Sam Stelfox

Thoughts from a software engineer, systems hacker and Linux gubernāre.

HTTPd

Apache or httpd is a strong and well tested webserver.

Installation

To install the Apache web server for this hardening guide on fedora run the following command as root:

[[email protected]] ~# yum install httpd mod_evasive mod_gnutls mod_security \
  mod_selinux -y

A few modules I need to look into (TODO):

Security Notes

Apache starts up using root privileges initially. Dropping the privileges is highly recommended as soon as possible (which it does if alternative credentials are supplied in it's configuration).

Additionally, the Apache web server can be used to remotely execute dynamic code if a vulnerability is found with the privileges the process is running as. This could be very dangerous... The languages allowed to be executed should be chosen wisely and hardened appropriately.

User credentials can be passed through the web server so it is strongly recommended that SSL certificates be used. If SSL certificates are available there are very few reasons not to use SSL everywhere.

The only exception I have been able to come up with is for an application that is extremely latency sensitive, contains no sensitive data, and have the data verified in a different way (through data signatures like HMAC or GPG). The latter is not necessarily required.

Firewall Adjustments

By default Apache only runs on port 80 using TCP, if SSL is enabled it will also use port 443 over SSL. Additional ports can be configured by the admin.

-A SERVICES -m tcp -p tcp --dport 80 -j ACCEPT
-A SERVICES -m tcp -p tcp --dport 443 -j ACCEPT

This service is very sensitive to the flood attack rules. It is recommended these be adjusted to allow twice the maximum number of connections expected during a time frame or alternatively to allow traffic on these two ports too bypass the anti-flood rules.

Performance Notes

If you use mod_security you should note that in my testing each Apache thread increases it's resident memory size by ~27Mb using the stock configuration. For servers that need to handle a high volume of requests this may not be acceptable. If using mod_security you DEFINITELY need to adjust the ServerLimit and MaxClients (they are aliases of each other so should always be the same).

Tuning ServerLimit/MaxClients with the worker MPM

An example of this is provided below:

[[email protected] ~]# /etc/init.d/httpd start
Starting httpd:                                            [  OK  ]
[[email protected] ~]# ps aux -u apache | grep httpd
root      2238  0.7  0.4 177132  9312 ?        Ss   10:45   0:00 /usr/sbin/httpd
apache    2240  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2241  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2242  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2243  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2244  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2245  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2246  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
apache    2247  0.0  0.2 177132  5124 ?        S    10:45   0:00 /usr/sbin/httpd
root      2249  0.0  0.0 103376   832 pts/0    S+   10:45   0:00 grep --color=auto httpd
[[email protected] ~]# PARENTMEMORY=$((9312/1024))
[[email protected] ~]# CHILDMEMORY=$((5124/1024))
[[email protected] ~]# APACHERAM=1024
[[email protected] ~]# echo $(($(($APACHERAM-$PARENTMEMORY))/$CHILDMEMORY))
203

The parent process will have a running user of 'root', all of the children processes will have 'apache'. In the above example the parent process is using 9312Kb of memory or ~9Mb, the child process is using 5124Kb or ~5Mb, and we're allowing Apache to use up to 1Gb of memory (1024Mb). With that knowledge we can see that we should set ServerLimit and MaxClients to "203" each.

Configuration

/etc/httpd/conf/httpd.conf

This is the main configuration file. This differs quite a bit from the configuration files that come with most distributions, most notably most of the modules are disabled and sections of the config are only applicable if certain modules are loaded. This preserves compatibility with any functionality I may need in the future while removing the bloat of the modules.

To use this configuration you'll need to create the directory /var/www/html/default. Any additional domains should be created in /var/www/html with their domain name as the folder name.

