With more than 67% of web servers running Apache, it is by far the most widely used web server platform in the world. Apache has evolved into a powerful system that easily rivals other HTTP servers in terms of functionality, efficiency, and speed. Despite these impressive capabilities, though, Apache is only a beneficial tool if it's a secure one. To be sure, administrators installing and configuring Apache still need a sure-fire way to secure it--whether it's running a huge e-commerce operation, corporate intranet, or just a small hobby site. Our new guide, Apache Security, gives administrators and webmasters just what they crave--a comprehensive security source for Apache. Successfully combining Apache administration and web security topics, Apache Security speaks to nearly everyone in the field. What's more, it offers a concise introduction to the theory of securing Apache, as well as a broad perspective on server security in general. But this book isn't just about theory. The real strength of Apache Security lies in its wealth of interesting and practical advice, with many real-life examples and solutions. Administrators and programmers will learn how to:

• install and configure Apache

• prevent denial of service (DoS) and other attacks

• securely share servers

• control logging and monitoring

• secure custom-written web applications

• conduct a web security assessment

• use mod_security and other security-related modules

And that's just the tip of the iceberg, as mainstream Apache users will also gain valuable information on PHP and SSL/ TLS. Clearly, Apache Security is packed and to the point, with plenty of details for locking down this extremely popular and versatile web server.

Amazon.com® Reader Reviews (Ranked by Helpfulness)

Average Amazon.com® Rating:  Based on 15 Ratings

Much more than just Apache Security - 2007-10-11
Reviewer Rating:
I found this book while browsing the programming section of Borders (the programming section of my local Borders is amazing!), and I've found it to be a real gem.

The book covers so much more than just Apache security. It covers installation and configuration, and explains a little of how Apache works along the way. There are also chapters or sections on:

- Understanding and securing PHP
- An explanation of SSL
- DOS attacks
- Traffic shaping in Apache
- Logging is covered extensively
- There's a chapter on web security in general, where all the common attacks are explained
- Using Apache as a proxy or a reverse proxy

I especially enjoyed the Web Security Assessment chapter where the author explained how to systematically analyze and probe web applications/servers, with many real world examples.

There is a large section discussing mod_security, which is an amazing Apache module. Mod_security is an intrusion detection and prevention engine for web applications (a web application firewall). The book is written by the author of mod_security (Ivan Ristic), so he really knows what he's talking about in this area. Also covered is mod_dosevasive, which, obviously helps prevent against denial of service attacks.

I would not hesitate to recommend this book to any Apache administrator, user, or web programmer. Its one of my favorite books on my bookshelf.

A very easy read, on what could have been a dry topic - 2009-04-24
Reviewer Rating:
In the almost four years since this book was published the area of security, and of web security in particular has continued to move on at a significant pace. While there are many new specifics in this area, the underlying principals of this book are still fundamentally sound and a you get a very strong foundation in Apache in general, and Apache security specifically.

Unlike many O'Reilly books that punish you for reading from cover to cover, this one is very well edited, avoids telling you in a chapter what it told you in three previous chapters and the Ivan's writing style makes this a very fast read.

The section on mod_security is a lot longer than would normally make sense, but since Ivan wrote it this is not unexpected.

A very good read, and I hope at some point an updated version is released to cover the evolving area of web security.

A good reference, but a tad dated now. - 2009-10-02
Reviewer Rating:
I've had the book Apache Security for a while now, so I thought I'd give it a quick review.

Like most O'Reilly books, it's well thought out and fairly complete. Unsurprisingly, it focuses on the standard LAMP stack, giving advice on building and deploying Apache and hooking in PHP and SSL. Ruby seem to be missing, and Perl is just discussed within a chroot environment. It discusses performance tuning a bit, in the guise of protection against DOS, and then moves onto issues in a shared hosting environment.

Much of what is in this book is more general than just Apache, so it's best to consider this as a general security book for people running both Linux and Apache, and ideally using PHP and MySQL. It would be less useful to people running Apache on Windows and for people using less common languages. However, it is very good for the basics:

* Installing Apache
* Hardening Apache
* Setting up chroot
* Hardening PHP
* Configuring logging and access
* Understanding web attacks
Where it seems to lack a bit is:

* It presumes that the reader will install Apache from source, whereas most these days will install from a package. More advice on hardening Apache in the SuSE, Red Hat and Ubuntu/Debian environments would be useful.
* There is no mention of AppArmor or SELinux (which, to be fair, were pretty new when this book came out). A second edition will have to have these, as they are a key way to protect Apache against itself.
* A few pages on how to use Suhosin to protect PHP applications would be good.
* A section on protecting Ruby and one on Perl would be good. While it is certainly true that no book can cover everything, these three languages are the most common in the LAMP world and should probably be addressed, at least in passing.
* While we're at it, a section on hardening MySQL wouldn't be out place, as the book is more of a LAMP book than an Apache book anyway.

I recommend this book for the beginner to moderate admin, be they a web admin or in the security space. However, experienced people may not find much new in here. I would, however, love to see a second edition released.

Crucial reference for Apache web server admins - 2009-03-13
Reviewer Rating:
From my perspective: As a Linux / BSD sysadmin (but Apache httpd novice), I purchased this book a few months ago in hopes of supplementing my Apache learning. I wanted to learn the "right" (i.e. secure) way of configuring our Apache deployments from the start.

Along with the Apache project's official directive / module references, this book helped provide a great foundation for understanding how to configure and harden Apache. The most useful things I took away from Apache Security were:

* creating a cruft-free, secure by default httpd.conf;
* hardening PHP;
* getting more from httpd logging; and
* really, finally understanding SSL/TLS (and keys and certs).

There is a lot of information in the book, so I'll likely be reading it cover-to-cover at least once more to glean the next round of tips and concepts.

super - 2007-03-08
Reviewer Rating:
Thanks a lot, we are very happy to have this book in our library!

Browse Similar Topics

Top Level Categories:
Databases
Internet/Online
Security

Sub-Categories:
Databases > Web/Internet Database
Internet/Online > Apache
Internet/Online > Web Server
Security > Internet/Online