Hardening Apache

Tony Mobily, Apress 2003, 270 Pages


INTRODUCTION
Hardening Apache takes on the unenviable task of explaining how to securely install everyone's favorite HTTP daemon, Apache. It is common for developers to be pushed into double-duty – or, for that matter, triple-duty – by also performing systems administration on publicly accessible Web servers. If this is you, then this book can save you pain, humiliation and hair loss. We all read with morbid curiosity about popular Web sites that have been defaced, while nervously giggling that it hasn't happened to our site(s). Yet.

Securing an Apache installation is not rocket science. It is actually quite straightforward, as long as you know where to find the information and which configuration parameters make Apache a secure server. This book organizes all of this information, collected from many disparate sources, into a convenient package that you can refer to in your work as a developer/administrator.

CHAPTER OVERVIEW
Chapter 1 tackles the beginning of most system administrators' problems: installing and configuring Apache. It is good to see the strong emphasis on verifying that the Apache you downloaded is the one true Apache (as opposed to a trojaned version). Also welcome are the instructions for the complicated tasks of installing and configuring SSL services on the server. Most important is the section that takes us happily away from the world of the 'default install' and provides clarity and understanding of all the arcane httpd.conf configuration directives.

Chapter 2 focuses on some recent vulnerabilities as case studies, provides some perspective on handling security events, and points out some very handy Web resources.

Chapter 3 sheds much-needed light on the importance of logging, as well as on providing a secure logging environment. Logs are an important source of information about attempts to compromise the server, and are a great opportunity for automated intrusion alarms. The chapter also covers the effort required to provide a secure remote logging platform for all of your applications, ensuring that your audit trail is still available in the event of a break-in.

Chapter 4 touches on the important topic of Cross Site Scripting (XSS) attacks. I appreciated the attention given to the importance of proper URL escaping and careful processing of submitted form data.

Chapter 5 is a who's-who of security-related modules for Apache. My two favorites, mod_security and mod_dosevasive, receive well-deserved attention. Also included are some commercial modules that lack Open Source counterparts and solve some interesting problems.

Chapter 6 is perhaps my favorite topic, configuring a chrooted environment for your Apache server to live in (also referred to as a chroot jail). Having Apache in a sandbox limits your exposure in the event of a compromise, as your intruder may find themselves in a very small room with no view!

Chapter 7 is where the systems administrator approach comes to the surface. The scripts provided in this chapter focus on automating health checks on your server, from monitoring load and disk space to actually requesting pages from your Web site to ensure that all layers of your application are up and functioning properly. The scripts are written for the Bash shell, and are intended as starting points for burgeoning systems administrators to build their own toolkit.
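As an added illustration of the kind of health-check script this chapter describes, here is a constructed example that is not the book's own code: it checks the 1-minute load average, root filesystem usage and the HTTP status line of the local site. The thresholds, the SITE_URL value and the use of curl are assumptions.

```shell
#!/bin/sh
# Constructed health-check example in the spirit of the book's chapter 7
# scripts (not the book's own code). Thresholds and SITE_URL are assumptions.

LOAD_MAX=4                     # alarm when the 1-minute load average exceeds this
DISK_MAX=90                    # alarm when the root filesystem is fuller than this (percent)
SITE_URL="http://127.0.0.1/"   # assumed: Apache answering on the local host

# check_load "<loadavg line>" MAX : succeeds when the 1-minute load is <= MAX.
# The line has the format of /proc/loadavg, e.g. "0.52 0.48 0.40 1/123 4567".
# An empty line (file unreadable) counts as a failure rather than a silent pass.
check_load() {
    one=$(printf '%s\n' "$1" | awk '{ print $1 }')
    [ -n "$one" ] || return 1
    awk -v l="$one" -v m="$2" 'BEGIN { exit !(l + 0 <= m + 0) }'
}

# check_disk "<df -P data line>" MAX : succeeds when the Use% column is <= MAX.
check_disk() {
    pct=$(printf '%s\n' "$1" | awk '{ gsub("%", "", $5); print $5 }')
    [ -n "$pct" ] && [ "$pct" -le "$2" ]
}

# check_http "<HTTP status line>" : succeeds on a 2xx or 3xx status code, so a
# missing or garbled status line (server down, timeout) counts as a failure.
check_http() {
    code=$(printf '%s\n' "$1" | awk '{ print $2 }')
    case "$code" in
        2[0-9][0-9]|3[0-9][0-9]) return 0 ;;
    esac
    return 1
}

# run_checks : gather live values, print one line per alarm, return the failure count.
run_checks() {
    fails=0
    check_load "$(cat /proc/loadavg 2>/dev/null)" "$LOAD_MAX" \
        || { echo "ALARM: load average above $LOAD_MAX"; fails=$((fails + 1)); }
    check_disk "$(df -P / | tail -n 1)" "$DISK_MAX" \
        || { echo "ALARM: / more than ${DISK_MAX}% full"; fails=$((fails + 1)); }
    check_http "$(curl -s -m 10 -I "$SITE_URL" 2>/dev/null | head -n 1)" \
        || { echo "ALARM: $SITE_URL not answering with 2xx/3xx"; fails=$((fails + 1)); }
    return "$fails"
}

# Run the live checks only when invoked as "healthcheck.sh run" (e.g. from cron).
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

The exit status of `run_checks` is the number of failed checks, which makes the script easy to chain into a cron job or a mail alert.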

There are several handy appendices pointing to valuable resources, a helpful introduction to the HTTP protocol, and checkpoints from the end of each chapter.

STYLE POINTS
There is not much code to critique in this book. But the code provided is readable and well commented, and is useful to anyone running Apache. The author's writing style is clear and to the point, and takes pains to explain the whys and hows of securing Apache and of security in general.

THE LOWDOWN
The inclusion of ./configure, make and make install output is a bit gratuitous, as I have seen way too many lines of this output to find it interesting. There may be individuals out there who need to see this as an example, but I would assume they are a small lot. The other nit I have is the lack of information specific to running Apache securely on Windows.

This is an excellent book for anyone responsible for running Apache in a production environment, especially so for a publicly accessible Web server. I especially enjoyed the chapters on installation/configuration and important modules, as these are the first two things I do when putting up yet another server.
