Most folks in IT are familiar with Apache at some level. It’s an open source web server, created in 1999 and maintained by a community of developers under the guidance of the Apache Software Foundation. Based on the latest numbers Apache is used by 56.8% of all the websites, followed by Nginx (25.0%) and Microsoft IIS (13.1%). The numbers indicate the reliance that folks place on Apache to run their web services. It’s a proven, reliable tool that has stood the test of time, and really played a key role in the early growth of the internet.
During 2014 we all saw high impacts from cyber-crime and web attacks. Web servers are obviously the first line of defense for creating a secure environment for your business applications. Therefore, keeping Apache performance front and center will help secure your environment against the threats of a cyber-attack.
But security is not a stand-alone concern; it must go hand in hand with performance in the digital era. The point here is that at the end of the day (and in the middle and beginning too!) you want to make sure your websites and apps are running as smoothly as possible. In what follows we outline 6 best practices for fine-tuning your Apache setup to make sure things are running as optimally and as securely as possible.
Keep your Apache updated with the latest releases and patches
As mentioned, Apache is maintained through a community of developers who are committed to keeping the software current and robust. New fixes and security patches are added in every release. So one best practice is to always upgrade to the latest stable version of Apache. This will ensure that you keep your services and applications running securely.
Disable Directory Listing
By default Apache lists all the content of its Document root directory in the absence of the index file.
In other words, if the base file like index.html or index.php is not available then anyone can see all files and sub-directories listed in the browser. This creates a security vulnerability because an attacker could analyze the source code for possible security flaws or to obtain more information about an application, such as database connection strings, passwords to other systems; therefore it’s best to disable the directory listing. To disable directory browsing, you just need to set the Options directive in the Apache httpd.conf file as follows:
Disable unnecessary modules & services
By default Apache comes with a number of pre-installed and enabled modules. However, this creates an additional security vulnerability. In order to reduce your chances of becoming a victim of a web attack it’s best to disable the modules that are not currently being used. Unnecessary modules can be disabled by going into the httpd.conf file and adding a # character in front of the LoadModule line.
You can also disable unnecessary services CGI execution, symbolic links, and server side includes by using the Options directive from the httpd.conf configuration file. The image below example shows what you need to include in your config file to disable CGI and includes:
Ensure that Apache server-info is disabled
If the <Location /server-info> directive in the httpd.conf configuration file is enabled it displays information about the Apache configuration when the /server-info page is accessed from http://www.example.com/server-info. This could potentially include sensitive information about server settings such as the server version, system paths, database names, library information, and so on. This information can be disabled by commenting out the <Location /server-info> directive from the httpd.conf configuration file per below:
Disable Trace HTTP Request
‘TRACE’ is a HTTP request method used for debugging which echoes back the received request for a client so that he may see what changes or additions have been done. This functionality creates a security vulnerability because an attacker can exploit it and steal sensitive information via headers like cookies and website credentials. You can disable this simply by changing the directive in your httpd.conf file to TraceEnableOff.
Leverage Monitis Apache Tomcat Monitoring
If you’re looking for best-in-class web monitoring and performance tracking then you need to head over to Monitis. With its industry-leading global service, Monitis lets businesses monitor their network anytime and from anywhere, including website uptime monitoring, full page load and transaction monitoring, and web load testing. If you want less stress, then why not adopt Monitis Apache Tomcat Monitoring to help your team more effectively monitor their web server environment. Imagine being able to closely review application performance, availability, and get usage statistics and learn about potential problems before your customers find out. By keeping your infrastructure running smoothly and more effectively, Monitis alleviates the stress and helps you focus on running your business.
If you’re serious about application performance, and especially your Apache Tomcat environment, then come to Monitis today and start a free trial. Once you see the benefits of the Monitis monitoring platform, you’ll be glad you did!