/certs/apache-selfsigned.crt
/etc/httpd/conf.d/ssl.conf 中添加或修改以下内容:<VirtualHost *:443>
ServerName www.example.com
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/pki/tls/private/apache-selfsigned.key
SSLCertificateChainFile /etc/pki/tls/certs/ca-bundle.crt
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
.htaccess 文件,添加以下内容:RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L]
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
sudo firewall-cmd --reload
sudo systemctl enable firewalld
sudo systemctl start firewalld
在 /etc/httpd/conf/httpd.conf 中添加或修改以下行:
ServerTokens Prod
ServerSignature Off
使用 htpasswd 命令创建认证口令文件:
sudo htpasswd -cm /etc/httpd/conf/passwd users
然后在 httpd.conf 中配置认证:
<Directory "/var/www/html">
AuthName "Restricted Access"
AuthType Basic
AuthUserFile /etc/httpd/conf/passwd
Require valid-user
</Directory>
完成所有配置后,重启Apache服务以应用更改:
sudo systemctl restart httpd
以上步骤可以帮助你增强CentOS上Apache2服务器的安全性。请根据实际需求调整配置,并定期更新和检查安全设置。
