Listing 3 reduced httpd.conf
### Section 1: Global Environment
ServerTokens OS
#
ServerRoot "/etc/httpd"
#
PidFile run/httpd.pid
#
Timeout 120
#
KeepAlive Off
#
MaxKeepAliveRequests 100
#
KeepAliveTimeout 15
##
## Server-Pool Size Regulation (MPM specific)
##
<IfModule prefork.c>
StartServers 8
MinSpareServers 5
MaxSpareServers 20
ServerLimit 256
MaxClients 256
MaxRequestsPerChild 4000
</IfModule>
# worker MPM
<IfModule worker.c>
StartServers 2
MaxClients 150
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxRequestsPerChild 0
</IfModule>
#
#Listen 12.34.56.78:80
Listen 80
#modules
LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule mime_magic_module modules/mod_mime_magic.so
#LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
#LoadModule info_module modules/mod_info.so
LoadModule jk_module modules/mod_jk.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule security_module modules/mod_security.so
LoadModule cache_module modules/mod_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf
#
# User/Group:
User apache
Group apache
### Section 2: 'Main' server configuration
# ServerAdmin:
ServerAdmin email@yourdomain.com
#
ServerName <valid DNS server name>
#
# UseCanonicalName
UseCanonicalName On
#
AccessFileName .htaccess
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
#
# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types
#
DefaultType text/plain
#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
# MIMEMagicFile /usr/share/magic.mime
MIMEMagicFile conf/magic
</IfModule>
#
# HostnameLookups:
HostnameLookups Off
# ErrorLog:
ErrorLog logs/error_log
#
# LogLevel:
LogLevel warn
#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined
#
ServerSignature On
#
AddDefaultCharset UTF-8
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
#####################
# mod_rewrite config #
#####################
RewriteEngine on
# Optional debug directives
RewriteLog logs/mod_rewrite.log
RewriteLogLevel 1
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]
#
#####################
# Mod_security config #
#####################
<IfModule mod_security.c>
# Turn the filtering engine On or Off
SecFilterEngine On
SecFilterDefaultAction "deny,log,status:500"
SecFilterScanPOST On
# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
# Unicode encoding check
SecFilterCheckUnicodeEncoding On
# Only allow bytes from this range
SecFilterForceByteRange 1 255
# Only log suspicious requests
SecAuditEngine RelevantOnly
# The name of the audit log file
SecAuditLog logs/audit_log
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type \
"!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Prevent path traversal (..) attacks
SecFilter "\.\./"
# Weaker XSS protection but allows common HTML tags
SecFilter "<( |\n)*script"
SecFilter "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
SecFilter "/\"><img\x20src=\"javascript:alert(document.domain)\">"
# Crude filters to prevent SQL injection attacks
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
# Require HTTP_USER_AGENT and HTTP_HOST headers
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
</IfModule>
#
#######################
# Mod_jk Configuration #
#######################
# mod_jk configuration
#LoadModule jk_module modules/mod_jk.so
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf/workers.properties
# Where to put jk logs
JkLogFile /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Send everything for context /cpi to worker named worker1 (ajp13)
JkMount /<your app> worker1
JkMount /<your app>/* worker1
JkUnMount /<your app>/*.jsp worker1
JkUnMount /<your app>/*.js worker1
JkUnMount /<your app>/*.xml worker1
JkUnMount /<your app>/*.xslt worker1
JkUnMount /<your app>/*.html worker1
JkUnMount /<your app>/*.cgi worker1
JkUnMount /<your app>/*.txt worker1
#
###Authenticate Users
<Location /<your app>>
AuthType Basic
AuthName "Authorized Users Only"
AuthUserFile /usr/share/access/.authenticated
require valid-user
</Location>
#
### Section 3: Virtual Hosts
#
# VirtualHost
#
|