Apache HTTP Server
De TechShareRoom wiki
Más acciones
Hardening
- Quitar exposición de versión
Cambiar en:
/etc/apache2/conf-available/security.confServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None- Securizar SSL
Cambiar en:
nano /etc/apache2/mods-available/ssl.confSSLCipherSuite HIGH:!aNULL:!MD5:!3DES
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLUseStapling on
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(128000)
SSLHonorCipherOrder on- Más mejoras:
/etc/apache2/conf-available/security.confAñade esto:
#################################################
# TRANSPORT SECURITY EXTREMA
#################################################
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#################################################
# BROWSER HARDENING
#################################################
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Cross-Origin-Opener-Policy "same-origin"
Header always set Cross-Origin-Embedder-Policy "require-corp"
Header always set Cross-Origin-Resource-Policy "same-origin"
#################################################
# PERMISSIONS POLICY
#################################################
Header always set Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), screen-wake-lock=(), fullscreen=self"
#################################################
# CSP DIOS MODE (CORREGIDO - AUDITORÍAS)
#################################################
Header always set Content-Security-Policy " \
default-src 'self'; \
script-src 'self' 'unsafe-inline' 'unsafe-eval'; \
style-src 'self' https: 'unsafe-inline'; \
img-src 'self' https: data: blob:; \
font-src 'self' https: data:; \
connect-src 'self' https: wss:; \
media-src 'self' https:; \
frame-src 'self' https:; \
frame-ancestors 'self'; \
object-src 'none'; \
base-uri 'self'; \
form-action 'self'; \
upgrade-insecure-requests; \
"
#################################################
# PROTECCIÓN DESCARGAS + MIME
#################################################
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"Activar módulos:
a2enmod headers ssl rewrite http2 ratelimit remoteip
systemctl restart apache2Optimización para 3GB de RAM
nano /etc/apache2/mods-available/mpm_event.confStartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 20
MaxRequestWorkers 120
MaxConnectionsPerChild 2000/etc/php/8.3/fpm/pool.d/www.confpm = dynamic
pm.max_children = 35
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 15
pm.max_requests = 500Optimización extra:
a2enmod deflate
a2enmod expires
a2enmod headersMYSQL:
sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf[mysqld]
# RAM usage control
innodb_buffer_pool_size = 600M
innodb_buffer_pool_instances = 1
# Logs (mejor estabilidad que velocidad pura)
innodb_flush_log_at_trx_commit = 2
sync_binlog = 0
# Connections
max_connections = 60
thread_cache_size = 16
# Tables + performance
table_open_cache = 400
table_definition_cache = 400
# Temp tables
tmp_table_size = 64M
max_heap_table_size = 64M
# Slow queries (útil para optimizar WP + MediaWiki)
slow_query_log = 1
slow_query_log_file = /var/log/mysql/slow.log
long_query_time = 2Vulnerabilidades
- apache2buddy
curl -O https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl
chmod +x apache2buddy.pl
./apache2buddy.pl- Nikto
sudo apt install nikto
nikto -h https://techshareroom.com