In the first part of this series, we showed you how to harden your server by configuring your firewall and SSH. In this part, we show you how to secure your web server software.
- server configured like we described in part 1
- web server software (Apache, nginx etc.)
- SSH client on your computer
Step by step guide for a more secure web server
Last time, we configured a general-purpose operating system. You can use this setup to install your own Nextcloud server, OpenVPN server and more. In the following, we use the setup described in part 1 to install an Apache web server (Apache httpd).
In this series, we will use Apache httpd 2.4.25 on Debian 9. You can also use Debian 10 or other operating systems. Keep in mind that some parameters in configuration files or names of files/folders may differ on your operating system.
Step 1: Install Apache and configure Certbot
Web server software processes HTTP and HTTPS requests and sends responses. There are different methods defined in the protocols which we will discuss later. As mentioned before, we use the Apache web server. Nginx is also very common.
Choose the web server you like and install it according to its documentation. On Debian 9, we install Apache:
sudo apt update
sudo apt install apache2
This installs Apache 2.4.25 (on Debian 9) or Apache 2.4.38 (on Debian 10) and several packages needed by Apache. Furthermore, the setup enables several Apache modules by default.
Next, install Certbot, which we use to obtain a Let's Encrypt certificate:
sudo apt install python-certbot-apache
After installing Certbot, we have to configure our firewall “ufw” again. In the first part of this series, we only allowed an IP subnet to connect to port 22 of our server. Common ports for HTTP and HTTPS are port 80 and port 443. Allow all IP addresses to connect to these ports:
sudo ufw allow 80   # HTTP
sudo ufw allow 443  # HTTPS
Now request a certificate for your domain:
sudo certbot --apache -d www.[your-domain-name],[your-domain-name] --rsa-key-size 4096
This request tells Certbot to use the Apache installer and authentication module. Furthermore, we tell Certbot to request a 4096 bit RSA certificate. We have to enter the domain name twice (once with “www.” prepended, and once without “www.”).
Then, you have to enter a valid e-mail address that allows Let's Encrypt to contact you. For instance, they will send you a reminder if your certificate is about to expire. Follow the instructions on your screen and read the official Certbot documentation, if needed. Since Certbot and the way of requesting certificates change from time to time, we won't list every single step here.
If you need to enter your “webroot”, it is likely /var/www/html/ on Debian. Certbot tries to get the certificate and offers to configure HTTPS-only: “2: Secure - Make all requests redirect to secure HTTPS access”. You can either tell Certbot to configure HTTPS-only or you can configure it manually (see below).
After the setup, open the web browser on your client and enter your domain name. If everything worked, you should be automatically redirected to your HTTPS-only demo website of Apache. We still have to configure either a “www to non-www” or “non-www to www” redirect in the next step.
Step 2: Configure apache2.conf
HTTPS is only one of many security-related topics when you set up and run your own web server. Let's continue with other important settings. You find your apache2.conf file in /etc/apache2/apache2.conf on Debian 9. This file contains all basic settings for Apache.
In order to enable HTTP/2 over TLS, you have to enable the HTTP/2 module of Apache first:
sudo a2enmod http2
Then, apply the settings below (or change them according to your needs) to apache2.conf and restart the web server:
sudo systemctl restart apache2
Fix any errors. Check the status of Apache to see whether there are any problems:
systemctl status apache2
Step 3: Configure security.conf
Most of your configuration files are located in /etc/apache2/conf-enabled/. This folder contains files of enabled modules.
In order to manipulate HTTP headers, you have to enable the headers module of Apache first:
sudo a2enmod headers
Open the security.conf file and apply the following settings (or change them according to your needs):
We discuss all of these settings in part 3 of our series.
After editing security.conf, restart the web server:
sudo systemctl restart apache2
Again, fix any errors and use systemctl status apache2 to check for errors.
Step 4: Configure security2.conf
In step 3, we reduced the server signature to “Apache”. To completely disable the signature, we have to install ModSecurity. ModSecurity is an open-source web application firewall which we discuss in part 4 of our guide.
Install ModSecurity with sudo apt install libapache2-modsecurity and open the security2.conf file in /etc/apache2/mods-enabled/. Apply the following setting:
After editing security2.conf, restart the web server:
sudo systemctl restart apache2
Please note that removing your server signature doesn't protect your server from fingerprinting. There are still ways to identify the web server software running on your server. However, this may block some automated attacks that look for the signature.
Step 5: Validate your configuration
After configuring, it is important to test whether the configuration was successfully applied. We wrote an article dedicated to online assessment tools for web server security. Use these tools to check your configuration. You don't have to achieve 100% ratings everywhere. Some settings may be irrelevant for you. Don't try to achieve 100% by blindly following any guides on the internet.
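Besides the online tools, you can run a quick check yourself. The following script is an added example, not code from the original article: it reads raw response headers (in practice the output of curl -sI against your domain; here a constructed sample is embedded so it runs offline), checks for the security headers part 3 of the series covers (the exact list is our assumption), and flags a Server header that says more than “Apache” (the signature set in steps 3 and 4).

```shell
#!/bin/sh
# Added example, not code from the original article: check that the response
# headers of the hardened server look as intended. In practice, pipe in the
# output of:  curl -sI https://www.[your-domain-name]/
# The header list below is our assumption of what part 3 of the series sets.
set -u

REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options content-security-policy referrer-policy"

# check_headers: reads an HTTP response header block on stdin, prints one
# line per check and returns 0 only if every check passed.
check_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # normalise CRLF and header-name case
    rc=0
    for h in $REQUIRED_HEADERS; do
        if printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "ok       $h"
        else
            echo "MISSING  $h"; rc=1
        fi
    done
    # Step 3 reduces the Server header to "Apache"; step 4 removes it entirely.
    # Anything more detailed (e.g. a version string) is a leak worth fixing.
    server=$(printf '%s\n' "$hdrs" | sed -n 's/^server:[[:space:]]*//p')
    case "$server" in
        ""|apache) echo "ok       server signature: '${server:-absent}'" ;;
        *)         echo "LEAKY    server signature: '$server'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample response: hardened, but Content-Security-Policy is missing.
SAMPLE='HTTP/1.1 200 OK
Date: Sat, 27 Jul 2019 10:00:00 GMT
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Content-Type: text/html'

if printf '%s\n' "$SAMPLE" | check_headers; then
    echo "all checks passed"
else
    echo "fix the configuration, restart Apache and re-run"
fi
```

The sample deliberately lacks Content-Security-Policy, so the script reports one MISSING line and exits non-zero; a response from a server that still sends a version string is reported as LEAKY.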
Step 6: Back up your configuration
Finally, we want to back up our configuration. This is really useful in case of errors or lockout since you can reinstall your server and web server without configuring everything from scratch.
We use a small bash script for this:
Save this to a file on your local computer, modify it and execute it after configuration changes. This script creates a local copy of your Apache and Let's Encrypt configuration.
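The article's own script is not reproduced here; the following is an added example of such a script, not the author's. It assumes key-based SSH login, passwordless sudo for tar on the server, and that the placeholder host, port and destination are replaced before use.

```shell
#!/bin/sh
# Added example, not the article's own script: pull a timestamped local copy
# of the Apache and Let's Encrypt configuration from the server over SSH.
# Assumptions: key-based SSH login, passwordless sudo for tar on the server,
# and the placeholder values below replaced before use.
set -eu

SERVER="admin@www.[your-domain-name]"    # placeholder: user@host of your server
SSH_PORT=22                              # placeholder: the port chosen in part 1
DEST="$HOME/webserver-backups"           # local folder that receives the copies

# verify_backup ARCHIVE: fail unless the archive holds what a restore needs.
# A backup that silently lacks the certificate directory is the failure mode
# we want to catch right after taking it, not during a reinstall.
verify_backup() {
    listing=$(tar -tzf "$1")
    for want in etc/apache2/apache2.conf etc/apache2/sites-enabled/ etc/letsencrypt/live/; do
        printf '%s\n' "$listing" | grep -q "^$want" \
            || { echo "missing from backup: $want" >&2; return 1; }
    done
}

# backup_config: stream a tar of both directories from the server into DEST.
backup_config() {
    mkdir -p "$DEST"
    out="$DEST/webserver-config-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    # /etc/letsencrypt contains your private keys: make the copy readable by you only.
    ( umask 077; ssh -p "$SSH_PORT" "$SERVER" \
        'sudo tar -C / -czf - etc/apache2 etc/letsencrypt' > "$out" )
    verify_backup "$out"
    echo "backup written to $out"
}

case "${1:-}" in
    run) backup_config ;;
    *)   echo "usage: $0 run" >&2 ;;
esac
```

Run it as sh backup-webserver-config.sh run after each configuration change; each run leaves a new archive in the destination folder.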
This article is part of the Web server security series.
You can start to place your website in /var/www/html. We installed Apache and hardened its configuration. However, this isn't all about web server security. In the next part, we discuss certificates, TLS, OCSP and other security-related headers in detail.
Remember: Your web server is publicly accessible and just another computer. This means that you have to regularly check for updates and keep your server software up to date!
- Jul 27, 2019: Added information about legacy HTTP response headers (X-Xss-Protection and X-Frame-Options).
- Jul 14, 2019: Rewrote several sections due to the release of Debian 10 and part 0 of this series.