### Section 1: Global Environment

ServerTokens Prod
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5

<IfModule prefork.c>
  StartServers    8
  MinSpareServers   5
  MaxSpareServers   20
  ServerLimit   256
  MaxClients    256
  MaxRequestsPerChild 5000
</IfModule>

# This isn't used by default in Fedora but can be by adjusting
# /etc/sysconfig/httpd
<IfModule worker.c>
  StartServers    4
  MaxClients    300
  MinSpareThreads   25
  MaxSpareThreads   75
  ThreadsPerChild   25
  MaxRequestsPerChild 0
</IfModule>

Listen 80

# Use to restrict by IP Address/Range
LoadModule authz_host_module modules/mod_authz_host.so

# Logging Modules
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so

# Allow sending and detecting of mime types
LoadModule mime_module modules/mod_mime.so

# Header magic and compression
LoadModule headers_module modules/mod_headers.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so

# Provides DirectoryIndex directive
LoadModule dir_module modules/mod_dir.so

# Disable if you don't need directory indexes
LoadModule autoindex_module modules/mod_autoindex.so

# Used by most MVC stuff
LoadModule rewrite_module modules/mod_rewrite.so

#LoadModule env_module modules/mod_env.so
#LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authn_alias_module modules/mod_authn_alias.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
#LoadModule authn_default_module modules/mod_authn_default.so
#LoadModule authz_user_module modules/mod_authz_user.so
#LoadModule authz_owner_module modules/mod_authz_owner.so
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
#LoadModule authz_default_module modules/mod_authz_default.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule alias_module modules/mod_alias.so
#LoadModule cache_module modules/mod_cache.so
#LoadModule disk_cache_module modules/mod_disk_cache.so
#LoadModule ext_filter_module modules/mod_ext_filter.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule actions_module modules/mod_actions.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule suexec_module modules/mod_suexec.so
#LoadModule cgi_module modules/mod_cgi.so
#LoadModule ldap_module modules/mod_ldap.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule userdir_module modules/mod_userdir.so
#LoadModule status_module modules/mod_status.so
#LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
#LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
#LoadModule asis_module modules/mod_asis.so
#LoadModule unique_id_module modules/mod_unique_id.so

Include conf.d/*.conf

<IfModule status_module>
  ExtendedStatus Off
</IfModule>

User apache
Group apache

### Section 2: 'Main' server configuration

ServerAdmin [email protected]
UseCanonicalName Off
DocumentRoot "/var/www/html/default"

<Directory />
  Options FollowSymLinks
  AllowOverride None

  Order Deny,Allow
  Deny from all
</Directory>

<Directory "/var/www/html">
  # Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
  Options Indexes SymLinksifOwnerMatch

  AllowOverride FileInfo AuthConfig Limit

  Order allow,deny
  Allow from all
</Directory>

<IfModule mod_userdir.c>
  # This module won't get loaded unless we want to use it so we should
  # make sure that it's properly configured
  UserDir disabled root
  UserDir public_html

  <Directory /home/*/public_html>
    AllowOverride AuthConfig Limit
    Options Indexes SymLinksIfOwnerMatch
    <Limit GET POST>
      Order allow,deny
      Allow from all
    </Limit>
    <LimitExcept GET POST>
      Order deny,allow
      Deny from all
    </LimitExcept>
  </Directory>
</IfModule>

DirectoryIndex index.html

AccessFileName .htaccess
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
</Files>

TypesConfig /etc/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
  MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

# Disable these if we need to serve files from NFS
EnableMMAP On
EnableSendfile On

ErrorLog logs/error_log
LogLevel warn

LogFormat "%v %h %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{forensic-id}n\" %I %O %T" combined
LogFormat "%v %h %t \"%r\" %>s %b" common
LogFormat "%v %{Referer}i -> %U" referer
LogFormat "%v %{User-agent}i" agent

CustomLog logs/access_log combined
ForensicLog logs/forensic_log

ServerSignature Off

<IfModule mod_dav_fs.c>
  DAVLockDB /var/lib/dav/lockdb
</IfModule>

<IfModule autoindex_module>
  Alias /icons/ "/var/www/icons/"
  <Directory "/var/www/icons">
    Options SymLinksIfOwnerMatch
    AllowOverride None

    Order allow,deny
    Allow from all
  </Directory>

  IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable Charset=UTF-8

  AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

  AddIconByType (TXT,/icons/text.gif) text/*
  AddIconByType (IMG,/icons/image2.gif) image/*
  AddIconByType (SND,/icons/sound2.gif) audio/*
  AddIconByType (VID,/icons/movie.gif) video/*

