Add Response Headers in Apache


Question: We are working on hardening the Apache web server on all app servers. As part of this process we want to add some Apache response headers for security purposes. We are testing the settings one by one on all app servers. As per the details mentioned below, enable these headers for Apache:

Install the httpd package on App Server 3 using yum, configure it to run on port 6100, and make sure to start its service.

Create an index.html file under Apache's default document root, i.e. /var/www/html, and add the content given below to it.

Welcome to the xFusionCorp Industries!

Configure Apache to enable the headers mentioned below:

X-XSS-Protection header with value 1; mode=block

X-Frame-Options header with value SAMEORIGIN

X-Content-Type-Options header with value nosniff

Note: You can test using curl on the given app server, as the LBR URL will not work for this task.

Please note: perform the commands below according to your own task's server, user name and other details, which might differ.
So please read the task carefully before executing it.
All the Best 👍

Solution:

1. Log in to the app server as per the task and switch to the root user

thor@jump_host ~$ ssh banner@stapp03

The authenticity of host 'stapp03 (172.16.238.12)' can't be established.

ECDSA key fingerprint is SHA256:jQBzPUeKPaiyjrpKdy6e4PG/2IswOUaZYIogb7o1SHE.

ECDSA key fingerprint is MD5:1f:11:06:a6:ec:6c:f5:37:38:31:79:ad:a6:70:94:37.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'stapp03,172.16.238.12' (ECDSA) to the list of known hosts.

banner@stapp03's password:

[banner@stapp03 ~]$ sudo su -

 We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

     #1) Respect the privacy of others.

    #2) Think before you type.

    #3) With great power comes great responsibility.

 [sudo] password for banner:

[root@stapp03 ~]#

2. Install the httpd package on the server

[root@stapp03 ~]# yum install httpd -y

Loaded plugins: fastestmirror, ovl

Determining fastest mirrors

 * base: mirror.us-midwest-1.nexcess.net

 * extras: centos.mirrors.hoobly.com

 * updates: mirrors.tummy.com

base                                                                                           | 3.6 kB  00:00:00    

extras                                                                                         | 2.9 kB  00:00:00    

updates                                                                                        | 2.9 kB  00:00:00    

(1/4): base/7/x86_64/group_gz                                                                  | 153 kB  00:00:00    


Dependencies Resolved

======================================================================================================================

 Package                     Arch                  Version                               Repository              Size

======================================================================================================================

Installing:

 httpd                       x86_64                2.4.6-97.el7.centos                   updates                2.7 M

Installing for dependencies:

 apr                         x86_64                1.4.8-7.el7                           base                   104 k

 apr-util                    x86_64                1.5.2-6.el7                           base                    92 k

 centos-logos                noarch                70.0.6-3.el7.centos                   base                    21 M

 httpd-tools                 x86_64                2.4.6-97.el7.centos                   updates                 93 k

 mailcap                     noarch                2.1.41-2.el7                          base                    31 k

 

Transaction Summary

======================================================================================================================

Install  1 Package (+5 Dependent packages)

 

Total download size: 24 M

Installed size: 32 M

Downloading packages:

(1/6): apr-1.4.8-7.el7.x86_64.rpm                                                              | 104 kB  00:00:00    

(2/6): apr-util-1.5.2-6.el7.x86_64.rpm                                                         |  92 kB  00:00:00    

(3/6): mailcap-2.1.41-2.el7.noarch.rpm                                                         |  31 kB  00:00:00    

(4/6): httpd-tools-2.4.6-97.el7.centos.x86_64.rpm                                              |  93 kB  00:00:00    

(5/6): centos-logos-70.0.6-3.el7.centos.noarch.rpm                                             |  21 MB  00:00:01    

(6/6): httpd-2.4.6-97.el7.centos.x86_64.rpm                                                    | 2.7 MB  00:00:01    

----------------------------------------------------------------------------------------------------------------------

Total                                                                                  18 MB/s |  24 MB  00:00:01    

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : apr-1.4.8-7.el7.x86_64                                                                             1/6

  Installing : apr-util-1.5.2-6.el7.x86_64                                                                        2/6

  Installing : httpd-tools-2.4.6-97.el7.centos.x86_64                                                             3/6

  Installing : centos-logos-70.0.6-3.el7.centos.noarch                                                            4/6

  Installing : mailcap-2.1.41-2.el7.noarch                                                                        5/6

  Installing : httpd-2.4.6-97.el7.centos.x86_64                                                                   6/6

  Verifying  : mailcap-2.1.41-2.el7.noarch                                                                        1/6

  Verifying  : apr-1.4.8-7.el7.x86_64                                                                             2/6

  Verifying  : apr-util-1.5.2-6.el7.x86_64                                                                        3/6

  Verifying  : httpd-2.4.6-97.el7.centos.x86_64                                                                   4/6

  Verifying  : httpd-tools-2.4.6-97.el7.centos.x86_64                                                             5/6

  Verifying  : centos-logos-70.0.6-3.el7.centos.noarch                                                            6/6

 Installed:

  httpd.x86_64 0:2.4.6-97.el7.centos                                                                                  

 Dependency Installed:

  apr.x86_64 0:1.4.8-7.el7                  apr-util.x86_64 0:1.5.2-6.el7  centos-logos.noarch 0:70.0.6-3.el7.centos

  httpd-tools.x86_64 0:2.4.6-97.el7.centos  mailcap.noarch 0:2.1.41-2.el7

 Complete!

[root@stapp03 ~]#

3. Edit the configuration file, change the port as per the task and add the Header directives at the end

[root@stapp03 ~]# vi /etc/httpd/conf/httpd.conf

[root@stapp03 ~]# 

[root@stapp03 ~]# cat /etc/httpd/conf/httpd.conf  |grep Listen

# Listen: Allows you to bind Apache to specific IP addresses and/or

# Change this to Listen on specific IP addresses as shown below to

#Listen 12.34.56.78:80

Listen 6100

[root@stapp03 ~]#

[root@stapp03 ~]# cat /etc/httpd/conf/httpd.conf  |grep X

Header set X-XSS-Protection "1; mode=block"

Header always append X-Frame-Options SAMEORIGIN

Header set X-Content-Type-Options nosniff

[root@stapp03 ~]#

4. Create the index file with the content given in the task

[root@stapp03 ~]# ll /var/www/html/

total 0

[root@stapp03 ~]# vi /var/www/html/index.html

[root@stapp03 ~]# cat /var/www/html/index.html

Welcome to the xFusionCorp Industries!

[root@stapp03 ~]#

5. Start httpd and check its status

[root@stapp03 ~]# systemctl start httpd

[root@stapp03 ~]# systemctl status  httpd

● httpd.service - The Apache HTTP Server

   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)

   Active: active (running) since Sat 2021-07-17 07:31:12 UTC; 3s ago

     Docs: man:httpd(8)

           man:apachectl(8)

  Process: 846 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)

 Main PID: 849 (httpd)

   Status: "Processing requests..."

   CGroup: /docker/ca626cd24e8751a8de7d5bd4437816e73bb469629bd472504ef7e34d0bb3c7ae/system.slice/httpd.service

           849 /usr/sbin/httpd -DFOREGROUND

           850 /usr/sbin/httpd -DFOREGROUND

           851 /usr/sbin/httpd -DFOREGROUND

           852 /usr/sbin/httpd -DFOREGROUND

           853 /usr/sbin/httpd -DFOREGROUND

           └─854 /usr/sbin/httpd -DFOREGROUND

 

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com httpd[849]: [Sat Jul 17 07:31:12.959638 2021] [so:warn] [pid 849...ing

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com httpd[849]: AH00558: httpd: Could not reliably determine the ser...age

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Got notification message for unit httpd.service

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: Got notification message from PID 849...49)

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got MAINPID=849

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got READY=1

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service changed start -> running

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Job httpd.service/start finished, result=done

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: Started The Apache HTTP Server.

Jul 17 07:31:12 stapp03.stratos.xfusioncorp.com systemd[1]: httpd.service: got STATUS=Processing requests...

Hint: Some lines were ellipsized, use -l to show in full.

[root@stapp03 ~]# 

6. Validate the task with curl (on the port configured in step 3)

[root@stapp03 ~]# curl http://localhost:6100

Welcome to the xFusionCorp Industries!

[root@stapp03 ~]#

[root@stapp03 ~]# curl -i http://localhost:6100

HTTP/1.1 200 OK

Date: Sat, 17 Jul 2021 07:32:26 GMT

Server: Apache/2.4.6 (CentOS)

X-Frame-Options: SAMEORIGIN

Last-Modified: Sat, 17 Jul 2021 07:31:44 GMT

ETag: "27-5c74cb2316a2c"

Accept-Ranges: bytes

Content-Length: 39

X-XSS-Protection: 1; mode=block

X-Content-Type-Options: nosniff

Content-Type: text/html; charset=UTF-8

 Welcome to the xFusionCorp Industries!

[root@stapp03 ~]#
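The transcript above sets the headers directly in httpd.conf and checks them by eye in the curl output. The script below is an added example, not part of the lab or of the KodeKloud solution: it renders the same three headers as a mod_headers drop-in and checks a captured response against the exact values the task requires, so the validation can be repeated on every app server instead of being read off the screen. The drop-in path /etc/httpd/conf.d/security-headers.conf, the PORT variable and the sample response are assumptions made for the example; the sample is constructed to look like the curl -i output above, not captured from a server.

```shell
#!/bin/sh
# Added example (not part of the lab): render a mod_headers drop-in for the
# three headers the task asks for, and verify a server's response against
# them.  Paths and the drop-in file name are assumptions, not the lab's.

# Required headers, one "Name|Value" per line, taken from the task text.
REQUIRED_HEADERS='X-XSS-Protection|1; mode=block
X-Frame-Options|SAMEORIGIN
X-Content-Type-Options|nosniff'

# Print an Apache config fragment.  "always" makes the headers appear on
# error responses (404, 500) as well as 200s; "set" replaces any value the
# application already sent, whereas "append" would comma-join the two into a
# value browsers do not recognise.
render_headers_conf() {
    echo '<IfModule mod_headers.c>'
    while IFS='|' read -r name value; do
        printf '    Header always set %s "%s"\n' "$name" "$value"
    done <<EOF
$REQUIRED_HEADERS
EOF
    echo '</IfModule>'
}

# check_security_headers FILE
# FILE holds raw response headers as printed by `curl -sI` or `curl -i`.
# Returns 0 when every required header is present with exactly the expected
# value; otherwise prints the first problem found and returns 1.
check_security_headers() {
    file=$1
    while IFS='|' read -r name value; do
        # Header names are case-insensitive; drop the CR curl leaves on each
        # line and the whitespace after the colon.
        actual=$(grep -i "^$name:" "$file" | head -n 1 \
                 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r')
        if [ -z "$actual" ]; then
            echo "MISSING: $name"
            return 1
        elif [ "$actual" != "$value" ]; then
            echo "WRONG:   $name is '$actual', expected '$value'"
            return 1
        fi
    done <<EOF
$REQUIRED_HEADERS
EOF
    return 0
}

# Constructed sample modelled on the lab's `curl -i` output (not captured
# from a real server), with the CRLF line endings curl prints.
sample_response() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache/2.4.6 (CentOS)\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\n'
    printf 'Content-Length: 39\r\n'
    printf 'X-XSS-Protection: 1; mode=block\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n'
    printf '\r\n'
}

# Install the drop-in on a CentOS 7 host, test the config, reload and verify.
# /etc/httpd/conf.d/*.conf is picked up by the stock httpd.conf's
# IncludeOptional line; PORT defaults to the task's 6100.
apply_to_host() {
    conf=/etc/httpd/conf.d/security-headers.conf   # assumed file name
    render_headers_conf > "$conf"
    apachectl configtest || return 1
    systemctl reload httpd || return 1
    tmp=$(mktemp)
    curl -sI "http://localhost:${PORT:-6100}/" > "$tmp"
    check_security_headers "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Run "sh check-headers.sh apply" on the app server; with no argument only
# the functions are defined, so the script can be sourced by other checks.
case "${1:-}" in
    apply) apply_to_host ;;
esac
```

Two caveats worth knowing when reading the transcript above against this script. First, a plain `Header set` only applies to successful (2xx) responses; `Header always set` also covers 404s and 500s, which is what a hardening checklist normally wants. Second, `Header always append X-Frame-Options SAMEORIGIN` works on a fresh install because nothing else sends that header, but if an application behind Apache already emits one, `append` produces a comma-joined value that browsers ignore; `set` avoids that. Both forms pass the lab's check, and the `curl -sI` in apply_to_host sends a HEAD request, so the body is not fetched while the headers are still returned.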

7. Click on Finish and Confirm to complete the task successfully

Happy Learning!!!!


Apart from this, if you need more clarity, I have made a tutorial video on this;
please go through it and share your comments. Like and share the knowledge.
