Securing Apache guides and mod_chroot

Blogged by webmilhouse as Security — webmilhouse Thu 26 Jan 2006 12:37 pm

When I deploy web applications, I like to secure the environment that they run in as much as possible. Not only should you lock down the Operating System and network where the applications will reside, but Apache should be locked down as well. There are already good guides and checklists for doing that here, here, and here.
However, one of the most difficult items, and probably one of the most important, is getting Apache to run in a chroot jail. mod_chroot is the “easy” way to chroot your Apache installation: http://core.segfault.pl/~hobbit/mod_chroot/

mod_chroot makes running Apache in a secure chroot environment easy. You don’t need to create a special directory hierarchy containing /dev, /lib, /etc… mod_chroot allows you to run Apache in a chroot jail with no additional files. The chroot() system call is performed at the end of the startup procedure, when all libraries are loaded and log files are open.

  • Install the Apache2 chroot module from the Debian Linux repository, or compile and install it using apxs:
    apt-get install libapache2-mod-chroot
  • Depending on how the system is set up, you may not be able to create a new partition for the chroot. The jail will be set up in the /chroot directory, which should be created if it does not exist. Optionally, you may want to dedicate an entire partition to the chroot jail; use cfdisk or a similar tool to create the partition, then mount it.
  • Enable the mod_chroot module for apache2:
    ln -s /etc/apache2/mods-available/mod_chroot.load /etc/apache2/mods-enabled/
  • Edit the apache2.conf file to add the directives for invoking the mod_chroot module:
    LoadFile /lib/libgcc_s.so.1
    PidFile /var/run/apache2.pid
    ChrootDir /chroot/apache2
    DocumentRoot /
  • Link /var/run/apache2.pid to /chroot/apache2/var/run/apache2.pid to keep apachectl happy:
    ln -s /chroot/apache2/var/run/apache2.pid /var/run/apache2.pid
  • The following is a list of libraries needed for different applications when chrooting Apache: /usr/X11R6/lib/libXpm.so.4 (used for stats graphing)
    cp /usr/X11R6/lib/libXpm.so.4 /chroot/apache2/usr/X11R6/lib/

ColdFusion, Tomcat, and other application servers can also live in a chroot jail and interact with Apache using this module.
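
To confirm that the ChrootDir setting above actually took effect, the following added example (not part of the original post or of mod_chroot) compares the root directory of each running Apache process with the jail path. The function name check_jail is hypothetical, and the script assumes a Linux /proc that exposes comm and root entries and a process name of apache2.

```shell
#!/bin/sh
# Added example: verify that Apache processes run inside the chroot jail.
# Usage (as root, since /proc/PID/root of other users' processes is protected):
#   check_jail /chroot/apache2 apache2
# JAIL must be the canonical path (no trailing slash, no symlinks), because
# the kernel reports the resolved root directory.
check_jail() {
    jail=${1:-/chroot/apache2}   # ChrootDir value from apache2.conf
    name=${2:-apache2}           # assumed process name
    proc=${3:-/proc}             # overridable so the check can be tested offline
    seen=0
    bad=0
    for dir in "$proc"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        [ "$(cat "$dir/comm" 2>/dev/null)" = "$name" ] || continue
        seen=$((seen + 1))
        pid=${dir##*/}
        # /proc/PID/root is a symlink to the root directory the process sees
        root=$(readlink "$dir/root" 2>/dev/null) || root="unreadable"
        if [ "$root" = "$jail" ]; then
            echo "OK    pid $pid root=$root"
        else
            echo "FAIL  pid $pid root=$root (expected $jail)"
            bad=$((bad + 1))
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "FAIL  no process named $name found"
        return 2
    fi
    # Succeed only when every matching process is inside the jail
    [ "$bad" -eq 0 ]
}
```

A process reported with root=/ is not jailed, which usually means the module was not loaded or the ChrootDir directive was not read.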

Blog back

Blogged by webmilhouse as General — webmilhouse Wed 25 Jan 2006 10:54 am

After a long hiatus, I am going to try to keep this blog up to date. I expect to write about security issues that are current, and a lot of implementation issues. Let me know if you would like to see anything in particular covered here.
