Question: We are working on hardening the Apache web server on all app servers. As part of this process we want to add some Apache response headers for security purposes. We are testing the settings one by one on all app servers. As per the details mentioned below, enable these headers for Apache:
Install the httpd package on App Server 3 using yum, configure it to run on port 6100, and make sure to start its service.
Create an index.html file under Apache's default document root, i.e. /var/www/html, and add the content given below to it.
Welcome to the xFusionCorp Industries!
Configure Apache to enable the headers mentioned below:
X-XSS-Protection header with value 1; mode=block
X-Frame-Options header with value SAMEORIGIN
X-Content-Type-Options header with value nosniff
Note: You can test using curl on the given app server, as the LBR URL will not work for this task.
1. Log in to App Server 3 as per the task and switch to the root user
thor@jump_host ~$ ssh banner@stapp03
The authenticity of host 'stapp03 (172.16.238.12)' can't be established.
ECDSA key fingerprint is SHA256:jQBzPUeKPaiyjrpKdy6e4PG/2IswOUaZYIogb7o1SHE.
ECDSA key fingerprint is MD5:1f:11:06:a6:ec:6c:f5:37:38:31:79:ad:a6:70:94:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stapp03,172.16.238.12' (ECDSA) to the list of known hosts.
banner@stapp03's password:
[banner@stapp03 ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for banner:
[root@stapp03 ~]#
2. Install the httpd package on the server
[root@stapp03 ~]# yum install httpd -y
Loaded plugins: fastestmirror, ovl
Determining fastest mirrors
 * base: mirror.us-midwest-1.nexcess.net
 * extras: centos.mirrors.hoobly.com
 * updates: mirrors.tummy.com
base                                     | 3.6 kB  00:00:00
extras                                   | 2.9 kB  00:00:00
updates                                  | 2.9 kB  00:00:00
(1/4): base/7/x86_64/group_gz            | 153 kB  00:00:00
Dependencies Resolved

================================================================================
 Package          Arch      Version                  Repository      Size
================================================================================
Installing:
 httpd            x86_64    2.4.6-97.el7.centos      updates        2.7 M
Installing for dependencies:
 apr              x86_64    1.4.8-7.el7              base           104 k
 apr-util         x86_64    1.5.2-6.el7              base            92 k
 centos-logos     noarch    70.0.6-3.el7.centos      base            21 M
 httpd-tools      x86_64    2.4.6-97.el7.centos      updates         93 k
 mailcap          noarch    2.1.41-2.el7             base            31 k

Transaction Summary
================================================================================
Install  1 Package (+5 Dependent packages)

Total download size: 24 M
Installed size: 32 M
Downloading packages:
(1/6): apr-1.4.8-7.el7.x86_64.rpm                      | 104 kB  00:00:00
(2/6): apr-util-1.5.2-6.el7.x86_64.rpm                 |  92 kB  00:00:00
(3/6): mailcap-2.1.41-2.el7.noarch.rpm                 |  31 kB  00:00:00
(4/6): httpd-tools-2.4.6-97.el7.centos.x86_64.rpm      |  93 kB  00:00:00
(5/6): centos-logos-70.0.6-3.el7.centos.noarch.rpm     |  21 MB  00:00:01
(6/6): httpd-2.4.6-97.el7.centos.x86_64.rpm            | 2.7 MB  00:00:01
--------------------------------------------------------------------------------
Total                                          18 MB/s |  24 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : apr-1.4.8-7.el7.x86_64                                  1/6
  Installing : apr-util-1.5.2-6.el7.x86_64                             2/6
  Installing : httpd-tools-2.4.6-97.el7.centos.x86_64                  3/6
  Installing : centos-logos-70.0.6-3.el7.centos.noarch                 4/6
  Installing : mailcap-2.1.41-2.el7.noarch                             5/6
  Installing : httpd-2.4.6-97.el7.centos.x86_64                        6/6
  Verifying  : mailcap-2.1.41-2.el7.noarch                             1/6
  Verifying  : apr-1.4.8-7.el7.x86_64                                  2/6
  Verifying  : apr-util-1.5.2-6.el7.x86_64                             3/6
  Verifying  : httpd-2.4.6-97.el7.centos.x86_64                        4/6
  Verifying  : httpd-tools-2.4.6-97.el7.centos.x86_64                  5/6
  Verifying  : centos-logos-70.0.6-3.el7.centos.noarch                 6/6

Installed:
  httpd.x86_64 0:2.4.6-97.el7.centos

Dependency Installed:
  apr.x86_64 0:1.4.8-7.el7                      apr-util.x86_64 0:1.5.2-6.el7
  centos-logos.noarch 0:70.0.6-3.el7.centos     httpd-tools.x86_64 0:2.4.6-97.el7.centos
  mailcap.noarch 0:2.1.41-2.el7

Complete!
[root@stapp03 ~]#
3. Edit the configuration file: change the port as per the task and add the Header directives at the end
[root@stapp03 ~]# vi /etc/httpd/conf/httpd.conf
[root@stapp03 ~]#
[root@stapp03 ~]# cat /etc/httpd/conf/httpd.conf | grep Listen
# Listen: Allows you to bind Apache to specific IP addresses and/or
# Change this to Listen on specific IP addresses as shown below to
#Listen 12.34.56.78:80
Listen 6100
[root@stapp03 ~]#
[root@stapp03 ~]# cat /etc/httpd/conf/httpd.conf | grep X
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
[root@stapp03 ~]#
4. Create the index file with the content given in the task
[root@stapp03 ~]# ll /var/www/html/
total 0
[root@stapp03 ~]# vi /var/www/html/index.html
[root@stapp03 ~]# cat /var/www/html/index.html
Welcome to the xFusionCorp Industries!
[root@stapp03 ~]#
5. Start httpd and check its status
[root@stapp03 ~]# systemctl start httpd
[root@stapp03 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-17 07:31:12 UTC; 3s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 846 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 849 (httpd)
   Status: "Processing requests..."
   CGroup: /docker/ca626cd24e8751a8de7d5bd4437816e73bb469629bd472504ef7e34d0bb3c7ae/system.slice/httpd.service
           ├─849 /usr/sbin/httpd -DFOREGROUND
           ├─850 /usr/sbin/httpd -DFOREGROUND
           ├─851 /usr/sbin/httpd -DFOREGROUND
           ├─852 /usr/sbin/httpd -DFOREGROUND
           ├─853 /usr/sbin/httpd -DFOREGROUND
           └─854 /usr/sbin/httpd -DFOREGROUND

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com httpd[849]: [Sat Jul 17 07:31:12.959638 2021] [so:warn] [pid 849...ing
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com httpd[849]: AH00558: httpd: Could not reliably determine the ser...age
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Got notification message for unit httpd.service
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: Got notification message from PID 849...49)
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got MAINPID=849
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got READY=1
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service changed start -> running
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Job httpd.service/start finished, result=done
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Started The Apache HTTP Server.
Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got STATUS=Processing requests...
Hint: Some lines were ellipsized, use -l to show in full.
[root@stapp03 ~]#
6. Validate the task with curl
[root@stapp03 ~]# curl http://localhost:8083
Welcome to the xFusionCorp Industries!
[root@stapp03 ~]#
[root@stapp03 ~]# curl -i http://localhost:8083
HTTP/1.1 200 OK
Date: Sat, 17 Jul 2021 07:32:26 GMT
Server: Apache/2.4.6 (CentOS)
X-Frame-Options: SAMEORIGIN
Last-Modified: Sat, 17 Jul 2021 07:31:44 GMT
ETag: "27-5c74cb2316a2c"
Accept-Ranges: bytes
Content-Length: 39
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

Welcome to the xFusionCorp Industries!
[root@stapp03 ~]#
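To turn the manual curl -i check of step 6 into a repeatable test, here is an added shell script (not part of the original post) that parses a captured curl -i response and reports each of the three headers from step 3 as OK, MISSING or WRONG; the URL in the usage comment and the CHECK_URL variable are assumptions, with port 6100 taken from the task.

```shell
#!/bin/sh
# Added example, not from the original post: check a captured "curl -i"
# response for the three headers configured in step 3.
# Usage on the app server (URL and CHECK_URL variable are assumptions):
#   CHECK_URL=http://localhost:6100/ sh check_headers.sh

# check_headers RESPONSE: print one line per required header and return 0
# only when all three are present with exactly the value the task asks for.
check_headers() {
    resp=$1
    rc=0
    for spec in "X-XSS-Protection=1; mode=block" \
                "X-Frame-Options=SAMEORIGIN" \
                "X-Content-Type-Options=nosniff"; do
        name=${spec%%=*}          # text before the first "="
        want=${spec#*=}           # text after it (may itself contain "=")
        # Header names are case-insensitive; take the first match, drop the
        # CR that HTTP header lines end with and trim surrounding spaces.
        got=$(printf '%s\n' "$resp" | grep -i "^$name:" | head -n 1 \
              | cut -d: -f2- | tr -d '\r' | sed 's/^ *//; s/ *$//')
        if [ -z "$got" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $name: got '$got', want '$want'"; rc=1
        else
            echo "OK      $name: $got"
        fi
    done
    return $rc
}

# Constructed sample modelled on the step 6 output (not a real capture).
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8

Welcome to the xFusionCorp Industries!'

# Stand-alone run: check a live URL when CHECK_URL is set, else the sample.
if [ -n "${CHECK_URL:-}" ]; then
    check_headers "$(curl -si "$CHECK_URL")"
else
    check_headers "$SAMPLE_OK"
fi
```

Run it against an error page too (a path that returns 404): `Header set` without `always` only operates on the success (2xx) header table, so by default Apache's own 404 response will carry X-Frame-Options but not the other two; `Header always set` covers all responses.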
7. Click on Finish and Confirm to complete the task successfully
Happy Learning!!!!