Introduction
The Apache Software Foundation uses various licenses to distribute software and documentation, to accept regular contributions from individuals and corporations, and to accept larger grants of existing software products. The Apache web server itself is free: it is an open-source HTTP server that anyone can download at no cost. Its job is to implement the HTTP protocol, carrying requests and responses between clients and servers and vice versa, and it is built around a highly modular architecture.
A web server is not just any other device that you employ in your network environment. Unlike other devices sitting behind layers of defenses and firewalls, web servers sit at the rim of your network and are designed to share information about your organization with the outside world, regardless of who they are.
Therefore, it is no surprise that a web server is often the first place that hackers look when they are considering attacking a target. Without the proper precautions and preparations, these devices are weak enough to give attackers the foothold that they need.
A quick look through the most common web-based cyberattacks leads back to web servers sharing too much device information, SQL injection, session management-based attacks and even a failure to install the latest patches. In other words, if left with their default configurations, your organization will quickly find some of your most important information exposed — or worse — with the forensic trail leading straight back to your web server.
So what can your organization do to harden your web server to keep attackers at bay — or at least frustrated enough to find a weaker target? In this next part of the Infosec Skills web server protection series, we will review some of the best practices when it comes to web server hardening.
Web server hardening best practices
Disable the signature
A common way attackers begin to probe a web server for possible exploitation is by sending a remote request that pulls back valuable information served up by the server signature, also known as the server footer. Disabling the server signature prevents the server name, server version number and other information such as recent error messages, module information and directory information from being displayed on request or when a 404 error page is presented. If you want to protect your Apache web server from enumeration, for example, go to your web server’s configuration file and add the directives “ServerSignature Off” and “ServerTokens Prod”.
Log server access
By default, Apache and Windows servers are not configured to capture login information as users authenticate to the device and perform other requests. In Apache, these logs can be customized for your organization’s specific needs, written directly to a file or sent to an external application. Conditions can also be set so that requests matching specific criteria are included or excluded. While the information logged can be broad, key information could include the IP address of the requestor, the session ID, the host and the bytes received/sent, among others.
Disable the HTTP Trace and Track requests
Although allowing your web server to respond to HTTP TRACE and TRACK requests can serve legitimate purposes, such as debugging connection errors within your network, these methods can also compromise the security of your web server. One of the most common exploitation methods is cross-site scripting, where attackers could use and manipulate the TRACE and TRACK methods to intercept normal traffic connections, session cookies and possibly any data in transit.
The best way to address this issue is to disable the TRACE HTTP method by adding a directive command into the httpd.conf file of an Apache web server. For example:
TraceEnable Off
Reload Apache
Create non-root users
Another best practice security measure, which applies not only to web servers but all operating system administration, is to create and use non-root accounts for basic administrative and management tasks. By doing so, your organization can add another layer of defense in case an attacker obtains non-root credentials to the web server.
In Linux/Debian, for example, this can be done with a simple “sudo adduser [username]” command followed by assigning that new account to the administrative “sudo” group and assigning that new account its appropriate privileges. When needed, that new account can perform its administrative-like functions using a preceding “sudo” command.
Restrict IP access
If your web server is used for only limited purposes, such as internal organizational information sharing, hosting a static website or testing and development efforts, it can be configured to allow only specific IP addresses or networks.
The range of IP addresses to accept or deny can be configured in the <Directory> block for your site in the httpd.conf file. For example, a network address can be permitted with the Allow directive:
<Directory /samplewebsite>
Options None
AllowOverride None
Order deny,allow
Deny from All
Allow from 10.10.10.0/24
</Directory>
Disable SSLv2 and SSLv3
Despite being full of well-known security issues, many web servers still run SSL 2.0/3.0 and TLS 1.0/1.1 protocols by default, putting any data transferred over these encryption methods at risk. Because of this, SSLv2 and SSLv3 as well as TLS 1.0 and 1.1 should be disabled while TLS 1.2 is enabled in its place.
In your web server’s ssl.conf file, navigate to the SSL Protocol Support section and add, for example, the following lines:
SSLProtocol -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol +TLSv1.2
You also have the option of enabling your web server to encrypt traffic with SSL certificates, allowing your organization to leverage HTTPS protocols to securely transfer data. If your organization processes payments or offers member-specific functionality, using SSL certificates will not only protect PII but also help your website earn better rankings on search engines.
Disable directory listing
Similar to disabling web server signatures, web servers also by default display the content of the documents and files in the root directory when an index.html file is missing. This means that a potential attacker could possibly view all of the files and subdirectories that are presented to the browser.
To turn off this function, set the Options directive in the directory block to either “None” or “-Indexes”, so that it looks like the following:
<Directory /var/www/SampleWebsite>
Options None
Order allow,deny
Allow from all
</Directory>
Eliminate unused modules
If you installed your web server with the default operating system configuration, then there’s a high chance that there are many unused or unrequired modules running. The more services and functions that a web server is running, the more opportunities a potential hacker will have to exploit your network; because of this, a simple but easily overlooked best practice is to disable and turn off any unnecessary services, ports or functions.
For example, there are 65,535 available ports each server could possibly service. Your server clearly doesn’t need all of them open and receptive.
Any unnecessary internal or external ports and modules should be turned off. To confirm which modules are running on your web server, use the following command:
grep LoadModule /etc/httpd/conf/httpd.conf
To disable a certain module, insert a hash mark at the beginning of the line of that service and restart your web server.
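As an added example (not code from the article), the following Python audit reads an httpd.conf and reports the settings covered in the sections above: ServerSignature and ServerTokens, TraceEnable, Options Indexes, SSLProtocol and the LoadModule lines that are still active. The configuration it checks is constructed here, and its expansion of the SSLProtocol keyword "all" follows the Apache 2.4 documentation as an approximation, since the exact set depends on the OpenSSL build.

```python
# Constructed sample httpd.conf showing the defaults the article warns about (not a real server's config).
SAMPLE_CONF = """\
ServerTokens Full
ServerSignature On
TraceEnable On
LoadModule status_module modules/mod_status.so
#LoadModule info_module modules/mod_info.so
<Directory /var/www/SampleWebsite>
    Options Indexes FollowSymLinks
</Directory>
SSLProtocol all -SSLv3
"""

# Apache 2.4 expands the SSLProtocol keyword "all" to these versions (SSLv2 is excluded); approximation.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
EXPECTED = {"ServerTokens": "Prod", "ServerSignature": "Off", "TraceEnable": "Off"}  # article's values


def enabled_legacy_protocols(args):
    """Apply SSLProtocol's [+|-]keyword set semantics and return the legacy versions left enabled."""
    enabled = set()
    for tok in args:
        op, kw = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if kw.lower() == "all" else {kw}
        enabled = enabled | names if op == "+" else enabled - names
    return sorted(enabled & LEGACY_PROTOCOLS)


def audit(conf_text):
    """Return (findings, loaded_modules): weak or missing settings, plus active LoadModule names."""
    seen, loaded, findings = {}, [], []
    for raw in conf_text.splitlines():
        parts = raw.split()  # comment lines and <Section> tags are not directives
        if not parts or parts[0].startswith(("#", "<")):
            continue
        name, args = parts[0], parts[1:]
        if name == "LoadModule" and args:
            loaded.append(args[0])
        elif name == "Options" and any(a.lstrip("+").lower() == "indexes" for a in args):
            findings.append("Options enables Indexes (directory listing)")
        elif name == "SSLProtocol" and enabled_legacy_protocols(args):
            findings.append("SSLProtocol still allows " + ", ".join(enabled_legacy_protocols(args)))
        else:
            seen[name] = args
    for directive, want in EXPECTED.items():
        got = (seen.get(directive) or ["<unset>"])[0]  # unset means Apache's default (e.g. ServerTokens Full)
        if got.lower() != want.lower():
            findings.append(f"{directive} is {got}, expected {want}")
    return findings, loaded


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF)[0]:
        print("FINDING:", finding)
```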
Install Mod_evasive and Mod_security
Now that you have disabled all unused services, there are two that you should consider enabling: Mod_security and Mod_evasive. The former is an open-source IDS and prevention engine, while the latter provides your web server with built-in evasive capabilities if it detects that your website may be under attack.
Mod_security works as a supplemental firewall for the web server, allowing you to monitor traffic in real time while also dropping host connections if the module suspects a brute-force password attack. Mod_evasive helps prevent DDoS attacks by closing connections if too many requests come into a certain website too quickly, if a certain child process is attempting to create too many concurrent requests, or if a blacklisted host IP keeps trying to access the web server.
Constantly check for patches
Last, but certainly not least, you need to constantly check for updates and patches for your server. This should not be a one-time task after installation. In Linux, regularly run “sudo apt update” to refresh the package lists, followed by “sudo apt upgrade” to install the latest patches and fixes. Of course, this should be done in accordance with larger infrastructure change and patch management processes by administrators trained to perform patching procedures.
Bringing it all together
While this article covers ten of the most common web server hardening techniques, no single method or combination of methods can guarantee that your website will be defended against a determined cyberattacker.
However, by actively using web vulnerability scanners, constantly patching, continuously tuning your web server to meet the specific needs of your organization and considering these best practices, your organization can drastically raise the level of effort it would take an attacker to exploit your network. This means frustrating the attacker and possibly forcing them to move on to an easier target.
What is Apache Web Server?
Apache HTTP Server is a free and open-source web server that delivers web content over the internet. It is commonly referred to as Apache, and after its development it quickly became the most popular HTTP server on the web. It was widely thought that Apache got its name from its development history, a process of improvement through applied patches and modules, but that was corrected back in 2000, when it was revealed that the name honors the Native American tribe for its resiliency and durability.
Now, before we get too in depth on Apache, we should first go over what a web application is and the standard architecture usually found in web apps.
Apache Web Application Architecture
Apache is just one component that is needed in a web application stack to deliver web content. One of the most common web application stacks involves LAMP, or Linux, Apache, MySQL, and PHP.
Linux is the operating system that handles the operations of the application. Apache is the web server that processes requests and serves web assets and content via HTTP. MySQL is the database that stores all your information in an easily queried format. PHP is the programming language that works with Apache to help create dynamic web content.
While actual statistics may vary, it’s fair to say a large portion of web applications run on some form of the LAMP stack because it is easy to build and also free to use. For the most part, web applications tend to generally have similar architecture and structure even though they serve many different functions and purposes. Most web applications also benefit from Firewalls, Load Balancers, Web Servers, Content Delivery Networks, and Database Servers.
Firewalls help protect the web application from both external threats and internal vulnerabilities depending on where the firewalls are configured. Load Balancers help distribute traffic across the web servers which handle the HTTP(S) requests (this is where Apache comes in) and application servers (servers that handle the functionality and workload of the web app.) We also have Database Servers, which handle asset storage and backups. Depending on your infrastructure, your database and application can both live on the same server although it’s recommended to keep those separate.
Web Server Landscape
The internet is comprised of many different technologies and not all of them are the same. While Apache is arguably one of the most popular web servers out there on the net, there are many other players and the landscape is always changing. Back in the late 90s and early 2000s, Apache’s dominance was very strong, serving over 50% of the internet's active websites. Microsoft's IIS (Internet Information Services) was also an option but not nearly as popular.
Today, Apache still serves a large portion of the active websites, but its share of the field has shrunk from 50% to just under 40% as of 2018. NGINX, a relatively new player in the web server field, is in second place with roughly 35%, and Microsoft IIS hovers around 8-10%. Every year there’s a new crop of web applications with new stacks and servers, so the landscape is always changing.
Why Apache Web Servers?
Apache is considered open source software, which means the original source code is freely available for viewing and collaboration. Being open source has made Apache very popular with developers, who have built and configured their own modules to add specific functionality and improve on its core features. Apache has been around since 1995 and was a core technology that helped spur the initial growth of the internet in its infancy.
One of the pros of Apache is its ability to handle large amounts of traffic with minimal configuration. It scales with ease and with its modular functionality at its core, you can configure Apache to do what you want, how you want it. You can also remove unwanted modules to make Apache more lightweight and efficient.
Some of the most popular modules that can be added are SSL, Server Side Programming Support (PHP), and Load Balancing configs to handle large amounts of traffic. Apache can also be deployed on Linux, MacOS, and Windows. If you learn how to configure Apache on Linux, you can administer Apache on Windows and Mac. The only difference would be directory paths and installation processes.
Features of Apache Web Server
- Handling of static files
- Loadable dynamic modules
- Auto-indexing
- .htaccess
- Compatible with IPv6
- Supports HTTP/2
- FTP connections
- Gzip compression and decompression
- Bandwidth throttling
- Perl, PHP, Lua scripts
- Load balancing
- Session tracking
- URL rewriting
- Geolocation based on IP address
How does Apache Web Server Work?
Apache functions as a way to communicate over networks from client to server using the TCP/IP protocol. Apache can be used for a wide variety of protocols, but the most common is HTTP/S. HTTP/S or Hyper Text Transfer Protocol (S stands for Secure) is one of the main protocols on the web, and the one protocol Apache is most known for.
HTTP/S defines how messages are formatted and transmitted across the web, with instructions for browsers and servers on how to respond to various requests and commands. Hypertext Transfer Protocol Secure is usually carried over port 443, with the unsecured protocol using port 80.
The Apache server is configured via config files, in which modules are used to control its behavior. By default, Apache listens on the IP addresses and ports configured in those files and answers the requests that arrive there. This is where one of Apache’s many strengths comes into play.
With the Listen directive, Apache can accept and route specific traffic to certain ports and domains based on specific address-port combinations. By default, Listen uses port 80, but Apache can be bound to different ports for different domains, allowing many different websites and domains to be hosted on a single server. You can have domain1.com listening on port 80, domain2.com on port 8080 and domain3.com on port 443 using HTTPS, all on Apache.
Once a message reaches its destination or recipient, it sends a notice, or ACK message, basically giving acknowledgment to the original sender that their data has successfully arrived. If there’s an error in receiving data, or some packets were lost in transit, the destination host or client sends a Not Acknowledged, or NAK message, to inform the sender that the data needs to be retransmitted.
Who Uses Apache Web Server?
Apache HTTP web servers account for over 67% of all web servers in the world. Apache web servers are easy to customize, and they’re fast, reliable, and highly secure. This makes Apache web servers a common choice of best-in-class companies.
Alternatives for Apache HTTP Server
While Apache web servers are very popular, they’re not the only web servers on the market. Below are a number of alternatives for Apache HTTP servers.
- Nginx
- Apache Tomcat
- Node.js
- Lighttpd
- Cherokee
- Microsoft IIS
- Appweb
- Hiawatha
Apache HTTP Server vs Tomcat
Simply put, Apache HTTP Server is a web server designed to serve static web pages, whereas Apache Tomcat is an application server built to serve Java applications. Web pages can still be served through Apache Tomcat, but it will be less efficient than using Apache HTTP Server.
Conclusion: Apache Web Server
Throughout the last few decades, Apache has proven to be a staple in many popular stacks and the backbone of the early internet years. While its popularity is declining and the range of web server choices is increasing, Apache still plays a pivotal role in many technology stacks and companies’ system infrastructure. Even with new technologies and servers coming out nonstop, Apache is still a technology every developer should learn how to handle and configure.
Easily monitor and troubleshoot Apache web activity
Sumo Logic helps you identify root issues, decrease downtime, increase availability, and improve overall system performance and user experience.