Apache Web Server Hardening and Security Guide

A practical guide to secure and harden Apache HTTP Server.

The Web Server is a crucial part of web-based applications. Apache Web Server is often placed at the edge of the network, hence it becomes one of the most vulnerable services to attack.

The default configuration supplies a lot of sensitive information which may help a hacker prepare an attack on the applications. The majority of web application attacks are XSS, Information Leakage, Session Management and SQL Injection attacks, which are due to weak programming code and failure to sanitize the web application infrastructure.

Interesting research by Positive Technologies reveals that 52% of the scanned applications had high-severity vulnerabilities.

(Screenshot: vulnerability report)

In this article, I'll talk about some of the best practices to secure Apache HTTP server on the Linux platform.

The following were tested on Apache 2.4.x.

  • This assumes you have installed Apache on a UNIX platform. If not, you can go through the Installation guide.
  • I'll refer to the Apache installation directory /opt/apache as $Web_Server throughout this guide.
  • You are advised to take a backup of the existing configuration file before any modification.

Audience

This is designed for Middleware Administrators, Application Support, System Analysts, or anyone working on or eager to learn Hardening & Security guidelines.

Fair knowledge of Apache Web Server & UNIX commands is mandatory.

Notes

You will require a tool to examine HTTP headers in order to verify some of the implementations. There are two ways to do this.

  1. Use the browser's built-in developer tools to check the HTTP headers. Usually they are under the Network tab.
  2. Use an online HTTP response header checker tool.

Remove Server Version Banner

I would say this is one of the first things to consider, as you don't want to expose what web server version you are using. Exposing the version means you are helping the hacker speed up the reconnaissance process.

The default configuration will expose the Apache version and OS type as shown below.

(Screenshot: Apache server banner)

  • Go to the $Web_Server/conf folder
  • Modify httpd.conf using the vi editor
  • Add the following directives and save httpd.conf
ServerTokens Prod
ServerSignature Off
  • Restart Apache

ServerSignature will remove the version information from the pages generated by Apache.

ServerTokens will change the Server header to the product name only, i.e., Apache.

As you can see below, the version & OS information is gone.

(Screenshot: Apache server banner masked)

Disable directory browser listing

Disable directory listing in the browser, so the visitor doesn't see which files and folders you have under the root or a subdirectory.

Let's take a look at how it looks with the default settings.

  • Go to the $Web_Server/htdocs directory
  • Create a folder and a few files inside it
# mkdir test
# cd test
# touch hi
# touch hello

Now, let's try to access Apache via http://localhost/test

(Screenshot: Apache directory listing)

As you can see, it reveals which files/folders you have, and I'm sure you don't want to expose that.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for Directory and change the Options directive to None or -Indexes
<Directory /opt/apache/htdocs>
Options -Indexes
</Directory>

(or)

<Directory /opt/apache/htdocs>
Options None
</Directory>
  • Restart Apache

Note: if you have multiple Directory directives in your environment, you should consider doing the same for all of them.

Now, let's try to access Apache via http://localhost/test

(Screenshot: directory listing disabled)

As you can see, it displays a forbidden error instead of the test folder listing.

Etag

It allows remote attackers to obtain sensitive information like the inode number, multipart MIME boundary, and child process through the Etag header.

To prevent this vulnerability, let's implement it as below. This is required to be fixed for PCI compliance.

  • Go to the $Web_Server/conf directory
  • Add the following directive to httpd.conf and save it
FileETag None
  • Restart Apache

Run Apache from a non-privileged account

A default installation runs as nobody or daemon. Using a separate non-privileged user for Apache is good.

The idea here is to protect the other services running on the server in case of any security hole.

  • Create a user and group called apache
# groupadd apache
# useradd -G apache apache
  • Change the ownership of the Apache installation directory to the newly created non-privileged user
# chown -R apache:apache /opt/apache
  • Go to $Web_Server/conf
  • Modify httpd.conf using vi
  • Search for the User & Group directives and change them to the non-privileged account apache
User apache
Group apache
  • Save httpd.conf
  • Restart Apache

grep for the running httpd processes and ensure they are running as the apache user

# ps -ef | grep http

You should see one process running as root. That's because Apache is listening on port 80 and it has to be started as root.

Protect binary and configuration directory permissions

By default, the permission of the binary and configuration directories is 755, which means any user on the server can view the configuration. You can disallow other users from getting into the conf and bin folders.

  • Go to the $Web_Server directory
  • Change the permissions of the bin and conf folders
# chmod -R 750 bin conf
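
To confirm the result of the permission step above, the following Python script is an added example and not part of the original guide. It builds a throwaway stand-in for $Web_Server in a temporary directory (constructed, not a real installation), lists everything still accessible to "other" users, applies the equivalent of chmod -R 750 to bin and conf, and lists again. Against a real installation you would call world_accessible("/opt/apache") directly.

```python
import os
import stat
import tempfile

# Permission bits granted to users outside the owning user and group.
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def world_accessible(root):
    """Walk a directory tree and return the paths (relative to root) whose mode
    grants any permission to 'other'. After hardening, bin and conf must be absent."""
    leaking = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(full).st_mode) & OTHER_BITS:
                leaking.append(os.path.relpath(full, root))
    return sorted(leaking)


def chmod_recursive(path, mode):
    """Equivalent of `chmod -R <mode> path`: the directory and everything below it."""
    os.chmod(path, mode)
    for dirpath, dirnames, filenames in os.walk(path):
        for name in dirnames + filenames:
            os.chmod(os.path.join(dirpath, name), mode)


def demo():
    """Constructed stand-in for $Web_Server: default 755 directories and 644 files,
    audited before and after `chmod -R 750 bin conf`. Returns (before, after)."""
    root = tempfile.mkdtemp(prefix="web_server_")
    for d in ("bin", "conf", "htdocs"):
        os.mkdir(os.path.join(root, d))
        os.chmod(os.path.join(root, d), 0o755)
    for f in ("bin/httpd", "conf/httpd.conf", "htdocs/index.html"):
        p = os.path.join(root, f)
        open(p, "w").close()
        os.chmod(p, 0o644)
    before = world_accessible(root)
    for d in ("bin", "conf"):
        chmod_recursive(os.path.join(root, d), 0o750)
    after = world_accessible(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-accessible before:", before)
    print("world-accessible after: ", after)
```

Note that `chmod -R 750` also sets the execute bit on files such as httpd.conf; that is what the guide's command does, and the audit only cares about the "other" bits, so htdocs (which must stay readable for the web root) is the only entry left afterwards.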

System Settings Protection

In a default installation, users can override the Apache configuration using .htaccess. If you want to stop users from changing your Apache server settings, you can set AllowOverride to None as shown below.

This must be done at the root level.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for the Directory block at the root level
<Directory />
Options -Indexes
AllowOverride None
</Directory>
  • Save httpd.conf
  • Restart Apache

HTTP Request Methods

The HTTP 1.1 protocol supports many request methods which may not be required, and some of them carry potential risk.

Typically you may need the GET, HEAD and POST request methods in a web application, which can be configured in the respective Directory directive.

The default configuration supports the OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE and CONNECT methods of the HTTP 1.1 protocol.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for Directory and add the following inside it
<LimitExcept GET POST HEAD>
# 2.2-style access control; on Apache 2.4 this needs mod_access_compat loaded.
# The native 2.4 equivalent is: Require all denied
deny from all
</LimitExcept>
  • Restart Apache

Disable Trace HTTP Request

By default, the TRACE method is enabled in the Apache web server.

Having this enabled can allow a Cross Site Tracing attack, potentially giving a hacker an option to steal cookie information. Let's see how it looks in the default configuration.

  • Telnet to the web server IP on the listening port
  • Make a TRACE request as shown below
#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 200 OK
Date: Sat, 31 Aug 2013 02:13:24 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: message/http

20
TRACE / HTTP/1.1
Host: test

0

Connection closed by foreign host.
#

As you can see in the above TRACE request, the server has echoed my query back. Let's disable it and test it.

  • Go to the $Web_Server/conf directory
  • Add the following directive and save httpd.conf
TraceEnable off
  • Restart Apache

Telnet to the web server IP on the listening port and make a TRACE request as shown below

#telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: test

HTTP/1.1 405 Method Not Allowed
Date: Sat, 31 Aug 2013 02:18:27 GMT
Server: Apache
Allow:
Content-Length: 223
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>405 Method Not Allowed</title>
</head><body>
<h1>Method Not Allowed</h1>
<p>The requested method TRACE is not allowed for the URL /.</p>
</body></html>
Connection closed by foreign host.
#

As you can see in the above TRACE request, the server has blocked my request with HTTP 405 Method Not Allowed.

Now this web server doesn't allow TRACE requests, which helps in blocking Cross Site Tracing attacks.

Set cookie with HttpOnly and Secure flag

You can mitigate most of the common Cross Site Scripting attacks using the HttpOnly and Secure flags in a cookie. Without HttpOnly and Secure, it's possible to steal or manipulate the web application session and cookies, and that's dangerous.

  • Ensure mod_headers.so is enabled in your httpd.conf
  • Go to the $Web_Server/conf directory
  • Add the following directive and save httpd.conf
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  • Restart Apache

Clickjacking Attack

Clickjacking is a well-known web application vulnerability.

  • Ensure mod_headers.so is enabled in your httpd.conf
  • Go to the $Web_Server/conf directory
  • Add the following directive and save httpd.conf
Header always append X-Frame-Options SAMEORIGIN
  • Restart Apache

(Screenshot: X-Frame-Options header)

X-Frame-Options also supports two more options, which I explained here.

Server Side Include

Server Side Include (SSI) has a risk of increasing the load on the server. If you have a shared environment and heavy-traffic web applications, you should consider disabling SSI by adding -Includes to the Options directive.

An SSI attack allows the exploitation of a web application by injecting scripts into HTML pages or executing code remotely.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi
  • Search for Directory and add -Includes to the Options directive
<Directory /opt/apache/htdocs>
Options -Indexes -Includes
Order allow,deny
Allow from all
</Directory>
  • Restart Apache

Note: if you have multiple Directory directives in your environment, you should consider doing the same for all of them.

X-XSS Protection

Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can apply this protection for a web application even if it was disabled by the user. This is used by a majority of big web companies like Facebook, Twitter, Google, etc.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi and add the following Header directive
Header set X-XSS-Protection "1; mode=block"
  • Restart Apache

As you can see, X-XSS-Protection is now injected into the response header.

(Screenshot: X-XSS-Protection header)
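
The server banner, cookie flag, X-Frame-Options and X-XSS-Protection changes above can all be verified from a single captured response without an online checker. The following Python audit is an added example, not code from the original article; both HTTP responses are constructed samples, and add_cookie_flags is my assumption about how one would make the cookie rule idempotent, since `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` matches every Set-Cookie value and appends the flags even when the application already set them.

```python
import re
from collections import defaultdict

# Constructed sample: a response from a default Apache install (not a real capture).
UNHARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 31 Aug 2013 02:13:24 GMT\r\n"
    "Server: Apache/2.4.6 (Unix) OpenSSL/1.0.1e\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same response after the directives in this guide.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sat, 31 Aug 2013 02:13:24 GMT\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/;HttpOnly;Secure\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Map lower-cased header name -> list of values (Set-Cookie may repeat)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = defaultdict(list)
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers


def cookie_attributes(cookie):
    """Lower-cased attribute set of a Set-Cookie value, e.g. {'path=/', 'httponly'}."""
    return {a.strip().lower() for a in cookie.split(";")[1:]}


def add_cookie_flags(cookie):
    """Same effect as the guide's `Header edit` rule, but idempotent (assumption):
    a flag is appended only when the cookie does not carry it already."""
    present = cookie_attributes(cookie)
    for flag in ("HttpOnly", "Secure"):
        if flag.lower() not in present:
            cookie += ";" + flag
    return cookie


def audit_response(raw):
    """Return a list of findings; an empty list means every check in this guide passed."""
    h = parse_headers(raw)
    findings = []
    server = h.get("server", [""])[0]
    if re.search(r"/\d", server) or "(" in server:   # "Apache/2.4.6 (Unix)" leaks version + OS
        findings.append(f"Server header leaks version/OS: {server!r}")
    for cookie in h.get("set-cookie", []):
        missing = [f for f in ("httponly", "secure") if f not in cookie_attributes(cookie)]
        if missing:
            findings.append(f"Set-Cookie missing {', '.join(missing)}: {cookie!r}")
    if h.get("x-frame-options", [""])[0].upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options missing or not SAMEORIGIN/DENY")
    if h.get("x-xss-protection", [""])[0] != "1; mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings


if __name__ == "__main__":
    for label, raw in (("default", UNHARDENED_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or "all checks passed")
```

Paste the raw response headers you see in the browser's Network tab into a string of the same shape to audit a live server; the Server check treats any "/digit" or parenthesised token as a leak, which is exactly what ServerTokens Prod removes.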

Disable HTTP 1.0 Protocol

When we talk about security, we should protect as much as we can. So why do we still use the older version of the HTTP protocol? Let's disable it as well.

HTTP 1.0 has a security weakness related to session hijacking. We can disable it by using the mod_rewrite module.

  • Ensure the mod_rewrite module is loaded in the httpd.conf file
  • Enable the RewriteEngine directive as follows and add a rewrite condition to allow only HTTP 1.1
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1.1$
RewriteRule .* - [F]

Timeout value configuration

By default, the Apache time-out value is 300 seconds, which can make it a victim of a Slow Loris attack and DoS. To mitigate this, you can lower the timeout value to maybe 60 seconds.

  • Go to the $Web_Server/conf directory
  • Open httpd.conf using vi
  • Add the following to httpd.conf
Timeout 60

SSL

Having SSL is an additional layer of security you are adding to the Web Application. However, the default SSL configuration leads to certain vulnerabilities, and you should consider tweaking those configurations.

SSL Key

Breaking an SSL key is hard, but not impossible. It's just a matter of computational power and time.

As you may know, using a 2009-era PC cracking away for around 73 days, you can reverse engineer a 512-bit key.

So the higher the key length you have, the more complicated it becomes to break the SSL key. The majority of big Web Companies use 2048-bit keys, as listed below, so why don't we?

  • Outlook.com
  • Microsoft.com
  • Live.com
  • Skype.com
  • Apple.com
  • Yahoo.com
  • Bing.com
  • Hotmail.com
  • Twitter.com

You can use OpenSSL to generate a CSR with a 2048-bit key as below.

openssl req -out geekflare.csr -newkey rsa:2048 -nodes -keyout geekflare.key

It will generate a CSR which you will need to send to a certificate authority to sign. Once you receive the signed certificate file, you can add the files to httpd-ssl.conf. Apache does not accept a comment after a directive on the same line, so the notes below are on their own lines; replace the /path/to placeholders with your own file paths.

# Certificate signed by the authority
SSLCertificateFile /path/to/signed-certificate.crt
# Certificate of the signer, given by the authority
SSLCertificateChainFile /path/to/chain.crt
# Key file which you generated above
SSLCertificateKeyFile /path/to/geekflare.key
  • Restart the Apache web server and try to access the URL with https

SSL Cipher

An SSL Cipher is an encryption algorithm, which is used as a key between two computers over the Internet. Data encryption is the process of converting plain text into secret ciphered codes.

Data encryption takes place based on your web server's SSL Cipher configuration. So it's essential to configure an SSL Cipher that is strong and not vulnerable.

  • Go to the $Web_Server/conf/extra folder
  • Modify the SSLCipherSuite directive in httpd-ssl.conf as below to accept only higher-strength encryption algorithms
SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
  • Save the configuration file and restart the Apache server

Note: if you have many weak ciphers in your SSL auditing report, you can quickly reject them by adding ! in front of each.

Disable SSL v2 & v3

SSL v2 & v3 have many security flaws, and if you are working towards a penetration test or PCI compliance, then you are expected to close the security finding by disabling SSL v2/v3.

Any SSL v2/v3 communication may be vulnerable to a Man-in-The-Middle attack that could allow data tampering or disclosure.

Let's configure the Apache web server to accept only the latest TLS and reject SSL v2/v3 connection requests.

  • Go to the $Web_Server/conf/extra folder
  • Modify the SSLProtocol directive in httpd-ssl.conf as below to accept only TLS 1.2+
SSLProtocol -ALL +TLSv1.2
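
Both SSLCipherSuite and SSLProtocol are passed by mod_ssl to OpenSSL, so you can see what the settings in the two sections above resolve to on your own machine before touching httpd-ssl.conf. The Python snippet below is an added example (not from the original article): it expands the guide's cipher string through the local OpenSSL library, flags any suite name an SSL audit would object to, and builds a server context that, like SSLProtocol -ALL +TLSv1.2, refuses anything older than TLS 1.2. WEAK_MARKERS is a constructed list for this check, not an OpenSSL concept.

```python
import ssl

# Cipher string from the SSLCipherSuite directive in this guide. mod_ssl hands it to
# OpenSSL unchanged, and Python's ssl module accepts the same cipher-string syntax.
GUIDE_CIPHERS = "HIGH:!MEDIUM:!aNULL:!MD5:!RC4"

# Constructed list of substrings that mark suites an SSL audit report would flag:
# RC4 and MD5 (excluded explicitly above), NULL/ADH/AECDH (anonymous or unencrypted,
# covered by !aNULL), EXP (export-grade).
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def resolve_cipher_names(spec):
    """Expand an OpenSSL cipher string into the suite names the local library selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches, e.g. an all-weak string
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Suite names that contain a weak marker; an empty result means the string is clean."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def hardened_server_context(spec=GUIDE_CIPHERS):
    """Server context mirroring `SSLProtocol -ALL +TLSv1.2` plus the cipher string:
    SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are refused and only the selected suites are offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(spec)
    return ctx


if __name__ == "__main__":
    names = resolve_cipher_names(GUIDE_CIPHERS)
    print(f"{len(names)} suites selected; weak: {weak_ciphers(names)}")
    for name in names:
        print("  ", name)
    print("minimum protocol:", hardened_server_context().minimum_version.name)
```

The printed list is what an auditing tool will report against the server; TLS 1.3 suites (names starting with TLS_) appear in it too, but they are negotiated separately and are not controlled by the cipher string.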

Once you are done with the SSL configuration, it's a good idea to test your web application with an online SSL/TLS Certificate tool to find any configuration error.

Mod Security

Mod Security is an open-source Web Application Firewall, which you can use with Apache.

It comes as a module which you have to compile and install. If you can't afford a commercial web application firewall, this would be an excellent choice to go for.

To provide generic web application protection, the Core Rules use the following techniques:

  • HTTP Protection – detecting violations of the HTTP protocol and a locally defined usage policy
  • Real-time Blacklist Lookups – utilizes 3rd Party IP Reputation
  • Web-based Malware Detection – identifies malicious web content by checking against the Google Safe Browsing API.
  • HTTP Denial of Service Protections – defense against HTTP Flooding and Slow HTTP DoS Attacks.
  • Common Web Attacks Protection – detecting common web application security attacks
  • Automation Detection – detecting bots, crawlers, scanners and other surface malicious activity
  • Integration with AV Scanning for File Uploads – identifies malicious files uploaded through the web application.
  • Tracking Sensitive Data – tracks Credit Card usage and blocks leakages.
  • Trojan Protection – detecting access to Trojan horses.
  • Identification of Application Defects – alerts on application misconfigurations.
  • Error Detection and Hiding – disguising error messages sent by the server.

Download & Install

The following prerequisites must be installed on the server where you wish to use Mod Security with Apache. If any one of these doesn't exist, the Mod Security compilation will fail. You may use yum install on Linux or CentOS to install these packages.

  • apache 2.x or higher
  • libpcre package
  • libxml2 package
  • liblua package
  • libcurl package
  • libapr and libapr-util packages
  • mod_unique_id module, bundled with the Apache web server

Now, let's download the latest stable version of Mod Security, 2.7.5, from here

  • Transfer the downloaded file to /opt/apache
  • Extract modsecurity-apache_2.7.5.tar.gz
# gunzip -c modsecurity-apache_2.7.5.tar.gz | tar xvf -
  • Go to the extracted folder modsecurity-apache_2.7.5
# cd modsecurity-apache_2.7.5
  • Run the configure script with the apxs path of the existing Apache
# ./configure --with-apxs=/opt/apache/bin/apxs
  • Compile & install with make
# make
# make install
  • Once the installation is done, you'll see mod_security2.so in the modules folder under /opt/apache

This concludes the installation: you now have the Mod Security module installed in the existing Apache web server.

Configuration

To use the Mod Security feature with Apache, we have to load the Mod Security module in httpd.conf. The mod_unique_id module is a prerequisite for Mod Security.

This module provides an environment variable with a unique identifier for each request, which is tracked and used by Mod Security.

  • Add the following lines to httpd.conf to load the modules for Mod Security, and save the configuration file
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so
  • Restart the Apache web server

Mod Security is now installed!

The next thing you should do is install the Mod Security core rules to take full advantage of its features.

The latest Core Rules can be downloaded for free from the following link. https://github.com/SpiderLabs/owasp-modsecurity-crs/zipball/master

  • Copy the downloaded core rules zip to the /opt/apache/conf folder
  • Unzip the core rules file
  • You may want to rename the folder to something short and easy to remember. In this example, I'll rename it to crs.
  • Go to the crs folder and rename modsecurity_crs_10_setup.conf.example to modsecurity_crs_10_setup.conf

Now, let's enable these rules to get them working with the Apache web server.

  • Add the following to httpd.conf
<IfModule security2_module>
Include conf/crs/modsecurity_crs_10_setup.conf
Include conf/crs/base_rules/*.conf
</IfModule>

In the above configuration, we are loading the Mod Security main configuration file modsecurity_crs_10_setup.conf and the base rules base_rules/*.conf provided by the Mod Security Core Rules to protect web applications.

  • Restart the Apache web server

You have successfully configured Mod Security with Apache!

Well done. Now the Apache Web server is protected by the Mod Security web application firewall.

Getting Started

Let's get started with some of the essential configurations in Mod Security to harden & secure web applications.

In this section, we will make all configuration modifications in /opt/apache/conf/crs/modsecurity_crs_10_setup.conf.

We will refer to /opt/apache/conf/crs/modsecurity_crs_10_setup.conf as setup.conf in this section for example purposes.

It's essential to know which OWASP rules are provided for free. OWASP provides the following kinds of rules.

Base Rules – these rules are heavily tested, and the false alarm ratio is probably low.

Experimental Rules – these rules are for experimental purposes, and you may get a high false alarm rate. It's essential to configure, test and implement them in UAT before using them in a production environment.

Optional Rules – these optional rules may not be suitable for every environment. Based on your requirements you may use them.

If you are looking for CSRF, User tracking, Session hijacking, etc. protection, then you may consider using the optional rules. We have the base, optional and experimental rules after extracting the crs zip file downloaded from the OWASP download page.

These rule configuration files are available in the crs/base_rules, crs/optional_rules and crs/experimental_rules folders. Let's get familiar with some of the base rules.

  • modsecurity_crs_20_protocol_violations.conf: protects from protocol vulnerabilities like response splitting, request smuggling and use of a non-allowed protocol (HTTP 1.0).
  • modsecurity_crs_21_protocol_anomalies.conf: protects from requests which are missing the Host, Accept or User-Agent header.
  • modsecurity_crs_23_request_limits.conf: this rule depends on application specifics like request size, upload size, length of a parameter, etc.
  • modsecurity_crs_30_http_policy.conf: configures and enforces allowed or disallowed methods like CONNECT, TRACE, PUT, DELETE, etc.
  • modsecurity_crs_35_bad_robots.conf: detects malicious robots.
  • modsecurity_crs_40_generic_attacks.conf: protects from OS command injection, remote file inclusion, etc.
  • modsecurity_crs_41_sql_injection_attacks.conf: protects against SQL and blind SQL injection requests.
  • modsecurity_crs_41_xss_attacks.conf: protection from Cross-Site Scripting requests.
  • modsecurity_crs_42_tight_security.conf: directory traversal detection and protection.
  • modsecurity_crs_45_trojans.conf: detects generic file management output, uploading of HTTP backdoor pages and known signatures.
  • modsecurity_crs_47_common_exceptions.conf: used as an exception mechanism to remove common false positives that may be encountered, such as the Apache internal dummy connection, SSL pinger, etc.

Logging

Logging is one of the first things to configure so that you have logs of what Mod Security is doing. There are two kinds of logging available: Debug & Audit log.

Debug Log: this duplicates the Apache error, warning and notice messages from the error log.

Audit Log: this writes the transaction logs that are marked by a Mod Security rule. Mod Security gives you the flexibility to configure Audit, Debug or both kinds of logging.

By default, the configuration will write both logs. However, you may change this based on your requirements. Logging is controlled in the SecDefaultAction directive. Let's look at the default logging configuration in setup.conf

SecDefaultAction "phase:1,deny,log"

  • To write both the Debug and Audit log – use "log"
  • To write only the Audit log – use "nolog,auditlog"
  • To write only the Debug log – use "log,noauditlog"

You can specify the location where the Audit Log is stored, which is controlled by the SecAuditLog directive.

Let's write the audit log to /opt/apache/logs/modsec_audit.log by adding the directive as shown below.

  • Add the SecAuditLog directive in setup.conf and restart the Apache Web Server
SecAuditLog /opt/apache/logs/modsec_audit.log
  • After the restart, you should see modsec_audit.log being generated

Enable Rule Engine

By default the Rule Engine is Off, which means that if you don't enable the Rule Engine you are not getting all the benefits of Mod Security.

Enabling or disabling the Rule Engine is controlled by the SecRuleEngine directive.

  • Add the SecRuleEngine directive in setup.conf and restart the Apache Web Server
SecRuleEngine On

There are three values for SecRuleEngine:

  • On – enable the Rule Engine
  • Off – disable the Rule Engine
  • DetectionOnly – enable the Rule Engine but never execute any disruptive actions like block, deny, drop, allow, proxy or redirect

Once the Rule Engine is on, Mod Security is ready to protect against some of the common attack types.

Common Attack Type Protection

Now the web server is ready to protect against common attack types like XSS, SQL Injection, Protocol Violation, etc., as we have installed the Core Rules and turned on the Rule Engine. Let's test a few of them.

XSS Attack

  • Open Firefox, access your application and put a <script> tag at the end of the URL
  • Monitor modsec_audit.log in the apache/logs folder

You'll notice Mod Security blocks the request as it contains a <script> tag, which is the root of an XSS attack.

Directory Traversal Attack: Directory traversal attacks can create a lot of damage by taking advantage of these vulnerabilities to access system-related files. Ex – /etc/passwd, .htaccess, etc.

  • Open Firefox and access your application with a directory traversal
http://localhost/?../.../boot
  • Monitor modsec_audit.log in the apache/logs folder
  • You'll notice Mod Security blocks the request as it contains a directory traversal.

Change Server Banner

Earlier in this guide, you learned how to remove the Apache and OS type and version with the help of the ServerTokens directive.

Let's go one step further: how about making the server name whatever you wish? It's possible with the SecServerSignature directive in Mod Security. You see, it's interesting.

Note: to use Mod Security to manipulate the Server banner header, you must set ServerTokens to Full in httpd.conf of the Apache web server.

  • Add the SecServerSignature directive with your desired server name in setup.conf and restart the Apache Web Server
SecServerSignature YourServerName

Ex:

[/opt/apache/conf/crs] #grep SecServer modsecurity_crs_10_setup.conf
SecServerSignature geekflare.com
[/opt/apache/conf/crs] #

General Configuration

Let's take a look at some of the general configurations as best practice.

Configure Listen

When you have multiple interfaces and IPs on a single server, it's recommended to have the Listen directive configured with an absolute IP and port number.

When you leave the Apache configuration to Listen on all IPs with some port number, it may create a problem in forwarding HTTP requests to some other web server. This is quite common in a shared environment.

  • Configure the Listen directive in httpd.conf with an absolute IP and port as shown in the example below
Listen 10.10.10.1:80

Access Logging

It's essential to configure the access log properly on your web server. Some of the important parameters to capture in the log would be the time taken to serve the request and the SESSION ID.

By default, Apache is not configured to capture this data. You have to configure it manually as follows.

  • To capture the time taken to serve the request and the SESSION ID in the access log
  • Add %T & %{sessionID}C to the LogFormat directive in httpd.conf (double quotes inside the format string must be escaped with a backslash)
LogFormat "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T" common

You can refer to http://httpd.apache.org/docs/2.2/mod/mod_log_config.html for a complete list of the parameters supported in the LogFormat directive in Apache Web Server.
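
Once the access log uses the format above, it becomes useful for the checks this guide cares about: how long each request took to serve (%T), which session each request belonged to, and which methods were refused with 405 after TraceEnable off. The Python parser below is an added example, not part of the original article; the four log lines are constructed samples in the guide's LogFormat, and sessionID is the cookie name the guide itself chose.

```python
import re
from collections import Counter

# Regex for the LogFormat in this guide:
#   "%h %l %u %t \"%{sessionID}C\" \"%r\" %>s %b %T"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<session>[^"]*)" "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<secs>\d+)$'
)

# Constructed sample lines (not a real capture) in that format.
SAMPLE_LOG = [
    '10.10.10.5 - - [31/Aug/2013:02:13:24 +0000] "-" "GET /index.html HTTP/1.1" 200 2326 0',
    '10.10.10.7 - - [31/Aug/2013:02:13:31 +0000] "a1b2c3" "POST /login HTTP/1.1" 302 - 1',
    '10.10.10.9 - - [31/Aug/2013:02:14:02 +0000] "a1b2c3" "GET /report?id=1 HTTP/1.1" 200 91822 75',
    '10.10.10.9 - - [31/Aug/2013:02:14:05 +0000] "-" "TRACE / HTTP/1.1" 405 223 0',
]


def parse_line(line):
    """Parse one access-log line into a dict; returns None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])   # %b logs "-" for no body
    rec["secs"] = int(rec["secs"])                                    # %T is whole seconds
    rec["session"] = None if rec["session"] == "-" else rec["session"]  # %{..}C logs "-" if absent
    return rec


def slow_requests(lines, threshold_secs):
    """Requests that took at least threshold_secs to serve: candidates for a slow
    back-end or for connections held open in the Slow Loris manner the Timeout section mentions."""
    recs = (parse_line(line) for line in lines)
    return [(r["host"], r["request"], r["secs"]) for r in recs if r and r["secs"] >= threshold_secs]


def requests_per_session(lines):
    """Count requests per SESSION ID cookie; lines without the cookie are ignored."""
    return Counter(r["session"] for r in map(parse_line, lines) if r and r["session"])


def rejected_methods(lines):
    """HTTP methods answered with 405, i.e. refused by the server (TraceEnable off and similar)."""
    return [r["request"].split(" ")[0] for r in map(parse_line, lines) if r and r["status"] == 405]


if __name__ == "__main__":
    print("slow (>= 60s):", slow_requests(SAMPLE_LOG, 60))
    print("per session:  ", dict(requests_per_session(SAMPLE_LOG)))
    print("rejected:     ", rejected_methods(SAMPLE_LOG))
```

Feed it the real file with `slow_requests(open("/opt/apache/logs/access_log"), 60)`; lines that do not match the format (for example from before the LogFormat change) are skipped rather than crashing the run.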

Disable Loading unwanted modules

If you have compiled and installed with all modules, then there is a high chance you will have many modules loaded in Apache which may not be required.

Best practice is to configure Apache with only the modules required by your web applications. The following modules have security concerns, and you might be interested in disabling them in httpd.conf of the Apache Web Server.

WebDAV (Web-based Distributed Authoring and Versioning): This module allows remote clients to manipulate files on the server and is subject to various denial-of-service attacks. To disable it, comment out the following in httpd.conf

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#Include conf/extra/httpd-dav.conf

Info Module: The mod_info module can leak sensitive information using .htaccess once this module is loaded. To disable it, comment out the following in httpd.conf

#LoadModule info_module modules/mod_info.so

Reference: This wouldn't have been possible without guidance from the following links:

  • http://httpd.apache.org/docs/2.4/
  • http://www.modsecurity.org/documentation/
  • https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

So those were some of the best practices you can use to secure your Apache web server.

Check this link if you want to implement a custom error page in Apache.

If you are new to Apache HTTP, then I would recommend taking the Apache HTTP administration course.
