Install Apache2 on a Raspberry Pi and apply a minimal set of security settings.
Installing Apache2
Install Apache2 with the following command.
$ sudo apt-get -y install apache2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
apache2-bin apache2-data apache2-utils libapr1t64 libaprutil1-dbd-sqlite3 libaprutil1-ldap libaprutil1t64 liblua5.4-0 ssl-cert
Suggested packages:
apache2-doc apache2-suexec-pristine | apache2-suexec-custom ufw www-browser
The following NEW packages will be installed:
apache2 apache2-bin apache2-data apache2-utils libapr1t64 libaprutil1-dbd-sqlite3 libaprutil1-ldap libaprutil1t64 liblua5.4-0 ssl-cert
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,252 kB of archives.
After this operation, 14.4 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian trixie/main arm64 libapr1t64 arm64 1.7.5-1 [97.1 kB]
Get:2 http://deb.debian.org/debian trixie/main arm64 libaprutil1t64 arm64 1.6.3-3+b1 [86.2 kB]
Get:3 http://deb.debian.org/debian trixie/main arm64 libaprutil1-dbd-sqlite3 arm64 1.6.3-3+b1 [14.2 kB]
Get:4 http://deb.debian.org/debian trixie/main arm64 libaprutil1-ldap arm64 1.6.3-3+b1 [12.4 kB]
Get:5 http://deb.debian.org/debian trixie/main arm64 liblua5.4-0 arm64 5.4.7-1+b2 [134 kB]
Get:6 http://deb.debian.org/debian trixie/main arm64 apache2-bin arm64 2.4.65-2 [1,295 kB]
Get:7 http://deb.debian.org/debian trixie/main arm64 apache2-data all 2.4.65-2 [160 kB]
Get:8 http://deb.debian.org/debian trixie/main arm64 apache2-utils arm64 2.4.65-2 [212 kB]
Get:9 http://deb.debian.org/debian trixie/main arm64 apache2 arm64 2.4.65-2 [224 kB]
Get:10 http://deb.debian.org/debian trixie/main arm64 ssl-cert all 1.1.3 [16.8 kB]
Fetched 2,252 kB in 0s (9,288 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libapr1t64:arm64.
(Reading database ... 68419 files and directories currently installed.)
Preparing to unpack .../0-libapr1t64_1.7.5-1_arm64.deb ...
Unpacking libapr1t64:arm64 (1.7.5-1) ...
Selecting previously unselected package libaprutil1t64:arm64.
Preparing to unpack .../1-libaprutil1t64_1.6.3-3+b1_arm64.deb ...
Unpacking libaprutil1t64:arm64 (1.6.3-3+b1) ...
Selecting previously unselected package libaprutil1-dbd-sqlite3:arm64.
Preparing to unpack .../2-libaprutil1-dbd-sqlite3_1.6.3-3+b1_arm64.deb ...
Unpacking libaprutil1-dbd-sqlite3:arm64 (1.6.3-3+b1) ...
Selecting previously unselected package libaprutil1-ldap:arm64.
Preparing to unpack .../3-libaprutil1-ldap_1.6.3-3+b1_arm64.deb ...
Unpacking libaprutil1-ldap:arm64 (1.6.3-3+b1) ...
Selecting previously unselected package liblua5.4-0:arm64.
Preparing to unpack .../4-liblua5.4-0_5.4.7-1+b2_arm64.deb ...
Unpacking liblua5.4-0:arm64 (5.4.7-1+b2) ...
Selecting previously unselected package apache2-bin.
Preparing to unpack .../5-apache2-bin_2.4.65-2_arm64.deb ...
Unpacking apache2-bin (2.4.65-2) ...
Selecting previously unselected package apache2-data.
Preparing to unpack .../6-apache2-data_2.4.65-2_all.deb ...
Unpacking apache2-data (2.4.65-2) ...
Selecting previously unselected package apache2-utils.
Preparing to unpack .../7-apache2-utils_2.4.65-2_arm64.deb ...
Unpacking apache2-utils (2.4.65-2) ...
Selecting previously unselected package apache2.
Preparing to unpack .../8-apache2_2.4.65-2_arm64.deb ...
Unpacking apache2 (2.4.65-2) ...
Selecting previously unselected package ssl-cert.
Preparing to unpack .../9-ssl-cert_1.1.3_all.deb ...
Unpacking ssl-cert (1.1.3) ...
Setting up ssl-cert (1.1.3) ...
Setting up libapr1t64:arm64 (1.7.5-1) ...
・
・
・
To be safe, check the installed Apache2 version.
$ apachectl -v
Server version: Apache/2.4.65 (Debian)
Server built: 2025-07-29T17:52:31
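Enabling the headers module (mod_headers)
This module controls HTTP request and response headers: it adds, modifies and removes them.
It is required for the security measures below.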
$ sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
systemctl restart apache2
Enabling rewrite
This feature rewrites the requested URL with regular expressions before the request is processed.
Many problems can be handled by rewriting, so enable it.
$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
systemctl restart apache2
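Secure configuration
We apply all the secure settings that appear to be effective.
Checking the HTTP headers right after installation
Right after installation, the following HTTP headers are returned (the lines beginning with "<" in the output below; they were highlighted in blue on the original page).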
$ curl -v http://localhost | more
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 15 Oct 2025 13:25:30 GMT
< Server: Apache/2.4.65 (Debian)
< Last-Modified: Wed, 15 Oct 2025 13:23:39 GMT
< ETag: "29cf-6413268a38452"
< Accept-Ranges: bytes
< Content-Length: 10703
< Vary: Accept-Encoding
< Content-Type: text/html
<
{ [10703 bytes data]
100 10
703 100 10703 0 0 3026k 0 --:--:-- --:--:-- --:--:-- 3484k
* Connection #0 to host localhost left intact
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
・
・
・
Secure settings
Configure the security measures that can be applied from Apache2 itself.
$ sudo vi /etc/apache2/conf-enabled/security.conf

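Change the settings to the values shown below (the changed values were highlighted in red on the original page).
Add any lines that are missing.
Lines beginning with # are comments, so they do not need to be added.
The comments explain each setting, so use them for reference.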
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
<Directory />
AllowOverride None
Require all denied
</Directory>
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#ServerSignature Off
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#TraceEnable On
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories.
#
# Examples:
#
#RedirectMatch 404 /\.git
#RedirectMatch 404 /\.svn
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set Content-Security-Policy "frame-ancestors 'self';"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"
# Hide version information
Header unset "X-Powered-By"
# XSS mitigation
Header set X-XSS-Protection "1; mode=block"
Restarting the Apache2 server
$ sudo systemctl restart apache2.service
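No message is printed.
If a message is printed, there is an error, so deal with it properly.
Checking the HTTP headers after applying the security settings
The changes were highlighted in red on the original page: the Server header now shows only Apache, and the X-Content-Type-Options, Content-Security-Policy, X-Frame-Options and X-XSS-Protection headers have been added.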
$ curl -v http://localhost | more
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80
* using HTTP/1.x
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.14.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Date: Wed, 15 Oct 2025 13:31:55 GMT
< Server: Apache
< Last-Modified: Wed, 15 Oct 2025 13:23:39 GMT
< ETag: "29cf-6413268a38452"
< Accept-Ranges: bytes
< Content-Length: 10703
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< Content-Security-Policy: frame-ancestors 'self';
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
<
{ [10703 bytes data]
100 1070
3 100 10703 0 0 3071k 0 --:--:-- --:--:-- --:--:-- 3484k
* Connection #0 to host localhost left intact
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Apache2 Debian Default Page: It works</title>
<style type="text/css" media="screen">
* {
margin: 0px 0px 0px 0px;
padding: 0px 0px 0px 0px;
・
・
・
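The before/after comparison above can be automated. The following script is an added example, not part of the original post: it reads response headers on stdin and checks them against the values set in security.conf. The function names (hdr_value, lc, audit_headers, sample_before, sample_after) are made up for this example, and the sample headers are constructed from the two curl runs on this page.

```shell
# Added example: audit response headers against the security.conf values above.
# Print the value of header $1 (case-insensitive) found in header block $2.
hdr_value() {
  printf '%s\n' "$2" | awk -v n="$1" '
    { i = index($0, ":") }
    i && tolower(substr($0, 1, i - 1)) == tolower(n) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
# Read raw response headers on stdin, print PASS/FAIL per check,
# and return the number of failed checks.
audit_headers() {
  h=$(tr -d '\r')   # HTTP header lines end in CRLF
  fails=0
  got=$(hdr_value Server "$h")
  case $got in      # ServerTokens Prod leaves only "Apache": no "/" and no digits
    *[0-9/]*) echo "FAIL Server leaks detail: $got"; fails=$((fails + 1)) ;;
    *)        echo "PASS Server: ${got:-<absent>}" ;;
  esac
  if [ -n "$(hdr_value X-Powered-By "$h")" ]; then   # Header unset X-Powered-By
    echo "FAIL X-Powered-By is present"; fails=$((fails + 1))
  else
    echo "PASS X-Powered-By is absent"
  fi
  # Headers that must carry the configured value. X-XSS-Protection is listed only
  # because the page sets it; current Chrome, Edge and Firefox ignore that header.
  while IFS='|' read -r name want; do
    got=$(hdr_value "$name" "$h")
    if [ "$(lc "$got")" = "$(lc "$want")" ]; then echo "PASS $name: $got"
    else echo "FAIL $name: got '${got:-<absent>}', want '$want'"; fails=$((fails + 1)); fi
  done <<'EOF'
X-Content-Type-Options|nosniff
Content-Security-Policy|frame-ancestors 'self';
X-Frame-Options|sameorigin
X-XSS-Protection|1; mode=block
EOF
  return "$fails"
}

# Constructed samples: header lines taken from the two curl runs on this page.
sample_before() { printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache/2.4.65 (Debian)' 'Content-Type: text/html'; }
sample_after() { printf '%s\r\n' 'HTTP/1.1 200 OK' 'Server: Apache' 'X-Content-Type-Options: nosniff' \
  "Content-Security-Policy: frame-ancestors 'self';" 'X-Frame-Options: sameorigin' 'X-XSS-Protection: 1; mode=block'; }

sample_before | audit_headers || echo "before: $? check(s) failed"
sample_after  | audit_headers && echo "after: all checks passed"
```

Against the running server, pipe the live headers in with: curl -sI http://localhost/ | audit_headers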

This completes the Apache2 installation.
