Securing Apache 2 Step by Step

Security Focus has published a fantastic, in-depth piece by Artur Maj, a principal software engineer with Oracle, on locking down Apache 2.

The article starts from the assumption that Apache will initially serve only static HTML pages, and walks through the steps needed to establish a chroot environment in which Apache will run. The steps include tuning the operating system, choosing Apache modules, building and configuring Apache, and finally the chroot process.

For those running dynamic sites, fear not: links to guides on securing PHP and MySQL, also written by Maj, are included at the end of the exercise. Sample httpd.conf and Apache startup scripts are available as well.


While running Apache in a chroot jail is not a simple task, it is one of the most secure ways to operate a web server, because the true root of the server, that is, all directories below /, is almost completely inaccessible even if an intruder successfully breaches the server's security.