

linux_wiki:apache_http_server [2016/01/30 23:58]
billdozor [Compile and Install]
linux_wiki:apache_http_server [2018/03/23 16:10]
Line 6: Line 6:
 **Checklist** **Checklist**
-  * Distro: Enterprise Linux 6 or 7+  * Distro(s): Enterprise Linux 6/7
 ---- ----
Line 16: Line 16:
 ---- ----
-===== Repo Install =====+===== Repo: EPEL =====
   * CentOS 6.7: Apache 2.2   * CentOS 6.7: Apache 2.2
Line 42: Line 42:
 yum -y install mod_ssl yum -y install mod_ssl
 </code> </code>
 +===== Repo: Software Collections =====
 +Versions as of 04/13/2016:
 +  * httpd 2.4
 +  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
 +  - Install<code bash>yum install httpd24</code>
 +  - Enable the software collection<code bash>scl enable httpd24 bash</code>
 +    - Control operation as below.
 ---- ----
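Review bot: the final step of the Software Collections list, "Control operation as below", hides the fact that `scl enable httpd24 bash` only opens a subshell with the collection's PATH; the Operation section's `apachectl -k ...` commands will resolve to the base system's apachectl (or to nothing) from any other shell. Either say that those commands must be run inside that subshell, or give the one-shot form `scl enable httpd24 'apachectl -k start'` so the reader does not end up controlling the wrong httpd.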
Line 51: Line 63:
 **Prerequisites** **Prerequisites**
   * Install gcc in order to compile packages<code bash>yum install gcc</code>   * Install gcc in order to compile packages<code bash>yum install gcc</code>
 +  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code>
 +    * apr = Apache Portable Runtime
 +    * pcre = Perl-Compatible Regular Expressions Library
 +    * If you really want to compile these as well for newer versions, see here: [[]]
 \\ \\
 **Install Procedure** **Install Procedure**
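Review bot: the new prerequisite bullet "If you really want to compile these as well for newer versions, see here: [[]]" links to nothing, so the sentence is a dead end; either fill in the target or drop the sentence and keep only the `yum install apr-devel apr-util-devel pcre-devel` step. It is also worth one line saying why the distro packages are preferred here: with apr/apr-util/pcre coming from yum they receive security updates with the rest of the system, whereas the bundled copies this revision removes from `srclib/` would have to be rebuilt by hand.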
Line 56: Line 72:
     * Visit the download page: [[]]     * Visit the download page: [[]]
     * Wget a link to the desired version(example with a mirror)<code bash>wget</code>     * Wget a link to the desired version(example with a mirror)<code bash>wget</code>
-  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz</code> +  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz 
-  * Download APR and APR-Util into the httpd-2.4.18/srclib dir +cd httpd-2.4.18</code> 
-    * Visit the download page: [[]] +  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
-    * Wget a link to apr and apr-util(examples)<code bash>cd httpd-2.4.18/srclib +
-wget +
-wget</code> +
-  * Extract APR and APR-Util<code bash>tar -zxvf apr-1.5.2.tar.gz +
-tar -zxvf apr-util-1.5.4.tar.gz</code> +
-  * Rename APR and APR-Util dirs to loose the version number<code bash>mv apr-1.5.2 apr +
-mv apr-util-1.5.4 apr-util</code> +
-  * Configure Apache from httpd-2.4.18/<code bash>cd .. +
-./configure --prefix=PREFIX</code>+
     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
   * Compile<code bash>make</code>   * Compile<code bash>make</code>
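Review bot: the download step still has no integrity check between `wget` and `tar -zxvf httpd-2.4.18.tar.gz`, and the `wget` lines carry no URL at all, so a reader following the page fetches and builds an unverified tarball from an unnamed mirror. Add a verification step before extraction, e.g. fetch the `.asc` signature from the main Apache site rather than the mirror, import the project KEYS file, and run `gpg --verify httpd-2.4.18.tar.gz.asc httpd-2.4.18.tar.gz` (or check the published SHA checksum), and refuse to continue on failure. Dropping the bundled APR/APR-Util steps is fine given the new `apr-devel`/`apr-util-devel` prerequisite, but the `./configure --prefix=PREFIX` bullet should mention that configure now expects the system APR headers.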
Line 105: Line 112:
   * Default: NameVirtualHost *:80 (and commented out)   * Default: NameVirtualHost *:80 (and commented out)
-Disable Trace/Track (a XSS Vulnerability)+Security Configs
 <code bash> <code bash>
 +##-- Security --##
 +#- Information Disclosure -#
 +ServerTokens Prod
 +ServerSignature Off
 +# FileETag: File attributes used to create the ETag HTTP response header for static files
 +FileETag -INode +MTime +Size
 +#- Web Application Security -#
 +# Trace/Track - disabled for security purposes
 TraceEnable Off TraceEnable Off
 +# Cross-Frame Scripting prevention (click jacking)
 +# DENY = Deny all attempts to frame the page
 +Header always append X-Frame-Options DENY
 +# Cross Site Scripting protection
 +Header set X-XSS-Protection "1; mode=block"
 +Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 +##-- End of Security Settings --##
 </code> </code>
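Review bot: `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rewrites every cookie unconditionally, so a cookie the application already marks `HttpOnly` or `Secure` ends up with the attribute twice, and because `Header` without `always` only applies to 2xx responses, cookies set on redirects or error pages are left untouched; use `Header always edit` and a pattern with a negative lookahead so the attribute is added only when absent. The same `always` point applies to `Header set X-XSS-Protection`. Separately, `Header always append X-Frame-Options DENY` should be `set`: if a backend already emits `X-Frame-Options`, `append` produces `SAMEORIGIN, DENY`, which browsers treat as an invalid header and ignore, silently losing the clickjacking protection. Finally, all of these directives need mod_headers loaded; the HSTS section below mentions `LoadModule headers_module`, this block does not.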
Line 126: Line 152:
 Protocol and Ciphers Protocol and Ciphers
 <code bash> <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1 +SSLProtocol TLSv1.2 
 </code> </code>
   * Default SSLProtocol: all -SSLv2   * Default SSLProtocol: all -SSLv2
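Review bot: the removed line `SSLProtocol TLS1.2 +TLSv1.1 +TLSv1` was not a valid directive (`TLS1.2` is not one of mod_ssl's protocol keywords; the keyword is `TLSv1.2`), so the replacement `SSLProtocol TLSv1.2` fixes a configuration that would have failed a syntax check, not merely a weak one. The bullet "Default SSLProtocol: all -SSLv2" should be extended to say that the new line also excludes SSLv3, TLSv1 and TLSv1.1, which is the intent, and that clients without TLS 1.2 support will be refused.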
Line 137: Line 163:
 </code> </code>
-==== SSL Verification ====+----
-Check what ciphers will be used given an Apache config +===== Other Security Settings =====
-<code bash> +
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM' +
-Verify server offered ciphers +Other important security settings. 
-<code bash> + 
-sslscan --no-failed +==== Redirect HTTP to HTTPS ==== 
-</code> + 
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"+Redirect all HTTP to HTTPS<code bash><VirtualHost *:80> 
 +  ServerName 
 +  <IfModule mod_rewrite.c> 
 +    RewriteEngine On 
 +    RewriteCond %{HTTPS} off 
 +    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
 +  </IfModule> 
 +==== HSTS ==== 
 +Enabling HTTPS Strict Transport Security (HSTS). 
 +Add the strict transport security header to the listening HTTPS host section 
 +<code bash># Optionally load the headers module: 
 +LoadModule headers_module modules/ 
 +<VirtualHost *:443
 +    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" 
 +  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
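Review bot: the HTTP-to-HTTPS rule `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` has no flags, so the resulting redirect is a 302; add `[R=301,L]` so clients and caches learn that the HTTP location is permanently gone, and give `ServerName` a value. Both new snippets are also syntactically incomplete as pasted: `<VirtualHost *:443` lacks its closing `>`, neither `<VirtualHost>` block is closed, neither `<code bash>` fence is closed, and `LoadModule headers_module modules/` is truncated before the module filename. This hunk also deletes the whole "SSL Verification" section (`openssl ciphers -v ...` and `sslscan --no-failed`), which was the only check on the page that the protocol and cipher settings actually took effect on the running server; keep it, or replace it with an equivalent `openssl s_client`/`sslscan` check placed after the HSTS section.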
 ---- ----
Line 254: Line 299: server1</code> server1</code>
   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}
 +====== Operation ======
 +Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
 +  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
 +==== Start ====
 +  * Check syntax, if errors are found, refuse to start.
 +  * Start the httpd process and start the number of workers specified on the config files via the "StartServers <number>" directive.
 +<code bash>
 +apachectl -k start
 +==== Stop ====
 +  * Immediately stop the httpd process and kill workers.
 +  * User connections in progress are terminated.
 +<code bash>
 +apachectl -k stop
 +==== Graceful Restart ====
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process advises that workers shutdown after their current requests.
 +  * Once all workers have finished and exited, start up.
 +  * This does **not** interrupt user connections.
 +<code bash>
 +apachectl -k graceful
 +==== Restart ====
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process kills workers, then starts up.
 +  * This interrupts user connections.
 +<code bash>
 +apachectl -k restart
 +==== Graceful Stop ====
 +  * Parent process advises that workers shutdown after their current requests.
 +  * New requests are not accepted.
 +  * This does **not** interrupt user connections.
 +<code bash>
 +apachectl -k graceful-stop
 ---- ----
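Review bot: the lead sentence "Apache recommends using the apachectl signals instead of the OS service control interface (service/systemctl)" is wrong for two of the three installs this page describes: the EPEL and Software Collections packages are managed by the distribution's service unit, and driving them with `apachectl -k stop`/`restart` leaves systemd's view of the unit out of sync with the running processes. Reserve the `apachectl -k` commands for the compiled-from-source install under `PREFIX/bin/apachectl` and say so; for the packaged installs point at `systemctl`/`service` (for the SCL package the command must additionally run inside `scl enable httpd24`). Also, every `<code bash>` block in this section is missing its closing `</code>`, so the wiki will render the rest of the page as one code block.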
  • linux_wiki/apache_http_server.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)