Apache安全模块配置指南(以CentOS/Ubuntu为例)
配置Apache安全模块需通过安装模块→启用模块→调整规则→加固周边防护的流程,以下是具体步骤:
sudo yum update -y
sudo yum install mod_security mod_evasive -y
sudo apt update && sudo apt upgrade -y
sudo apt install apache2 libapache2-mod-security2 libapache2-mod-evasive -y
编辑Apache主配置文件(/etc/httpd/conf/httpd.conf),取消以下模块加载行的注释(或添加):
LoadModule security2_module modules/mod_security2.so
LoadModule evasive20_module modules/mod_evasive20.so
通过a2enmod命令启用模块(自动处理依赖):
sudo a2enmod security2 # 启用mod_security
sudo a2enmod evasive # 启用mod_evasive
mod_security的核心配置文件路径:
/etc/httpd/conf.d/security2.conf;/etc/apache2/conf-available/security2.conf(需通过sudo a2enconf security2启用)。# 开启规则引擎(On=拦截,DetectionOnly=仅检测)
SecRuleEngine On
# 允许访问请求体(如表单数据)
SecRequestBodyAccess On
# 允许记录响应体(用于审计)
SecResponseBodyAccess On
# 审计日志路径(记录拦截的请求)
SecAuditLog /var/log/httpd/security_audit.log # CentOS
SecAuditLog /var/log/modsec_audit.log # Ubuntu
# 日志包含的字段(如请求头、响应状态等)
SecAuditLogParts ABIJDEFHZ
# 存储临时数据的目录(需可写)
SecDataDir /var/cache/mod_security # CentOS
SecDataDir /var/lib/modsecurity # Ubuntu
# 下载CRS(以v3.4.0为例)
wget https://github.com/coreruleset/coreruleset/archive/v3.4.0.tar.gz
tar -xzf v3.4.0.tar.gz
mv coreruleset-3.4.0/rules /etc/apache2/modsecurity.d/owasp-crs/
# 包含CRS配置
Include /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
Include /etc/apache2/modsecurity.d/owasp-crs/rules/*.conf
SecRuleEngine设为DetectionOnly(仅记录不拦截),待调试后再开启。mod_evasive的配置文件路径:
/etc/httpd/conf.d/evasive.conf;/etc/apache2/mods-available/evasive.conf。<IfModule mod_evasive20.c>
# 哈希表大小(存储IP请求记录)
DOSHashTableSize 3097
# 单IP单页面1秒内超过2次请求则触发拦截
DOSPageCount 2
DOSPageInterval 1
# 单IP全站1秒内超过50次请求则触发拦截
DOSSiteCount 50
DOSSiteInterval 1
# 拦截时长(秒)
DOSBlockingPeriod 10
</IfModule>
使用Let’s Encrypt免费获取SSL证书,加密HTTP流量:
# 安装Certbot(CentOS/Ubuntu通用)
sudo yum install certbot python2-certbot-apache -y # CentOS
sudo apt install certbot python3-certbot-apache -y # Ubuntu
# 获取证书并自动配置Apache
sudo certbot --apache -d yourdomain.com -d www.yourdomain.com
证书到期前会自动提醒续期,也可手动执行sudo certbot renew。
编辑Apache安全配置文件(/etc/apache2/conf-available/security.conf,Ubuntu)或/etc/httpd/conf/httpd.conf(CentOS),添加以下头信息:
<IfModule mod_headers.c>
# 防止浏览器MIME类型嗅探
Header always set X-Content-Type-Options "nosniff"
# 防止点击劫持(仅允许同源iframe嵌入)
Header always set X-Frame-Options "SAMEORIGIN"
# 启用XSS防护(拦截反射型XSS)
Header always set X-XSS-Protection "1; mode=block"
# 限制Referer信息泄露
Header always set Referrer-Policy "no-referrer-when-downgrade"
</IfModule>
启用配置:
sudo a2enconf security # Ubuntu
sudo systemctl restart apache2
编辑虚拟主机配置文件(如/etc/apache2/sites-available/yourdomain.conf),限制目录访问:
<Directory /var/www/html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted # 允许所有IP访问(生产环境建议缩小范围)
</Directory>
对/admin等敏感目录启用Basic认证:
<Directory /var/www/html/admin>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Directory>
创建密码文件(首次需用-c创建,后续添加用户无需-c):
sudo htpasswd -c /etc/apache2/.htpasswd admin
<Directory /var/www/html>
Require ip 192.168.1.100 192.168.1.101
</Directory>
<Directory /var/www/html>
Require not ip 192.168.1.200
</Directory>
完成所有配置后,重启Apache使更改生效:
# CentOS
sudo systemctl restart httpd
# Ubuntu
sudo systemctl restart apache2
检查审计日志是否有记录(如正常访问会生成日志):
# CentOS
tail -f /var/log/httpd/security_audit.log
# Ubuntu
tail -f /var/log/modsec_audit.log
使用ab(Apache Benchmark)模拟高频请求,若被拦截会返回403:
ab -n 100 -c 10 http://yourdomain.com/ # 10秒内发送100个请求(并发10)
sudo yum update(CentOS)或sudo apt update && sudo apt upgrade(Ubuntu),修复安全漏洞;# CentOS
sudo tar -czvf /backup/apache2_backup.tar.gz /etc/httpd
# Ubuntu
sudo tar -czvf /backup/apache2_backup.tar.gz /etc/apache2
fail2ban等工具监控security_audit.log和error.log,及时发现异常请求。通过以上步骤,可显著提升Apache服务器的安全性,抵御常见Web攻击(如SQL注入、XSS、DDoS等)。需根据实际业务场景调整规则(如放宽敏感目录的访问限制),避免误拦截正常请求。