
Securing Apache and PHP on Ubuntu 22.04

Review

In this post we will aim at securing Apache and PHP on our Ubuntu Server 22.04 through various configuration directives. Let’s review what we did so far:

  • We installed and set up WordPress on an AWS EC2 instance and its database on an AWS RDS MySQL instance (see this post)
  • We then proceeded to enable ElastiCache for Memcached to optimize database and object cache for this installation (in this post).
  • We looked at how to improve the security of the WordPress installation by changing some of its settings, as described in this other post.
  • And finally, here we are, looking at how to improve our Apache and PHP configuration from a security and performance point of view.

We are going to edit some Apache configuration files and update the PHP configuration in php.ini to improve the security of the server.

Apache Configuration

Let’s start by enabling some additional Apache modules; some of the configuration lines below rely on one or more of these modules.

sudo a2enmod headers
sudo a2enmod deflate
sudo a2enmod expires headers
sudo a2enmod http2
sudo systemctl restart apache2

Now edit the Apache security.conf configuration file, which you should find at /etc/apache2/conf-available/security.conf, modifying or adding the following lines:

ServerTokens Prod
ServerSignature Off
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
LimitRequestBody 1000000000

Please note that LimitRequestBody is set very generously above (about 1 GB). You can reduce it as per your needs.

Restart Apache and check your headers with the following commands:

sudo systemctl restart apache2
curl -I http://your_domain_or_IP

It is possible that your site no longer loads after these configuration changes. If so, edit your site’s .conf file in Apache (mine is located at /etc/apache2/sites-enabled/wordpress-le-ssl.conf), adding or amending the following. If an AllowOverride directive already exists, append Indexes to it after the other options.

AllowOverride Indexes

# Set up caching on media files if desired (optional)
<FilesMatch "\.(flv|ico|pdf|avi|mov|ppt|doc|mp3|wmv|wav)$">
ExpiresDefault A29030400
Header append Cache-Control "public"
</FilesMatch>

In the same .conf file, add the following headers:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header always set Referrer-Policy "strict-origin"

Then restart Apache:

sudo systemctl restart apache2

Your site should load properly now.

You can use https://securityheaders.com/ to check the implementation above; your results should be similar to this:
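For an offline check that covers both the curl -I step and what securityheaders.com looks at, here is an added script (not part of the original post) that audits a captured header block against the directives set above: it flags a Server header that leaks a version, and checks X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security and Referrer-Policy. The two header dumps are constructed samples; your_domain is a placeholder.

```shell
# Added example (not from the original post): audit the response headers the
# Apache directives above should produce, e.g. audit_headers "$(curl -sI https://your_domain)"
# Lower-cased value of one header (name matched case-insensitively), or empty.
hv() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}
ok() { echo "PASS $1"; }; fail() { echo "FAIL $1"; fails=$((fails + 1)); }
# One PASS/FAIL line per check; the return value is the number of failures.
audit_headers() {
    h=$1; fails=0
    # ServerTokens Prod leaves just "Apache"; a "/" means a version leaked.
    case "$(hv "$h" Server)" in
        */*) fail "Server discloses a version" ;; *) ok "Server" ;;
    esac
    [ "$(hv "$h" X-Content-Type-Options)" = nosniff ] \
        && ok "X-Content-Type-Options" || fail "X-Content-Type-Options not nosniff"
    # sameorigin is what the post sets; deny is stricter and also accepted.
    case "$(hv "$h" X-Frame-Options)" in
        sameorigin|deny) ok "X-Frame-Options" ;; *) fail "X-Frame-Options missing or permissive" ;;
    esac
    # HSTS must cover at least a year and subdomains, as configured above.
    hsts=$(hv "$h" Strict-Transport-Security)
    age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    case "$hsts" in *includesubdomains*) subs=1 ;; *) subs=0 ;; esac
    [ "${age:-0}" -ge 31536000 ] && [ "$subs" -eq 1 ] \
        && ok "Strict-Transport-Security" || fail "Strict-Transport-Security weak or missing"
    # strict-origin is what the post sets; the others leak no more than it does.
    case "$(hv "$h" Referrer-Policy)" in
        no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin) ok "Referrer-Policy" ;;
        *) fail "Referrer-Policy missing or leaky" ;;
    esac
    return "$fails"
}
count_failures() { n=0; audit_headers "$1" >/dev/null || n=$?; echo "$n"; }  # count as text
# Constructed sample: what the server should return after the changes above.
GOOD_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Referrer-Policy: strict-origin'
# Constructed sample: a stock install before any of the changes.
BAD_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=UTF-8'
echo "== hardened sample =="; audit_headers "$GOOD_HEADERS"
echo "== stock sample ==";    audit_headers "$BAD_HEADERS" || echo "$? check(s) failed"
```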

PHP configuration

At this time, I will not explain these changes in detail; php.ini itself contains an explanation for each of the settings below. Let’s edit the php.ini file.

sudo nano /etc/php/8.1/apache2/php.ini

We will update some of the settings therein as follows:

session.cookie_httponly = True
session.use_strict_mode = 1
display_errors = Off
display_startup_errors = Off
allow_url_fopen = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

open_basedir = /path/to/your/web/root

session.gc_probability = 1
session.gc_divisor = 1000
session.save_handler = files

If you have not enabled OPcache, please see this article for the steps required (search for OPcache). Do not forget to restart Apache after making the changes above.

sudo systemctl restart apache2
