
Several Apache-related security vulnerability fixes

2022-06-10 22:21:00 Li_ XiaoJin

Recently a scan of our website flagged several vulnerabilities, most of them caused by the Apache configuration. This post records how they were fixed.

1. HTTP Host header attack on the target URL

The Host header attack is a common finding, and the scan report also provides a fix.

Detailed description of the vulnerability: to obtain the site's domain name conveniently, developers generally rely on the HTTP Host header, for example $_SERVER["HTTP_HOST"] in PHP. This header is not trustworthy, because the client sets it. If the application uses the Host value without validating it (for instance to build absolute links, redirects or password-reset URLs), an attacker-controlled host name ends up in the generated response.

Solution: web applications should use SERVER_NAME instead of the Host header. In Apache and Nginx you can set up a default (catch-all) virtual host that receives every request whose Host header matches no configured site. In Nginx you can also specify a server_name list; in Apache you can specify a ServerName (plus ServerAlias entries) and enable the UseCanonicalName option, after which $_SERVER["SERVER_NAME"] is taken from ServerName rather than from the request.

We run Apache, so adding the corresponding configuration should do. One caveat: UseCanonicalName On only changes how Apache builds self-referential URLs and the SERVER_NAME variable. On its own it does not reject a request carrying an unknown Host header, so a scanner that sends a forged Host still gets a normal page unless a default virtual host catches it.

ServerName www.xxxxxx.com
UseCanonicalName On
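As an added example (not the original post's configuration), this is what the catch-all virtual host recommended above looks like in Apache 2.4 together with the ServerName/UseCanonicalName settings. The hostnames, the document root and the *:80 listener are placeholders; for HTTPS the same pair of blocks is needed on *:443 with a certificate.

```apache
# Added example, not the original post's configuration. Hostnames and paths
# are assumed placeholders: replace www.example.com with your own ServerName.

# 1) The first VirtualHost for an address:port is the default. Apache sends
#    any request whose Host header matches no ServerName/ServerAlias here,
#    so forged or unknown hosts get 403 instead of being served by the site.
<VirtualHost *:80>
    ServerName default.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

# 2) The real site only answers for the names it is allowed to use.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    # Self-referential URLs and SERVER_NAME are built from ServerName above,
    # not from whatever the client put in the Host header.
    UseCanonicalName On
    DocumentRoot "/var/www/html"
</VirtualHost>
```

Check it the way the scanner does, against the server's IP address: `curl -sI -H 'Host: evil.example' http://SERVER_IP/` should return 403 from the default block, while `curl -sI -H 'Host: www.example.com' http://SERVER_IP/` returns the normal page. Run `httpd -t` before reloading, and `httpd -S` afterwards to confirm which virtual host is the default for each port.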

2. HTTP Security Header Not Detected

Here the problem is that some security headers are missing from the responses. The scan report also provides the fix: add the missing headers. They can be added in nginx or in Apache (in Apache the Header directive needs mod_headers, enabled with a2enmod headers on Debian/Ubuntu or the LoadModule headers_module line on other distributions).

For reference: https://www.linux.org/threads/fixing-http-security-header-not-detected.12462/

Apache fix (use always so the headers are also added to 4xx/5xx responses, and set rather than append so an existing value is replaced instead of duplicated as "SAMEORIGIN, SAMEORIGIN", which browsers treat as invalid):

Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

Nginx fix (again with always on every line; note that an add_header inside a location block replaces all add_header lines inherited from the server block, so repeat them where a location defines its own, and only add preload if you intend to submit the domain to the browser preload list, because that is hard to undo):

add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
add_header X-Content-Type-Options nosniff always;

After the change, check with curl -I that the headers appear in the response, including on an error page such as a 404. Two caveats: X-XSS-Protection is obsolete (current browsers ignore it, and OWASP now recommends setting it to 0 or dropping it in favour of a Content-Security-Policy), but scanners still ask for it; and Strict-Transport-Security only has an effect over HTTPS, since browsers ignore it on plain HTTP.
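As an added example, not code from the original post, the following POSIX shell script turns the curl check above into something repeatable: it reads a raw header dump on stdin, reports every expected header that is missing, and also flags a Strict-Transport-Security value whose max-age is shorter than the one configured above. The sample responses are constructed for the demo, not captured from the author's site.

```sh
#!/bin/sh
# Added example, not code from the original post: audit an HTTP response
# header dump for the headers this section adds. Reads raw response headers
# on stdin (the output of `curl -sSI URL`), prints one line per problem, and
# returns 0 only when every required header is present with a sane value.

# Header names the scanner expects, one per line (compared case-insensitively).
REQUIRED_HEADERS="x-frame-options
x-content-type-options
strict-transport-security
x-xss-protection"

# Minimum HSTS max-age we accept (one year, matching the configuration above).
MIN_HSTS_AGE=31536000

audit_headers() {
    # Strip CRs and lowercase everything so names match regardless of case.
    headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    problems=0
    for name in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$name:"; then
            echo "MISSING: $name"
            problems=$((problems + 1))
        fi
    done
    # HSTS that is present but short-lived is a common half fix; flag it too.
    max_age=$(printf '%s\n' "$headers" |
        sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$max_age" ] && [ "$max_age" -lt "$MIN_HSTS_AGE" ]; then
        echo "WEAK: strict-transport-security max-age=$max_age (< $MIN_HSTS_AGE)"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample responses (not captured from the author's site).
SAMPLE_BEFORE='HTTP/1.1 200 OK
Date: Fri, 10 Jun 2022 14:21:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8'

SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

SAMPLE_WEAK_HSTS='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=300'

# Against a live server:  curl -sSI https://www.example.com/ | audit_headers
printf '%s\n' "$SAMPLE_BEFORE" | audit_headers || echo "before: headers incomplete"
printf '%s\n' "$SAMPLE_AFTER" | audit_headers && echo "after: all headers present"
```

Run it against a 404 URL as well as the front page; a missing `always` shows up only on error responses.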

3. Directory Listing

This finding means that some directories on the site, for example the js and css folders, can be browsed directly and list their contents. This is a serious problem, because it exposes file names, backups and anything else left lying in those directories. Fix it as follows:

My first thought was that autoindex had been enabled in Nginx, but the Nginx configuration file showed it was not.

The next guess was the Apache configuration, and a search online confirmed it. The configuration file contained Options Indexes FollowSymLinks; the advice is to change it to Options FollowSymLinks, i.e. remove Indexes. (An Options line without a + or - sign replaces the whole inherited set; if other options such as Includes or ExecCGI are relied on, Options -Indexes removes only the listing.)

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig FileInfo Indexes Limit Options=All,MultiViews
    Require all granted
</Directory>

After changing this in the test environment, visiting a directory returned 403 Forbidden instead of a listing (without Indexes, and with no index file in the directory, Apache refuses the request).

Then I applied for the change in production, and here the problem appeared: after the production machine was changed, the directories could still be listed. Embarrassing.

Looking further through the configuration file, I found that directory access was configured in another place as well.

I have not fully understood the Apache configuration yet, and something was wrong here. Trying it locally confirmed that this second block was the cause, so it also has to be changed to Options FollowSymLinks.

The <Directory> block above is Apache's default configuration in the main server section, and the one below sits inside the <VirtualHost> for the port we serve on. Apache merges <Directory> sections inside a <VirtualHost> after the matching sections of the main server configuration, and an Options line without + or - replaces the inherited set entirely, so the virtual host's own Options line overrode the global fix. The block inside the VirtualHost therefore also has to be modified.

<VirtualHost *:80>
    DocumentRoot F:\workspace_sz\new_svn\dev\var\www\html
    <Directory "F:\workspace_sz\new_svn\dev\var\www\html">
        #Options -Indexes
        #Options All
        Options FollowSymLinks
        AllowOverride All
        #Order allow,deny
        #allow from all
    </Directory>
</VirtualHost>

Because I am not that familiar with this configuration, I record it here; if anything is wrong I would be grateful for corrections. Two things are worth checking afterwards: AllowOverride All lets any .htaccess file under the document root re-enable listings with Options +Indexes, so set it to None unless the application needs .htaccess; and httpd -S prints the virtual hosts Apache actually loaded, with the file and line that define each one, which shows which configuration files are really in play.
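As an added example, not code from the original post, the following POSIX shell helper does the search the author had to do by hand: it walks a configuration tree and lists every Options line that still enables directory listings, including .htaccess files under the document root. The demo tree it builds is constructed for the example and is not the author's configuration.

```sh
#!/bin/sh
# Added example, not code from the original post. The author found Indexes
# enabled in more than one <Directory> block; this helper walks a config tree
# and lists every Options line that still turns directory listings on,
# including .htaccess files under the DocumentRoot, because AllowOverride All
# lets those re-enable listings behind your back. All paths and files below
# are constructed for the demo and are not the author's.

find_indexes_enabled() {
    # $1: directory to scan (the httpd conf directory, or a DocumentRoot).
    # Flags "Indexes", "+Indexes" and "All" (All implies Indexes); "-Indexes"
    # and commented-out lines are not flagged. Directive names are
    # case-insensitive in Apache, so the first word is compared lowercased.
    find "$1" -type f \( -name '*.conf' -o -name '.htaccess' \) -exec awk '
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes" || $i == "All" || $i == "+All") {
                    printf "%s:%d: %s\n", FILENAME, FNR, $0
                    break
                }
        }' {} +
}

make_demo_tree() {
    # Constructed demo tree mirroring the situation in this section:
    # a global <Directory> that still has Indexes, a VirtualHost that was
    # fixed, and a stray .htaccess that re-enables listings for /js.
    demo=$(mktemp -d)
    mkdir -p "$demo/conf.d" "$demo/htdocs/js"
    cat > "$demo/httpd.conf" <<'EOF'
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
EOF
    cat > "$demo/conf.d/site.conf" <<'EOF'
<VirtualHost *:80>
    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        #Options All
        Options -Indexes +FollowSymLinks
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
    printf 'Options +Indexes\n' > "$demo/htdocs/js/.htaccess"
    printf '%s\n' "$demo"
}

# Demo run; against a real server use e.g.: find_indexes_enabled /etc/httpd
tree=$(make_demo_tree)
find_indexes_enabled "$tree"
rm -rf "$tree"
```

On a real server run it over both the configuration directory and the document root; the second run is what catches .htaccess files that a developer left behind.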

4. Apache restart method

httpd -k graceful
httpd -k restart

httpd -k graceful is recommended: it is the graceful restart described below, which finishes in-flight requests instead of aborting them. Run httpd -t first to catch syntax errors, since a restart against a broken configuration is not guaranteed to leave the server running. For the signal descriptions see also: https://www.cnblogs.com/zjzhuwenbo/archive/2013/12/12/3471231.html

1. Stop

    apachectl -k stop

    Sending the TERM or stop signal to the parent process causes it to immediately try to kill all of its child processes. It may take a few seconds for all of them to die; then the parent process itself exits. Any requests in progress are aborted, and no further requests are accepted.

2. Restart

    apachectl -k restart 

    Sending the HUP or restart signal to the parent process causes it to kill its children as with TERM, except that the parent itself does not exit. It re-reads its configuration files and re-opens its log files, then spawns a new set of children to continue serving.

3. Graceful restart

    apachectl -k graceful 

    Sending the USR1 or graceful signal to the parent process causes it to advise the children to exit after completing their current request (or to exit immediately if they are not serving anything). The parent re-reads its configuration files and re-opens its log files. As each child dies off, the parent replaces it with a child running the new configuration, which begins serving new requests immediately.


4. Graceful stop

    apachectl -k graceful-stop

    Sending the WINCH or graceful-stop signal to the parent process causes it to advise the children to exit after completing their current request (or to exit immediately if they are not serving anything). The parent then removes its PidFile and stops listening on all ports. It keeps running and watches the children that are still handling requests; once all children have finished and exited, or once the time set by the GracefulShutdownTimeout directive has elapsed, the parent exits. If the timeout is reached, any remaining children are sent the TERM signal and forced to exit.

Copyright: licensed under the Creative Commons Attribution 4.0 International license. Link: https://lixj.fun/archives/apache Security vulnerability repair


Copyright notice
This article was written by [Li_ XiaoJin]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/161/202206102054351334.html