3 private links
OWASP recommendations as a module (Apache / Nginx)
https://coreruleset.org/installation/
Hardened Nginx
https://github.com/bunkerity/bunkerized-nginx
(via Korben)
Serve all requests via proxy except a specific one
ProxyPass /lib !
ProxyPass / http://127.0.0.1:5012/
ProxyPassReverse / http://127.0.0.1:5012/
Test whether a user is unable to open a shell or log in
Small command to check whether a user has access to a directory.
sudo -u www-data ls /home/user
Guide and .htaccess snippets (via https://shaar.libox.fr/?jlyXOQ)
URL protection for Apache
<Location /admin>
AuthUserFile /var/www/htpasswd/.htpasswd
AuthName "Password Protected Area"
AuthType Basic
Require valid-user
</Location>
Now create the htpasswd file with the command below and add a user:
htpasswd -cm /var/www/htpasswd/.htpasswd myuser
Analysing Apache logs from the command line:
Top 50 URLs:
awk -F'[ "]+' '{ urls[$7]++ } END { for (i in urls) {printf "%15s - %d\n", i, urls[i] } }' file_log | sort -nk 3 | tail -n 50
Top 50 IPs:
awk -F'[ "]+' '{ ipcount[$1]++ } END { for (i in ipcount) {printf "%15s - %d\n", i, ipcount[i] } }' file_log | sort -nk 3 | tail -n 50
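The two awk one-liners above work on any log written in the combined or common format because, split on runs of spaces and quotes, field 1 is always the client IP and field 7 the request path. As an added example (not from the original page), the script below wraps them in functions and extends the same split to the `%D` field (request time in microseconds) that the custom "common" format further down appends as field 11, so the same one-pass technique answers "which URLs cost the most server time" and "which IPs collect the most 401s". The log lines are constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample log in the format  %h %l %u %t "%r" %>s %b %D
# (common format with request time in microseconds appended as the last field).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [05/Feb/2023:22:52:01 +0100] "GET /index.html HTTP/1.1" 200 1043 1200
203.0.113.10 - - [05/Feb/2023:22:52:02 +0100] "GET /admin HTTP/1.1" 401 381 800
198.51.100.7 - - [05/Feb/2023:22:52:03 +0100] "GET /index.html HTTP/1.1" 200 1043 1100
198.51.100.7 - - [05/Feb/2023:22:52:04 +0100] "POST /login HTTP/1.1" 302 0 250000
192.0.2.55 - - [05/Feb/2023:22:52:05 +0100] "GET /admin HTTP/1.1" 401 381 900
192.0.2.55 - - [05/Feb/2023:22:52:06 +0100] "GET /admin HTTP/1.1" 401 381 950
192.0.2.55 - - [05/Feb/2023:22:52:07 +0100] "GET /admin HTTP/1.1" 401 381 870
EOF

# Field numbers after splitting on runs of spaces/quotes (-F'[ "]+'):
#   $1 client IP, $6 method, $7 path, $9 status, $10 bytes, $11 %D (microseconds)

# top_urls LOG N : the N most requested paths, most frequent last
top_urls() {
  awk -F'[ "]+' '{ urls[$7]++ } END { for (i in urls) printf "%15s - %d\n", i, urls[i] }' "$1" \
    | sort -nk 3 | tail -n "$2"
}

# top_ips LOG N : the N busiest client IPs, busiest last
top_ips() {
  awk -F'[ "]+' '{ ips[$1]++ } END { for (i in ips) printf "%15s - %d\n", i, ips[i] }' "$1" \
    | sort -nk 3 | tail -n "$2"
}

# slowest_urls LOG N : paths ranked by total %D, i.e. where the server spends its time
slowest_urls() {
  awk -F'[ "]+' '{ t[$7] += $11 } END { for (i in t) printf "%15s - %d\n", i, t[i] }' "$1" \
    | sort -nk 3 | tail -n "$2"
}

# ips_by_status LOG STATUS N : IPs producing the most responses with a given status
# (e.g. 401 on a protected /admin, a cheap way to spot credential guessing)
ips_by_status() {
  awk -F'[ "]+' -v s="$2" '$9 == s { c[$1]++ } END { for (i in c) printf "%15s - %d\n", i, c[i] }' "$1" \
    | sort -nk 3 | tail -n "$3"
}

# first_field: helper for the checks below, prints only the name column of the top line
first_field() { awk '{ print $1 }'; }

echo "--- top URLs ---";      top_urls "$SAMPLE_LOG" 3
echo "--- top IPs ---";       top_ips "$SAMPLE_LOG" 3
echo "--- slowest URLs ---";  slowest_urls "$SAMPLE_LOG" 3
echo "--- 401 by IP ---";     ips_by_status "$SAMPLE_LOG" 401 3
```

Replace `$SAMPLE_LOG` with the real access log; for a combined-format log the referer and user agent sit after field 10 and `$11` is no longer the request time, so `slowest_urls` only applies when `%D` is the last field, as in the custom format on this page.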
Apache hardening: limit incoming data (header size, request size, ...).
Beware of the header size limit: with encrypted cookies you quickly exceed 4000 characters.
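As an added example (not from the original page), the fragment below shows the four request-limit directives in the main server configuration, with the over-tight header limit the note above warns about commented out next to a value that keeps encrypted session cookies working. The `/uploads` path and the byte values are assumptions chosen for illustration; the directive names and their defaults are Apache's own.

```apache
# Request limits for the whole server (httpd.conf / apache2.conf).
# Defaults: LimitRequestLine 8190, LimitRequestFieldSize 8190,
# LimitRequestFields 100, LimitRequestBody unlimited (1 GiB since 2.4.53).

# Too tight: a 4000-byte header limit rejects requests carrying an encrypted
# session cookie, so users get 400 Bad Request instead of their session.
# LimitRequestFieldSize 4000

# Keep single header and request-line size at the default, but cut the number
# of headers a client may send.
LimitRequestLine 8190
LimitRequestFieldSize 8190
LimitRequestFields 50

# Small body cap everywhere (1 MiB) ...
LimitRequestBody 1048576

# ... raised only where uploads are expected (assumed path, 10 MiB).
<Location /uploads>
    LimitRequestBody 10485760
</Location>

# Bound how long a client may take to deliver headers and body (mod_reqtimeout):
# up to 20 s for headers, extended to 40 s while data keeps arriving at 500 B/s.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
```

After editing, run `apachectl configtest` before reloading, and watch the error log for `request header field is too large` or `Request body exceeds` messages: they tell you which limit legitimate traffic is hitting.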
Apache module pagespeed
apache permissions
apache user, group and directories
If only one user is responsible for maintaining the site, set them as the user owner on the website directory and give the user full rwx permissions. Apache still needs access so that it can serve the files, so set www-data as the group owner and give the group r-x permissions.
chown -R eve contoso.com
chgrp -R www-data contoso.com
chmod -R 750 contoso.com
chmod g+s contoso.com
ls -l
drwxr-s--- 2 eve www-data 4096 Feb 5 22:52 contoso.com
If you have folders that need to be writable by Apache, you can just modify the permission values for the group owner so that www-data has write access.
chmod g+w uploads
ls -l
drwxrws--- 2 eve www-data 4096 Feb 5 22:52 uploads
apache custom log format
Example:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b %D" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
apache server-status scoreboard key
_ : Waiting for Connection,
S : Starting up,
R : Reading Request,
W : Sending Reply,
K : Keepalive (read),
D : DNS Lookup,
C : Closing connection,
L : Logging,
G : Gracefully finishing,
I : Idle cleanup of worker,
. : Open slot with no current process
Quick reminder:
a2enmod proxy
a2enmod proxy_http
a2enmod rewrite
In the Apache configuration file:
ProxyPass /redirect http://localhost:9875/
ProxyPassReverse /redirect http://localhost:9875/
apache page speed