This project is under development.

Apache Armor

This Ansible role provides an easy way to harden your Apache webserver.

You can apply it as is immediately, as the default settings are good enough to start. You can also tailor the hardening process to your needs by enabling further options.

Should I harden my webserver?

Check for yourself at observatory.mozilla.org.

Requirements

To launch this role, you will need:

Usage

The role edits a temporary copy of your configuration file, then backs up and overwrites your original configuration file if changes were made.

You can start by testing your webserver configuration on observatory.mozilla.org.

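Install Ansible, then create the following apache_hardening.yaml playbook:

- name: Hardening playbook
  # `hosts` takes a host or group pattern, not a mapping;
  # `production` must be defined in your inventory.
  hosts: production

  # Connection settings for the target host
  vars:
    ansible_host: www.example.org
    #ansible_user: user
    #ansible_password: user_pass

  become: yes

  roles:
    - Apache-Armor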

You should have the following directory tree:

[image: directory tree]

Finally, launch your playbook with:

ansible-playbook apache_hardening.yaml

Now you can check your webserver again and enjoy the improvement 😎.

Actions

| Setting | Apache value | Armor value | Applied | Description |
|---|---|---|---|---|
| Etag | test | none | yes | Gives info on running server. In production, there is no reason to give this information. |
| Cookie: Secure attribute | | secure | yes | Setting the Secure attribute on cookies will prevent them from being sent over insecure HTTP. |
| Cookie: HttpOnly attribute | | httponly | yes | HttpOnly cookies are inaccessible from JavaScript, preventing cross-site scripting (XSS) attacks from stealing session cookies. |
| Cookie: SameSite attribute | | samesite | yes | The SameSite attribute prevents your cookies from being sent cross-site, protecting against CSRF attacks. |
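
To verify the four settings above after a run, the response headers can be audited directly. The script below is an added example, not part of the Apache Armor role. The sample headers are constructed, and it assumes that the Etag value "none" means no ETag header is sent and that SameSite=None does not count as protection.

```python
"""Audit response headers for the four settings in the Actions table."""

# Constructed sample responses (not captured from a real server).
BEFORE = [
    ("ETag", '"2aa6-5e1f3c8b1d240"'),
    ("Set-Cookie", "session=abc123; Path=/"),
]
AFTER = [
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "lang=en; Path=/; secure; httponly; samesite=lax"),
]


def cookie_attributes(set_cookie):
    """Return {attribute: value} for one Set-Cookie value, lower-cased."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:  # element 0 is name=value
        name, _, value = part.strip().partition("=")
        if name:
            attrs[name.lower()] = value.strip().lower()
    return attrs


def audit(headers):
    """Map each Actions-table setting to True (hardened) or False."""
    names = {name.lower() for name, _ in headers}
    cookies = [cookie_attributes(v) for n, v in headers
               if n.lower() == "set-cookie"]
    # Every cookie must pass: a single bare cookie fails the whole check.
    return {
        "etag": "etag" not in names,
        "secure": all("secure" in c for c in cookies),
        "httponly": all("httponly" in c for c in cookies),
        # Assumption: SameSite=None still allows cross-site sending, so it fails.
        "samesite": all(c.get("samesite") in ("strict", "lax") for c in cookies),
    }


def failures(headers):
    """Sorted list of settings that are still not hardened."""
    return sorted(k for k, ok in audit(headers).items() if not ok)


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, failures(sample) or "all four checks pass")
```

To audit a live server, pass the list returned by `http.client.HTTPResponse.getheaders()` to `failures()`.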