A few months ago I decided to go on a book binge and acquired a stack of books about two feet tall. It includes classics such as The Pragmatic Programmer and Practices of an Agile Developer, as well as some on Java, Asterisk, Extreme Programming, Linux Firewalls, and a NASCAR book thrown in for good measure.

I’ve gotten through a couple, and will be posting reviews of a few of them. This week I finished Apache Security, from O’Reilly. I found this book while browsing the programming section of Borders (the programming section of my local Borders is amazing!), and I’ve found it to be a real gem.

The book covers so much more than just Apache security. It covers installation and configuration, and explains a little of how Apache works along the way. There are also chapters or sections on:

– Understanding and securing PHP
– An explanation of SSL
– DoS attacks
– Traffic shaping in Apache
– Extensive coverage of logging
– Web security in general, with all the common attacks explained
– Using Apache as a proxy or a reverse proxy

I especially enjoyed the Web Security Assessment chapter where the author explained how to systematically analyze and probe web applications/servers, with many real world examples.

There is a large section discussing mod_security, which is an amazing Apache module. mod_security is an intrusion detection and prevention engine for web applications (a web application firewall). The book is written by the author of mod_security (Ivan Ristic), so he really knows what he’s talking about in this area. Also covered is mod_dosevasive, which helps defend against denial of service attacks.

I would not hesitate to recommend this book to any Apache administrator, user, or web programmer.
