Recommended Steps to Harden Apache HTTP on FreeBSD 12.0

This article describes how to configure the Apache HTTP server to reduce information exposure, protect sessions, and set secure headers and cookies, improving the security of a FreeBSD server.

Introduction

Although the default installation of an Apache HTTP server is already safe to use, its configuration can be substantially improved with a few modifications. You can complement already present security mechanisms, for example, by setting protections around cookies and headers, so connections can’t be tampered with at the user’s client level. By doing this you can dramatically reduce the possibilities of several attack methods, like Cross-Site Scripting attacks (also known as XSS). You can also prevent other types of attacks, such as Cross-Site Request Forgery, or session hijacking, as well as Denial of Service attacks.

In this tutorial you’ll implement some recommended steps to reduce how much information on your server is exposed. You will verify the directory listings and disable indexing to check the access to resources. You’ll also change the default value of the timeout directive to help mitigate Denial of Service type of attacks. Furthermore you’ll disable the TRACE method so sessions can’t be reversed and hijacked. Finally you’ll secure headers and cookies.

Most of the configuration settings will be applied to the Apache HTTP main configuration file found at /usr/local/etc/apache24/httpd.conf.

Prerequisites

Before you begin this guide you’ll need the following:

With the prerequisites in place you have a FreeBSD system with a stack on top of it able to serve web content written in PHP, such as major CMS software. Furthermore, you've secured connections with a Let's Encrypt certificate.

Reducing Server Information

The operating system banner is a method used by computers, servers, and devices of all kinds to present themselves on a network. Malicious actors can use this information to select exploits that match the systems it identifies. In this section you'll reduce the amount of information published by this banner.

Sets of directives control how this information is displayed. For this purpose the ServerTokens directive is important; by default it displays all details about the operating system and compiled modules to the client that’s connecting to it.

You’ll use a tool for network scanning to check what information is currently revealed prior to applying any changes. To install nmap run the following command:

  • sudo pkg install nmap

To get your server’s IP address, you can run the following command:

  • ifconfig vtnet0 | awk '/inet / {print $2}'

You can check the web server response by using the following command:

  • nmap -sV -p 80 your-server-ip

You invoke nmap with the -sV flag, which scans the target and detects the service version, on port 80 (the -p flag) of the given IP address or domain.

You’ll receive information about your web server, similar to the following:

Output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 00:30 CET
Nmap scan report for 206.189.123.232
Host is up (0.054s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((FreeBSD) OpenSSL/1.1.1d-freebsd)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.59 seconds

This output shows that information such as the operating system, the Apache HTTP version, and OpenSSL are visible. This can be useful for attackers to gain information about the server and choose the right tools to exploit, for example, a vulnerability in the software running on the server.

The ServerTokens directive is not set in the default configuration file and, as the documentation states, leaving it unset makes Apache HTTP display the full information about the server. To limit what is revealed about your server and its configuration, you'll add the ServerTokens directive to the main configuration file.

You'll place this directive after the ServerName entry in the configuration file. Run the following command to find that entry:

  • grep -n 'ServerName' /usr/local/etc/apache24/httpd.conf

You’ll find the line number that you can then search with vi:

Output
226 #ServerName www.example.com:80

Run the following command:

  • sudo vi +226 /usr/local/etc/apache24/httpd.conf

Add the following highlighted line:

/usr/local/etc/apache24/httpd.conf
. . .
#ServerName www.example.com:80
ServerTokens Prod

Save and exit the file with :wq and ENTER.

Setting the ServerTokens directive to Prod will make it only display that this is an Apache web server.

For this to take effect restart the Apache HTTP server:

  • sudo apachectl restart

To test the changes, run the following command:

  • nmap -sV -p 80 your-server-ip

You'll see output similar to the following, with less information about your Apache web server:

Output
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 00:58 CET
Nmap scan report for WPressBSD (206.189.123.232)
Host is up (0.056s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.59 seconds

You’ve seen what information the server was announcing prior to the change and you’ve now reduced this to the minimum. With this you’re providing fewer clues about your server to an external actor. In the next step you’ll manage the directory listings for your web server.

Managing Directory Listings

In this step you’ll ensure the directory listing is correctly configured, so the right parts of the system are publicly available as intended, while the remainder are protected.

Note: An argument listed without a prefix is enabled; the + sign makes explicit that it is enabled. A minus sign - disables the argument, for example, Options -Indexes.

Arguments with + or - prefixes cannot be mixed with unprefixed ones; Apache HTTP considers this bad syntax and may reject the configuration at start-up.

Adding the statement Options -Indexes means that when a URL maps to a directory under the data path /usr/local/www/apache24/data that contains no index file such as index.html, Apache HTTP will not automatically generate (and display) a listing of its contents. This also applies to virtual host configurations, such as the one used in the prerequisite tutorial for the Let's Encrypt certificate.

You will set the Options directive with the -Indexes argument and the +FollowSymLinks argument, which allows symbolic links to be followed. You'll use the + symbol in order to comply with Apache HTTP's conventions.

Run the following command to find the line to edit in the configuration file:

  • grep -n 'Options Indexes FollowSymLinks' /usr/local/etc/apache24/httpd.conf

You’ll see output similar to the following:

Output
263 : Options Indexes FollowSymLinks

Run this command to directly access the line for editing:

  • sudo vi +263 /usr/local/etc/apache24/httpd.conf

Now edit the line as per the configuration:

/usr/local/etc/apache24/httpd.conf
. . .
#
Options -Indexes +FollowSymLinks
#
. . .

Save and exit the file with :wq and ENTER.

Restart Apache HTTP to implement these changes:

  • sudo apachectl restart

At your domain in the browser, you'll see a forbidden access message, also known as the 403 error. This is due to the changes you've applied. Placing -Indexes into the Options directive has disabled the auto-index capability of Apache HTTP, and because there is no index.html file inside the DocumentRoot of your virtual host, Apache HTTP now returns 403 instead of a directory listing.

You can solve this by placing an index.html file inside the VirtualHost you enabled in the prerequisite tutorial for the Let's Encrypt certificate. You'll use the default page shipped with Apache HTTP and place it in the same folder as the DocumentRoot that you declared in the virtual host.

/usr/local/etc/apache24/extra/httpd-vhosts.conf
<VirtualHost *:80>
    ServerAdmin your_email@your_domain.com
    DocumentRoot "/usr/local/www/apache24/data/your_domain.com"
    ServerName your_domain.com
    ServerAlias www.your_domain.com
    ErrorLog "/var/log/your_domain.com-error_log"
    CustomLog "/var/log/your_domain.com-access_log" common
</VirtualHost>

Use the following command to do this:

  • sudo cp /usr/local/www/apache24/data/index.html /usr/local/www/apache24/data/your_domain.com/index.html

Now you’ll see an It works! message when visiting your domain.

In this section you've restricted the Indexes option so that Apache HTTP does not automatically list and display content other than what you intend. Now, if there is no index.html file inside the data path, Apache HTTP will not automatically generate an index of its contents. In the next step you'll move beyond obscuring information and customize different directives.

Reducing the Timeout Directive Value

The Timeout directive sets the limit of time Apache HTTP will wait for new input/output before failing the connection request. This failure can occur under different circumstances, such as packets not arriving at the server or data not being confirmed as received by the client.

By default the timeout is set to 60 seconds. In environments where the internet service is slow this default value may be sensible, but one minute is quite a long time, particularly if the server is serving users with faster internet service. Furthermore, the time during which the server keeps a connection open can be abused to perform Denial of Service (DoS) attacks. If a flood of these malicious connections occurs the server will stumble and possibly become saturated and unresponsive.

To change the value you’ll find the Timeout entries in the httpd-default.conf file:

  • grep -n 'Timeout' /usr/local/etc/apache24/extra/httpd-default.conf

You’ll see similar output to:

Output
8 # Timeout: The number of seconds before receives and sends time out.
10 Timeout 60
26 # KeepAliveTimeout: Number of seconds to wait for the next request from the
29 KeepAliveTimeout 5
89 RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

In the output, line 10 sets the Timeout directive value. To directly access this line run the following command:

  • sudo vi +10 /usr/local/etc/apache24/extra/httpd-default.conf

You’ll change it to 30 seconds, for example, like the following:

/usr/local/etc/apache24/extra/httpd-default.conf
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 30

Save and exit the file with :wq and ENTER.

The value of the Timeout directive has to balance a window long enough for a legitimate connection to complete successfully, but short enough that undesired connection attempts cannot hold resources for long.

Note: Denial of Service attacks can drain the server's resources quite effectively. A complementary and very capable countermeasure is using a threaded MPM to get the best performance out of how Apache HTTP handles connections and processes. The tutorial How To Configure Apache HTTP with MPM Event and PHP-FPM on FreeBSD 12.0 has steps on enabling this capability.

For this change to take effect restart the Apache HTTP server:

  • sudo apachectl restart

You’ve changed the default value of the Timeout directive in order to partially mitigate DoS attacks.

Disabling the TRACE Method

The Hypertext Transfer Protocol was developed following a client-server model and, as such, the protocol has request methods to retrieve information from or send information to the server. The server needs to understand these sets of methods and the interaction between them. In this step you'll configure the minimum necessary methods.

The TRACE method, once considered harmless, has been leveraged to perform Cross-Site Tracing attacks, which allow malicious actors to steal user sessions through that method. The method was designed for debugging: the server returns the same request that the client originally sent. Because the cookie from the browser's session is sent to the server, it is sent back again in the response. This could potentially be intercepted by a malicious actor, who can then redirect a browser's connection to a site under their control rather than to the original server.

Because of the possibility of the misuse of the TRACE method it is recommended to only use it for debugging and not in production. In this section you’ll disable this method.

Edit the httpd.conf file with the following command and then press G to reach the end of the file:

  • sudo vi /usr/local/etc/apache24/httpd.conf

Add the following entry at the end of the file:

/usr/local/etc/apache24/httpd.conf
. . .
TraceEnable off

A good practice is to only specify the methods you’ll use in your Apache HTTP web server. This will help limit potential entry points for malicious actors.

LimitExcept can be useful for this purpose since it will not allow any other methods than those declared in it. For example a configuration can be established like this one:

/usr/local/etc/apache24/httpd.conf
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
    Options -Indexes +FollowSymLinks -Includes
    AllowOverride none
    # Deny every method not listed here (Apache 2.4 authorization syntax)
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
    Require all granted
</Directory>

As declared within the LimitExcept directive only the GET, POST, and HEAD methods are allowed in the configuration.

  • The GET method is part of the HTTP protocol and it is used to retrieve data.

  • The POST method is also part of the HTTP protocol and is used to send data to the server.

  • The HEAD method is similar to GET, however this has no response body.

You’ll use the following command and place the LimitExcept block inside the file:

  • sudo vi +272 /usr/local/etc/apache24/httpd.conf

To set this configuration you'll place the following block inside the Directory entry for the DocumentRoot from which the content will be read:

/usr/local/etc/apache24/httpd.conf
. . .
<LimitExcept GET POST HEAD>
    Require all denied
</LimitExcept>
. . .

To apply the changes restart Apache HTTP:

  • sudo apachectl restart

The newer directive AllowedMethods provides similar functionality, although its status is still experimental.

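As an added check that is not part of the tutorial, the Python script below statically audits an httpd.conf fragment for the settings from the preceding steps: ServerTokens Prod, Options -Indexes without the mixed +/- syntax that Apache rejects, the reduced Timeout, TraceEnable off, and a LimitExcept block restricted to GET, POST and HEAD. The two configuration fragments are constructed samples (one hardened, one stock), the check names and the 30-second threshold are this example's own assumptions, and the parser is deliberately line-oriented: it does not follow Include directives or evaluate <IfModule> conditions.

```python
"""Static audit of an Apache httpd.conf fragment against the hardening steps in
this tutorial: ServerTokens, Options indexing, Timeout, TraceEnable, LimitExcept.
Added example: directive names are Apache's, the rules are this script's own,
and both config texts are constructed, not copied from a real server."""

# Constructed sample: the tutorial's settings applied.
HARDENED_CONF = """
#ServerName www.example.com:80
ServerTokens Prod
Timeout 30
TraceEnable off
<Directory "/usr/local/www/apache24/data">
    Options -Indexes +FollowSymLinks
    AllowOverride none
    <LimitExcept GET POST HEAD>
        Require all denied
    </LimitExcept>
    Require all granted
</Directory>
"""

# Constructed sample: a stock-looking config before any of the steps.
STOCK_CONF = """
#ServerName www.example.com:80
Timeout 60
<Directory "/usr/local/www/apache24/data">
    Options Indexes FollowSymLinks
    AllowOverride none
    Require all granted
</Directory>
"""

TUTORIAL_TIMEOUT = 30                     # the value chosen in the Timeout step
ALLOWED_METHODS = {"GET", "POST", "HEAD"}  # the methods kept by the LimitExcept block


def directives(conf):
    """Yield (name, args) for each active line, skipping comments and blank lines.
    Section openers such as <LimitExcept GET POST HEAD> yield ('LimitExcept',
    ['GET', 'POST', 'HEAD']); closing tags are skipped."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("</"):
            continue
        if line.startswith("<"):
            line = line[1:].rstrip(">")
        parts = line.split()
        yield parts[0], parts[1:]


def options_mixes_syntax(args):
    """True when an Options list mixes +/- prefixed and bare arguments,
    which Apache rejects at start-up (see the note on Options above)."""
    prefixed = sum(1 for a in args if a[:1] in ("+", "-"))
    return 0 < prefixed < len(args)


def audit(conf):
    """Return {check_name: bool} for the tutorial's hardening steps."""
    seen = {}
    for name, args in directives(conf):
        seen.setdefault(name, []).append(args)

    tokens = seen.get("ServerTokens", [["Full"]])[0]    # Apache's default is Full
    options = seen.get("Options", [])
    timeout = int(seen.get("Timeout", [["60"]])[0][0])  # Apache's default is 60
    trace = seen.get("TraceEnable", [["on"]])[0]        # Apache's default is on
    limits = seen.get("LimitExcept", [])

    return {
        "server_tokens_prod": tokens == ["Prod"],
        "indexes_disabled": bool(options) and all("-Indexes" in o for o in options),
        "options_syntax_ok": not any(options_mixes_syntax(o) for o in options),
        "timeout_reduced": timeout <= TUTORIAL_TIMEOUT,
        "trace_disabled": [t.lower() for t in trace] == ["off"],
        "methods_limited": bool(limits) and all(set(l) <= ALLOWED_METHODS for l in limits),
    }


def failing_checks(conf):
    """Sorted names of the checks that fail, for a quick pass/fail summary."""
    return sorted(k for k, ok in audit(conf).items() if not ok)


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("stock", STOCK_CONF)):
        print(label, "->", failing_checks(conf) or "all checks pass")
```

Run it against the text of your own httpd.conf (and the extra/httpd-default.conf that holds Timeout) after each step; a failing check names the directive still left at its default. Because Apache directive names are case-insensitive, a real-world version would normalise `name` before comparing.
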
You’ve seen what HTTP methods are, their use, and the protection they offer from malicious activity leveraging the TRACE method as well as how to declare what methods to use. Next you’ll work with further protections dedicated to HTTP headers and cookies.

Securing Headers and Cookies

In this step you’ll set specific directives to protect the sessions that the client machines will open when visiting your Apache HTTP web server. This way your server will not load unwanted content, encryption will not be downgraded, and you’ll avoid content sniffing.

Headers are components of HTTP request and response messages. There are headers to adjust authentication, communication between server and client, caching, content negotiation, and so on.

Cookies are bits of information sent by the server to the browser. They allow the server to recognize a client browser across requests and to recognize user sessions. For example, they can track a logged-in user's shopping cart, payment information, history, and so on. Cookies are stored and returned by the client's web browser because HTTP is a stateless protocol, meaning that once a connection closes the server does not remember the requests sent by one client or another.

It is important to protect headers as well as cookies because they provide communication between the web browser client and the web server.

The headers module comes activated by default. To check if it’s loaded you’ll use the following command:

  • sudo apachectl -M | grep 'headers'

You’ll see the following output:

Output
headers_module (shared)

If you don’t see any output, check if the module is activated inside Apache’s httpd.conf file:

  • grep -n 'mod_headers' /usr/local/etc/apache24/httpd.conf

As output you’ll see an uncommented line referring to the specific module for headers:

/usr/local/etc/apache24/httpd.conf
. . .
122  LoadModule headers_module libexec/apache24/mod_headers.so
. . .

Remove the hash sign (#) at the beginning of the mod_headers.so line, if present, to activate the module.

By making use of the following Apache HTTP directives you’ll protect headers and cookies from malicious activity to reduce the risk for clients and servers.

Now you’ll set the header’s protection. You’ll place all these header values in one block. You can choose to apply these values as you wish, but all are recommended.

Edit the httpd.conf file with the following command and then press G to reach the end of the file:

  • sudo vi /usr/local/etc/apache24/httpd.conf

Place the following block at the end of the file:

/usr/local/etc/apache24/httpd.conf
. . .
<IfModule mod_headers.c>
  # Add security and privacy related headers
  Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
  Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
  Header set X-Content-Type-Options "nosniff"
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy "strict-origin"
  Header set X-Frame-Options "deny"
  SetEnv modHeadersAvailable true
</IfModule>

  • Header set Strict-Transport-Security "max-age=31536000; includeSubDomains": HTTP Strict Transport Security (HSTS) is a mechanism for web servers and clients (mainly browsers) to establish communications using only HTTPS. By implementing this you're avoiding man-in-the-middle attacks, where a third party in between the communicating parties could potentially access the bits, but also tamper with them.

  • Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure": The HttpOnly and Secure flags on cookies help prevent cross-site scripting attacks, also known as XSS. Cookies can be misused by attackers to pose as legitimate visitors presenting themselves as someone else (identity theft), or be tampered with.

  • Header set Referrer-Policy "strict-origin": The Referrer-Policy header sets what information is included as the referrer information in the header field.

  • Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;": The Content-Security-Policy header (CSP) will completely prevent loading content not specified in the parameters, which is helpful to prevent cross-site scripting (XSS) attacks. There are many possible parameters to configure the policy for this header. The bottom line is configuring it to load content only from the same site and to upgrade any content with an HTTP origin.

  • Header set X-XSS-Protection "1; mode=block": This supports older browsers that do not cope with Content-Security-Policy headers. The X-XSS-Protection header provides protection against Cross-Site Scripting attacks. You do not need to set this header unless you need to support old browser versions, which is rare.

  • Header set X-Frame-Options "deny": This prevents clickjacking attacks. The X-Frame-Options header tells a browser whether a page can be rendered in a <frame>, <iframe>, <embed>, or <object>. This way content from your site cannot be embedded into other sites, preventing clickjacking attacks. Here you're denying all frame rendering so the web page can't be embedded anywhere else, not even inside the same web site. You can adapt this to your needs if, for example, you must authorize rendering some pages because they are advertisements or collaborations with specific websites.

  • Header set X-Content-Type-Options "nosniff": The X-Content-Type-Options header tells browsers to honour the declared MIME type of a response rather than guessing it from the content. MIME types are file format standards; they cover text, audio, video, images, and so on. This header stops browsers from content-sniffing those files, which malicious actors could otherwise exploit to have a file interpreted as a different type.

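As an added, offline counterpart to the securityheaders.com check, the Python script below is not part of the tutorial: it parses a raw HTTP response and reports which of the seven header and cookie settings from the block above are present, checking every Set-Cookie value for both HttpOnly and Secure and also confirming that the Server header carries only the product name, as ServerTokens Prod leaves it. Both responses are constructed samples, not captures from a real server, and the accepted values (for instance allowing SAMEORIGIN as well as deny for X-Frame-Options) are this example's own choices.

```python
"""Offline audit of an HTTP response against the header and cookie settings in
this step. Added example, not part of the tutorial: the responses below are
constructed, not captured, and the accepted values are this script's choices."""

# Constructed: what a server hardened as in this tutorial would return.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Security-Policy: default-src 'self'; upgrade-insecure-requests;\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure\r\n"
    b"Set-Cookie: theme=dark; path=/; HttpOnly; Secure\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Referrer-Policy: strict-origin\r\n"
    b"X-Frame-Options: deny\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>It works!</h1></body></html>"
)

# Constructed: a stock response before the step (verbose Server, bare cookie).
STOCK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (FreeBSD) OpenSSL/1.1.1d-freebsd\r\n"
    b"Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>It works!</h1></body></html>"
)

# Header name -> predicate on its value, mirroring the directives in the block above.
EXPECTED = {
    "content-security-policy": lambda v: "default-src 'self'" in v,
    "strict-transport-security": lambda v: "max-age=" in v,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "referrer-policy": lambda v: v.strip().lower() in {
        "strict-origin", "strict-origin-when-cross-origin", "no-referrer", "same-origin"},
    "x-frame-options": lambda v: v.strip().lower() in {"deny", "sameorigin"},
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...]).
    Names are lower-cased; repeated headers such as Set-Cookie are kept in order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_flags_ok(set_cookie):
    """A Set-Cookie value passes only with both the HttpOnly and Secure attributes.
    Attributes are collected into a set, so a duplicated flag is tolerated."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" in attrs and "secure" in attrs


def audit_response(raw):
    """Return {check: bool} covering the seven settings plus the ServerTokens step."""
    _, headers = parse_response(raw)
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    results = {}
    for name, ok in EXPECTED.items():
        values = by_name.get(name, [])
        results[name] = bool(values) and all(ok(v) for v in values)
    # No cookies at all is fine; every cookie that is present must carry both flags.
    results["set-cookie"] = all(cookie_flags_ok(c) for c in by_name.get("set-cookie", []))
    # ServerTokens Prod leaves just the product name: no version or OS tokens.
    server = by_name.get("server", [""])[0]
    results["server-token-minimal"] = server.strip() in ("", "Apache")
    return results


def missing(raw):
    """Sorted names of the checks that fail, for a quick summary."""
    return sorted(k for k, ok in audit_response(raw).items() if not ok)


if __name__ == "__main__":
    print("hardened:", missing(HARDENED_RESPONSE) or "all checks pass")
    print("stock:   ", missing(STOCK_RESPONSE))
```

Feed it the bytes of a real response, for example a curl -i capture saved to a file, to audit your own server. The cookie attributes are collected into a set on purpose: the Header always edit rule above appends HttpOnly; Secure unconditionally, so a cookie that the application already flagged ends up carrying the attributes twice, which browsers tolerate and this check ignores.
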
Now restart Apache for the changes to take effect:

  • sudo apachectl restart

To check the security levels of your configuration settings, visit the security headers website. Having followed the steps in this tutorial, your domain will score an A grade.

Note: If you check your headers by visiting https://securityheaders.com/ and get an F grade, it could be because there is no index.html inside the DocumentRoot of your site, as instructed at the end of Step 2. If you get a grade other than A or F, check each Header set line for a misspelling that may have caused the downgrade.

In this step you have worked with up to seven settings to improve the security of your headers and cookies. These will help prevent cross-site scripting, clickjacking, and other types of attacks.

Conclusion

In this tutorial you’ve addressed several security aspects, from information disclosure, to protecting sessions, through setting alternative configuration settings for important functionality.

For further resources on hardening Apache, here are some other references:

For extra tools to protect Apache HTTP:

Translated from: https://www.digitalocean.com/community/tutorials/recommended-steps-to-harden-apache-http-on-freebsd-12-0
