This all-purpose guide for locking down Apache arms readers with all the information they need to securely deploy applications. Administrators and programmers alike will benefit from a concise introduction to the theory of securing Apache, plus a wealth of practical advice and real-life examples. Topics covered include installation, server sharing, logging and monitoring, web applications, PHP and SSL/TLS, and more.
“The single best Apache security book in print”
Richard Bejtlich, author of The Tao of Network Security Monitoring: Beyond Intrusion Detection and Extrusion Detection: Security Monitoring for Internal Intrusions“Everyone running Apache needs this book”
Rich Bowen, author of Apache Administrator's Handbook and coauthor of Apache Cookbook
Preface to Digital Reprint
Preface
1. Apache Security Principles
Security Definitions
Architecture Blueprints
2. Installation and Configuration
Installation
Configuration and Hardening
Changing Web Server Identity
Putting Apache in Jail
3. PHP
Installation
Configuration
Advanced PHP Hardening
4. SSL and TLS
Cryptography
SSL
OpenSSL
Apache and SSL
Setting Up a Certificate Authority
Performance Considerations
5. Denial of Service Attacks
Network Attacks
Self-Inflicted Attacks
Traffic Spikes
Attacks on Apache
Local Attacks
Traffic-Shaping Modules
DoS Defense Strategy
6. Sharing Servers
Sharing Problems
Distributing Configuration Data
Securing Dynamic Requests
Mass Hosting
7. Access Control
Overview
Authentication Methods
Access Control in Apache
Single Sign-on
8. Logging and Monitoring
Apache Logging Facilities
Log Manipulation
Remote Logging
Logging Strategies
Log Analysis
Monitoring
9. Infrastructure
Application Isolation Strategies
Host Security
Network Security
Using a Reverse Proxy
Network Design
10. Web Application Security
Session Management Attacks
Attacks on Clients
Application Logic Flaws
Information Disclosure
File Disclosure
Injection Flaws
Buffer Overflows
Evasion Techniques
Web Application Security Resources
11. Web Security Assessment
Black-Box Testing
White-Box Testing
Gray-Box Testing
12. Web Intrusion Detection
Evolution of Web Intrusion Detection
Using mod_security
Appendix A: Tools
Learning Environments
Information-Gathering Tools
Network-Level Tools
Web Security Scanners
Web Application Security Tools
HTTP Programming Libraries
Index
About Ivan Ristić
Ivan Ristić is a security researcher, engineer, and author, known especially for his contributions to the web application firewall field and development of ModSecurity, an open source web application firewall, and for his SSL/TLS and PKI research, tools and guides published on the SSL Labs web site.
He is the author of three books—Apache Security, ModSecurity Handbook, and Bulletproof SSL and TLS—which he publishes via Feisty Duck, his own platform for continuous writing and publishing. You'll often find him speaking at computer security conferences such as Black Hat, RSA, OWASP AppSec, and others. His latest project, Hardenize, is a security posture analysis service that makes security fun again.