Differences

This shows you the differences between two versions of the page.

--- linux_wiki:apache_http_server [2016/01/30 23:57]
billdozor [Compile and Install]
+++ linux_wiki:apache_http_server [2018/03/23 16:10]
billdozor [SSL Verification]
@@ Line 6: / Line 6: @@
 **Checklist**
-  * Distro: Enterprise Linux 6 or 7
+  * Distro(s): Enterprise Linux 6/7
 ----
@@ Line 16: / Line 16: @@
 ----
-===== Repo Install =====
+===== Repo: EPEL =====
   * CentOS 6.7: Apache 2.2
@@ Line 42: / Line 42: @@
 yum -y install mod_ssl
 </code>
+----
+===== Repo: Software Collections =====
+Versions as of 04/13/2016:
+  * httpd 2.4
+  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
+  - Install<code bash>yum install httpd24</code>
+  - Enable the software collection<code bash>scl enable httpd24 bash</code>
+    - Control operation as below.
 ----
@@ Line 47: / Line 59: @@
 ===== Compile and Install =====
-Prerequisites
+If you need a newer feature than what is available in the repo installed versions, you may need to compile and install.
-  * Install gcc in order to compile packages<code bash>yum install gcc</code>
-Install Procedure
+**Prerequisites**
+  * Install gcc in order to compile packages<code bash>yum install gcc</code>
+  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code>
+    * apr = Apache Portable Runtime
+    * pcre = Perl-Compatible Regular Expressions Library
+    * If you really want to compile these as well for newer versions, see here: [[http://httpd.apache.org/docs/2.4/install.html#requirements]]
+\\
+**Install Procedure**
   * Download
     * Visit the download page: [[http://httpd.apache.org/download.cgi]]
     * Wget a link to the desired version(example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>
-  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz</code>
+  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz
-  * Download APR and APR-Util into the httpd-2.4.18/srclib dir
+cd httpd-2.4.18</code>
-    * Visit the download page: [[http://apr.apache.org/download.cgi]]
+  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
-    * Wget a link to apr and apr-util(examples)<code bash>cd httpd-2.4.18/srclib
-wget http://download.nextag.com/apache/apr/apr-1.5.2.tar.gz
-wget http://download.nextag.com/apache/apr/apr-util-1.5.4.tar.gz</code>
-  * Extract APR and APR-Util<code bash>tar -zxvf apr-1.5.2.tar.gz
-tar -zxvf apr-util-1.5.4.tar.gz</code>
-  * Rename APR and APR-Util dirs to loose the version number<code bash>mv apr-1.5.2 apr
-mv apr-util-1.5.4 apr-util</code>
-  * Configure Apache from httpd-2.4.18/<code bash>cd ..
-./configure --prefix=PREFIX</code>
     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
   * Compile<code bash>make</code>
@@ Line 103: / Line 112: @@
   * Default: NameVirtualHost *:80 (and commented out)
-Disable Trace/Track (a XSS Vulnerability)
+Security Configs
 <code bash>
+##-- Security --##
+#- Information Disclosure -#
+ServerTokens Prod
+ServerSignature Off
+# FileETag: File attributes used to create the ETag HTTP response header for static files
+FileETag -INode +MTime +Size
+#- Web Application Security -#
+# Trace/Track - disabled for security purposes
 TraceEnable Off
+# Cross-Frame Scripting prevention (click jacking)
+# DENY = Deny all attempts to frame the page
+Header always append X-Frame-Options DENY
+# Cross Site Scripting protection
+Header set X-XSS-Protection "1; mode=block"
+Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+##-- End of Security Settings --##
 </code>
@@ Line 124: / Line 152: @@
 Protocol and Ciphers
 <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1
+SSLProtocol TLSv1.2
-SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM
+SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
 </code>
   * Default SSLProtocol: all -SSLv2
@@ Line 135: / Line 163: @@
 </code>
-==== SSL Verification ====
-Check what ciphers will be used given an Apache config
+----
-<code bash>
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM'
-</code>
-Verify server offered ciphers
+===== Other Security Settings =====
-<code bash>
-sslscan --no-failed 10.1.2.3:443
+Other important security settings.
-</code>
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"
+==== Redirect HTTP to HTTPS ====
+Redirect all HTTP to HTTPS<code bash><VirtualHost *:80>
+  ServerName example.com
+  <IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
+  </IfModule>
+</VirtualHost></code>
+----
+==== HSTS ====
+Enabling HTTPS Strict Transport Security (HSTS).
+Add the strict transport security header to the listening HTTPS host section
+<code bash># Optionally load the headers module:
+LoadModule headers_module modules/mod_headers.so
+<VirtualHost *:443>
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
+</VirtualHost></code>
+  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
 ----
@@ Line 252: / Line 300: @@
 .168.1.150 server1 mysite.example.com</code>
   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}
+----
+====== Operation ======
+Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
+  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
+----
+==== Start ====
+  * Check syntax, if errors are found, refuse to start.
+  * Start the httpd process and start the number of workers specified on the config files via the "StartServers <number>" directive.
+<code bash>
+apachectl -k start
+</code>
+----
+==== Stop ====
+  * Immediately stop the httpd process and kill workers.
+  * User connections in progress are terminated.
+<code bash>
+apachectl -k stop
+</code>
+----
+==== Graceful Restart ====
+  * Check syntax, if errors are found, refuse to restart.
+  * Parent process advises that workers shutdown after their current requests.
+  * Once all workers have finished and exited, start up.
+  * This does **not** interrupt user connections.
+<code bash>
+apachectl -k graceful
+</code>
+----
+==== Restart ====
+  * Check syntax, if errors are found, refuse to restart.
+  * Parent process kills workers, then starts up.
+  * This interrupts user connections.
+<code bash>
+apachectl -k restart
+</code>
+----
+==== Graceful Stop ====
+  * Parent process advises that workers shutdown after their current requests.
+  * New requests are not accepted.
+  * This does **not** interrupt user connections.
+<code bash>
+apachectl -k graceful-stop
+</code>
 ----