  AddIcon /icons/binary.gif .bin .exe
  AddIcon /icons/binhex.gif .hqx
  AddIcon /icons/tar.gif .tar
  AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
  AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
  AddIcon /icons/a.gif .ps .ai .eps
  AddIcon /icons/layout.gif .html .shtml .htm .pdf
  AddIcon /icons/text.gif .txt
  AddIcon /icons/c.gif .c
  AddIcon /icons/p.gif .pl .py
  AddIcon /icons/f.gif .for
  AddIcon /icons/dvi.gif .dvi
  AddIcon /icons/uuencoded.gif .uu
  AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
  AddIcon /icons/tex.gif .tex
  AddIcon /icons/bomb.gif core

  AddIcon /icons/back.gif ..
  AddIcon /icons/hand.right.gif README
  AddIcon /icons/folder.gif ^^DIRECTORY^^
  AddIcon /icons/blank.gif ^^BLANKICON^^

  DefaultIcon /icons/unknown.gif

  AddDescription "GZIP compressed document" .gz
  AddDescription "tar archive" .tar
  AddDescription "GZIP compressed tar archive" .tgz
  AddDescription "BZIP2 compressed tar archive" .tar.bz2

  ReadmeName README.html
  HeaderName HEADER.html

  IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
</IfModule>

AddDefaultCharset UTF-8

# Compressed
AddType application/x-tar      .tgz
AddType application/x-compress .Z
AddType application/x-gzip     .gz .tgz

# Certificates
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# Audio
AddType audio/ogg     oga ogg

# Video
AddType video/ogg     ogv
AddType video/mp4     mp4
AddType video/webm    webm

# SVG
AddType image/svg+xmlsvg svgz
AddEncoding gzip         svgz

# Web Fonts
AddType application/vnd.ms-fontobject eot
AddType font/truetype                 ttf
AddType font/opentype                 otf
AddType application/x-font-woff       woff

# Assorted
AddType image/x-icon                   ico
AddType image/webp                     webp
AddType text/cache-manifest            appcache manifest
AddType text/x-component               htc
AddType application/x-chrome-extension crx
AddType application/x-xpinstall        xpi
AddType application/octet-stream       safariextz

# Add a bunch of compression directives
<IfModule mod_deflate.c>
  # 0 - 9 CPU/Bandwidth tradeoff
  DeflateCompressionLevel 7

  <IfModule mod_setenvif.c>
    <IfModule mod_headers.c>
      SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s,?\s(gzip|deflate)?|X{4,13}|~{4,13}|-{4,13})$ HAVE_Accept-Encoding
      RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
  </IfModule>

  # html, txt, css, js, json, xml, etc:
  <IfModule filter_module>
    FilterDeclare COMPRESS
    FilterProvider  COMPRESS DEFLATE resp=Content-Type /text/(html|css|javascript|plain|x(ml|-component))/
    FilterProvider  COMPRESS DEFLATE resp=Content-Type /application/(javascript|json|xml|x-javascript)/
    FilterChain COMPRESS
    FilterProtocol  COMPRESS change=yes;byteranges=no
  </IfModule>

  # webfonts and svg:
  <FilesMatch "\.(ttf|otf|eot|svg)$" >
    SetOutputFilter DEFLATE
  </FilesMatch>
</IfModule>

<IfModule mod_include>
  AddType text/html .shtml
  AddOutputFilter INCLUDES .shtml
</IfModule>

#ErrorDocument 500 "The server just diagnosed itself with schizophrenia."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html

<IfModule mod_setenvif>
  BrowserMatch "Mozilla/2" nokeepalive
  BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
  BrowserMatch "RealPlayer 4\.0" force-response-1.0
  BrowserMatch "Java/1\.0" force-response-1.0
  BrowserMatch "JDK/1\.0" force-response-1.0

  BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
  BrowserMatch "MS FrontPage" redirect-carefully
  BrowserMatch "^WebDrive" redirect-carefully
  BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
  BrowserMatch "^gnome-vfs/1.0" redirect-carefully
  BrowserMatch "^XML Spy" redirect-carefully
  BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

<IfModule status_module>
  <Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 10.13.37.
        </Location>
</IfModule>

<IfModule info_module>
  <Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 10.13.37.
  </Location>
</IfModule>

<IfModule mod_proxy>
  ProxyRequests On
  ProxyVia Block

  <Proxy *>
    Order deny,allow
    Deny from all
    Allow from 10.13.37.
  </Proxy>
  <IfModule mod_disk_cache.c>
    CacheEnable disk /
    CacheRoot "/var/cache/mod_proxy"
  </IfModule>
</IfModule>

/etc/httpd/conf.d/php.conf

This file is being included here as it will be needed most places that I run Apache. Please refer to the PHP section below for more information.

