Difference between revisions of "Apache HTTP Server"

From TechShareRoom wiki
No edit summary

Line 67: Line 67:
Header always set Content-Security-Policy " \
Header always set Content-Security-Policy " \
default-src 'self'; \
default-src 'self'; \
script-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' https:; \
style-src 'self' https: 'unsafe-inline'; \
img-src 'self' https: blob:; \
img-src 'self' https: data: blob:; \
font-src 'self' https:; \
font-src 'self' https: data:; \
connect-src 'self' https: wss:; \
connect-src 'self' https: wss:; \
media-src 'self' https:; \
media-src 'self' https:; \
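Review bot: the new `script-src 'self' 'unsafe-inline' 'unsafe-eval'; \` line removes most of the protection this policy gave against injected scripts, and the comment later on the page attributes the change to audits without saying which inline script or eval() needed it. If WordPress or MediaWiki really requires an inline script, allow that specific script with a `'nonce-…'` or `'sha256-…'` source, or move it into a file that `'self'` already covers, and keep `'unsafe-eval'` out unless a named library is known to need it. The `'unsafe-inline'` added to style-src and the `data:` scheme added to img-src and font-src are lower risk, but it is worth recording in the page which audit finding each relaxation resolves so they can be tightened again later.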

Latest revision as of 01:31, 23 February 2026

Hardening

  • Remove version exposure

Change in:

/etc/apache2/conf-available/security.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
  • Secure SSL

Change in:

nano /etc/apache2/mods-available/ssl.conf
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLProtocol -all +TLSv1.2 +TLSv1.3

SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000)

SSLHonorCipherOrder on
  • More improvements:
/etc/apache2/conf-available/security.conf

Add this:

#################################################
# EXTREME TRANSPORT SECURITY
#################################################

Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

#################################################
# BROWSER HARDENING
#################################################

Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"

Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Resource-Policy "same-origin"

#################################################
# PERMISSIONS POLICY
#################################################

Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), screen-wake-lock=(), fullscreen=self"

#################################################
# CSP GOD MODE (FIXED - AUDITS)
#################################################

Header always set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' https: 'unsafe-inline'; \
img-src 'self' https: data: blob:; \
font-src 'self' https: data:; \
connect-src 'self' https: wss:; \
media-src 'self' https:; \
frame-src 'self' https:; \
frame-ancestors 'self'; \
object-src 'none'; \
base-uri 'self'; \
form-action 'self'; \
upgrade-insecure-requests; \
"

#################################################
# DOWNLOAD + MIME PROTECTION
#################################################

Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"

Enable modules:

a2enmod headers ssl rewrite http2 ratelimit remoteip
systemctl restart apache2
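After the restart it is worth checking that the directives from the three hardening steps above (version exposure, SSLProtocol, and the security headers) actually say what you intended, because a single stray token such as 'unsafe-eval' undoes most of the CSP. The following Python script is an added example, not part of the wiki page or of Apache itself: it parses an Apache configuration fragment the way httpd does (backslash line continuations joined, quoted values kept whole), then reports directives that deviate from the values given above. The SAMPLE_CONF below is a constructed, deliberately weakened fragment; the model of how SSLProtocol combines `+`/`-`/bare tokens is stated in a comment and is an assumption of this example.

```python
import re
import shlex

# Constructed sample (not the wiki page's own configuration): deliberately
# weakened values so that each check below has something to report.
SAMPLE_CONF = r'''
ServerTokens OS
ServerSignature On
TraceEnable On
SSLProtocol all -SSLv3
Header always set Strict-Transport-Security "max-age=300"
Header always set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
frame-ancestors 'self'; \
"
'''

# Expected values for the directives the "remove version exposure" step sets.
EXPECTED = {"servertokens": "prod", "serversignature": "off", "traceenable": "off"}

# Model of mod_ssl's SSLProtocol parsing (assumption of this example): a bare
# name replaces the set, '+name' adds, '-name' removes, 'all' is every version.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def logical_lines(text):
    """Yield each directive as a token list; a trailing backslash joins lines as Apache does."""
    text = re.sub(r"\\\n", " ", text)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield shlex.split(line)


def enabled_protocols(args):
    """Return the set of protocol versions an SSLProtocol argument list leaves enabled."""
    enabled = set()
    for word in args:
        sign, name = (word[0], word[1:]) if word[:1] in ("+", "-") else ("", word)
        names = ALL_PROTOCOLS if name.lower() == "all" else {p for p in ALL_PROTOCOLS if p.lower() == name.lower()}
        if sign == "+":
            enabled |= names
        elif sign == "-":
            enabled -= names
        else:
            enabled = set(names)
    return enabled


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_csp(policy):
    findings = []
    scripts = policy.get("script-src", policy.get("default-src", []))  # script-src falls back to default-src
    for weak in ("'unsafe-inline'", "'unsafe-eval'"):
        if weak in scripts:
            findings.append(f"CSP: script-src allows {weak}, which removes most of the protection against injected scripts")
    if policy.get("object-src") != ["'none'"]:
        findings.append("CSP: object-src should be 'none' (plugin content can otherwise run script)")
    for required in ("base-uri", "frame-ancestors"):
        if required not in policy:
            findings.append(f"CSP: {required} is not set")
    return findings


def check_hsts(value):
    findings = []
    match = re.search(r"max-age=(\d+)", value, re.I)
    if not match or int(match.group(1)) < 31536000:
        findings.append("HSTS: max-age is missing or shorter than one year")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS: includeSubDomains is missing")
    return findings


def audit_config(text):
    """Return a list of findings for an Apache configuration fragment; an empty list means clean."""
    findings, seen = [], set()
    for tokens in logical_lines(text):
        name, args = tokens[0].lower(), tokens[1:]
        seen.add(name)
        if name in EXPECTED and (not args or args[0].lower() != EXPECTED[name]):
            findings.append(f"{tokens[0]} should be {EXPECTED[name]}, found: {' '.join(args) or 'nothing'}")
        elif name == "sslprotocol":
            legacy = enabled_protocols(args) & LEGACY_PROTOCOLS
            if legacy:
                findings.append("SSLProtocol still enables " + ", ".join(sorted(legacy)))
        elif name == "header":
            i = 1 if args and args[0].lower() == "always" else 0  # 'Header [always] set Name Value'
            if len(args) >= i + 3 and args[i].lower() == "set":
                header, value = args[i + 1].lower(), args[i + 2]
                if header == "strict-transport-security":
                    findings += check_hsts(value)
                elif header == "content-security-policy":
                    findings += check_csp(parse_csp(value))
    findings += [f"{name} is not set" for name in EXPECTED if name not in seen]
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONF):
        print(finding)
```

Run it against the real files by passing their contents to audit_config (for example the text of /etc/apache2/conf-available/security.conf and ssl.conf concatenated); a configuration that matches the values given above produces no findings apart from the CSP ones, which is the point: the 'unsafe-inline' and 'unsafe-eval' sources in the page's script-src are reported every time, so the decision to keep them stays visible.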

Optimization for 3GB of RAM

nano /etc/apache2/mods-available/mpm_event.conf
StartServers            2
MinSpareThreads         25
MaxSpareThreads         75 
ThreadLimit             64
ThreadsPerChild         20
MaxRequestWorkers       120
MaxConnectionsPerChild  2000
/etc/php/8.3/fpm/pool.d/www.conf
pm = dynamic
pm.max_children = 35
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 15
pm.max_requests = 500

Extra optimization:

a2enmod deflate
a2enmod expires
a2enmod headers

MYSQL:

sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
[mysqld]

# RAM usage control
innodb_buffer_pool_size = 600M
innodb_buffer_pool_instances = 1

# Logs (better stability than raw speed)
innodb_flush_log_at_trx_commit = 2
sync_binlog = 0

# Connections
max_connections = 60
thread_cache_size = 16

# Tables + performance
table_open_cache = 400
table_definition_cache = 400

# Temp tables
tmp_table_size = 64M
max_heap_table_size = 64M

# Slow queries (useful for optimizing WP + MediaWiki)
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2
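The mpm_event, PHP-FPM and MySQL figures above only work together if the worst case (every Apache thread, every PHP worker and every MySQL connection busy at once) still fits in the 3GB box, and if the MPM values are ones Apache will actually use: httpd caps ThreadsPerChild at ThreadLimit, lowers MaxRequestWorkers to a multiple of ThreadsPerChild and to at most ServerLimit × ThreadsPerChild (ServerLimit defaults to 16 when it is not set), logging a warning each time. The script below is an added example, not from the wiki page, that applies those adjustments and adds up a memory estimate; it reuses the directive values from the three blocks above, while the per-process sizes in ASSUMED are hypothetical figures to replace with what ps or smem shows on the real host.

```python
# Added example (not from the wiki page): consistency check for the 3GB
# tuning figures and a worst-case memory estimate.

MPM_EVENT = {                 # /etc/apache2/mods-available/mpm_event.conf (page values)
    "ThreadLimit": 64,
    "ThreadsPerChild": 20,
    "MaxRequestWorkers": 120,
}
PHP_FPM = {"pm.max_children": 35}                                  # www.conf (page value)
MYSQL = {"innodb_buffer_pool_size": 600, "max_connections": 60}  # mysqld.cnf (page values, MB / count)

# Hypothetical resident sizes in MB, assumed for this example; measure your own.
ASSUMED = {"apache_child": 60, "php_worker": 40, "mysql_connection": 4, "os_reserve": 256}


def normalize_mpm(mpm, server_limit=16):
    """Apply the adjustments mpm_event makes at startup and report each one.

    ThreadsPerChild is capped at ThreadLimit; MaxRequestWorkers is raised to at
    least ThreadsPerChild, lowered to a multiple of it, and capped at
    ServerLimit * ThreadsPerChild (ServerLimit defaults to 16 when unset).
    """
    warnings = []
    tpc = mpm["ThreadsPerChild"]
    if tpc > mpm["ThreadLimit"]:
        warnings.append(f"ThreadsPerChild {tpc} exceeds ThreadLimit, lowered to {mpm['ThreadLimit']}")
        tpc = mpm["ThreadLimit"]
    mrw = mpm["MaxRequestWorkers"]
    if mrw < tpc:
        warnings.append(f"MaxRequestWorkers {mrw} is below ThreadsPerChild, raised to {tpc}")
        mrw = tpc
    if mrw % tpc:
        lowered = (mrw // tpc) * tpc
        warnings.append(f"MaxRequestWorkers {mrw} is not a multiple of ThreadsPerChild, lowered to {lowered}")
        mrw = lowered
    if mrw > server_limit * tpc:
        warnings.append(f"MaxRequestWorkers {mrw} exceeds ServerLimit*ThreadsPerChild, lowered to {server_limit * tpc}")
        mrw = server_limit * tpc
    return {
        "ThreadsPerChild": tpc,
        "MaxRequestWorkers": mrw,
        "child_processes": mrw // tpc,  # processes Apache can end up running at full load
        "warnings": warnings,
    }


def worst_case_memory_mb(mpm, fpm, mysql, assumed=ASSUMED):
    """Sum the peak footprint of every pool when all of its workers are busy at once."""
    effective = normalize_mpm(mpm)
    apache = effective["child_processes"] * assumed["apache_child"]
    php = fpm["pm.max_children"] * assumed["php_worker"]
    # InnoDB buffer pool is allocated up front; per-connection buffers scale with max_connections.
    db = mysql["innodb_buffer_pool_size"] + mysql["max_connections"] * assumed["mysql_connection"]
    return {
        "apache": apache,
        "php_fpm": php,
        "mysql": db,
        "total": apache + php + db + assumed["os_reserve"],
    }


def fits_budget(total_ram_mb=3072, mpm=MPM_EVENT, fpm=PHP_FPM, mysql=MYSQL):
    """True when the worst-case estimate stays inside the machine's RAM."""
    return worst_case_memory_mb(mpm, fpm, mysql)["total"] <= total_ram_mb


if __name__ == "__main__":
    effective = normalize_mpm(MPM_EVENT)
    for warning in effective["warnings"]:
        print("warning:", warning)
    usage = worst_case_memory_mb(MPM_EVENT, PHP_FPM, MYSQL)
    print(usage, "fits 3GB:", fits_budget())
```

With the page's numbers there are no MPM warnings (120 is exactly 6 children of 20 threads) and the estimate lands around 2.8GB under the assumed sizes, so the margin is thin: raising pm.max_children or the buffer pool without lowering something else is the usual way this box starts swapping.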

Vulnerabilities

  • apache2buddy
curl -O https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl
chmod +x apache2buddy.pl
./apache2buddy.pl
  • Nikto
sudo apt install nikto
nikto -h https://techshareroom.com