linux_wiki:apache_http_server

Revision shown: 2018/03/23 16:10 by billdozor (section last edited: SSL Verification). Compared against the revision of 2019/05/25 23:50, which no longer contains this content.

====== Apache HTTP Server ======

**General Information**

Installation and configuration of the Apache HTTP Server (httpd) on Enterprise Linux.

**Checklist**
  * Distro(s): Enterprise Linux 6/7

----

====== Installation ======

Apache can be installed from the distribution repositories or compiled from source. The repositories are easier and the packages receive vendor security updates; compiling usually gives a newer version, but you then own every security update yourself.

----
- 
===== Repo: Base =====

The httpd package is in the standard CentOS/RHEL base repository (EPEL is not needed):
  * CentOS 6.7: Apache 2.2 (httpd 2.2.15)
  * CentOS 7.2: Apache 2.4 (httpd 2.4.6)

For a standard Apache install, the repo install method is used. The version numbers look old, but Red Hat backports security fixes into these packages, so "yum update" keeps them patched; when assessing a CVE, check the package changelog (rpm -q --changelog httpd) rather than the upstream version number.

Install package
<code bash>
yum install httpd
</code>

Start the service and enable on boot
  * EL 6<code bash>service httpd start
chkconfig httpd on</code>
  * EL 7<code bash>systemctl start httpd
systemctl enable httpd</code>

----

==== SSL ====

To add TLS support, install the "mod_ssl" package:
<code bash>
yum -y install mod_ssl
</code>
  * The package drops /etc/httpd/conf.d/ssl.conf and generates a self-signed certificate for "localhost"; replace it with a real certificate (see the ssl.conf section below) before exposing the service.
  * Remember to open tcp/443 in the host firewall.

----
- 
===== Repo: Software Collections =====

Versions as of 04/13/2016:
  * httpd 2.4

  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
  - Install<code bash>yum install httpd24</code>
  - Enable the software collection<code bash>scl enable httpd24 bash</code>
    - This opens a shell with the collection's paths set. Its configuration lives under /opt/rh/httpd24/root/etc/httpd/ and the service is named httpd24-httpd (service/systemctl), not httpd; otherwise control it as described under Operation below.

----
- 
===== Compile and Install =====

If you need a newer feature than what is available in the repo versions, you may need to compile and install. A compiled httpd is outside the distribution's update stream: you must follow the Apache httpd security announcements and rebuild yourself.

**Prerequisites**
  * Install gcc in order to compile packages<code bash>yum install gcc</code>
  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code>
    * apr = Apache Portable Runtime
    * pcre = Perl-Compatible Regular Expressions Library
    * If you want TLS (mod_ssl), also install openssl-devel and pass --enable-ssl to configure.
    * If you really want to compile these as well for newer versions, see here: [[http://httpd.apache.org/docs/2.4/install.html#requirements]]
\\
**Install Procedure**
  * Download
    * Visit the download page: [[http://httpd.apache.org/download.cgi]]
    * Wget a link to the desired version (example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>
    * Mirrors are third parties reached over plain HTTP. Download the matching .asc signature from apache.org itself and verify it against the Apache httpd KEYS file before unpacking; a tarball that fails verification must not be built.
  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz
cd httpd-2.4.18</code>
  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
    * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
  * Compile<code bash>make</code>
  * Install<code bash>make install</code>
  * Customize web server<code bash>vim PREFIX/conf/httpd.conf</code>
  * Start web server<code bash>PREFIX/bin/apachectl -k start</code>
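The download step above fetches the tarball from a third-party mirror over plain HTTP, so the verification is the part of the procedure that matters. The script below is an added example, not code from this wiki page or from the Apache project: it checks a tarball against its SHA-256 digest and its detached PGP signature and deletes the file if either check fails, so nothing unverified is ever handed to tar. Assumptions not stated on the page: the .asc signature and a .sha256 digest file are fetched from https://archive.apache.org/dist/httpd/ (older releases on the archive may carry differently named digest files; adjust the suffix), and the httpd KEYS file from https://downloads.apache.org/httpd/KEYS has already been imported with gpg --import. The demo at the end runs offline on a constructed file.

```bash
#!/bin/bash
# Added example, not from the original wiki page: verify an httpd source
# tarball before building it.  Assumptions (not on the page): the tarball,
# its .asc signature and its .sha256 digest come from
# https://archive.apache.org/dist/httpd/ and the httpd KEYS file has been
# imported into gpg.
set -u

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch.
# Case-insensitive, because published digests vary in case.
verify_sha256() {
    local actual expected
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_pgp FILE SIGNATURE -> 0 only for a good signature from an imported key.
# A digest proves the download was not corrupted; the detached signature
# proves it was produced by an httpd release manager.
verify_pgp() {
    gpg --verify "$2" "$1"
}

# fetch_and_verify VERSION: download and check, never leaving an unverified
# tarball in place.  Needs network access; not run by the demo below.
fetch_and_verify() {
    local v="$1" base="https://archive.apache.org/dist/httpd"
    local tgz="httpd-$v.tar.gz"
    wget -q "$base/$tgz" "$base/$tgz.asc" "$base/$tgz.sha256" || return 1
    # .sha256 files are "HEX  FILENAME"; take the first field.
    if ! verify_sha256 "$tgz" "$(awk '{print $1}' "$tgz.sha256")"; then
        echo "digest mismatch for $tgz, removing it" >&2
        rm -f "$tgz"; return 1
    fi
    if ! verify_pgp "$tgz" "$tgz.asc"; then
        echo "bad or unknown signature for $tgz, removing it" >&2
        rm -f "$tgz"; return 1
    fi
    echo "$tgz verified; safe to tar -zxvf and ./configure"
}

# Offline demonstration on a constructed file (no download).
demo() {
    local tmp good
    tmp=$(mktemp)
    printf 'constructed sample tarball contents\n' > "$tmp"
    good=$(sha256_of "$tmp")
    if verify_sha256 "$tmp" "$good"; then echo "digest check: match"; fi
    if ! verify_sha256 "$tmp" "deadbeef"; then echo "digest check: mismatch rejected"; fi
    rm -f "$tmp"
}
demo
```

Call fetch_and_verify 2.4.18 (or the version you chose) in place of the wget step. Taking the digest and signature from the same mirror as the tarball proves nothing, which is why the script fetches them from apache.org, and the signature check is the one that counts: a digest file can be replaced by whoever replaced the tarball, a signature from a key in KEYS cannot.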

----
- 
====== Configuration ======

The default configuration:
  * Main Config: /etc/httpd/conf/httpd.conf
  * Additional Config: /etc/httpd/conf.d/
    * This is usually used for add-on module config (every *.conf file in it is included)

===== httpd.conf - Global Configs =====

Some common defaults to change in /etc/httpd/conf/httpd.conf:

Listen on a specific IP instead of all
<code bash>
Listen 10.1.2.3:80
</code>
  * Default: Listen 80 (all addresses)

Set ServerName
<code bash>
ServerName example.com:80
</code>
  * Default: Commented out; httpd attempts to determine it from the hostname (not always accurate)

NameVirtualHost on a specific IP instead of all (if using name-based virtual hosts on Apache 2.2)
<code bash>
NameVirtualHost 10.1.2.3:80
</code>
  * Default: NameVirtualHost *:80 (and commented out)
  * Apache 2.4 ignores this directive; name-based hosting is automatic when several <VirtualHost> blocks share an address.

Security Configs
<code bash>
##-- Security --##
#- Information Disclosure -#
# "Prod" reduces the Server header to "Apache"; Off removes the version footer from error pages
ServerTokens Prod
ServerSignature Off

# FileETag: File attributes used to create the ETag HTTP response header for static files.
# Leaving out the inode avoids leaking filesystem details and keeps ETags stable across servers.
FileETag -INode +MTime +Size

#- Web Application Security -#
# TRACE reflects the request (including cookies) back to the client; disable it
TraceEnable Off

# The Header directives below need mod_headers (loaded by default on the EL packages)
# Cross-Frame Scripting prevention (clickjacking)
# DENY = Deny all attempts to frame the page. "set" rather than "append":
# a second value appended to one sent by the application makes the header invalid.
Header always set X-Frame-Options "DENY"

# Legacy browser XSS filter (ignored by current browsers; a Content-Security-Policy is the real control)
Header set X-XSS-Protection "1; mode=block"

# Add HttpOnly and Secure to cookies the application forgets to flag.
# Both lines are needed: "onsuccess" (the default) only edits 2xx responses, and
# "always" covers the rest (e.g. a 302 login redirect) but not every header a
# CGI or proxied application sets on a 2xx. Cookies that already carry the flags
# get them twice, which browsers tolerate but is better fixed in the application.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
##-- End of Security Settings --##
</code>
  * Secure cookies are never sent back over plain HTTP, so pair this with the HTTP-to-HTTPS redirect below.

----
- 
===== ssl.conf =====

The SSL config file is located here: /etc/httpd/conf.d/ssl.conf

SSL Certificate and Certificate Authority
<code bash>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</code>
  * Above are the defaults (a self-signed certificate generated when mod_ssl was installed); change them to the location of your certificate, private key and intermediate CA chain.
  * Keep the private key readable by root only (mode 0600); httpd reads it as root before dropping privileges.

Protocol and Ciphers
<code bash>
SSLProtocol TLSv1.2
SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
</code>
  * Default SSLProtocol: all -SSLv2 (leaves SSLv3, TLS 1.0 and TLS 1.1 enabled)
  * Default SSLCipherSuite: DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
  * The cipher string above removes DHE but still admits static RSA key exchange, which has no forward secrecy. If all clients support it, put ECDHE suites first and add !kRSA to drop the plain-RSA ones.

Enable SSL Cipher Honoring (the server's preference order wins instead of the client's)
<code bash>
SSLHonorCipherOrder on
</code>
  * Without this the client's preference wins, which can land on the weakest suite both sides allow.
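To see what the three directives above actually leave negotiable, here is an added example, not code from this page or from the Apache project: a small lint for the SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder lines of an ssl.conf. It evaluates SSLProtocol with mod_ssl's documented all/+/- semantics (listing TLSv1.3 under "all" for builds that support it), flags SSLHonorCipherOrder when it is not on, and, when the openssl binary is present, expands the cipher string the same way OpenSSL will so anonymous, RC4/DES and static-RSA suites can be seen. The two sample configs are constructed: one repeats the shipped defaults listed above, the other the hardened lines.

```bash
#!/bin/bash
# Added example, not part of the original wiki page: lint the TLS settings
# in an ssl.conf.  The sample configs are constructed for the demo.
set -u

# Effective value of DIRECTIVE in FILE: comments skipped, last occurrence wins.
directive() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# protocols_enabled "SSLProtocol value" -> the versions it leaves enabled.
# "all" is every version except SSLv2; "+X" or bare "X" adds X, "-X" removes it.
protocols_enabled() {
    local tok enabled=""
    for tok in $1; do
        case "$tok" in
            all|+all) enabled="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3" ;;
            -all)     enabled="" ;;
            -*)       enabled=$(printf '%s\n' $enabled | grep -vxF -- "${tok#-}" | tr '\n' ' ') ;;
            +*)       enabled="$enabled ${tok#+}" ;;
            *)        enabled="$enabled $tok" ;;
        esac
    done
    printf '%s\n' $enabled | awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# lint_ssl_conf FILE: print WEAK/NOTE lines; return 0 only if nothing WEAK was found.
lint_ssl_conf() {
    local f="$1" proto enabled v cs weak=0
    proto=$(directive "$f" SSLProtocol)
    if [ -z "$proto" ]; then
        echo "WEAK: SSLProtocol not set; mod_ssl's compiled-in default applies"; weak=$((weak + 1))
    fi
    enabled=$(protocols_enabled "$proto")
    for v in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        case " $enabled " in
            *" $v "*) echo "WEAK: $v still enabled by 'SSLProtocol $proto'"; weak=$((weak + 1)) ;;
        esac
    done
    case " $enabled " in
        *" TLSv1.2 "*|*" TLSv1.3 "*) ;;
        *) echo "WEAK: neither TLSv1.2 nor TLSv1.3 is enabled"; weak=$((weak + 1)) ;;
    esac
    if [ "$(directive "$f" SSLHonorCipherOrder | tr 'A-Z' 'a-z')" != "on" ]; then
        echo "WEAK: SSLHonorCipherOrder is not on, so the client chooses the suite"; weak=$((weak + 1))
    fi
    cs=$(directive "$f" SSLCipherSuite)
    if [ -n "$cs" ] && command -v openssl >/dev/null 2>&1; then
        # 'openssl ciphers -v' columns: name proto Kx= Au= Enc= Mac=
        # Anonymous auth or RC4/DES/3DES/export encryption is WEAK;
        # static RSA key exchange (no forward secrecy) gets a NOTE.
        openssl ciphers -v "$cs" 2>/dev/null | awk '
            $4 == "Au=None" || $5 ~ /RC4|DES|EXPORT/ {
                print "WEAK: negotiable suite " $1 " (" $4 ", " $5 ")"; w++ }
            $3 == "Kx=RSA" { print "NOTE: " $1 " uses static RSA key exchange (no forward secrecy)" }
            END { exit (w > 0) }' || weak=$((weak + 1))
    fi
    [ "$weak" -eq 0 ]
}

# Constructed samples: the EL defaults quoted on this page, and the hardened lines.
sample_conf() {
    case "$1" in
        default) printf '%s\n' \
            '# shipped defaults' \
            'SSLProtocol all -SSLv2' \
            'SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES' ;;
        hardened) printf '%s\n' \
            'SSLProtocol -all +TLSv1.2' \
            'SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4' \
            'SSLHonorCipherOrder on' ;;
    esac
}

demo() {
    local name tmp
    for name in default hardened; do
        tmp=$(mktemp)
        sample_conf "$name" > "$tmp"
        echo "== $name =="
        lint_ssl_conf "$tmp" || echo "-> $name config has weak settings"
        rm -f "$tmp"
    done
}
demo
```

Run lint_ssl_conf /etc/httpd/conf.d/ssl.conf before a graceful restart, then confirm from a client that openssl s_client -connect host:443 -tls1 is refused while -tls1_2 succeeds. The NOTE lines are what the bullet about forward secrecy refers to: they are the suites a capturing attacker can decrypt later if the server key is ever obtained.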

----
- 
===== Other Security Settings =====

Other important security settings.

==== Redirect HTTP to HTTPS ====

Redirect all HTTP to HTTPS<code bash><VirtualHost *:80>
  ServerName example.com
  <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
  </IfModule>
</VirtualHost></code>
  * R=301 makes the redirect permanent (a rule whose target starts with a scheme is an external redirect anyway, but a 302 by default) and L stops further rewriting.
  * %{HTTP_HOST} is the client's Host header. If this vhost only ever serves one name, hard-code the target (https://example.com%{REQUEST_URI}) rather than reflecting client input into a redirect.
  * The <IfModule> guard means the redirect silently does nothing when mod_rewrite is not loaded; on the EL packages it is loaded by default.

----

==== HSTS ====

Enabling HTTP Strict Transport Security (HSTS).

Add the Strict-Transport-Security header to the listening HTTPS host section
<code bash># Optionally load the headers module (already loaded on the EL packages):
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:443>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost></code>
  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. The countdown is reset each time the site is visited over HTTPS.
  * includeSubDomains extends the policy to every subdomain of the host name; make sure all of them serve HTTPS first, or they become unreachable for the remaining max-age.
  * Browsers ignore the header on plain HTTP responses, so it belongs only in the :443 host (as above), together with the HTTP-to-HTTPS redirect.
  * Start with a short max-age while testing; a policy sent by mistake cannot be taken back until it expires (or max-age=0 is sent over HTTPS).
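The header directives in the Security Configs section and the HSTS header above are easy to misplace (wrong vhost, mod_headers not loaded, "onsuccess" versus "always"), so the check that matters is what the server actually sends. The script below is an added example, not code from this page or from the Apache project: it audits a raw block of response headers for a version-leaking Server header, a missing X-Frame-Options or Strict-Transport-Security header, and Set-Cookie lines without HttpOnly and Secure. The two sample responses are constructed: the 302 imitates a login redirect on a stock EL7 install, the 200 a vhost with the directives from this page applied. fetch_headers needs network access and uses curl's -D - to dump the headers; everything else runs offline.

```bash
#!/bin/bash
# Added example, not from the original wiki page: audit the headers a vhost
# really sends against the Security Configs and HSTS sections above.
# Live use: fetch_headers https://example.com/login | audit_headers
# The two responses at the bottom are constructed for the demonstration.
set -u

# Dump only the response headers of URL. Redirects are deliberately not
# followed, so a 302 (where cookie flags are most often missed) is inspected as-is.
fetch_headers() {
    curl -sS -o /dev/null -D - "$1"
}

# audit_headers < HEADERS: print one FINDING per line; return the finding count.
audit_headers() {
    local hdrs line name findings=0
    # strip CRLF and lower-case everything: header names are case-insensitive
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')

    # ServerTokens Prod leaves exactly "Server: Apache"; a "/" or " " after it
    # means a version and/or OS string is being published.
    if printf '%s\n' "$hdrs" | grep -Eq '^server: apache[/ ]'; then
        echo "FINDING: Server header leaks version/OS (set ServerTokens Prod)"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$hdrs" | grep -Eq '^x-frame-options: *(deny|sameorigin) *$'; then
        echo "FINDING: X-Frame-Options missing or not DENY/SAMEORIGIN"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$hdrs" | grep -Eq '^strict-transport-security: *max-age=[0-9]+'; then
        echo "FINDING: no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi
    # Every Set-Cookie must carry both flags. A 302 login redirect is the usual
    # miss: "Header edit" without "always" only rewrites 2xx responses.
    while IFS= read -r line; do
        case "$line" in
            set-cookie:*)
                name=${line#set-cookie:}; name=${name# }; name=${name%%=*}
                case "$line" in
                    *";httponly"*|*"; httponly"*) ;;
                    *) echo "FINDING: cookie '$name' lacks HttpOnly"; findings=$((findings + 1)) ;;
                esac
                case "$line" in
                    *";secure"*|*"; secure"*) ;;
                    *) echo "FINDING: cookie '$name' lacks Secure"; findings=$((findings + 1)) ;;
                esac ;;
        esac
    done <<EOF
$hdrs
EOF
    return "$findings"
}

# Constructed responses: a stock EL7 install answering a login POST, and a
# hardened vhost with the directives from this page applied.
stock_response() {
    printf '%s\r\n' \
        'HTTP/1.1 302 Found' \
        'Server: Apache/2.4.6 (CentOS)' \
        'Set-Cookie: PHPSESSID=0123456789abcdef; path=/' \
        'Location: http://www.example.com/account' \
        'Content-Length: 0' ''
}
hardened_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Server: Apache' \
        'Strict-Transport-Security: max-age=63072000; includeSubDomains' \
        'X-Frame-Options: DENY' \
        'Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure' \
        'Content-Type: text/html; charset=UTF-8' ''
}

# Report on both samples (the exit status of audit_headers is the finding count).
demo() {
    local n sample
    for sample in stock_response hardened_response; do
        n=0; "$sample" | audit_headers || n=$?
        echo "$sample: $n finding(s)"
    done
}
demo
```

Point it at a URL that sets a cookie and at one that redirects; a clean result on the front page says nothing about the login path. The exit status makes it usable from a deployment pipeline: anything other than zero fails the job.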

----
- 
===== Virtual Hosts: Multiple Domains =====

You can host multiple web sites, each with their own domain, from the same Apache instance by using virtual host directives. Apache picks the <VirtualHost> whose ServerName (or ServerAlias) matches the request's Host header; if none matches, the first <VirtualHost> defined for that address:port answers, so the catch-all must be listed first.

Example sites
  * server1 => the server's normal DNS entry and "default" virtual host.
  * site1.example.com => virtual host
  * site2.example.com => virtual host

  * Create a new file: /etc/httpd/conf.d/virtual_hosts.conf<code bash># Directory for virtual host sites
<Directory "/www">
  # Indexes enables directory listings wherever no index file exists; drop it in production
  Options Indexes FollowSymLinks
  AllowOverride None
  # Apache 2.4 syntax; on Apache 2.2 (EL6) use "Order allow,deny" and "Allow from all" instead
  Require all granted
</Directory>

# Default catch all (listed first on purpose: it answers any unknown Host header)
<VirtualHost _default_:80>
  DocumentRoot /www/default
</VirtualHost>

# Site 1
<VirtualHost *:80>
  ServerName site1.example.com
  DocumentRoot /www/site1

  ServerAdmin webmaster@site1.example.com
  ErrorLog logs/site1.example.com-error_log
  CustomLog logs/site1.example.com-access_log common
</VirtualHost>

# Site 2
<VirtualHost *:80>
  ServerName site2.example.com
  DocumentRoot /www/site2

  ServerAdmin webmaster@site2.example.com
  ErrorLog logs/site2.example.com-error_log
  CustomLog logs/site2.example.com-access_log common
</VirtualHost></code>
    * On Apache 2.2 (EL6) name-based hosting also needs "NameVirtualHost *:80" in httpd.conf (see Global Configs); Apache 2.4 does this automatically.
  * Create the new directories<code bash>mkdir -p /www/{default,site1,site2}</code>
  * Create test indexes<code bash>echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html</code>
  * Reload Apache config files (the syntax is checked first; a broken file refuses to load)<code bash>apachectl graceful</code>
    * "apachectl -S" prints the resulting host-to-vhost mapping and shows which block is the default.
  * DNS entries will need to be made (/etc/hosts for demonstration purposes)<code bash>vim /etc/hosts
192.168.1.150 server1 site1.example.com site2.example.com</code>
  * Sample of what visiting each site looks like:{{ :linux_wiki:apache_vhosts_firefox.png |}}

----
- 
===== Virtual Hosts: Single Domain with Site Sub Dirs =====

An alternative to separate sub-domains is a single domain with sub-directories hosting different sites.

Example Sites
  * server1 => the server's normal DNS entry and "default" virtual host
  * mysite.example.com => main site and "default" virtual host
  * mysite.example.com/site1 => site 1
  * mysite.example.com/site2 => site 2

  * Create a new file: /etc/httpd/conf.d/virtual_hosts.conf<code bash># Directory for virtual host sites
<Directory "/www">
  # Indexes enables directory listings wherever no index file exists; drop it in production
  Options Indexes FollowSymLinks
  AllowOverride None
  # Apache 2.4 syntax; on Apache 2.2 (EL6) use "Order allow,deny" and "Allow from all" instead
  Require all granted
</Directory>

# Default catch all
<VirtualHost _default_:80>
  DocumentRoot /www/default
  ServerName mysite.example.com
  ServerAdmin webmaster@mysite.example.com
  ErrorLog logs/mysite.example.com-error_log
  CustomLog logs/mysite.example.com-access_log common

  # Site 1: Alias maps the URL prefix onto a directory; the SetEnvIf/CustomLog pair
  # gives the site its own access log, and the <Directory> block is where per-site
  # access rules go (it currently repeats the grant inherited from /www)
  Alias /site1 /www/site1
  SetEnvIf Request_URI "^/site1/.*$" site1_log
  CustomLog logs/site1-access_log common env=site1_log
  <Directory "/www/site1">
    Require all granted
  </Directory>

  # Site 2
  Alias /site2 /www/site2
  SetEnvIf Request_URI "^/site2/.*$" site2_log
  CustomLog logs/site2-access_log common env=site2_log
  <Directory "/www/site2">
    Require all granted
  </Directory>

</VirtualHost></code>
  * Create the new directories<code bash>mkdir -p /www/{default,site1,site2}</code>
  * Create test indexes<code bash>echo "default site" > /www/default/index.html
echo "site1 content" > /www/site1/index.html
echo "site2 content" > /www/site2/index.html</code>
  * Reload Apache config files (the syntax is checked first; a broken file refuses to load)<code bash>apachectl graceful</code>
  * DNS entries will need to be made (/etc/hosts for demonstration purposes)<code bash>vim /etc/hosts
192.168.1.150 server1 mysite.example.com</code>
  * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}

----
- 
====== Operation ======

Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl). On EL7 the packaged unit maps onto the same signals: "systemctl reload httpd" runs "httpd -k graceful" and "systemctl restart httpd" does a full stop and start.

  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log (/var/log/httpd/error_log for the packaged install)

----

==== Start ====

  * Check syntax; if errors are found, refuse to start.
  * Start the httpd parent process, which starts the number of workers specified in the config files via the "StartServers <number>" directive.

<code bash>
apachectl -k start
</code>

----

==== Stop ====

  * Immediately stop the httpd process and kill its workers.
  * User connections in progress are terminated.

<code bash>
apachectl -k stop
</code>

----

==== Graceful Restart ====

  * Check syntax; if errors are found, refuse to restart.
  * The parent process re-reads its configuration (re-opening log files and certificates) and starts new workers right away.
  * Existing workers are advised to exit after finishing their current request.
  * This does **not** interrupt user connections, which makes it the right signal for certificate renewals and routine config changes.

<code bash>
apachectl -k graceful
</code>

----

==== Restart ====

  * Check syntax; if errors are found, refuse to restart.
  * The parent process kills its workers, re-reads its configuration and starts new workers.
  * This interrupts user connections.

<code bash>
apachectl -k restart
</code>

----

==== Graceful Stop ====

  * The parent process advises workers to shut down after their current requests, then exits itself.
  * New requests are not accepted.
  * This does **not** interrupt user connections.

<code bash>
apachectl -k graceful-stop
</code>

----
  