Page revisions compared:
* linux_wiki:apache_http_server [2018/03/23 16:10] billdozor [SSL Verification]
* linux_wiki:apache_http_server [2019/05/25 23:50]
====== Apache HTTP Server ======

**General Information**

Installation and configuration of the Apache web server.

**Checklist**
* Distro(s): Enterprise Linux 6/7

----

====== Installation ======

Installing the Apache web server is simple and can be done from the repos or by compiling from source. The repos are easier, while compiling usually provides newer versions.

----

===== Repo: EPEL =====

* CentOS 6.7: Apache 2.2
* CentOS 7.2: Apache 2.4

For an easy standard Apache install, the repo install method is used. These packages are older, but stable.

Install package
<code bash>
yum install httpd
</code>

Start the service and enable it on boot
* EL 6<code bash>
chkconfig httpd on</code>
* EL 7<code bash>
systemctl enable httpd</code>

----

==== SSL ====

To add SSL support, install the "
<code bash>
yum -y install mod_ssl
</code>

----

===== Repo: Software Collections =====

Versions as of 04/13/2016:
* httpd 2.4

- Add the [[linux_wiki:
- Install<
- Enable the software collection<
- Control operation as described below.

----

===== Compile and Install =====

If you need a newer feature than what is available in the repo-installed versions, you may need to compile and install.

**Prerequisites**
* Install gcc in order to compile packages<
* Install apr-devel, apr-util-devel,
* apr = Apache Portable Runtime
* pcre = Perl-Compatible Regular Expressions Library
* If you really want to compile these as well for newer versions, see here: [[http://
\\
**Install Procedure**
* Download
* Visit the download page: [[http://
* Wget a link to the desired version (example with a mirror)<
* Extract Apache<
cd httpd-2.4.18</
* Configure Apache from httpd-2.4.18/<
* --prefix=PREFIX => Where "
* Compile<
* Install<
* Customize web server<
* Start web server<

----

====== Configuration ======

The default configuration:
* Main Config: /
* Additional Config: /
* This is usually used for add-on module configs

===== httpd.conf - Global Configs =====

Some common defaults to change in /

Listen on a specific IP instead of all
<code bash>
Listen 10.1.2.3:80
</code>
* Default: Listen 80

Set ServerName
<code bash>
ServerName example.com:
</code>
* Default: Commented out; Apache attempts to auto-determine the name (not always accurate)

NameVirtualHost on a specific IP instead of all (if using virtual hosts)
<code bash>
NameVirtualHost 10.1.2.3:80
</code>
* Default: NameVirtualHost *:80 (and commented out)

Security Configs
<code bash>
##-- Security --##
#- Information Disclosure -#
ServerTokens Prod
ServerSignature Off

# FileETag: File attributes used to create the ETag HTTP response header for static files
FileETag -INode +MTime +Size

#- Web Application Security -#
# Trace/Track - disabled for security purposes
TraceEnable Off

# Cross-Frame Scripting prevention (clickjacking)
# DENY = Deny all attempts to frame the page
# "set" rather than "append": an appended value such as "SAMEORIGIN, DENY" is not a valid
# X-Frame-Options header and browsers ignore it, leaving the page frameable
Header always set X-Frame-Options DENY

# Cross Site Scripting protection
Header set X-XSS-Protection "1; mode=block"
Header edit Set-Cookie ^(.*)$ $1;
##-- End of Security Settings --##
</code>
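An added check for the headers configured above (example code, not part of this wiki page): a POSIX shell script that audits a captured response-header block, such as the output of `curl -sI`, for version disclosure in the Server header and for the X-Frame-Options and X-XSS-Protection values the block sets. Both header samples are constructed.

```shell
#!/bin/sh
# Added example: audit response headers for the settings in the Security Configs block.
# Constructed sample of what a server with ServerTokens Prod and the Header directives above sends.
HARDENED_HEADERS='HTTP/1.1 200 OK
Date: Fri, 23 Mar 2018 16:10:00 GMT
Server: Apache
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Content-Type: text/html; charset=UTF-8'

# Constructed sample of a stock install: full version string leaked, protective headers absent.
DEFAULT_HEADERS='HTTP/1.1 200 OK
Date: Fri, 23 Mar 2018 16:10:00 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Content-Type: text/html; charset=UTF-8'

# Print the trimmed value of the first header named $2 in the response text $1 (CRs stripped).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print one FAIL line per missing control; return 1 if any failed, 0 when all pass.
audit_headers() {
    hdrs=$1
    rc=0
    # ServerTokens Prod reduces the Server header to the bare product name "Apache"
    case "$(header_value "$hdrs" Server)" in
        Apache) ;;
        *) echo "FAIL: Server header discloses version or module details"; rc=1 ;;
    esac
    # X-Frame-Options DENY blocks framing from any origin (clickjacking defence)
    [ "$(header_value "$hdrs" X-Frame-Options)" = "DENY" ] \
        || { echo "FAIL: X-Frame-Options is not DENY"; rc=1; }
    # Legacy XSS filter header as set in the block above
    [ "$(header_value "$hdrs" X-XSS-Protection)" = "1; mode=block" ] \
        || { echo "FAIL: X-XSS-Protection is not '1; mode=block'"; rc=1; }
    return $rc
}

# Live use (not run here): audit_headers "$(curl -sI https://example.com/)"
```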

----

===== ssl.conf =====

The SSL config file is located here: /

SSL Certificate and Certificate Authority
<code bash>
SSLCertificateFile /
SSLCertificateKeyFile /
SSLCertificateChainFile /
</code>
* Above are the defaults; change them to the location of your cert, key and CA chain cert

Protocol and Ciphers
<code bash>
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:
</code>
* Default SSLProtocol:
* Default SSLCipherSuite:

Enable SSL Cipher Honoring (the server's cipher order wins, so the server picks the strongest cipher the client supports)
<code bash>
SSLHonorCipherOrder on
</code>
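An added lint check for the settings above (example code, not part of this wiki page): a POSIX shell script that reads an ssl.conf fragment and fails if SSLProtocol leaves SSLv2, SSLv3, TLSv1 or TLSv1.1 enabled or if SSLHonorCipherOrder is not on. Both config samples are constructed; the path in the final comment is the stock EL location of mod_ssl's config.

```shell
#!/bin/sh
# Added example: lint an ssl.conf fragment for the protocol and cipher-order guidance above.
# Constructed sample that follows the settings in this section.
GOOD_SSL_CONF='SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on'

# Constructed sample of an older-style configuration that still allows weak protocols.
WEAK_SSL_CONF='SSLProtocol all -SSLv2
SSLCipherSuite DEFAULT
# SSLHonorCipherOrder on'

# Print the value of the first active (uncommented) occurrence of directive $2 in config text $1.
directive() {
    printf '%s\n' "$1" \
        | awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 if protocol $2 ends up enabled by the SSLProtocol value $1.
# "all" enables every protocol the build supports unless it is removed again with -Name.
allows() {
    case " $1 " in
        *" -$2 "*) return 1 ;;
        *" $2 "*|*" +$2 "*|*" all "*) return 0 ;;
    esac
    return 1
}

# Print one FAIL line per problem; return 1 if any were found, 0 when the fragment is clean.
lint_ssl_conf() {
    conf=$1
    rc=0
    proto=$(directive "$conf" SSLProtocol)
    [ -n "$proto" ] || { echo "FAIL: SSLProtocol not set; the httpd default applies"; rc=1; }
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if allows "$proto" "$old"; then echo "FAIL: SSLProtocol '$proto' enables $old"; rc=1; fi
    done
    # Without SSLHonorCipherOrder the client's preference order decides the cipher
    [ "$(directive "$conf" SSLHonorCipherOrder | tr '[:upper:]' '[:lower:]')" = "on" ] \
        || { echo "FAIL: SSLHonorCipherOrder is not on"; rc=1; }
    return $rc
}

# Live use (not run here): lint_ssl_conf "$(cat /etc/httpd/conf.d/ssl.conf)"
```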


----

===== Other Security Settings =====

Other important security settings.

==== Redirect HTTP to HTTPS ====

Redirect all HTTP to HTTPS<
ServerName example.com
<
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://
</
</

----

==== HSTS ====

Enabling HTTP Strict Transport Security (HSTS).

Add the Strict-Transport-Security header to the listening HTTPS host section
<code bash># Optionally load the headers module:
LoadModule headers_module modules/

<
Header always set Strict-Transport-Security "
</
* max-age=63072000 -> Tells web browsers to connect to the site using HTTPS only for two years. The countdown is reset each time the site is visited.
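An added verification for the two sections above (example code, not part of this wiki page): a POSIX shell script that checks a captured plain-HTTP response for a redirect to the https URL and a captured HTTPS response for a Strict-Transport-Security header with a sufficient max-age. Both responses are constructed samples.

```shell
#!/bin/sh
# Added example: verify the HTTP-to-HTTPS redirect and the HSTS header from the two sections above
# against captured responses (e.g. the output of curl -sI). Both samples are constructed.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Date: Fri, 23 Mar 2018 16:10:00 GMT
Server: Apache
Location: https://example.com/index.html
Content-Type: text/html; charset=iso-8859-1'

HTTPS_RESPONSE='HTTP/1.1 200 OK
Date: Fri, 23 Mar 2018 16:10:00 GMT
Server: Apache
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: text/html; charset=UTF-8'

# Print the trimmed value of the first header named $2 in response text $1 (CRs stripped).
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n1 | cut -d: -f2- \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Pass when the plain-HTTP response $1 is a 301/302 whose Location equals the https URL $2.
check_redirect() {
    status=$(printf '%s\n' "$1" | head -n1 | tr -d '\r' | cut -d' ' -f2)
    case "$status" in
        301|302) ;;
        *) echo "FAIL: status '$status' is not a redirect"; return 1 ;;
    esac
    loc=$(header_value "$1" Location)
    [ "$loc" = "$2" ] || { echo "FAIL: Location '$loc' is not '$2'"; return 1; }
}

# Pass when the HTTPS response $1 carries Strict-Transport-Security with max-age >= $2 seconds.
check_hsts() {
    hsts=$(header_value "$1" Strict-Transport-Security)
    [ -n "$hsts" ] || { echo "FAIL: Strict-Transport-Security header missing"; return 1; }
    # Split the directives on ';' and pull the digits out of max-age=N
    age=$(printf '%s\n' "$hsts" | tr ';' '\n' | sed -n 's/^[[:space:]]*max-age=\([0-9]*\).*/\1/p')
    [ -n "$age" ] && [ "$age" -ge "$2" ] \
        || { echo "FAIL: max-age '$age' is below the required $2"; return 1; }
}

# Live use (not run here):
# check_redirect "$(curl -sI http://example.com/index.html)" https://example.com/index.html
# check_hsts "$(curl -sI https://example.com/)" 63072000
```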

----

===== Virtual Hosts: Multiple Domains =====

You can host multiple web sites, each with its own domain, from the same Apache instance by using virtual host directives.

Example sites
* server1 => the server'
* site1.example.com => virtual host
* site2.example.com => virtual host

* Create a new file: /
<
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</

# Default catch all
<
DocumentRoot /
</

# Site 1
<
ServerName site1.example.com
DocumentRoot /www/site1

ServerAdmin webmaster@site1.example.com
ErrorLog logs/
CustomLog logs/
</

# Site 2
<
ServerName site2.example.com
DocumentRoot /www/site2

ServerAdmin webmaster@site2.example.com
ErrorLog logs/
CustomLog logs/
</
* Create the new directories<
* Create test indexes<
echo "site1 content"
echo "site2 content"
* Reload the Apache config files<
* DNS entries will need to be made (/etc/hosts for demonstration purposes)<
192.168.1.150 server1 site1.example.com site2.example.com</
* Sample of what visiting each site looks like:{{ :

----

===== Virtual Hosts: Single Domain with Site Sub Dirs =====

An alternative to separate sub-domains,

Example Sites
* server1 => the server'
* mysite.example.com => main site and "
* mysite.example.com/
* mysite.example.com/


* Create a new file: /
<
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</

# Default catch all
<
DocumentRoot /
ServerName mysite.example.com
ServerAdmin webmaster@mysite.example.com
ErrorLog logs/
CustomLog logs/

# Site 1
Alias /site1 /www/site1
SetEnvIf Request_URI "
CustomLog logs/
<
Require all granted
</

# Site 2
Alias /site2 /www/site2
SetEnvIf Request_URI "
CustomLog logs/
<
Require all granted
</

</
* Create the new directories<
* Create test indexes<
echo "site1 content"
echo "site2 content"
* Reload the Apache config files<
* DNS entries will need to be made (/etc/hosts for demonstration purposes)<
192.168.1.150 server1 mysite.example.com</
* Sample of what visiting each site looks like:{{ :

----

====== Operation ======

Controlling the Apache httpd service: Apache recommends using the "

* After sending a signal to httpd, watch its progress in the error_log file: logs/

----

==== Start ====

* Checks the syntax; if errors are found, refuses to start.
* Starts the httpd process and the number of workers specified in the config files via the "

<code bash>
apachectl -k start
</code>

----

==== Stop ====

* Immediately stops the httpd process and kills the workers.
* User connections in progress are terminated.

<code bash>
apachectl -k stop
</code>

----

==== Graceful Restart ====

* Checks the syntax; if errors are found, refuses to restart.
* The parent process advises the workers to shut down after finishing their current requests.
* Once all workers have finished and exited, starts up again.
* This does **not** interrupt user connections.

<code bash>
apachectl -k graceful
</code>

----

==== Restart ====

* Checks the syntax; if errors are found, refuses to restart.
* The parent process kills the workers, then starts up again.
* This interrupts user connections.

<code bash>
apachectl -k restart
</code>

----

==== Graceful Stop ====

* The parent process advises the workers to shut down after finishing their current requests.
* New requests are not accepted.
* This does **not** interrupt user connections.

<code bash>
apachectl -k graceful-stop
</code>

----