Recipe 6.25 Running a Minimal Module Set

Problem

You want to eliminate all modules that you don't need in order to reduce the potential exposure to security holes. What modules do you really need?

Solution

For Apache 1.3, you can run a bare-bones server with just three modules. (Actually, you can get away with not running any modules at all, but it is not recommended.)

% ./configure --disable-module=all --enable-module=dir \
> --enable-module=mime --enable-module=log_config \

For Apache 2.0, this is slightly more complicated, as you must individually disable modules you don't want:

% ./configure --disable-access \
> --disable-auth --disable-charset-lite \
> --disable-include --disable-log-config --disable-env --disable-setenvif \
> --disable-mime --disable-status --disable-autoindex --disable-asis \
> --disable-cgid --disable-cgi --disable-negotiation --disable-dir \
> --disable-imap --disable-actions --disable-alias --disable-userdir

Note that with 2.0, as with 1.3, you may wish to enable mod_dir, mod_mime, and mod_log_config, by simply leaving them off of this listing.

Discussion

A frequent security recommendation is that you eliminate everything that you don't need; if you don't need something and don't use it, then you are likely to overlook security announcements about it or forget to configure it securely. The question that is less frequently answered is exactly what you do and don't need.

A number of Apache package distributions come with everything enabled, and people end up running modules that they don't really need—or perhaps are not even aware that they are running.

This recipe is an attempt to get to the very smallest Apache server possible, reducing it to the minimum set of modules that Apache will run. That is, if you take any of these out, Apache will not even start up, let alone serve a functional web site.

Apache 1.3

With Apache 1.3, this question is fairly easy to answer. We've reduced it to a set of three modules, and, actually, you can eliminate all of the modules if you really want to, as long as you're aware of the implications of doing so.

mod_dir is the module that takes a request for / and turns it into a request for /index.html, or whatever other file you have indicated with the DirectoryIndex directive as the default document for a directory. Without this module, users typing just your hostname into their browser will immediately get a 404 error, rather than a default document. Granted, you could require that users specify a hostname and filename in their URL, in which case you could dispense with this module requirement. This would, however, make your web site fairly hard to use.

mod_mime enables Apache to determine what MIME type a particular file is, and send the appropriate MIME header with that file, enabling the browser to know how to render that file. Without mod_mime, your web server will treat all files as having the MIME type set by the DefaultType directive. If this happens to match the actual type of the file, well and good; otherwise, this will cause the browser to render the document incorrectly. If your web site consists only of one type of files, you can omit this module.

Finally, mod_log_config, while not technically required at all, is highly recommended. Running your web server without any activity logfiles will leave you without any idea of how your site is being used, which can be detrimental to the health of your server. However, you should note that it is not possible to disable the ErrorLog functionality of Apache, and so, if you really don't care about the access information of your web site, you could feasibly leave off mod_log_config and still have error log information.

The default distributed configuration file will need some adjustment to run under these reduced conditions. In particular, you will probably need to remove Order, Allow, and Deny directives (provided by mod_access), and you will need to remove LogFormat and CustomLog directives if you remove mod_log_config. Many other sections of the configuration files are protected by <IfModule> sections and will still function in the absence of the required modules.

Apache 2.0

With Apache 2.0, a new configuration utility is used, and so the command-line syntax is more complicated. In particular, there is no single command-line option to let you remove all modules, and so every module must be specified with a —disable directive.

The list of modules that are minimally required for Apache 2.0 is the same as that for 1.3. mod_dir, mod_mime, and mod_log_config are each recommended, but not mandated, for the same reasons outlined previously.