I noticed that a few Apache configuration files had been changed. So, I compared the changed files with backup files, replaced the changes with the backup content, and uninstalled Virtualmin.
These are the files and some of the content.
vi /etc/httpd/conf.d/php.conf
Remove comment from “SetHandler application/x-httpd-php”
Lines 4 - 6 look like:
<FilesMatch \.php$>
    SetHandler application/x-httpd-php
</FilesMatch>
vi /etc/httpd/conf.d/conf.d/userdir.conf
Add “UserDir disabled”
Should look like:
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
#UserDir public_html
vi /etc/httpd/conf.d/welcome.conf
# This configuration file enables the default "Welcome" page if there
# is no default index page present for the root URL. To disable the
# Welcome page, comment out all the lines below.
# NOTE: if this file is removed, it will be restored on upgrades.
<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>
<Directory /usr/share/httpd/noindex>
    AllowOverride None
    Require all granted
</Directory>
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
NOTE: The websites did not work until I changed this file
mv /etc/httpd/conf.d/awstats.conf.rpmsave /etc/httpd/conf.d/awstats.conf
vi /etc/httpd/conf.d/awstats.conf
# Content of this file, with correct values, can be automatically added to
# your Apache server by using the AWStats configure.pl tool.
# If using Windows and Perl ActiveStat, this is to enable Perl script as CGI.
#ScriptInterpreterSource registry
# Directives to add to your Apache conf file to allow use of AWStats as a CGI.
# Note that path "/usr/share/awstats/" must reflect your AWStats install path.
Alias /awstatsclasses "/usr/share/awstats/wwwroot/classes/"
Alias /awstatscss "/usr/share/awstats/wwwroot/css/"
Alias /awstatsicons "/usr/share/awstats/wwwroot/icon/"
ScriptAlias /awstats/ "/usr/share/awstats/wwwroot/cgi-bin/"
# This is to permit URL access to scripts/files in AWStats directory.
<Directory "/usr/share/awstats/wwwroot">
    Options None
    AllowOverride None
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>
# Additional Perl modules
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
vi /etc/httpd/conf/httpd.conf
I removed these lines that are located at the bottom of /etc/httpd/conf/httpd.conf.
I have “IncludeOptional conf.d/*.conf” without the quotes in the file and use other configuration files for SSLProtocol and SSLCipherSuite.
SSLProtocol ALL -SSLv2
SSLCipherSuite HIGH:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
ServerTokens Minimal
ServerSignature Off
TraceEnable Off
Comments:
SSLProtocol and SSLCipherSuite. I use different configurations in other files.
ServerTokens - Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of “security through obscurity” is a myth and leads to a false sense of safety. https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
ServerSignature - Default is Off. So I removed it. https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
TraceEnable - Default is on. Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it. https://httpd.apache.org/docs/2.4/mod/core.html#traceenable
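
Added example, not part of the original post: a shell sketch that lists where the five directives removed from the bottom of httpd.conf are set at server scope across a set of config files, and names any that are set with more than one value (for instance once in httpd.conf and again in a separate SSL file). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Directives the post removed from the bottom of httpd.conf.
WATCH='SSLProtocol SSLCipherSuite ServerTokens ServerSignature TraceEnable'

# list_directives FILE...: print "Directive<TAB>file:line<TAB>value" for every
# watched directive found outside <VirtualHost>, <Directory> and similar
# containers. <If...> wrappers such as <IfModule> do not change scope.
list_directives() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " ")
                for (i = 1; i <= n; i++) want[tolower(w[i])] = w[i] }
        FNR == 1                { depth = 0 }
        NF == 0                 { next }
        /^[ \t]*#/              { next }
        tolower($1) ~ /^<\/?if/ { next }
        $1 ~ /^<\//             { if (depth > 0) depth--; next }
        $1 ~ /^</               { depth++; next }
        depth == 0 && (tolower($1) in want) {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)
            printf "%s\t%s:%d\t%s\n", want[tolower($1)], FILENAME, FNR, val
        }' "$@"
}

# conflicting_directives FILE...: names of watched directives that are set at
# server scope with more than one distinct value across the given files.
conflicting_directives() {
    list_directives "$@" | cut -f1,3 | LC_ALL=C sort -u | cut -f1 | uniq -d
}

# Constructed sample files (not the poster's real configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1' \
        '<VirtualHost *:443>' '  SSLProtocol all' '</VirtualHost>' > "$d/ssl.conf"
    printf '%s\n' 'IncludeOptional conf.d/*.conf' 'SSLProtocol ALL -SSLv2' \
        'ServerTokens Minimal' 'TraceEnable Off' > "$d/httpd.conf"
    list_directives "$d/ssl.conf" "$d/httpd.conf"
    echo "Conflicting: $(conflicting_directives "$d/ssl.conf" "$d/httpd.conf")"
    rm -rf "$d"
}
demo
```

On a real server, pass /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf as the file arguments.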