<IfModule prefork.c>
  LoadModule php5_module modules/libphp5.so
</IfModule>
<IfModule worker.c>
  LoadModule php5_module modules/libphp5-zts.so
</IfModule>

AddHandler php5-script .php
AddType text/html .php
AddType application/x-httpd-php-source .phps

DirectoryIndex index.php

/etc/httpd/conf.d/mod_evasive.conf

mod_evasive is a crafty little module designed to limit the impact of DoS and DDoS attacks. This won't stop them but it will help defend against them. It will also send notices to an admin if desired (it's an optional feature which can be disabled).

The one potential problem I can see cropping up is with AJAX requests. Those can come in fast and hard, and they are intentional and necessary, if that becomes a problem (you'll get a 403 response when you trip and it will last for DOSBlockingPeriod seconds) then play with the DOSPageCount setting and the DOSSiteCount setting. Alternatively you can just program your AJAX clients to understand what happened and to react accordingly.

LoadModule evasive20_module modules/mod_evasive20.so

<IfModule mod_evasive20.c>
  DOSHashTableSize  3097
  DOSPageCount    2
  DOSSiteCount    50
  DOSPageInterval   1
  DOSSiteInterval   1
  DOSBlockingPeriod 10
  #DOSEmailNotify   [email protected]
  DOSLogDir   "/var/lock/mod_evasive"
  #DOSWhitelist   192.168.0.*
</IfModule>

/etc/httpd/conf.d/mod_gnutls.conf

The GnuTLS module provides SSL encryption for web requests. It's quite a bit more flexible than mod_ssl though it hasn't been audited as thoroughly. It is also considered an 'experimental' module for apache even though it's been in the wild for two years.

LoadModule gnutls_module modules/mod_gnutls.so

GnuTLSCache dbm "/var/cache/mod_gnutls"
GnuTLSCacheTimeout 300

Listen 443

/etc/httpd/conf.d/mod_security.conf

WARNING: While this is a good module to have loaded it sextuples the amount of memory used by child processes. You will need to tune the server's performance settings accordingly. This may have a huge impact on high-traffic sites.

With that out of the way this is a very good application firewall to have as part of the defense-in-depth doctrine, though it's configuration can be a burden. The mod_security module gives your Apache Web server increased ability to inspect and process input from Web clients before it's acted on by the scripts or processes waiting for the input.

The mod_security module even lets you inspect Web server output before it's transmitted back to clients. I love this feature: it allows you to watch out for server responses that might indicate that other filters have failed and an attack has succeeded!

With that said this isn't the file you should actually be looking at. Yes this is where everything will get loaded but the stock Fedora mod_security for the most parts loads up mod_security rules in other places including the Core ModSecurity Rule Set which will get updated with the rest of your server.

The variables that you'll want to play around with are located in /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf and if you want to write your own rules in /etc/httpd/modsecurity.d/modsecurity_localrules.conf.

Some changes I'd recommend in /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf:

After keeping an eye on the logs for a few weeks and ensuring that there aren't any false positives, you should change the line SecDefaultAction "phase:2,pass to SecDefaultAction "phase:2,deny,log,status:403".

/etc/httpd/conf.d/mod_selinux.conf

The mod_selinux module allows us to extend SELinux contexts into individual web applications or virtual hosts without impacting the memory usage of individual child processes (The parent process seems to use about 100Kb of memory more but this is negligible).

Since I don't use the built in apache authentication I'm limited to restrictions based on virtual hosts, which is still a rather large gain of security.

You can additionally adjust contexts based on the IP the user is connecting from.

LoadModule selinux_module modules/mod_selinux.so

selinuxServerDomain *:s0
selinuxDomainEnv  SELINUX_DOMAIN

If you enable the environment module (env_module) in apache the domain may be available for use within the application (it would be SELINUX_DOMAIN). This hasn't been tested. With PHP you may need to add the E to the string variable_order, and adjust auto_globals_jit in the php.ini file.

