Merging a drop-in configuration file to secure Apache httpd

When setting up an Apache httpd (2.4) instance on RHEL 9, I add the following as a drop-in configuration file (/etc/httpd/conf.d/12-secure.conf) to try to improve security. I would also like to include the http to https redirect in this file without having to edit the server name (example below). Ideally this would let me drop the file onto any server without modification. Is this possible, or is my approach/thinking wrong?

# 12-secure.conf

# Remove version and OS from banner
ServerTokens Prod
ServerSignature Off

# Disable Etag support
FileETag None

# Disable TRACE HTTP method
TraceEnable off

# Mitigate click-jacking
Header always append X-Frame-Options SAMEORIGIN

# Mitigate XSS
Header set X-XSS-Protection "1; mode=block"

# Disable HTTP 1.0
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# Prevent Slow-Loris (DoS timeout attack)
Timeout 60

Redirect from httpd.conf

# Code snippet from /etc/httpd/conf/httpd.conf

# Force https
<VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName sub.domain.com
        Redirect permanent "/" "https://sub.domain.com"
</VirtualHost>

Feel free to also offer any other general advice about the 12-secure.conf file.

Answer 1

Based on Gerald Schneider's comment, I have used mod_rewrite to force HTTPS in the drop-in file. This is the final configuration; note that the bottom section is the added part. I chose to keep the redundant RewriteEngine On command to help other administrators keep things modular.

# Remove version and OS from banner
ServerTokens Prod
ServerSignature Off

# Disable Etag support
FileETag None

# Disable TRACE HTTP method
TraceEnable off

# Mitigate click-jacking
Header always append X-Frame-Options SAMEORIGIN

# Mitigate XSS
Header set X-XSS-Protection "1; mode=block"

# Disable HTTP 1.0
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

# Prevent Slow-Loris (DoS timeout attack)
Timeout 60

# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
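As an added example (not code from the question or the answer), here is a Python check a practitioner could run over such a drop-in file before copying it to other servers: it parses the directives, verifies the hardening values the post sets, and flags two points the posts leave implicit, namely that X-Frame-Options is appended rather than set (so a value from a backend or another file would stack) and that the HTTPS RewriteRule carries no explicit [R=301,L] flags, leaving the redirect status to mod_rewrite's default. The embedded sample is the answer's file as a constructed string; the function names are assumptions of this example.

```python
import re

# Constructed sample: the answer's drop-in file, embedded so the check runs offline.
SAMPLE_CONF = """
ServerTokens Prod
ServerSignature Off
FileETag None
TraceEnable off
Header always append X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block"
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]
Timeout 60
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
"""

# Directive values the post relies on to hide the banner, drop ETags and disable TRACE.
EXPECTED = {"ServerTokens": "Prod", "ServerSignature": "Off",
            "FileETag": "None", "TraceEnable": "off"}

def parse_directives(text):
    """Yield (directive, arguments) per non-comment line; <Section> tags are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.strip()

def check_hardening(text):
    """Return a list of findings; an empty list means every check passed."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)
    findings = []
    for name, want in EXPECTED.items():
        got = seen.get(name.lower())
        if not got:
            findings.append(f"missing: {name} {want}")
        elif got[-1].lower() != want.lower():   # the last occurrence is the effective one
            findings.append(f"{name} is {got[-1]!r}, expected {want!r}")
    for args in seen.get("header", []):
        words = args.split()
        action = words[1] if words[0] == "always" else words[0]   # skip optional 'always'
        if "X-Frame-Options" in words and action == "append":
            findings.append("X-Frame-Options uses 'append'; 'set' avoids stacked values")
    for args in seen.get("rewriterule", []):
        if "https://" in args and not re.search(r"\[[^\]]*R=30[12][^\]]*\]", args):
            findings.append("HTTPS RewriteRule lacks explicit [R=301,L] flags")
    return findings
```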
