apache-server-configs
Apache Server Configs is a collection of configuration snippets that can help your server improve the website's performance and security, while also ensuring that resources are served with the correct content-type and are accessible, if needed, even cross-domain.
There are two options for getting the Apache server configs:
httpd.conf), you should configure Apache this way. This is usually the recommended way, as using .htaccess files slows down Apache!
.htaccess guide.
Using the Apache server configs repo directly has a few required steps to be able to work.
See also the Apache Getting Started.
httpd.conf settings
The first thing to check is that the httpd.conf file contains appropriate values for your specific install.
Most specific variables are:
ServerRoot
User
Group
ErrorLog
CustomLog
TypesConfig (ensure that the path for the mime.types file is valid)
To verify Apache config
apache2 -t
To verify Apache config with a custom file
apache2 -t -f httpd.conf
To reload Apache and apply the new config
apache2ctl reload
Some configurations won't have any effect if the appropriate modules aren't enabled. So, in order for everything to work as intended, you need to ensure you have the following Apache modules enabled:
mod_autoindex.c (autoindex_module)
mod_deflate.c (deflate_module)
mod_expires.c (expires_module)
mod_filter.c (filter_module)
mod_headers.c (headers_module)
mod_include.c (include_module)
mod_mime.c (mime_module)
mod_rewrite.c (rewrite_module)
mod_setenvif.c (setenvif_module)
For more detailed information on configuration files and how to use them, please check the appropriate Apache documentation:
These instructions should work on any distribution where apt-get has been used to install Apache.
Open up a terminal and type the following command. Enter your password when prompted.
sudo a2enmod setenvif headers deflate filter expires rewrite include
Restart Apache by using the following command, so the new configuration takes effect.
sudo /etc/init.d/apache2 restart
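Since a rule whose module is not loaded has no effect, it is worth confirming the required modules after enabling them. The following is an added example, not part of the project: `missing_modules` is a hypothetical helper that reads `apache2ctl -M` output, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: report required Apache modules that are not loaded.
# Module names come from the list on this page (without the _module suffix).
REQUIRED_MODULES="autoindex deflate expires filter headers include mime rewrite setenvif"

# missing_modules: read `apache2ctl -M` output on stdin, print each required
# module that is absent, and return 1 if any are missing.
missing_modules() {
    # Keep only the module name; whole-line matching below means that
    # mime_magic_module is not mistaken for mime_module.
    loaded=$(sed -n 's/^[[:space:]]*\([a-z0-9_]*\)_module[[:space:]].*$/\1/p')
    rc=0
    for m in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            printf '%s\n' "$m"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `apache2ctl -M` output (include_module is not loaded).
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 autoindex_module (shared)
 deflate_module (shared)
 expires_module (shared)
 filter_module (shared)
 headers_module (shared)
 mime_module (shared)
 mime_magic_module (shared)
 rewrite_module (shared)
 setenvif_module (shared)'

if missing=$(printf '%s\n' "$SAMPLE_MODULES" | missing_modules); then
    echo "all required modules loaded"
else
    echo "missing modules: $missing"
fi
# On a live host: apache2ctl -M 2>/dev/null | missing_modules
```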
MAMP PRO. On the main screen, click the Apache tab and ensure that all the required modules are 'checked', indicating they are enabled.
WampServer. If you have installed WampServer, just click on the icon in the task bar, then the Apache section, then the modules section. You will be presented with a list of modules. Simply click on a module name to enable it. WampServer will automatically restart the Apache service after you enable a module.
Others. Locate the httpd.conf file, which is typically found in:
/Applications/MAMP/conf/apache/httpd.conf
/Applications/XAMPP/etc/httpd.conf
C:\apache\conf\httpd.conf
Open the file in a text editor and uncomment all the required modules. Once you have done so, reset MAMP/WAMP/XAMPP.
This repository has the following structure:
./
├── vhosts/
│ ├── 000-default.conf
│ └── templates/
├── h5bp/
│ ├── basic.conf
│ └── .../
└── httpd.conf
vhosts/
This directory should contain all the server definitions.
All files in this folder are loaded automatically, except those that are dot-prefixed or do not have a .conf extension.
templates folder
Files in this folder contain a <VirtualHost/> template for secure and non-secure hosts.
They are intended to be copied into the vhosts folder with all example.com occurrences changed to the target host.
h5bp/
This directory contains config snippets (mixins) to be included as desired.
There are two types of config files provided, individual config snippets and combined config files which provide convenient defaults.
basic.conf
This file loads a small subset of the rules provided by this repository to add expires headers, allow cross-domain fonts and protect system files from web access.
The basic.conf file includes the rules which are recommended to always be defined.
httpd.conf
The main Apache config file.
The default location of the configuration files is /usr/local/apache2/, but these files may be located in any of a variety of places, depending on how exactly you installed the server.
Common locations for these files may be found in the httpd wiki.
Using the repository as a reference requires no special installation steps: download or check out the repository to a convenient location and adapt your existing httpd configuration, incorporating the desired functionality from this repository.
Download the latest release archive.
To use directly, add httpd config files from this repository.
For example:
apache2ctl stop
git clone https://github.com/h5bp/server-configs-apache.git /tmp/h5bp-apache
cd /usr/local
cp -r apache2 apache2-previous
cp -r /tmp/h5bp-apache/* apache2
# install-specific edits
apache2ctl start
cd /usr/local/apache2/vhosts
Creating a new site
cp templates/example.com.conf .actual-hostname.conf
sed -i 's/example.com/actual-hostname/g' .actual-hostname.conf
Enabling a site
mv .actual-hostname.conf actual-hostname.conf
Disabling a site
mv actual-hostname.conf .actual-hostname.conf
apache2ctl reload
.htaccess file
Just copy the .htaccess file in the root of the website.
Getting options:
h5bp.htaccess on the latest release and rename the file to .htaccess
npm install --save-dev apache-server-configs
Inside the dist/ folder, you'll find a ready-to-use .htaccess file.
.htaccess builds
Security, mime-type, and caching best practices evolve, and so should your .htaccess file. In the past, with each new Apache Server Configs release it was quite tedious to find out which .htaccess trick was new and which had only changed in certain nuances.
The build script with its re-usable and customizable build configuration lets you easily update your .htaccess file. Each new .htaccess build will contain the updated Apache Server Configs source files, enabled or commented-out according to your settings in the htaccess.conf of your project root.
htaccess.conf
It allows you to define which module to enable or disable for your project. Just copy the default htaccess.conf from this repo into your project directory. Adjust to your needs, and/or add custom code snippets you need for your project.
Its syntax is straightforward and pretty much self-explanatory:
# Example Module
title "example module"
enable "src/example-module/images.conf"
enable "src/example-module/web_fonts.conf"
disable "src/example-module/not-needed.conf"
omit "src/example-module/not-needed-at-all.conf"
#... more modules ...
For example, the “Cross-origin web fonts” snippet is always included in our pre-built .htaccess file and enabled. If your project does not deal with web fonts, you can disable or omit this section:
This will comment out the section:
disable "h5bp/cross-origin/web_fonts.conf"
…and this will exclude the section, saving lines in output:
omit "h5bp/cross-origin/web_fonts.conf"
For example, the “Forcing https://” snippet is disabled by default, although it is included in our pre-built .htaccess. To enable this snippet, change the disable keyword to enable:
enable "h5bp/rewrites/rewrite_http_to_https.conf"
Imagine you're passing all requests for non-existing files to your favorite web framework. The corresponding mod_dir snippet would go like this:
FallbackResource index.php
Store this snippet in a file, e.g. config/framework_rewrites.conf, and add a reference in your htaccess.conf:
# PROJECT MODULES
enable "config/framework_rewrites.conf"
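Because a `disable` or `omit` line drops a snippet from the built .htaccess without any error, a project can check its htaccess.conf before building. The following is an added example, not part of the project's build script: `snippet_states` and `require_enabled` are hypothetical helpers, the sample file is constructed, and each snippet path is assumed to appear once and to contain no spaces.

```shell
#!/bin/sh
# Added example: audit an htaccess.conf for snippets that must stay enabled.

# snippet_states: read htaccess.conf on stdin and print "<keyword> <path>"
# for each enable/disable/omit line; comments and title lines are skipped.
# Assumes snippet paths contain no spaces.
snippet_states() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "enable" || $1 == "disable" || $1 == "omit" {
            path = $2
            gsub(/"/, "", path)
            print $1, path
        }'
}

# require_enabled PATH...: read htaccess.conf on stdin, print every PATH that
# is not marked `enable` (disabled, omitted or absent), return 1 if any.
require_enabled() {
    states=$(snippet_states)
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$states" | grep -qxF "enable $p"; then
            printf 'not enabled: %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed htaccess.conf using the snippet paths mentioned on this page.
SAMPLE_CONF='# Rewrites
title "rewrites"
disable "h5bp/rewrites/rewrite_http_to_https.conf"
# Cross-origin
title "cross-origin"
omit "h5bp/cross-origin/web_fonts.conf"
# PROJECT MODULES
enable "config/framework_rewrites.conf"'

if ! printf '%s\n' "$SAMPLE_CONF" | require_enabled \
        "h5bp/rewrites/rewrite_http_to_https.conf" \
        "config/framework_rewrites.conf"; then
    echo "htaccess.conf does not meet the policy"
fi
```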
build.sh
Dive into your project root and call the build script from wherever you cloned the repo. Here are three examples:
.htaccess
Create a default .htaccess in the current work directory. An existing htaccess.conf in this directory will be used; if none is present, the default configuration will apply.
$ path/to/server-configs-apache/bin/build.sh
# Output looks like:
[✔] Build .htaccess
[✔] Moved in place: './.htaccess'
Just add an output path and filename as a parameter. By the way, if there's an existing .htaccess file, the build script will create a backup.
$ path/to/server-configs-apache/bin/build.sh htdocs/.htaccess
[✔] Build .htaccess
[✔] Create backup: 'htdocs/.htaccess~'
[✔] Moved in place: 'htdocs/.htaccess'
.htaccess configuration
Why not maintain your personal ~/htaccess.conf? This example creates a .htaccess in the current work directory, according to your favorite settings you may have stored in your $HOME directory:
path/to/server-configs-apache/bin/build.sh ./.htaccess ~/htaccess.conf
Anyone is welcome to contribute; however, if you decide to get involved, please take a moment to review the guidelines:
Apache Server Configs is only possible thanks to all the awesome contributors!
The code is available under the MIT license.
6.0.0 (December 5, 2022)
Cache-Control definition and usage
Cache-Control boilerplate with extensive control [https://github.com/h5bp/server-configs-apache/pull/325]
ExpiresByType map [https://github.com/h5bp/server-configs-apache/pull/326]
image/avif-sequence MIME type [https://github.com/h5bp/server-configs-apache/pull/316]
FAQs
Boilerplate configurations for the Apache HTTP server
The npm package apache-server-configs receives a total of 413 weekly downloads. As such, apache-server-configs popularity was classified as not popular.
We found that apache-server-configs demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.