Objective

To harden an Apache web server.

Solution

Edit your Apache configuration file/etc/apache2/httpd.conf and add the following in the root level Directory directive:

<Directory />
    AllowOverride None
    AllowOverrideList None
    Options None
    Require all denied
</Directory>

Reload Apache

[root@nowherelan]# systemctl reload httpd.service

When the AllowOverride directive is set to None and AllowOverrideList is set to None, .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

The Options directive controls which server features are available in a particular directory. Options  can be set to None, in which case none of the extra features are enabled.

The Require directive tests whether an authenticated user is authorized according to a particular authorization provider and the specified restrictions. WithRequire all denied, access is denied unconditionally.

You will then want to enable certain abilities on a per-directory basis:

<Directory /var/www/html>
    Options +SymLinksIfOwnerMatch
    Require all granted
</Directory>

WithOptions +SymLinksIfOwnerMatch, the server will only follow symbolic links for which the target file or directory is owned by the same user id as the link.

WithRequire all granted, access is allowed unconditionally.

Verify that your web application still functions properly after making these changes.

My System Configuration

• CentOS 7
• Apache 2.4

References

• https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
• https://httpd.apache.org/docs/2.4/mod/core.html#allowoverridelist
• https://httpd.apache.org/docs/2.4/mod/core.html#options
• https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require