General Information
Installation and configuration of Apache web server.
Checklist
Installing the Apache web server is simple and can be done from the distribution repos or by compiling from source. The repo install is easier, while compiling usually provides newer versions.
For an easy standard Apache install, the repo install method is used. These packages are older, but stable.
Install package
yum install httpd
Start the service and enable on boot
service httpd start
chkconfig httpd on
systemctl start httpd
systemctl enable httpd
To add SSL support, install the “mod_ssl” package:
yum -y install mod_ssl
Versions as of 04/13/2016:
yum install httpd24
scl enable httpd24 bash
If you need a newer feature than what is available in the repo installed versions, you may need to compile and install.
Prerequisites
yum install gcc
yum install apr-devel apr-util-devel pcre-devel
Install Procedure
wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz
tar -zxvf httpd-2.4.18.tar.gz
cd httpd-2.4.18
./configure --prefix=PREFIX
make
make install
vim PREFIX/conf/httpd.conf
PREFIX/bin/apachectl -k start
The default configuration:
Some common defaults to change in /etc/httpd/conf/httpd.conf:
Listen to specific IP instead of all
Listen 10.1.2.3:80
Set ServerName
ServerName example.com:80
NameVirtualHost to specific IP instead of all (if using virtual hosts)
NameVirtualHost 10.1.2.3:80
Security Configs
##-- Security --##
#- Information Disclosure -#
ServerTokens Prod
ServerSignature Off
# FileETag: File attributes used to create the ETag HTTP response header for static files
FileETag -INode +MTime +Size
#- Web Application Security -#
# Trace/Track - disabled for security purposes
TraceEnable Off
# Cross-Frame Scripting prevention (click jacking)
# DENY = Deny all attempts to frame the page
Header always append X-Frame-Options DENY
# Cross Site Scripting protection
Header set X-XSS-Protection "1; mode=block"
# Append the HttpOnly and Secure flags to every cookie the server sets
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
##-- End of Security Settings --##
The SSL config file is located here: /etc/httpd/conf.d/ssl.conf
SSL Certificate and Certificate Authority
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
Protocol and Ciphers
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
Enable SSL Cipher Honoring (server picks the strongest compatible cipher)
SSLHonorCipherOrder on
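To see what a cipher string such as the one above enables on a given OpenSSL build, the following added example (not part of the original page) classifies `openssl ciphers -v` output. The function name `audit_ciphers` and the sample lines are constructed for illustration. It goes slightly beyond the page by also reporting static-RSA key exchange suites, which the string above does not exclude.

```shell
#!/bin/sh
# Added example, not from the original page. Classifies the suites a cipher
# string expands to; feed it the output of, for example:
#   openssl ciphers -v 'HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4'
# Prints "WEAK <suite> <reason>" or "NOPFS <suite>"; returns 1 if any are WEAK.
audit_ciphers() {
    awk '
    NF == 0 { next }
    {
        suite = $1; kx = au = enc = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Kx=/)  kx  = substr($i, 4)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
        }
        if (enc ~ /^(RC4|3DES|DES|None)/) {        # broken or null encryption
            print "WEAK", suite, "cipher=" enc; weak = 1
        } else if (au == "None") {                 # anonymous, no server auth
            print "WEAK", suite, "anonymous"; weak = 1
        } else if (kx == "RSA") {                  # static RSA: no forward secrecy
            print "NOPFS", suite
        }
    }
    END { exit weak + 0 }'
}

# Constructed sample in `openssl ciphers -v` column format.
sample_ciphers='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA  Enc=3DES(168)   Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1'
printf '%s\n' "$sample_ciphers" | audit_ciphers || true
```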
Other important security settings.
Redirect all HTTP to HTTPS
<VirtualHost *:80>
    ServerName example.com
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    </IfModule>
</VirtualHost>
Enabling HTTPS Strict Transport Security (HSTS).
Add the strict transport security header to the listening HTTPS host section
# Optionally load the headers module:
LoadModule headers_module modules/mod_headers.so
<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
</VirtualHost>
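To confirm that the security headers and the HSTS header configured above are actually being sent, the following added example (not part of the original page) audits a raw response header dump. The function name `check_headers` and the sample response are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Reads a raw response header dump
# (e.g. from `curl -skI https://example.com/`) on stdin, prints one FAIL line
# per finding, and returns 0 when clean or 1 otherwise.
check_headers() {
    hdrs=$(tr -d '\r')   # headers arrive with CRLF line endings
    rc=0
    # hval NAME: print the value(s) of header NAME (given in lowercase).
    hval() {
        printf '%s\n' "$hdrs" |
            awk -F': *' -v n="$1" 'tolower($1) == n { sub(/^[^:]*: */, ""); print }'
    }
    fail() { echo "FAIL: $1"; rc=1; }

    # ServerTokens Prod reduces the Server header to the bare product name.
    v=$(hval server)
    [ -z "$v" ] || [ "$v" = "Apache" ] || fail "Server header discloses: $v"

    # Header always append X-Frame-Options DENY
    v=$(hval x-frame-options | tr 'a-z' 'A-Z')
    [ "$v" = "DENY" ] || fail "X-Frame-Options is '${v:-missing}', expected DENY"

    # Header set X-XSS-Protection "1; mode=block"
    v=$(hval x-xss-protection)
    [ "$v" = "1; mode=block" ] || fail "X-XSS-Protection is '${v:-missing}'"

    # HSTS must be present; max-age=0 would tell browsers to drop the policy.
    v=$(hval strict-transport-security | tr 'A-Z' 'a-z')
    age=$(printf '%s\n' "$v" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$v" ]; then fail "Strict-Transport-Security missing"
    elif [ -z "$age" ] || [ "$age" -eq 0 ]; then fail "HSTS max-age missing or 0"
    fi
    case "$v" in ''|*includesubdomains*) ;; *) fail "HSTS lacks includeSubDomains" ;; esac

    # Header edit Set-Cookie ...: every cookie needs both HttpOnly and Secure.
    bad=$(hval set-cookie |
        awk 'tolower($0) !~ /; *httponly/ || tolower($0) !~ /; *secure/')
    [ -z "$bad" ] || fail "cookie without HttpOnly and Secure: $bad"

    return $rc
}

# Constructed sample response: version leak, no HSTS, cookie without flags.
sample_headers='HTTP/1.1 200 OK
Server: Apache/2.4.6 (CentOS)
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Set-Cookie: sid=abc123; Path=/'
printf '%s\n' "$sample_headers" | check_headers || true
```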
You can host multiple web sites, each with their own domain, from the same Apache instance by using virtual hosts directives.
Example sites
# Directory for virtual host sites
<Directory "/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# Default catch all
<VirtualHost _default_:80>
    DocumentRoot /www/default
</VirtualHost>
# Site 1
<VirtualHost *:80>
    ServerName site1.example.com
    DocumentRoot /www/site1
    ServerAdmin webmaster@site1.example.com
    ErrorLog logs/site1.example.com-error_log
    CustomLog logs/site1.example.com-access_log common
</VirtualHost>
# Site 2
<VirtualHost *:80>
    ServerName site2.example.com
    DocumentRoot /www/site2
    ServerAdmin webmaster@site2.example.com
    ErrorLog logs/site2.example.com-error_log
    CustomLog logs/site2.example.com-access_log common
</VirtualHost>
mkdir -p /www/{default,site1,site2}
echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html
apachectl graceful
vim /etc/hosts
192.168.1.150 server1 site1.example.com site2.example.com
An alternative to separate sub-domains is a single domain with subdirectories hosting different sites.
Example Sites
# Directory for virtual host sites
<Directory "/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
# Default catch all
<VirtualHost _default_:80>
    DocumentRoot /www/default
    ServerName mysite.example.com
    ServerAdmin webmaster@mysite.example.com
    ErrorLog logs/mysite.example.com-error_log
    CustomLog logs/mysite.example.com-access_log common
    # Site 1
    Alias /site1 /www/site1
    SetEnvIf Request_URI "^/site1/.*$" site1_log
    CustomLog logs/site1-access_log common env=site1_log
    <Directory "/www/site1">
        Require all granted
    </Directory>
    # Site 2
    Alias /site2 /www/site2
    SetEnvIf Request_URI "^/site2/.*$" site2_log
    CustomLog logs/site2-access_log common env=site2_log
    <Directory "/www/site2">
        Require all granted
    </Directory>
</VirtualHost>
mkdir -p /www/{default,site1,site2}
echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html
apachectl graceful
vim /etc/hosts
192.168.1.150 server1 mysite.example.com
Controlling the Apache httpd service: Apache recommends using the “apachectl” signals instead of the OS service control interface (service/systemctl).
apachectl -k start
apachectl -k stop
apachectl -k graceful
apachectl -k restart
apachectl -k graceful-stop