1.Apache2のインストールとセキュアな設定

Raspberry Pi4にApache2をインストールして、最低限のセキュリティ設定をします。

Apache2のインストール
1. module_headersの活性化
2. rewriteの活性化
セキュアな設定

Apache2のインストール

下記のコマンドでApache2をインストールします。

$ sudo apt-get -y install apache2
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.3-0 ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap liblua5.3-0 ssl-cert
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 2,166 kB of archives.
After this operation, 14.0 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main arm64 libapr1 arm64 1.7.2-3 [94.1 kB]
Get:2 http://deb.debian.org/debian bookworm/main arm64 libaprutil1 arm64 1.6.3-1 [84.4 kB]
Get:3 http://deb.debian.org/debian bookworm/main arm64 libaprutil1-dbd-sqlite3 arm64 1.6.3-1 [13.5 kB]
Get:4 http://deb.debian.org/debian bookworm/main arm64 libaprutil1-ldap arm64 1.6.3-1 [11.8 kB]
Get:5 http://deb.debian.org/debian bookworm/main arm64 liblua5.3-0 arm64 5.3.6-2 [110 kB]
Get:6 http://deb.debian.org/debian bookworm/main arm64 apache2-bin arm64 2.4.57-2 [1,257 kB]
Get:7 http://deb.debian.org/debian bookworm/main arm64 apache2-data all 2.4.57-2 [160 kB]
Get:8 http://deb.debian.org/debian bookworm/main arm64 apache2-utils arm64 2.4.57-2 [199 kB]
Get:9 http://deb.debian.org/debian bookworm/main arm64 apache2 arm64 2.4.57-2 [215 kB]
Get:10 http://deb.debian.org/debian bookworm/main arm64 ssl-cert all 1.1.2 [21.1 kB]
Fetched 2,166 kB in 0s (5,355 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libapr1:arm64.
・
・
・

念のためインストールされたApache2を確認します。

$ apachectl -v
Server version: Apache/2.4.57 (Debian)
Server built:   2023-04-13T03:26:51

module_headersの活性化

HTTP のリクエストヘッダと応答ヘッダを制御し、追加・変更・削除します。

セキュリティ対策の為必須です。

$ sudo a2enmod headers
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2

rewriteの活性化

アクセスのあったURLを、正規表現で書き換えてから処理する機能です。

書き換えで対処できることが一杯あるので有効にします。

$ sudo a2enmod rewrite
Enabling module rewrite.
To activate the new configuration, you need to run:
  systemctl restart apache2

セキュアな設定

有効と思われる全てのセキュアな設定を行っていきます。

インストール直後のHTTPヘッダの確認

インストール直後は下記の青い部分がHTTPヘッダとして出力されます。

$ curl -v  http://localhost | more
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 07 Nov 2023 15:05:21 GMT
< Server: Apache/2.4.57 (Debian)
< Last-Modified: Tue, 07 Nov 2023 15:01:23 GMT
< ETag: "29cd-609913e7684e7"
< Accept-Ranges: bytes
< Content-Length: 10701
< Vary: Accept-Encoding
< Content-Type: text/html
<
{ [10701 bytes data]
1
00 10701  100 107<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
01    <html xmlns="http://www.w3.org/1999/xhtml">
0   <head>
    0   6    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
43k        <title>Apache2 Debian Default Page: It works</title>
  0 --    <style type="text/css" media="screen">
:-  * {
-:--    margin: 0px 0px 0px 0px;
 --    padding: 0px 0px 0px 0px;
:-  }
・
・
・

セキュアな設定

Apache2からできるセキュリティ対策を設定します。

$ sudo vi /etc/apache2/conf-enabled/security.conf

ももぶろ

viの超簡単な使い方は、ここを見てね

下記の赤い値に変更してください。

無い行は追加をしてください。

行の頭に#が入っている行はコメントなので、コメントは追加する必要はありません。

設定の説明がコメントにあるので参考にしてください。

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
<Directory />
   AllowOverride None
   Require all denied
</Directory>
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories.
#
# Examples:
#
#RedirectMatch 404 /\.git
#RedirectMatch 404 /\.svn

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set Content-Security-Policy "frame-ancestors 'self';"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
Header set X-Frame-Options: "sameorigin"

# バージョン情報の隠蔽
Header unset "X-Powered-By"

# XSS対策
Header set X-XSS-Protection "1; mode=block"

Apache2のサーバを再起動

$ sudo systemctl restart apache2.service

メッセージは何も出ません。

メッセージが出力されてるときは、エラーが有るのでしっかり対処しましょう。

セキュリティ設定後のHTTPヘッダの確認

変わったところは赤字にしています。

$ curl -v http://localhost | more
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 07 Nov 2023 15:36:42 GMT
< Server: Apache              <=バージョン情報が出力されていません。
< Last-Modified: Tue, 07 Nov 2023 15:01:23 GMT
< ETag: "29cd-609913e7684e7"
< Accept-Ranges: bytes
< Content-Length: 10701
< Vary: Accept-Encoding
< X-Content-Type-Options: nosniff
< X-Frame-Options: sameorigin
< X-XSS-Protection: 1; mode=block
< Content-Type: text/html
<
{ [10701 bytes data]
100 10701  100 10701    0     0   950k      0 --:--:-- --:--:-- --:--:-- 1045k
* Connection #0 to host localhost left intact

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
・
・　以降HTMLが続きます。
・

ももぶろ

Apache2のインストールはこれで終了です。