linux_wiki:apache_http_server

linux_wiki:apache_http_server [2016/01/30 23:55]
billdozor [Compile and Install]
linux_wiki:apache_http_server [2019/05/25 23:50] (current)
Line 6: Line 6:
  
 **Checklist** **Checklist**
-  * Distro: Enterprise Linux 6 or 7+  * Distro(s): Enterprise Linux 6/7
  
 ---- ----
Line 16: Line 16:
 ---- ----
  
-===== Repo Install =====+===== Repo: EPEL =====
  
   * CentOS 6.7: Apache 2.2   * CentOS 6.7: Apache 2.2
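Review bot: the heading now reads "Repo: EPEL", but nothing in this section enables EPEL, and the version listed directly under it (CentOS 6.7: Apache 2.2, installed with plain yum) is what the distribution's own base repository ships. Either add the EPEL enable step the heading implies, or name the section after the repository the commands actually use, so a reader does not enable a third-party repo they do not need.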
Line 42: Line 42:
 yum -y install mod_ssl yum -y install mod_ssl
 </code> </code>
 +
 +----
 +
 +===== Repo: Software Collections =====
 +
 +Versions as of 04/13/2016:
 +  * httpd 2.4
 +
 +  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
 +  - Install<code bash>yum install httpd24</code>
 +  - Enable the software collection<code bash>scl enable httpd24 bash</code>
 +    - Control operation as below.
  
 ---- ----
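Review bot: `scl enable httpd24 bash` starts a child shell with the collection's paths in effect, and only that shell sees it, so the step should say the enable is per-session and must be repeated in each new terminal (or wrapped into the service unit). "Control operation as below" also depends on page position; link it to the Operation section instead, and note there that the collection's `apachectl` is the one under the httpd24 root rather than the base system's. Minor: the "Versions as of 04/13/2016" stamp uses a different date format from the yyyy/mm/dd revision stamps elsewhere on the page.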
Line 47: Line 59:
 ===== Compile and Install ===== ===== Compile and Install =====
  
 +If you need a newer feature than what is available in the repo installed versions, you may need to compile and install.
 +
 +**Prerequisites**
 +  * Install gcc in order to compile packages<code bash>yum install gcc</code>
 +  * Install apr-devel, apr-util-devel, and pcre-devel<code bash>yum install apr-devel apr-util-devel pcre-devel</code>
 +    * apr = Apache Portable Runtime
 +    * pcre = Perl-Compatible Regular Expressions Library
 +    * If you really want to compile these as well for newer versions, see here: [[http://httpd.apache.org/docs/2.4/install.html#requirements]]
 +\\
 +**Install Procedure**
   * Download   * Download
     * Visit the download page: [[http://httpd.apache.org/download.cgi]]     * Visit the download page: [[http://httpd.apache.org/download.cgi]]
     * Wget a link to the desired version(example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>     * Wget a link to the desired version(example with a mirror)<code bash>wget http://www.webhostingjams.com/mirror/apache/httpd/httpd-2.4.18.tar.gz</code>
-  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz</code> +  * Extract Apache<code bash>tar -zxvf httpd-2.4.18.tar.gz 
-  * Download APR and APR-Util into the httpd-2.4.18/srclib dir +cd httpd-2.4.18</code> 
-    * Visit the download page: [[http://apr.apache.org/download.cgi]] +  * Configure Apache from httpd-2.4.18/<code bash>./configure --prefix=PREFIX</code>
-    * Wget a link to apr and apr-util(examples)<code bash>cd httpd-2.4.18/srclib +
-wget http://download.nextag.com/apache/apr/apr-1.5.2.tar.gz +
-wget http://download.nextag.com/apache/apr/apr-util-1.5.4.tar.gz</code> +
-  * Extract APR and APR-Util<code bash>tar -zxvf apr-1.5.2.tar.gz +
-tar -zxvf apr-util-1.5.4.tar.gz</code> +
-  * Rename APR and APR-Util dirs to loose the version number<code bash>mv apr-1.5.2 apr +
-mv apr-util-1.5.4 apr-util</code> +
-  * Configure Apache from httpd-2.4.18/<code bash>cd .. +
-./configure --prefix=PREFIX</code>+
     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"     * --prefix=PREFIX => Where "PREFIX" is the directory where you want Apache to be installed, such as "/opt/apache"
   * Compile<code bash>make</code>   * Compile<code bash>make</code>
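Review bot: the Download step fetches httpd-2.4.18.tar.gz over plain http from a third-party mirror and the procedure goes straight to tar, configure and make with no integrity check, so a tampered tarball would become the web server binary. Add a step between Download and Extract that fetches the .asc signature (or the published checksum) from httpd.apache.org itself and verifies the tarball against it, e.g. `gpg --verify httpd-2.4.18.tar.gz.asc httpd-2.4.18.tar.gz` after importing the project's KEYS file. Dropping the bundled-APR steps in favour of apr-devel/apr-util-devel is fine, but the Prerequisites bullet should state the minimum APR version httpd 2.4 needs, since the EL6 packages may be older than the link at the end of that bullet allows for. Style: the bare `\\` line before **Install Procedure** is a forced line break; a blank line gives the same separation the other sections use.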
Line 99: Line 112:
   * Default: NameVirtualHost *:80 (and commented out)   * Default: NameVirtualHost *:80 (and commented out)
  
-Disable Trace/Track (a XSS Vulnerability)+Security Configs
 <code bash> <code bash>
 +##-- Security --##
 +#- Information Disclosure -#
 +ServerTokens Prod
 +ServerSignature Off
 +
 +# FileETag: File attributes used to create the ETag HTTP response header for static files
 +FileETag -INode +MTime +Size
 +
 +#- Web Application Security -#
 +# Trace/Track - disabled for security purposes
 TraceEnable Off TraceEnable Off
 +
 +# Cross-Frame Scripting prevention (click jacking)
 +# DENY = Deny all attempts to frame the page
 +Header always append X-Frame-Options DENY
 +
 +# Cross Site Scripting protection
 +Header set X-XSS-Protection "1; mode=block"
 +Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 +##-- End of Security Settings --##
 </code> </code>
  
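Review bot: `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` rewrites every Set-Cookie unconditionally, so a cookie the application already marks HttpOnly gets the attribute twice, and a cookie issued by the plain-HTTP vhost gains Secure and is then never returned by the browser; scope this block to the :443 host section (or add a condition that skips cookies already carrying the attribute) and say so in the comment. `Header always append X-Frame-Options DENY` will produce a comma-joined value if a backend application already sets that header; `set` is the intended behaviour here. All of the `Header` lines also require mod_headers, which this block does not mention (the HSTS section further down does), so add the `LoadModule headers_module` note here as well.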
Line 120: Line 152:
 Protocol and Ciphers Protocol and Ciphers
 <code bash> <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1 +SSLProtocol TLSv1.2 
-SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM+SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
 </code> </code>
   * Default SSLProtocol: all -SSLv2   * Default SSLProtocol: all -SSLv2
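Review bot: the replaced `SSLProtocol TLS1.2 +TLSv1.1 +TLSv1` line was a genuine error (mod_ssl does not recognise the token "TLS1.2"; the name is TLSv1.2), so the new single-value line fixes a config that would not have loaded; worth saying in the bullets that TLSv1.2-only is now the intent. The new cipher string still excludes DHE/EDH, which removes every finite-field forward-secrecy suite and leaves ECDHE as the only forward-secret option, so document that choice next to the directive. Since the string changed, the `openssl ciphers -v '<string>'` check from the SSL Verification section should be re-run with the new value and its output reflected here.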
Line 131: Line 163:
 </code> </code>
  
-==== SSL Verification ====+----
  
-Check what ciphers will be used given an Apache config +===== Other Security Settings =====
-<code bash> +
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM' +
-</code>+
  
-Verify server offered ciphers +Other important security settings. 
-<code bash> + 
-sslscan --no-failed 10.1.2.3:443 +==== Redirect HTTP to HTTPS ==== 
-</code> + 
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"+Redirect all HTTP to HTTPS<code bash><VirtualHost *:80> 
 +  ServerName example.com 
 +  <IfModule mod_rewrite.c> 
 +    RewriteEngine On 
 +    RewriteCond %{HTTPS} off 
 +    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
 +  </IfModule> 
 +</VirtualHost></code> 
 + 
 +---
 + 
 +==== HSTS ==== 
 + 
 +Enabling HTTPS Strict Transport Security (HSTS). 
 + 
 +Add the strict transport security header to the listening HTTPS host section 
 +<code bash># Optionally load the headers module: 
 +LoadModule headers_module modules/mod_headers.so 
 + 
 +<VirtualHost *:443
 +    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" 
 +</VirtualHost></code> 
 +  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
  
 ---- ----
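Review bot: `<VirtualHost *:443` in the HSTS block is missing its closing `>`, so the example as written is a syntax error and httpd will refuse to start; fix it to `<VirtualHost *:443>`. In the redirect block, `RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}` has no flags, so the redirect is whatever mod_rewrite defaults to for an absolute URL; make it explicit and permanent with `[R=301,L]` so browsers cache the HTTPS location. This hunk also deletes the whole SSL Verification section (the `openssl ciphers -v` and `sslscan` checks), leaving the page with no way to confirm the protocol and cipher settings above actually took effect; keep those two commands, under Other Security Settings if the old heading is unwanted. Style: the separator before the HSTS heading is `---` (three dashes), which DokuWiki renders as text rather than a rule; the rest of the page uses `----`.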
Line 248: Line 299:
 192.168.1.150 server1 mysite.example.com</code> 192.168.1.150 server1 mysite.example.com</code>
   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}
 +
 +----
 +
 +====== Operation ======
 +
 +Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
 +
 +  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
 +
 +----
 +
 +==== Start ====
 +
 +  * Check syntax, if errors are found, refuse to start.
 +  * Start the httpd process and start the number of workers specified on the config files via the "StartServers <number>" directive.
 +
 +<code bash>
 +apachectl -k start
 +</code>
 +
 +----
 +
 +==== Stop ====
 +
 +  * Immediately stop the httpd process and kill workers.
 +  * User connections in progress are terminated.
 +
 +<code bash>
 +apachectl -k stop
 +</code>
 +
 +----
 +
 +==== Graceful Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process advises that workers shutdown after their current requests.
 +  * Once all workers have finished and exited, start up.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful
 +</code>
 +
 +----
 +
 +==== Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process kills workers, then starts up.
 +  * This interrupts user connections.
 +
 +<code bash>
 +apachectl -k restart
 +</code>
 +
 +----
 +
 +==== Graceful Stop ====
 +
 +  * Parent process advises that workers shutdown after their current requests.
 +  * New requests are not accepted.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful-stop
 +</code>
  
 ---- ----
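Review bot: every command in this section is a bare `apachectl -k ...`, but the page now documents three installs that each ship their own control script: the repo package (`/usr/sbin/apachectl`), the software collection (under the httpd24 root, only on PATH after `scl enable`), and the compiled install (`PREFIX/bin/apachectl`, e.g. /opt/apache/bin/apachectl). State which one is meant or show the full path, otherwise a reader with a compiled install will signal the wrong daemon or none at all. The opening sentence should also qualify "instead of the OS service control interface": on EL7 the repo package is managed by its systemd unit, and stopping it with apachectl leaves systemd's view of the service stale. Style: this heading uses `======` (level 1) while its subsections jump to `====`, skipping the `=====` level the rest of the page uses for top-level sections.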
  
  • linux_wiki/apache_http_server.1454216156.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)