In this series, we show ways to secure your web server. We will use Debian 9 and Apache httpd 2.4.25 in our examples, however, you can convert most configuration to other operating systems or web servers.

A Git repository of config files for various network services that hardens their settings and sets up SSL and/or TLS to encrypt traffic.

What to do when you see the dreaded "Call to undefined function filter_var()" error message in your Apache logs. It's actually easier that it sounds but I recommend matching the version of the PHP source you download to that installed from your distro's official package.

How to configure Apache so that users need to authenticate to see any resources, but users accessing http[s]://localhost/ don't need to log in.

How to harden SSL support on your web server to mitigate attacks like BREACH, BEAST, and Lucky 13. Updated regularly.

An archived thread from the apache-dev mailing list about the webdav bug in the v2.4.x series where it conflicts with mod_dir. Specifically, mod_dir hijacks the PROPFIND HTTP method and causes the problem. The solution is to set "DirectoryIndex disabled" and "Dav On" in the block for the WebDAV share. apache ubuntu sysadmin howto workaround