I noticed that a few apache configuration files had been changed. So, I compared the changed files with backup files, replaced the changes with the backup content, and uninstalled Virtualmin.
These are the files and some of the content.
Remove comment from “SetHandler application/x-httpd-php”
Lines 4 - 6 look like:
Add “UserDir disabled”
Should look like:
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
This configuration file enables the default “Welcome” page if there
is no default index page present for the root URL. To disable the
Welcome page, comment out all the lines below.
NOTE: if this file is removed, it will be restored on upgrades.
ErrorDocument 403 /.noindex.html
Require all granted
Alias /.noindex.html /usr/share/httpd/noindex/index.html
Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
NOTE: The websites did not work until I changed this file
mv /etc/httpd/conf.d/awstats.conf.rpmsave /etc/httpd/conf.d/awstats.conf
Content of this file, with correct values, can be automatically added to
your Apache server by using the AWStats configure.pl tool.
If using Windows and Perl ActiveStat, this is to enable Perl script as CGI.
Directives to add to your Apache conf file to allow use of AWStats as a CGI.
Note that path “/usr/share/awstats/” must reflect your AWStats install path.
Alias /awstatsclasses “/usr/share/awstats/wwwroot/classes/”
Alias /awstatscss “/usr/share/awstats/wwwroot/css/”
Alias /awstatsicons “/usr/share/awstats/wwwroot/icon/”
ScriptAlias /awstats/ “/usr/share/awstats/wwwroot/cgi-bin/”
This is to permit URL access to scripts/files in AWStats directory.
<I # Apache 2.4
# Apache 2.2
Allow from 127.0.0.1
Allow from ::1
Additional Perl modules
SetEnv PERL5LIB /usr/share/awstats/lib:/usr/share/awstats/plugins
I removed these lines that are located at the bottom of /etc/httpd/conf/httpd.conf.
I have “IncludeOptional conf.d/*.conf” without the quotes in the file and use other configuration files for SSLProtocol and SSLCipherSuite.
SSLProtocol ALL -SSLv2
SSLProtocol and SSLCipherSuite. I use different configurations in other files.
ServerTokens - Setting ServerTokens to less than minimal is not recommended because it makes it more difficult to debug interoperational problems. Also note that disabling the Server: header does nothing at all to make your server more secure. The idea of “security through obscurity” is a myth and leads to a false sense of safety. https://httpd.apache.org/docs/2.4/mod/core.html#servertokens
ServerSignature - Default is Off. So I removed it. https://httpd.apache.org/docs/2.4/mod/core.html#serversignature
TraceEnable - Default is on. Despite claims to the contrary, enabling the TRACE method does not expose any security vulnerability in Apache httpd. The TRACE method is defined by the HTTP/1.1 specification and implementations are expected to support it. https://httpd.apache.org/docs/2.4/mod/core.html#traceenable