====== Apache HTTP Server ======

**General Information**

Installation and configuration of the Apache web server.

**Checklist**
  * Distro(s): Enterprise Linux 6/7

----

====== Installation ======

Installing the Apache web server is simple and can be done from the repositories or by compiling from source. The repositories are easier, while compiling usually provides newer versions.

----

===== Repo: EPEL =====

  * CentOS 6.7: Apache 2.2
  * CentOS 7.2: Apache 2.4

For an easy, standard Apache install, the repo install method is used. These packages are older, but stable.

Install the package
<code bash>
yum install httpd
</code>

Start the service and enable it on boot
  * EL 6<code bash>service httpd start
chkconfig httpd on</code>
  * EL 7<code bash>systemctl start httpd
systemctl enable httpd</code>

----

==== SSL ====

To add SSL support, install the "mod_ssl" package:
<code bash>
yum -y install mod_ssl
</code>

----

===== Repo: Software Collections =====

Versions as of 04/13/2016:
  * httpd 2.4

  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
  - Install<code bash>yum install httpd24</code>
  - Enable the software collection<code bash>scl enable httpd24 bash</code>
  - Control operation as described below.

----

===== Compile and Install =====

If you need a newer feature than what is available in the repo-installed versions, you may need to compile and install.
**Prerequisites**
  * Install gcc in order to compile packages<code bash>yum install gcc</code>
  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code>
    * apr = Apache Portable Runtime
    * pcre = Perl-Compatible Regular Expressions Library
  * If you really want to compile these as well for newer versions, see here: [[http://httpd.apache.org/docs/2.4/install.html#requirements]]
\\
**Install Procedure**
  * Download
    * Visit the download page: [[http://httpd.apache.org/download.cgi]]
    * Download the desired version with wget (example using a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>
  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz
cd httpd-2.4.18</code>
  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
    * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
  * Compile<code bash>make</code>
  * Install<code bash>make install</code>
  * Customize the web server<code bash>vim PREFIX/conf/httpd.conf</code>
  * Start the web server<code bash>PREFIX/bin/apachectl -k start</code>

----

====== Configuration ======

The default configuration:
  * Main Config: /etc/httpd/conf/httpd.conf
  * Additional Config: /etc/httpd/conf.d/
    * This is usually used for add-on module configs

===== httpd.conf - Global Configs =====

Some common defaults to change in /etc/httpd/conf/httpd.conf:

Listen on a specific IP instead of all
<code bash>
Listen 10.1.2.3:80
</code>
  * Default: Listen 80

Set ServerName
<code bash>
ServerName example.com:80
</code>
  * Default: Commented out; Apache attempts to auto-determine the name (not always accurate)

NameVirtualHost on a specific IP instead of all (if using virtual hosts)
<code bash>
NameVirtualHost 10.1.2.3:80
</code>
  * Default: NameVirtualHost *:80 (and commented out)

Security Configs
<code bash>
##-- Security --##

#- Information Disclosure -#
ServerTokens Prod
ServerSignature Off
# FileETag: File attributes used to create the ETag HTTP response header for static files
FileETag -INode +MTime +Size

#- Web Application Security -#
# Trace/Track - disabled for security purposes
TraceEnable Off
# The Header directives below require mod_headers (headers_module) to be loaded
# Cross-Frame Scripting prevention (click jacking)
# DENY = Deny all attempts to frame the page
Header always append X-Frame-Options DENY
# Cross Site Scripting protection
Header set X-XSS-Protection "1; mode=block"
# Mark every Set-Cookie as HttpOnly and Secure (Secure cookies are only sent back over HTTPS)
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

##-- End of Security Settings --##
</code>

----

===== ssl.conf =====

The SSL config file is located here: /etc/httpd/conf.d/ssl.conf

SSL Certificate and Certificate Authority
<code bash>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</code>
  * Above are the defaults; change them to the location of your cert, key and CA chain cert

Protocol and Ciphers
<code bash>
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
</code>
  * Default SSLProtocol: all -SSLv2
  * Default SSLCipherSuite: DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES

Enable SSL cipher order honoring (the server's cipher preference order wins over the client's, so the strongest compatible cipher is picked)
<code bash>
SSLHonorCipherOrder on
</code>

----

===== Other Security Settings =====

Other important security settings.

==== Redirect HTTP to HTTPS ====

Redirect all HTTP to HTTPS<code bash><VirtualHost *:80>
    ServerName example.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        # R=301: permanent external redirect; L: stop processing further rules
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </IfModule>
</VirtualHost></code>

----

==== HSTS ====

Enabling HTTP Strict Transport Security (HSTS).
Add the strict transport security header to the listening HTTPS host section
<code bash>
# Optionally load the headers module:
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>
</code>
  * max-age=63072000 -> Tells web browsers to connect to the site using HTTPS only for two years. The countdown is reset each time the site is visited.

----

===== Virtual Hosts: Multiple Domains =====

You can host multiple web sites, each with its own domain, from the same Apache instance by using virtual host directives.

Example sites
  * server1 => the server's normal DNS entry and "default" virtual host.
  * site1.example.com => virtual host
  * site2.example.com => virtual host

  * Create a new file: /etc/httpd/conf.d/virtual_hosts.conf<code bash># Directory for virtual host sites
<Directory "/www">
    # Indexes enables directory listings when no index file exists; drop it if that is unwanted
    Options Indexes FollowSymLinks
    AllowOverride None
    # Apache 2.4 syntax; Apache 2.2 (EL 6) uses "Order allow,deny" / "Allow from all" instead
    Require all granted
</Directory>

# Default catch all
<VirtualHost _default_:80>
    DocumentRoot /www/default
</VirtualHost>

# Site 1
<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /www/site1
    ServerAdmin webmaster@site1.example.com
    ErrorLog logs/site1.example.com-error_log
    CustomLog logs/site1.example.com-access_log common
</VirtualHost>

# Site 2
<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /www/site2
    ServerAdmin webmaster@site2.example.com
    ErrorLog logs/site2.example.com-error_log
    CustomLog logs/site2.example.com-access_log common
</VirtualHost></code>
  * Create the new directories<code bash>mkdir -p /www/{default,site1,site2}</code>
  * Create test indexes<code bash>echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html</code>
  * Reload the Apache config files<code bash>apachectl graceful</code>
  * DNS entries will need to be made (/etc/hosts for demonstration purposes)<code bash>vim /etc/hosts
192.168.1.150 server1 site1.example.com site2.example.com</code>
  * Sample of what visiting each site looks like: {{ :linux_wiki:apache_vhosts_firefox.png |}}

----

===== Virtual Hosts: Single Domain with Site Sub Dirs =====

An alternative to separate sub-domains is a single domain with sub-directories hosting the different sites.

Example Sites
  * server1 => the server's normal DNS entry and "default" virtual host
  * mysite.example.com => main site and "default" virtual host
  * mysite.example.com/site1 => site 1
  * mysite.example.com/site2 => site 2

  * Create a new file: /etc/httpd/conf.d/virtual_hosts.conf<code bash># Directory for virtual host sites
<Directory "/www">
    # Indexes enables directory listings when no index file exists; drop it if that is unwanted
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Default catch all
<VirtualHost _default_:80>
    DocumentRoot /www/default
    ServerName mysite.example.com
    ServerAdmin webmaster@mysite.example.com
    ErrorLog logs/mysite.example.com-error_log
    CustomLog logs/mysite.example.com-access_log common

    # Site 1
    Alias /site1 /www/site1
    # Requests under /site1/ set the site1_log variable so they go to their own access log
    SetEnvIf Request_URI "^/site1/.*$" site1_log
    CustomLog logs/site1-access_log common env=site1_log
    <Directory "/www/site1">
        Require all granted
    </Directory>

    # Site 2
    Alias /site2 /www/site2
    SetEnvIf Request_URI "^/site2/.*$" site2_log
    CustomLog logs/site2-access_log common env=site2_log
    <Directory "/www/site2">
        Require all granted
    </Directory>
</VirtualHost></code>
  * Create the new directories<code bash>mkdir -p /www/{default,site1,site2}</code>
  * Create test indexes<code bash>echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html</code>
  * Reload the Apache config files<code bash>apachectl graceful</code>
  * DNS entries will need to be made (/etc/hosts for demonstration purposes)<code bash>vim /etc/hosts
192.168.1.150 server1 mysite.example.com</code>
  * Sample of what visiting each site looks like: {{ :linux_wiki:apache_single-domain_subdirs.png |}}

----

====== Operation ======

Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log

----

==== Start ====
  * Checks the syntax; if errors are found, refuses to start.
  * Starts the httpd process and the number of workers specified in the config files via the "StartServers <number>" directive.
<code bash>
apachectl -k start
</code>

----

==== Stop ====
  * Immediately stops the httpd process and kills the workers.
  * User connections in progress are terminated.
<code bash>
apachectl -k stop
</code>

----

==== Graceful Restart ====
  * Checks the syntax; if errors are found, refuses to restart.
  * The parent process advises the workers to shut down after their current requests.
  * Once all workers have finished and exited, starts up again.
  * This does **not** interrupt user connections.
<code bash>
apachectl -k graceful
</code>

----

==== Restart ====
  * Checks the syntax; if errors are found, refuses to restart.
  * The parent process kills the workers, then starts up again.
  * This interrupts user connections.
<code bash>
apachectl -k restart
</code>

----

==== Graceful Stop ====
  * The parent process advises the workers to shut down after their current requests.
  * New requests are not accepted.
  * This does **not** interrupt user connections.
<code bash>
apachectl -k graceful-stop
</code>

----

linux_wiki/apache_http_server.txt · Last modified: 2019/05/25 23:50 (external edit)
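As an added verification helper (not part of this wiki page or of Apache itself), the following POSIX shell script audits a config file for the hardening directives from the Security Configs, ssl.conf and HSTS sections above, treating commented-out lines as inactive. The directive names and expected values are the ones this page sets; the function names and the constructed sample config are assumptions, and in practice you would point audit_httpd_conf at /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf.

```sh
# Hypothetical audit helper; not part of the wiki page or of Apache itself.
# Usage: audit_httpd_conf FILE  (e.g. /etc/httpd/conf/httpd.conf, then ssl.conf)
# Active lines only: comments and blanks dropped, so a commented-out default
# such as "#TraceEnable Off" is not mistaken for a live setting.
active_lines() {
    grep -Ev '^[[:space:]]*(#|$)' "$1"
}
# check_directive FILE LABEL REGEX: PASS when an active line matches REGEX.
# Directive names and keywords are case-insensitive in Apache, hence grep -i.
check_directive() {
    if active_lines "$1" | grep -Eiq "$3"; then echo "PASS $2"; return 0; fi
    echo "FAIL $2"; return 1
}

# One PASS/FAIL line per check from this page; exit status = number of failures.
audit_httpd_conf() {
    f=$1; fails=0; e='([[:space:]]|$)'
    check_directive "$f" ServerTokens        "^[[:space:]]*ServerTokens[[:space:]]+Prod$e"        || fails=$((fails+1))
    check_directive "$f" ServerSignature     "^[[:space:]]*ServerSignature[[:space:]]+Off$e"      || fails=$((fails+1))
    check_directive "$f" TraceEnable         "^[[:space:]]*TraceEnable[[:space:]]+Off$e"          || fails=$((fails+1))
    check_directive "$f" X-Frame-Options     '^[[:space:]]*Header[[:space:]].*X-Frame-Options[[:space:]]+"?(DENY|SAMEORIGIN)' || fails=$((fails+1))
    check_directive "$f" Strict-Transport-Security '^[[:space:]]*Header[[:space:]].*Strict-Transport-Security.*max-age=[0-9]+' || fails=$((fails+1))
    check_directive "$f" SSLHonorCipherOrder "^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on$e"   || fails=$((fails+1))
    # SSLProtocol must be set (absent means the default "all") and must not enable
    # "all" or anything older than TLSv1.2. Removals such as "-SSLv3" are not flagged.
    proto=$(active_lines "$f" | grep -Ei "^[[:space:]]*SSLProtocol$e" | tail -n 1)
    weak='(^|[[:space:]])\+?(all|SSLv2|SSLv3|TLSv1|TLSv1\.0|TLSv1\.1)([[:space:]]|$)'
    if [ -n "$proto" ] && ! printf '%s\n' "$proto" | grep -Eiq "$weak"; then
        echo "PASS SSLProtocol"
    else
        echo "FAIL SSLProtocol"; fails=$((fails+1))
    fi
    return $fails
}

# Constructed sample: the page's hardened directives plus one commented-out line.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ServerTokens Prod
ServerSignature Off
#TraceEnable On
TraceEnable Off
Header always append X-Frame-Options DENY
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
SSLProtocol TLSv1.2
SSLHonorCipherOrder on
EOF
audit_httpd_conf "$sample"; echo "failures: $?"
rm -f "$sample"
```

Run it against the stock ssl.conf (SSLProtocol all -SSLv2, no SSLHonorCipherOrder) to see the checks fail before the changes above are applied.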