Changing contexts with the stock SELinux rules is denied! You will need to create a SELinux policy to allow it.

Virtual Host Contexts

To make use of this feature you need to define contexts within each of the virtual host configuration directives after enabling mod_selinux by adding the following line:

selinuxDomainVal    *:s0:c1

The trailing domain should be different for virtual host (the next one would be c2).

IP Based Contexts

You can set contexts based on the IP address being connected from by adding the following line within a Directory definition:

SetEnvIf Remote_Addr "10.13.37.(25[0-5]|2[0-4][0-9]|[1-9]?[0-9])$" SELINUX_DOMAIN=*:s0:c1

/etc/httpd/conf.d/virtual_hosts.conf

This does not exist upon the default installation and will need to be created. No certificates are automatically generated when you install the GnuTLS module, if you need them you will need to generate them yourself.

NameVirtualHost *:80

<IfModule gnutls_module>
  NameVirtualHost *:443

  # Redirect all unencrypted connections which haven't been defined to the secure ones
  <VirtualHost _default_:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
  </VirtualHost>
</IfModule>

<VirtualHost _default_:443>
  GnuTLSEnable On
  GnuTLSPriorities SECURE
  GnuTLSCertificateFile /etc/pki/tls/certs/localhost.crt
  GnuTLSKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

<VirtualHost *:443>
  ServerName something.example.org
  GnuTLSEnable On
  GnuTLSPriorities SECURE
  GnuTLSCertificateFile /etc/pki/tls/certs/something.example.org.crt
  GnuTLSKeyFile /etc/pki/tls/private/something.example.org.key
  DocumentRoot "/var/www/html/something.example.org"
</VirtualHost>

/etc/httpd/conf.d/welcome.conf

Delete this file, it has no use and should be removed.

Virtual Hosts

Please note that name based virtual hosts are not supported on SSL connections when using mod_ssl. They work quite well with mod_gnutls and browsers that support SNI (Server Name Indication, as described in section 3.1 of RFC3546). Compatibility with older browsers may be impacted.

Name Based

Name based virtual hosts allow you to re-use an IP to host multiple websites. This is only officially supported for unencrypted connections, however by using the GnuTLS module you can easily set this up with SSL based hosts as well. An example of how to use this can be seen in the virtual_hosts.conf file on this page.

IP Based

I don't really use these so I'm not including documentation, this section is mostly so other people referencing this documentation can be aware that they can have different virtual hosts bound to specific IP addresses rather than hostnames.

PHP

[[email protected]] ~# yum install php php-suhosin

Additional PHP packages that may be needed and that I've found very useful:

/etc/php.ini

The following is for production use, display_errors, display_startup_errors, mysql.trace_mode may be useful in development.

[PHP]
short_open_tag = Off
asp_tags = Off
precision = 14
y2k_compliance = On
output_buffering = 4096
zlib.output_compression = Off
implicit_flush = Off
serialize_precision = 100
allow_call_time_pass_reference = Off
safe_mode = Off
open_basedir /var/www/html:/tmp
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, escapeshellarg, escapeshellcmd, pcntl_exec, phpinfo
expose_php = Off
max_execution_time = 30
max_input_time = 60
memory_limit = 128M
error_reporting = E_ALL | E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
ignore_repeated_source = Off
report_memleaks = On
track_errors = Off
variables_order = "GPCS"
request_order = "GP"
register_globals = Off
register_long_arrays = Off
register_argc_argv = Off
auto_globals_jit = On
post_max_size = 8M
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off
default_mimetype = "text/html"
enable_dl = Off
file_uploads = On
upload_max_filesize = 2M
allow_url_fopen = Off
allow_url_include = Off
default_socket_timeout = 15

[Date]
date.timezone = America/Montreal

[Syslog]
define_syslog_variables  = Off

[mail function]
sendmail_path = /usr/sbin/sendmail -t -i
mail.add_x_header = Off

[SQL]
sql.safe_mode = Off

[ODBC]
odbc.allow_persistent = On
odbc.check_persistent = On
odbc.max_persistent = -1
odbc.max_links = -1
odbc.defaultlrl = 4096
odbc.defaultbinmode = 1

