This all-purpose guide for locking down Apache arms readers with all the information they need to securely deploy applications.
Chapter 1. Apache Security Principles
Section 1.1. Security Definitions
Section 1.2. Web Application Architecture Blueprints
Chapter 2. Installation and Configuration
Section 2.1. Installation
Section 2.2. Configuration and Hardening
Section 2.3. Changing Web Server Identity
Section 2.4. Putting Apache in Jail
Chapter 3. PHP
Section 3.1. Installation
Section 3.2. Configuration
Section 3.3. Advanced PHP Hardening
Chapter 4. SSL and TLS
Section 4.1. Cryptography
Section 4.2. SSL
Section 4.3. OpenSSL
Section 4.4. Apache and SSL
Section 4.5. Setting Up a Certificate Authority
Section 4.6. Performance Considerations
Chapter 5. Denial of Service Attacks
Section 5.1. Network Attacks
Section 5.2. Self-Inflicted Attacks
Section 5.3. Traffic Spikes
Section 5.4. Attacks on Apache
Section 5.5. Local Attacks
Section 5.6. Traffic-Shaping Modules
Section 5.7. DoS Defense Strategy
Chapter 6. Sharing Servers
Section 6.1. Sharing Problems
Section 6.2. Distributing Configuration Data
Section 6.3. Securing Dynamic Requests
Section 6.4. Working with Large Numbers of Users
Chapter 7. Access Control
Section 7.1. Overview
Section 7.2. Authentication Methods
Section 7.3. Access Control in Apache
Section 7.4. Single Sign-on
Chapter 8. Logging and Monitoring
Section 8.1. Apache Logging Facilities
Section 8.2. Log Manipulation
Section 8.3. Remote Logging
Section 8.4. Logging Strategies
Section 8.5. Log Analysis
Section 8.6. Monitoring
Chapter 9. Infrastructure
Section 9.1. Application Isolation Strategies
Section 9.2. Host Security
Section 9.3. Network Security
Section 9.4. Using a Reverse Proxy
Section 9.5. Network Design
Chapter 10. Web Application Security
Section 10.1. Session Management Attacks
Section 10.2. Attacks on Clients
Section 10.3. Application Logic Flaws
Section 10.4. Information Disclosure
Section 10.5. File Disclosure
Section 10.6. Injection Flaws
Section 10.7. Buffer Overflows
Section 10.8. Evasion Techniques
Section 10.9. Web Application Security Resources
Chapter 11. Web Security Assessment
Section 11.1. Black-Box Testing
Section 11.2. White-Box Testing
Section 11.3. Gray-Box Testing
Chapter 12. Web Intrusion Detection
Section 12.1. Evolution of Web Intrusion Detection
Section 12.2. Using mod_security
Appendix A. Tools
Section A.1. Learning Environments
Section A.2. Information-Gathering Tools
Section A.3. Network-Level Tools
Section A.4. Web Security Scanners
Section A.5. Web Application Security Tools
Section A.6. HTTP Programming Libraries
Preface
There is something about books that makes them one of the most precious things in the world. I've always admired people who write them, and I have always wanted to write one myself. The book you are now holding is a result of many years of work with the referenced Internet technologies and almost a year of hard work putting the words on paper. The preface may be the first thing you are reading, but it is the last thing I am writing. And I can tell you it has been quite a ride.
Aside from my great wish to be a writer in the first place, which only helped me in my effort to make the book as good as possible, there is a valid reason for its existence: a book of this profile is greatly needed by all those who are involved with web security. I, and many of the people I know, need it. I've come to depend on it in my day-to-day work, even though at the time of this writing it is not yet published. The reason this book is needed is that web security is affected by some diverse factors, which interact with each other in web systems and affect their security in varied, often subtle ways. Ultimately, what I tried to do was create one book to contain all the information one needs to secure an Apache-based system.
My goal was to write a book I could safely recommend to anyone who is about to deploy on Apache, so I would be confident they would succeed provided they followed the advice in the book. You have, in your hands, the result of that effort.