使用 mod_security 在 Debian Jessie 上对 Apache 2.4 进行 Chrooting

有人建议我 chroot 我的 apache2 安装，以便更好地保护服务器其余部分的敏感内容。我已经正确安装和设置了 mod_security，并且可以在日志中看到它正确地 chroot 了 apache2，但 systemctl 在验证服务是否正在运行时遇到了问题。当我运行：

service apache2 start

它挂起 20 秒然后报告失败：

The apache2 instance did not start within 20 seconds. Please read the log files to discover problems ... (warning).

但如果我检查进程，我可以看到各种 apache2 服务正在运行。如果我尝试访问我的网站，我会收到 403 Forbidden 错误。这是我 grep 的 /etc/apache2/apache2.conf：

Mutex file:${APACHE_LOCK_DIR} default
PidFile ${APACHE_PID_FILE}
SecChrootDir /var/www
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
        Options FollowSymLinks
        AllowOverride None
        Require all denied
</Directory>
<Directory /usr/share>
        AllowOverride None
        Require all granted
</Directory>
<Directory /var/www/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
        Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
ServerName localhost

这是我的 /etc/apache2/sites-enabled/site.com.conf：

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
</VirtualHost>

<Directory /var/www>
  AllowOverride None
  Require all granted
</Directory>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

一些最近的 /var/log/apache2/error.log：

[Mon Feb 22 00:26:02.746084 2016] [mpm_prefork:notice] [pid 2766] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:26:27.000946 2016] [:notice] [pid 2978] ModSecurity: chroot checkpoint #1 (pid=2978 ppid=2975)
[Mon Feb 22 00:26:27.001010 2016] [:notice] [pid 2978] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:26:27.001016 2016] [:notice] [pid 2978] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:26:27.001022 2016] [:notice] [pid 2978] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:26:27.001028 2016] [:notice] [pid 2978] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:26:27.001032 2016] [:notice] [pid 2978] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:26:27.001068 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:26:27.223832 2016] [:notice] [pid 2978] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:26:28.000065 2016] [:notice] [pid 2979] ModSecurity: chroot checkpoint #2 (pid=2979 ppid=1)
[Mon Feb 22 00:26:28.000103 2016] [:notice] [pid 2979] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:26:28.003129 2016] [mpm_prefork:notice] [pid 2979] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:26:28.003162 2016] [core:notice] [pid 2979] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:26:51.576466 2016] [authz_core:error] [pid 2983] [client 65.29.162.224:50484] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.093394 2016] [authz_core:error] [pid 2984] [client 80.65.51.221:5624] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.108471 2016] [authz_core:error] [pid 2985] [client 80.65.51.221:10799] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:27:35.137950 2016] [authz_core:error] [pid 2986] [client 80.65.51.221:64057] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:28:48.924836 2016] [authz_core:error] [pid 2987] [client 150.70.173.47:53051] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:48.875421 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:33:49.977038 2016] [authz_core:error] [pid 3032] [client 65.29.162.224:50567] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:34:06.848570 2016] [mpm_prefork:notice] [pid 2979] AH00169: caught SIGTERM, shutting down
[Mon Feb 22 00:34:28.000025 2016] [:notice] [pid 3821] ModSecurity: chroot checkpoint #1 (pid=3821 ppid=3818)
[Mon Feb 22 00:34:28.000106 2016] [:notice] [pid 3821] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Mon Feb 22 00:34:28.000112 2016] [:notice] [pid 3821] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Mon Feb 22 00:34:28.000118 2016] [:notice] [pid 3821] ModSecurity: PCRE compiled version="8.35 "; loaded version="8.35 2014-04-04"
[Mon Feb 22 00:34:28.000123 2016] [:notice] [pid 3821] ModSecurity: LUA compiled version="Lua 5.1"
[Mon Feb 22 00:34:28.000128 2016] [:notice] [pid 3821] ModSecurity: LIBXML compiled version="2.9.1"
[Mon Feb 22 00:34:28.000163 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call: "2.8.0,Apache/2.4.10 (Debian),1.5.1/1.5.1,8.35/8.35 2014-04-04,Lua 5.1,2.9.1,d5"
[Mon Feb 22 00:34:28.182087 2016] [:notice] [pid 3821] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Mon Feb 22 00:34:29.000835 2016] [:notice] [pid 3822] ModSecurity: chroot checkpoint #2 (pid=3822 ppid=1)
[Mon Feb 22 00:34:29.000871 2016] [:notice] [pid 3822] ModSecurity: chroot successful, path=/var/www
[Mon Feb 22 00:34:29.003978 2016] [mpm_prefork:notice] [pid 3822] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Feb 22 00:34:29.004010 2016] [core:notice] [pid 3822] AH00094: Command line: '/usr/sbin/apache2'
[Mon Feb 22 00:34:31.541762 2016] [authz_core:error] [pid 3827] [client 65.29.162.224:50568] AH01630: client denied by server configuration: /var/www
[Mon Feb 22 00:51:43.647330 2016] [authz_core:error] [pid 3829] [client 65.29.162.224:50919] AH01630: client denied by server configuration: /var/www, referer: http://xxxxxxxxxx.com/
[Mon Feb 22 01:00:25.730427 2016] [authz_core:error] [pid 3831] [client 208.91.115.10:47458] AH01630: client denied by server configuration: /var/www

如果我需要提供更多信息，请告诉我。