[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.default_port = 3306
mysql.connect_timeout = 15
mysql.trace_mode = Off

[MySQLi]
mysqli.max_links = -1
mysqli.default_port = 3306
mysqli.reconnect = Off

[PostgresSQL]
pgsql.allow_persistent = On
pgsql.auto_reset_persistent = Off
pgsql.max_persistent = -1
pgsql.max_links = -1
pgsql.ignore_notice = 0
pgsql.log_notice = 0

[Sybase-CT]
sybct.allow_persistent = On
sybct.max_persistent = -1
sybct.max_links = -1
sybct.min_server_severity = 10
sybct.min_client_severity = 10

[bcmath]
bcmath.scale = 0

[Session]
session.save_handler = files
session.save_path = "/var/lib/php/session"
session.use_cookies = 1
session.use_only_cookies = 1
session.name = UNCID
session.auto_start = 0
session.cookie_lifetime = 21600
session.cookie_path = /
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.entropy_length = 16
session.entropy_file = /dev/urandom
session.cache_limiter = nocache
session.cache_expire = 180
session.use_trans_sid = 0
session.hash_function = 1
session.hash_bits_per_character = 5

[MSSQL]
mssql.allow_persistent = On
mssql.max_persistent = -1
mssql.max_links = -1
mssql.min_error_severity = 10
mssql.min_message_severity = 10
mssql.compatability_mode = Off
mssql.connect_timeout = 5
mssql.timeout = 15
mssql.textlimit = 4096
mssql.textsize = 4096
mssql.batchsize = 0
mssql.datetimeconvert = On
; This may need to be adjusted
mssql.secure_connection = Off
mssql.max_procs = -1

[Assertion]
assert.active = On
assert.warning = On
assert.bail = Off
assert.callback = 0

[Tidy]
tidy.clean_output = Off

[soap]
soap.wsdl_cache_enabled=1
soap.wsdl_cache_dir="/tmp"
soap.wsdl_cache_ttl=86400

/etc/php.d/suhosin.ini

This is the config file for the suhosin extension. If an application isn't working check the logs generated by suhosin to see if it is the issue.

extension = suhosin.so

[suhosin]
suhosin.log.syslog.facility = LOG_LOCAL2
suhosin.executor.max_depth = 15
suhosin.executor.include.max_traversal = 2
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On
suhosin.mail.protect = 2
suhosin.session.cryptraddr = 2
suhosin.cookie.cryptraddr = 2
; This is not an official response, just funny :D
suhosin.filter.action = 418
suhosin.upload.disallow_elf = On

Basic Authentication

Sometimes it's just needed to prevent access to something for a little while, HTTP basic authentication can help! If you're using the hardened configuration above you'll need to enable a few modules to actually use it and make sure that a .htaccess file has permission to override AuthConfig. Add the following lines if they aren't already there in the section where you load modules:

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_user_module modules/mod_authz_user.so

Additionally if you want to use group based authentication add:

LoadModule authz_groupfile_module modules/mod_authz_groupfile.so

First create a user to use for the login:

htpasswd -c .htpasswd demouser

Additional users can be added by omitting the -c.

Create or append the following to a .htaccess file in the directory you want to protect:

AuthType Basic
AuthName "Some Name Describing the site"
AuthUserFile /path/to/.htpasswd
Require valid-user

That's it you'll have HTTP Basic authentication. If you want to use a group file you'll need to change the setting in the .htaccess file to match:

AuthType Basic
AuthName "Some Name Describing the site"
AuthUserFile /path/to/.htpasswd
AuthGroupFile /path/to/.htgroups
Require group demogroup

And create a group file .htgroups with the following:

demogroup: demouser someotheruser

Kerberos Authentication

http://www.grolmsnet.de/kerbtut/

Passenger

Before going through this you need to ensure that the tools for compiling ruby are installed on the system these are listed in Ruby.

Ensure that ruby is installed on the system as well as the development headers needed to compile the passenger module, this is all done as root:

yum install ruby curl-devel ruby-devel httpd-devel apr-devel apr-util-devel -y
gem install passenger
passenger-install-apache2-module

I wasn't able to get this working at the current time as there is a bug in passenger 3.0.12 that prevents it from being compiled with GCC 4.6.