
Overview

This page collects notes on Apache security settings.


Table of contents:

Common configuration example


Configuration example
# Hide version information in the Server header
ServerTokens Prod

# Remove X-Powered-By (hides the PHP version, etc.)
Header unset "X-Powered-By"

# Mitigation for the httpoxy vulnerability
RequestHeader unset Proxy

# Clickjacking protection
Header append X-Frame-Options DENY
## Change "DENY" to "SAMEORIGIN" if the page needs to be displayed in an iframe
## (append adds to any X-Frame-Options value already present; use "set" to replace one the application emits)

# XSS protection
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff

# XST (cross-site tracing) protection
TraceEnable Off

# DoS protection (request body limit in bytes, maximum number of request header fields)
LimitRequestBody 10485760
LimitRequestFields 20

# Slowloris HTTP DoS protection (requires mod_reqtimeout)
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

Notes

The settings above require the headers module (mod_headers) to be loaded in Apache HTTP Server beforehand.

Header check example
curl -I -v -X GET http://localhost/
Example output
root@localhost:/# curl -I -v -X GET http://localhost/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Fri, 04 Jan 2019 17:45:37 GMT
Date: Fri, 04 Jan 2019 17:45:37 GMT
< Server: Apache
Server: Apache
< Link: <http://localhost/index.php?rest_route=/>; rel="https://api.w.org/"
Link: <http://localhost/index.php?rest_route=/>; rel="https://api.w.org/"
< Link: <http://localhost/>; rel=shortlink
Link: <http://localhost/>; rel=shortlink
< Vary: Accept-Encoding
Vary: Accept-Encoding
< X-Frame-Options: DENY
X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8

<
* Excess found in a non pipelined read: excess = 8311 url = / (zero-length body)
* Connection #0 to host localhost left intact
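The curl output above has to be read by eye. The following POSIX shell script is an added example, not part of the original page: it reads a raw header block from stdin (for example the output of `curl -sI http://localhost/`), reports which of the headers configured above are missing and which information-disclosure headers are still being sent, and returns non-zero when any check fails. The two sample header blocks are constructed for the demo, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the original page): audit an HTTP response header
# block against the hardening settings in the configuration example.

# require NAME VALUE_REGEX LABEL: pass if the normalised header block in $hdrs
# contains "name: value" with value matching VALUE_REGEX; otherwise report.
require() {
    if printf '%s\n' "$hdrs" | grep -Eq "^$1: *$2 *\$"; then
        return 0
    fi
    echo "MISSING  $3"; rc=1
}

# forbid NAME LABEL: report if a header that leaks implementation details is present.
forbid() {
    if printf '%s\n' "$hdrs" | grep -Eq "^$1:"; then
        echo "LEAK     $2"; rc=1
    fi
}

# check_headers: read a header block from stdin, print one line per finding,
# return 0 when every check passes and 1 otherwise.
check_headers() {
    # Normalise: drop CR from CRLF line endings, lower-case for case-insensitive matching
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    rc=0

    # Headers the configuration is expected to add
    require x-frame-options '(deny|sameorigin)' 'X-Frame-Options: DENY or SAMEORIGIN'
    require x-content-type-options nosniff 'X-Content-Type-Options: nosniff'
    require x-xss-protection '1; *mode=block' 'X-XSS-Protection: 1; mode=block'

    # Headers the configuration is expected to remove
    forbid x-powered-by 'X-Powered-By is still sent (Header unset not in effect)'

    # ServerTokens Prod reduces the Server header to exactly "Apache";
    # anything longer still reveals version or module details
    if printf '%s\n' "$hdrs" | grep -q '^server:' && \
       ! printf '%s\n' "$hdrs" | grep -Eq '^server: *apache *$'; then
        echo "LEAK     Server header reveals version or modules"; rc=1
    fi
    return $rc
}

# Constructed sample responses (not captured from a real server)
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Fri, 04 Jan 2019 17:45:37 GMT
Server: Apache
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

DEFAULT_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.0 (Unix)
X-Powered-By: PHP/7.0.0
Content-Type: text/html; charset=UTF-8'

# Stand-alone demo: audit both samples
echo "--- hardened sample ---"
printf '%s\n' "$HARDENED_HEADERS" | check_headers && echo "OK: all checks passed"
echo "--- default sample ---"
printf '%s\n' "$DEFAULT_HEADERS" | check_headers || echo "FAIL: see findings above"
```

To run it against a live server, source the script so that `check_headers` is defined in the current shell and then pipe curl's header output into it: `. ./check_headers.sh; curl -sI http://localhost/ | check_headers`. The function only inspects the header names and values, so `-I` (HEAD) is enough; no body is fetched.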