Difference between revisions of "Apache HTTP Server"
From TechShareRoom wiki
No edit summary | No edit summary |
| (9 intermediate revisions by the same user not shown) | |||
| Línea 9: | Línea 9: | ||
ServerTokens Prod | ServerTokens Prod | ||
ServerSignature Off | ServerSignature Off | ||
TraceEnable Off | |||
FileETag None | |||
</syntaxhighlight> | </syntaxhighlight> | ||
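Review bot: `FileETag None` on the right side turns ETags off entirely, so browsers lose `If-None-Match` revalidation for static files; if the intent is only to stop the inode number leaking, `FileETag MTime Size` (the Apache 2.4 default) achieves that while keeping conditional requests working. `ServerTokens Prod`, `ServerSignature Off` and `TraceEnable Off` are fine as written.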
| Línea 21: | Línea 23: | ||
SSLProtocol -all +TLSv1.2 +TLSv1.3 | SSLProtocol -all +TLSv1.2 +TLSv1.3 | ||
SSLUseStapling on | |||
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000) | SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000) | ||
SSLHonorCipherOrder on | SSLHonorCipherOrder on | ||
</syntaxhighlight> | |||
*Más mejoras: | |||
<syntaxhighlight lang="bash" copy> | |||
/etc/apache2/conf-available/security.conf | |||
</syntaxhighlight> | |||
Añade esto: | |||
<syntaxhighlight lang="bash" copy> | |||
################################################# | |||
# TRANSPORT SECURITY EXTREMA | |||
################################################# | |||
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" | |||
################################################# | |||
# BROWSER HARDENING | |||
################################################# | |||
Header always set X-Content-Type-Options "nosniff" | |||
Header always set Referrer-Policy "strict-origin-when-cross-origin" | |||
Header always set X-Frame-Options "SAMEORIGIN" | |||
Header always set Cross-Origin-Opener-Policy "same-origin" | |||
Header always set Cross-Origin-Embedder-Policy "require-corp" | |||
Header always set Cross-Origin-Resource-Policy "same-origin" | |||
################################################# | |||
# PERMISSIONS POLICY | |||
################################################# | |||
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), screen-wake-lock=(), fullscreen=self" | |||
################################################# | |||
# CSP DIOS MODE (CORREGIDO - AUDITORÍAS) | |||
################################################# | |||
Header always set Content-Security-Policy " \ | |||
default-src 'self'; \ | |||
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \ | |||
style-src 'self' https: 'unsafe-inline'; \ | |||
img-src 'self' https: data: blob:; \ | |||
font-src 'self' https: data:; \ | |||
connect-src 'self' https: wss:; \ | |||
media-src 'self' https:; \ | |||
frame-src 'self' https:; \ | |||
frame-ancestors 'self'; \ | |||
object-src 'none'; \ | |||
base-uri 'self'; \ | |||
form-action 'self'; \ | |||
upgrade-insecure-requests; \ | |||
" | |||
################################################# | |||
# PROTECCIÓN DESCARGAS + MIME | |||
################################################# | |||
Header always set X-Download-Options "noopen" | |||
Header always set X-Permitted-Cross-Domain-Policies "none" | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Activar módulos: | Activar módulos: | ||
<syntaxhighlight lang="bash" copy> | <syntaxhighlight lang="bash" copy> | ||
a2enmod rewrite | a2enmod headers ssl rewrite http2 ratelimit remoteip | ||
systemctl restart apache2 | systemctl restart apache2 | ||
</syntaxhighlight> | </syntaxhighlight> | ||
== Optimización para 3GB de RAM == | |||
<syntaxhighlight lang="bash" copy> | <syntaxhighlight lang="bash" copy> | ||
/etc/apache2/ | nano /etc/apache2/mods-available/mpm_event.conf | ||
</syntaxhighlight> | </syntaxhighlight> | ||
<syntaxhighlight lang="bash" copy> | |||
StartServers 2 | |||
MinSpareThreads 25 | |||
MaxSpareThreads 75 | |||
ThreadLimit 64 | |||
ThreadsPerChild 20 | |||
MaxRequestWorkers 120 | |||
MaxConnectionsPerChild 2000 | |||
</syntaxhighlight> | |||
< | <syntaxhighlight lang="bash" copy> | ||
/etc/php/8.3/fpm/pool.d/www.conf | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash" copy> | <syntaxhighlight lang="bash" copy> | ||
pm = dynamic | |||
pm.max_children = 35 | |||
pm.start_servers = 5 | |||
pm.min_spare_servers = 5 | |||
pm.max_spare_servers = 15 | |||
pm.max_requests = 500 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
Optimización extra: | |||
<syntaxhighlight lang="bash" copy> | <syntaxhighlight lang="bash" copy> | ||
a2enmod deflate | |||
a2enmod expires | |||
a2enmod headers | a2enmod headers | ||
</syntaxhighlight> | |||
MYSQL: | |||
<syntaxhighlight lang="bash" copy> | |||
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf | |||
</syntaxhighlight> | |||
<syntaxhighlight lang="bash" copy> | |||
[mysqld] | |||
# RAM usage control | |||
innodb_buffer_pool_size = 600M | |||
innodb_buffer_pool_instances = 1 | |||
# Logs (mejor estabilidad que velocidad pura) | |||
innodb_flush_log_at_trx_commit = 2 | |||
sync_binlog = 0 | |||
# Connections | |||
max_connections = 60 | |||
thread_cache_size = 16 | |||
# Tables + performance | |||
table_open_cache = 400 | |||
table_definition_cache = 400 | |||
# Temp tables | |||
tmp_table_size = 64M | |||
max_heap_table_size = 64M | |||
# Slow queries (útil para optimizar WP + MediaWiki) | |||
slow_query_log = 1 | |||
slow_query_log_file = /var/log/mysql/slow.log | |||
long_query_time = 2 | |||
</syntaxhighlight> | </syntaxhighlight> | ||
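Review bot: the CSP block under `# CSP DIOS MODE (CORREGIDO - AUDITORÍAS)` keeps `'unsafe-inline' 'unsafe-eval'` in `script-src`, which lets any injected inline script run, so the policy gives little protection against XSS despite its name; either move inline scripts to nonces or hashes (`script-src 'self' 'nonce-...'`) or say on the page that this is a compatibility compromise to be tightened later. Two further points in the same hunk: `Cross-Origin-Embedder-Policy "require-corp"` makes the browser refuse cross-origin images, fonts and scripts that carry no CORP or CORS header, so it will block the very `https:` sources that `img-src` and `font-src` allow unless those hosts cooperate; and `a2enmod headers ssl rewrite http2 ratelimit remoteip` enables two modules that do nothing without configuration (`RemoteIPHeader` for remoteip, `SetOutputFilter RATE_LIMIT` plus the `rate-limit` environment variable for ratelimit), so the page should add those directives or drop the modules from the line. In the MySQL block, `innodb_flush_log_at_trx_commit = 2` and `sync_binlog = 0` trade durability for speed (up to about a second of committed transactions can be lost on an OS crash or power loss), which is the opposite of the comment above them ("mejor estabilidad que velocidad pura"); reword the comment or use `1`.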
Current revision as of 01:31, 23 Feb 2026

== Hardening ==

* Remove version exposure

Change in:
<syntaxhighlight lang="bash" copy>
/etc/apache2/conf-available/security.conf
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
</syntaxhighlight>

* Secure SSL

Change in:
<syntaxhighlight lang="bash" copy>
nano /etc/apache2/mods-available/ssl.conf
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000)
SSLHonorCipherOrder on
</syntaxhighlight>

* More improvements:
<syntaxhighlight lang="bash" copy>
/etc/apache2/conf-available/security.conf
</syntaxhighlight>
Add this:
<syntaxhighlight lang="bash" copy>
#################################################
# EXTREME TRANSPORT SECURITY
#################################################
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#################################################
# BROWSER HARDENING
#################################################
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Resource-Policy "same-origin"
#################################################
# PERMISSIONS POLICY
#################################################
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), screen-wake-lock=(), fullscreen=self"
#################################################
# CSP GOD MODE (FIXED - AUDITS)
#################################################
Header always set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' https: 'unsafe-inline'; \
img-src 'self' https: data: blob:; \
font-src 'self' https: data:; \
connect-src 'self' https: wss:; \
media-src 'self' https:; \
frame-src 'self' https:; \
frame-ancestors 'self'; \
object-src 'none'; \
base-uri 'self'; \
form-action 'self'; \
upgrade-insecure-requests; \
"
#################################################
# DOWNLOAD + MIME PROTECTION
#################################################
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
</syntaxhighlight>
Enable modules:
<syntaxhighlight lang="bash" copy>
a2enmod headers ssl rewrite http2 ratelimit remoteip
systemctl restart apache2
</syntaxhighlight>

== Optimization for 3 GB of RAM ==

<syntaxhighlight lang="bash" copy>
nano /etc/apache2/mods-available/mpm_event.conf
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 20
MaxRequestWorkers 120
MaxConnectionsPerChild 2000
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
/etc/php/8.3/fpm/pool.d/www.conf
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
pm = dynamic
pm.max_children = 35
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 15
pm.max_requests = 500
</syntaxhighlight>
Extra optimization:
<syntaxhighlight lang="bash" copy>
a2enmod deflate
a2enmod expires
a2enmod headers
</syntaxhighlight>
MySQL:
<syntaxhighlight lang="bash" copy>
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
</syntaxhighlight>
<syntaxhighlight lang="bash" copy>
[mysqld]
# RAM usage control
innodb_buffer_pool_size = 600M
innodb_buffer_pool_instances = 1
# Logs (better stability than raw speed)
innodb_flush_log_at_trx_commit = 2
sync_binlog = 0
# Connections
max_connections = 60
thread_cache_size = 16
# Tables + performance
table_open_cache = 400
table_definition_cache = 400
# Temp tables
tmp_table_size = 64M
max_heap_table_size = 64M
# Slow queries (useful for tuning WP + MediaWiki)
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
</syntaxhighlight>

== Vulnerabilities ==

* apache2buddy
<syntaxhighlight lang="bash" copy>
curl -O https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl
chmod +x apache2buddy.pl
./apache2buddy.pl
</syntaxhighlight>

* Nikto
<syntaxhighlight lang="bash" copy>
sudo apt install nikto
nikto -h https://techshareroom.com
</syntaxhighlight>
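The apache2buddy and Nikto runs above audit the live server. The script below is an added example, not part of the wiki page: it does the complementary offline check of a captured response header block against the header set configured in the Hardening section. The required-header list, the `script-src` and `object-src` rules, the one-year HSTS threshold and the `Server` banner test are the script's own choices, and the three sample responses (including the placeholder nonce and the constructed version banner) are constructed for the demonstration.

```shell
#!/bin/sh
# audit_headers.sh - offline check of a captured HTTP response header block
# against the hardening headers this page configures. Constructed example,
# not part of the wiki page.
# Usage: curl -sI https://your-host/ > headers.txt && sh audit_headers.sh headers.txt

# Headers the page sets and that should be present on every response.
REQUIRED_HEADERS="strict-transport-security x-content-type-options referrer-policy x-frame-options content-security-policy permissions-policy"

# lc STRING -> STRING lower-cased (portable, no bash-only features)
lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# header_value BLOCK NAME -> value of the first header called NAME, empty if absent
header_value() {
  printf '%s\n' "$1" | tr -d '\r' | awk -v name="$(lc "$2")" -F': *' '
    tolower($1) == name { sub(/^[^:]*: */, ""); print; exit }'
}

# audit_headers BLOCK -> one finding per line; exit status 1 if anything was found
audit_headers() {
  block=$1
  findings=0
  # ServerTokens Prod leaves a bare "Apache" banner; a slash means a version leaked
  server=$(header_value "$block" server)
  case "$server" in
    */*) echo "LEAK: Server header exposes a version ($server)"; findings=$((findings + 1)) ;;
  esac
  for name in $REQUIRED_HEADERS; do
    if [ -z "$(header_value "$block" "$name")" ]; then
      echo "MISSING: $name"; findings=$((findings + 1))
    fi
  done
  csp=$(header_value "$block" content-security-policy)
  if [ -n "$csp" ]; then
    # isolate the script-src directive and look for the two keywords that defeat CSP
    # (fallback from a missing script-src to default-src is not modelled here)
    script_src=$(printf '%s' "$csp" | tr ';' '\n' | tr -s ' ' | sed -n 's/^ *script-src //p')
    for weak in "'unsafe-inline'" "'unsafe-eval'"; do
      case " $script_src " in
        *" $weak "*) echo "WEAK-CSP: script-src allows $weak"; findings=$((findings + 1)) ;;
      esac
    done
    case "$csp" in
      *"object-src 'none'"*) ;;
      *) echo "WEAK-CSP: object-src is not 'none'"; findings=$((findings + 1)) ;;
    esac
  fi
  hsts=$(header_value "$block" strict-transport-security)
  if [ -n "$hsts" ]; then
    max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
    if [ "${max_age:-0}" -lt 31536000 ]; then
      echo "WEAK-HSTS: max-age ${max_age:-0} is below one year"; findings=$((findings + 1))
    fi
  fi
  [ "$findings" -eq 0 ]
}

# Constructed sample: headers as the page's security.conf would emit them
# (CSP shortened to the directives the checks look at).
SAMPLE_PAGE="HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
X-Frame-Options: SAMEORIGIN
Permissions-Policy: geolocation=(), camera=(), microphone=()
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' https: 'unsafe-inline'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"

# Same response with script-src tightened to a nonce (placeholder nonce value).
SAMPLE_STRICT=$(printf '%s\n' "$SAMPLE_PAGE" | sed "s/script-src 'self' 'unsafe-inline' 'unsafe-eval'/script-src 'self' 'nonce-PLACEHOLDER'/")

# Constructed sample of a server with none of the hardening applied.
SAMPLE_BARE="HTTP/1.1 200 OK
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html"

# Audit a captured header file when one is given on the command line.
if [ "$#" -gt 0 ]; then
  audit_headers "$(cat "$1")"
fi
```

Run against `SAMPLE_PAGE` the script reports only the two `script-src` keywords, which is the weak spot of the page's CSP; against `SAMPLE_STRICT` it reports nothing, and against `SAMPLE_BARE` it reports the version banner and every missing header.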
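For the 3 GB sizing section above, the following script is an added example and not part of the wiki page: it parses the page's mpm_event values, applies the consistency rules httpd enforces or warns about for the event MPM (MaxRequestWorkers a multiple of ThreadsPerChild and within ServerLimit × ThreadsPerChild, ThreadsPerChild within ThreadLimit, MinSpareThreads below MaxSpareThreads) and estimates the memory that the Apache children, the PHP-FPM pool (`pm.max_children = 35`) and the InnoDB buffer pool (600 MB) commit together. The per-process RSS figures (25 MB per Apache child, 30 MB per PHP-FPM child) are assumptions to replace with measured values; the defaults used for absent directives are the event MPM defaults.

```shell
#!/bin/sh
# mpm_budget.sh - sanity-check the mpm_event values from this page and estimate
# the memory they commit on a 3 GB host alongside PHP-FPM and MySQL.
# Constructed example, not part of the wiki page. Per-process RSS figures are
# assumptions; measure yours with: ps -o rss,cmd -C apache2,php-fpm8.3

# Constructed copy of the mpm_event values from the page.
MPM_CONF='StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 20
MaxRequestWorkers 120
MaxConnectionsPerChild 2000'

# directive CONF NAME -> value of NAME in CONF (case-insensitive), empty if absent
directive() {
  printf '%s\n' "$1" | awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    'tolower($1) == n { print $2; exit }'
}

# check_mpm_conf CONF -> one line per violated rule; exit status 1 if any
# Absent directives fall back to the event MPM defaults.
check_mpm_conf() {
  conf=$1; bad=0
  tpc=$(directive "$conf" ThreadsPerChild);   tpc=${tpc:-25}
  mrw=$(directive "$conf" MaxRequestWorkers); mrw=${mrw:-400}
  tl=$(directive "$conf" ThreadLimit);        tl=${tl:-64}
  mins=$(directive "$conf" MinSpareThreads);  mins=${mins:-75}
  maxs=$(directive "$conf" MaxSpareThreads);  maxs=${maxs:-250}
  sl=$(directive "$conf" ServerLimit);        sl=${sl:-16}
  if [ $((mrw % tpc)) -ne 0 ]; then
    echo "MaxRequestWorkers $mrw is not a multiple of ThreadsPerChild $tpc"; bad=1
  fi
  if [ "$tpc" -gt "$tl" ]; then
    echo "ThreadsPerChild $tpc exceeds ThreadLimit $tl"; bad=1
  fi
  if [ "$mrw" -gt $((sl * tpc)) ]; then
    echo "MaxRequestWorkers $mrw exceeds ServerLimit*ThreadsPerChild $((sl * tpc))"; bad=1
  fi
  if [ "$mins" -ge "$maxs" ]; then
    echo "MinSpareThreads $mins must be below MaxSpareThreads $maxs"; bad=1
  fi
  return $bad
}

# apache_children CONF -> child processes needed to reach MaxRequestWorkers
apache_children() {
  conf=$1
  echo $(( $(directive "$conf" MaxRequestWorkers) / $(directive "$conf" ThreadsPerChild) ))
}

# memory_headroom_mb TOTAL_MB CONF PHP_MAX_CHILDREN PHP_RSS_MB APACHE_RSS_MB INNODB_MB
# -> MB left after the committed worst case; negative means the box swaps under load
memory_headroom_mb() {
  total=$1; conf=$2; php_children=$3; php_rss=$4; apache_rss=$5; innodb=$6
  apache=$(( $(apache_children "$conf") * apache_rss ))
  php=$(( php_children * php_rss ))
  echo $(( total - innodb - php - apache ))
}

# Worked run with the page's numbers and the assumed RSS figures
# (30 MB per PHP-FPM child, 25 MB per Apache event child): prints 1272.
check_mpm_conf "$MPM_CONF" && memory_headroom_mb 3072 "$MPM_CONF" 35 30 25 600
```

With the page's values the checks pass (6 Apache children at 20 threads each) and roughly 1.2 GB remains for the OS, page cache and MySQL's per-connection buffers; raising `pm.max_children` or `MaxRequestWorkers` without re-running the estimate is the usual way a 3 GB host ends up swapping.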