linux_wiki:apache_http_server

Differences

This shows you the differences between two versions of the page.

linux_wiki:apache_http_server [2016/01/30 23:57]
billdozor [Compile and Install]
linux_wiki:apache_http_server [2018/03/23 16:10]
billdozor [SSL Verification]
Line 6: Line 6:
  
 **Checklist** **Checklist**
-  * Distro: Enterprise Linux 6 or 7+  * Distro(s): Enterprise Linux 6/7
  
 ---- ----
Line 16: Line 16:
 ---- ----
  
-===== Repo Install =====+===== Repo: EPEL =====
  
   * CentOS 6.7: Apache 2.2   * CentOS 6.7: Apache 2.2
Line 42: Line 42:
 yum -y install mod_ssl yum -y install mod_ssl
 </code> </code>
 +
 +----
 +
 +===== Repo: Software Collections =====
 +
 +Versions as of 04/13/2016:
 +  * httpd 2.4
 +
 +  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
 +  - Install<code bash>yum install httpd24</code>
 +  - Enable the software collection<code bash>scl enable httpd24 bash</code>
 +    - Control operation as below.
  
 ---- ----
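Review bot: the sub-step "Control operation as below" under "Enable the software collection" does not say which section "below" refers to; name it explicitly (the Operation section with the apachectl start/stop/graceful commands). Also, `scl enable httpd24 bash` opens a new shell with the collection's binaries and paths in front, so the wording should state that the control commands have to be run inside that shell, not in the original one.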
Line 47: Line 59:
 ===== Compile and Install ===== ===== Compile and Install =====
  
-Prerequisites +If you need a newer feature than what is available in the repo installed versions, you may need to compile and install.
-  * Install gcc in order to compile packages<code bash>yum install gcc</code>+
  
-Install Procedure+**Prerequisites** 
 +  * Install gcc in order to compile packages<code bash>yum install gcc</code> 
 +  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code> 
 +    * apr = Apache Portable Runtime 
 +    * pcre = Perl-Compatible Regular Expressions Library 
 +    * If you really want to compile these as well for newer versions, see here: [[http://httpd.apache.org/docs/2.4/install.html#requirements]] 
 +\\ 
 +**Install Procedure**
   * Download   * Download
     * Visit the download page: [[http://httpd.apache.org/download.cgi]]     * Visit the download page: [[http://httpd.apache.org/download.cgi]]
     * Wget a link to the desired version(example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>     * Wget a link to the desired version(example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>
-  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz</code> +  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz 
-  * Download APR and APR-Util into the httpd-2.4.18/srclib dir +cd httpd-2.4.18</code> 
-    * Visit the download page: [[http://apr.apache.org/download.cgi]] +  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
-    * Wget a link to apr and apr-util(examples)<code bash>cd httpd-2.4.18/srclib +
-wget http://download.nextag.com/apache/apr/apr-1.5.2.tar.gz +
-wget http://download.nextag.com/apache/apr/apr-util-1.5.4.tar.gz</code> +
-  * Extract APR and APR-Util<code bash>tar -zxvf apr-1.5.2.tar.gz +
-tar -zxvf apr-util-1.5.4.tar.gz</code> +
-  * Rename APR and APR-Util dirs to loose the version number<code bash>mv apr-1.5.2 apr +
-mv apr-util-1.5.4 apr-util</code> +
-  * Configure Apache from httpd-2.4.18/<code bash>cd .. +
-./configure --prefix=PREFIX</code>+
     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
   * Compile<code bash>make</code>   * Compile<code bash>make</code>
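Review bot: the Download step fetches the tarball over plain http from a third-party mirror and goes straight to Extract with no integrity check. Add a step between Download and Extract that verifies the downloaded httpd-2.4.18.tar.gz against the signature or checksum published on the httpd download page already linked in the Visit step, before anything from it is compiled or installed. The rest of the hunk is consistent: dropping the bundled APR/APR-Util in srclib is matched by the new apr-devel/apr-util-devel prerequisite, and the `cd httpd-2.4.18` folded into the Extract step replaces the old `cd ..`.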
Line 103: Line 112:
   * Default: NameVirtualHost *:80 (and commented out)   * Default: NameVirtualHost *:80 (and commented out)
  
-Disable Trace/Track (a XSS Vulnerability)+Security Configs
 <code bash> <code bash>
 +##-- Security --##
 +#- Information Disclosure -#
 +ServerTokens Prod
 +ServerSignature Off
 +
 +# FileETag: File attributes used to create the ETag HTTP response header for static files
 +FileETag -INode +MTime +Size
 +
 +#- Web Application Security -#
 +# Trace/Track - disabled for security purposes
 TraceEnable Off TraceEnable Off
 +
 +# Cross-Frame Scripting prevention (click jacking)
 +# DENY = Deny all attempts to frame the page
 +Header always append X-Frame-Options DENY
 +
 +# Cross Site Scripting protection
 +Header set X-XSS-Protection "1; mode=block"
 +Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 +##-- End of Security Settings --##
 </code> </code>
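Review bot: `Header always append X-Frame-Options DENY` should be `Header always set X-Frame-Options DENY`: `append` merges the value into any X-Frame-Options header that is already present as a comma-separated list, and a combined value such as "DENY, SAMEORIGIN" is not a valid directive value, whereas `set` replaces it. The `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line appends both flags to every Set-Cookie unconditionally, so a cookie that already carries them gets them twice, and if this block is applied to a plain HTTP (port 80) host the browser will not return the now-Secure cookie over HTTP; scope the rule to the HTTPS host. Finally, all of the Header directives require mod_headers to be loaded (the HSTS section in a later hunk shows the `LoadModule headers_module` line); without it httpd refuses to start on an unknown directive, so that module note belongs here as well.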
  
Line 124: Line 152:
 Protocol and Ciphers Protocol and Ciphers
 <code bash> <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1 +SSLProtocol TLSv1.2 
-SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM+SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
 </code> </code>
   * Default SSLProtocol: all -SSLv2   * Default SSLProtocol: all -SSLv2
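Review bot: the removed line used the token "TLS1.2", which is not a valid SSLProtocol keyword (the form is TLSv1.2, and when mixing protocols each one carries a + or - prefix), so the new `SSLProtocol TLSv1.2` is both a syntax fix and a tightening to TLS 1.2 only; the bullet "Default SSLProtocol: all -SSLv2" below it still describes the default correctly. For the new cipher string, note that `!DHE:!EDH` removes the finite-field ephemeral Diffie-Hellman suites while the ECDHE suites within HIGH remain, so forward secrecy now depends on clients supporting ECDHE; pair the line with `SSLHonorCipherOrder on` so the server's preference rather than the client's decides. Since the SSL Verification section that listed `openssl ciphers -v` is removed in the next hunk, the new string should be re-checked with `openssl ciphers -v 'HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4'` and the result recorded.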
Line 135: Line 163:
 </code> </code>
  
-==== SSL Verification ==== 
  
-Check what ciphers will be used given an Apache config +----
-<code bash> +
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM' +
-</code>+
  
-Verify server offered ciphers +===== Other Security Settings ===== 
-<code bash> + 
-sslscan --no-failed 10.1.2.3:443 +Other important security settings. 
-</code> + 
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"+==== Redirect HTTP to HTTPS ==== 
 + 
 +Redirect all HTTP to HTTPS<code bash><VirtualHost *:80> 
 +  ServerName example.com 
 +  <IfModule mod_rewrite.c> 
 +    RewriteEngine On 
 +    RewriteCond %{HTTPS} off 
 +    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
 +  </IfModule> 
 +</VirtualHost></code> 
 + 
 +---
 + 
 +==== HSTS ==== 
 + 
 +Enabling HTTPS Strict Transport Security (HSTS). 
 + 
 +Add the strict transport security header to the listening HTTPS host section 
 +<code bash># Optionally load the headers module: 
 +LoadModule headers_module modules/mod_headers.so 
 + 
 +<VirtualHost *:443
 +    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" 
 +</VirtualHost></code> 
 +  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
  
 ---- ----
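Review bot: in the HSTS block `<VirtualHost *:443` is missing its closing `>`, so httpd will reject the configuration at parse time; it must read `<VirtualHost *:443>`. Three smaller points in the same hunk: the lone `---` between the redirect and HSTS sections is not a DokuWiki horizontal rule (the page uses `----` everywhere else); the heading text should be "HTTP Strict Transport Security", not "HTTPS"; and the RewriteRule in the redirect carries no flags, so an absolute https:// target is sent as an external redirect with the default 302 status. Append `[R=301,L]` to make the redirect permanent and stop further rule processing. Removing the SSL Verification section also drops the only step that checked which ciphers the configured SSLCipherSuite string actually offers (`openssl ciphers -v` and `sslscan`); consider keeping that section with the updated cipher string rather than deleting it.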
Line 252: Line 300:
 192.168.1.150 server1 mysite.example.com</code> 192.168.1.150 server1 mysite.example.com</code>
   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}
 +
 +----
 +
 +====== Operation ======
 +
 +Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
 +
 +  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
 +
 +----
 +
 +==== Start ====
 +
 +  * Check syntax, if errors are found, refuse to start.
 +  * Start the httpd process and start the number of workers specified on the config files via the "StartServers <number>" directive.
 +
 +<code bash>
 +apachectl -k start
 +</code>
 +
 +----
 +
 +==== Stop ====
 +
 +  * Immediately stop the httpd process and kill workers.
 +  * User connections in progress are terminated.
 +
 +<code bash>
 +apachectl -k stop
 +</code>
 +
 +----
 +
 +==== Graceful Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process advises that workers shutdown after their current requests.
 +  * Once all workers have finished and exited, start up.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful
 +</code>
 +
 +----
 +
 +==== Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process kills workers, then starts up.
 +  * This interrupts user connections.
 +
 +<code bash>
 +apachectl -k restart
 +</code>
 +
 +----
 +
 +==== Graceful Stop ====
 +
 +  * Parent process advises that workers shutdown after their current requests.
 +  * New requests are not accepted.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful-stop
 +</code>
  
 ---- ----
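Review bot: the earlier Software Collections hunk ends with "Control operation as below", so this section should say that for that install the apachectl commands only work inside the shell opened by `scl enable httpd24 bash`, where the collection's apachectl is on the PATH; outside it the commands address whatever httpd the base system has, or nothing. The "Check syntax, if errors are found, refuse to ..." bullets under Start, Graceful Restart and Restart can also be made actionable by naming the standalone check, `apachectl -t` (equivalently `apachectl configtest`), which validates the configuration without signalling the running server and is the step to run before `graceful` or `restart` on a live host.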
  
  • linux_wiki/apache_http_server.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)