Web server
Apache & hardening 🌐
Fail2Ban
This page has been moved here: Firewall
Basic hardening 💪
All changes made here go in the file /etc/apache2/apache2.conf on a Debian-based server.
Server tokens and signature:
# Server tokens and signature: shrink the Server banner to "Apache" and drop the version footer from error pages
ServerTokens Prod
ServerSignature Off
ETag vulnerability
# ETag vulnerability: stop emitting ETag headers, which are derived from file metadata
FileETag None
Anti-XSS
# Anti-XSS: flag every cookie HttpOnly (unreadable from script) and Secure (sent over HTTPS only); needs mod_headers
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Anti-clickjacking
# Anti-clickjacking: only same-origin pages may frame this site.
# "set" rather than "append": appending to a value the application already sends would
# produce a comma-separated list that browsers reject, leaving no protection at all
Header always set X-Frame-Options SAMEORIGIN
Disabling HTTP 1.0
# Disabling HTTP 1.0: reject (403) any request line that is not HTTP/1.1; needs mod_rewrite.
# HTTP/2 requests appear in THE_REQUEST as "HTTP/2.0", so they are accepted too if mod_http2 is enabled
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/(1\.1|2\.0)$
RewriteRule .* - [F]
Apache2 config file template
<VirtualHost *:80>
ServerName toto.lan
# Send every plain-HTTP request to HTTPS, keeping the requested path (needs mod_rewrite).
# The rewrite replaces a bare "Redirect permanent / https://toto.lan", whose target lacks
# the trailing slash and therefore mangles the path
RewriteEngine on
RewriteCond %{SERVER_NAME} =toto.lan
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:443>
ServerName toto.lan
DocumentRoot "/var/www/toto"
DirectoryIndex index.html
<Directory /var/www/toto>
# Follow symlinks, never list directory contents, ignore .htaccess files
Options FollowSymlinks -Indexes
AllowOverride None
Require all granted
</Directory>
# Logs
ErrorLog /var/log/apache2/error.toto.log
CustomLog /var/log/apache2/access.toto.log combined
# SSL & hardening (needs mod_ssl and mod_headers)
# Certbot's snippet turns on SSLEngine and sets protocol and cipher defaults
Include /etc/letsencrypt/options-ssl-apache.conf
# OCSP stapling also requires an SSLStaplingCache directive in server context (outside any VirtualHost)
SSLUseStapling on
# HSTS for one year
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-Content-Type-Options nosniff
# frame-ancestors 'none' forbids all framing and takes precedence over X-Frame-Options
Header always set Content-Security-Policy "frame-ancestors 'none';"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
# Permissions-Policy: self is an unquoted token (the quoted 'self' form belongs to the older Feature-Policy syntax)
Header always set Permissions-Policy "accelerometer=(), geolocation=(self), fullscreen=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(self)"
SSLCertificateFile /etc/ssl/certs/toto.crt
SSLCertificateKeyFile /etc/ssl/private/toto.key
</VirtualHost>
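To verify that the basic hardening directives and the 443 template above are actually in effect, the following Python script audits a captured response head (as returned by curl -sI, for instance) and mirrors the HTTP/1.0 rewrite condition. It is an added example, not code from this page or from the Apache project; the two sample responses are constructed, not captured from a real server, and every finding maps back to one directive above.

```python
"""Audit a captured HTTP response head against the hardening directives on this page.

Added example: the sample responses below are constructed, not captured from a server.
"""
import re
from typing import Dict, List

# Constructed sample: a stock Debian Apache before any hardening
RAW_BEFORE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.57 (Debian)
ETag: "2d-5f1e0c3b9a2c0"
Set-Cookie: session=abc123; Path=/
Content-Type: text/html
"""

# Constructed sample: the same server after the page's directives are applied
RAW_AFTER = """\
HTTP/1.1 200 OK
Server: Apache
Set-Cookie: session=abc123; Path=/;HttpOnly;Secure
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none';
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html
"""

# Headers the 443 VirtualHost template sets; a missing one is a finding
REQUIRED = {
    "x-frame-options": "X-Frame-Options",
    "strict-transport-security": "Strict-Transport-Security",
    "x-content-type-options": "X-Content-Type-Options",
    "content-security-policy": "Content-Security-Policy",
    "referrer-policy": "Referrer-Policy",
}

# Same pattern as the RewriteCond on %{THE_REQUEST}: HTTP/1.1 and HTTP/2
# (rendered "HTTP/2.0" in the request line) pass, anything else is refused
ALLOWED_VERSION = re.compile(r"HTTP/(1\.1|2\.0)$")


def request_line_allowed(request_line: str) -> bool:
    """Mirror the rewrite condition: False means the RewriteRule answers 403."""
    return ALLOWED_VERSION.search(request_line) is not None


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Turn a raw response head into a lower-cased name -> values multimap."""
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> List[str]:
    """Return one finding per directive from the page that is not in effect."""
    h = parse_headers(raw)
    findings: List[str] = []

    # ServerTokens Prod leaves only the product name; any digit means a version leaked
    server = h.get("server", [""])[0]
    if re.search(r"\d", server):
        findings.append(f"ServerTokens: version disclosed in Server header ({server})")

    # FileETag None removes the header entirely
    if "etag" in h:
        findings.append("FileETag: ETag header still emitted")

    # The Header edit on Set-Cookie must leave both flags on every cookie
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"httponly", "secure"} <= attrs:
            findings.append(f"Set-Cookie: cookie '{name}' lacks HttpOnly and/or Secure")

    for key, display in REQUIRED.items():
        if key not in h:
            findings.append(f"{display}: header missing")

    # HSTS must carry at least the one-year max-age used in the template
    for value in h.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value)
        if not m or int(m.group(1)) < 31536000:
            findings.append(f"Strict-Transport-Security: max-age below one year ({value})")

    return findings


if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        result = audit_headers(raw)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
    print("HTTP/1.0 allowed:", request_line_allowed("GET / HTTP/1.0"))
```

Run it as-is to compare the two constructed samples, or replace RAW_BEFORE with the output of a real curl -sI against your own server; the "after" sample produces no findings, while the stock one reports the version banner, the ETag, the unflagged cookie and the five missing response headers.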