linux_wiki:apache_http_server

Differences

linux_wiki:apache_http_server [2016/01/31 00:07]
billdozor [Compile and Install]
linux_wiki:apache_http_server [2019/05/25 23:50] (current)
Line 6: Line 6:
  
 **Checklist** **Checklist**
-  * Distro: Enterprise Linux 6 or 7+  * Distro(s): Enterprise Linux 6/7
  
 ---- ----
Line 16: Line 16:
 ---- ----
  
-===== Repo Install =====+===== Repo: EPEL =====
  
   * CentOS 6.7: Apache 2.2   * CentOS 6.7: Apache 2.2
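Review bot: The renamed heading "Repo: EPEL" introduces a repository name that nothing in the hunk backs up; the only visible entry, "CentOS 6.7: Apache 2.2", does not say which repo supplies that package or how the repo is enabled. Add the enable step or a repo link under the heading, the way the Software Collections section below links to its repo page, so the heading is supported by the steps beneath it.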
Line 42: Line 42:
 yum -y install mod_ssl yum -y install mod_ssl
 </code> </code>
 +
 +----
 +
 +===== Repo: Software Collections =====
 +
 +Versions as of 04/13/2016:
 +  * httpd 2.4
 +
 +  - Add the [[linux_wiki:repos#software_collections|software collections repo]].
 +  - Install<code bash>yum install httpd24</code>
 +  - Enable the software collection<code bash>scl enable httpd24 bash</code>
 +    - Control operation as below.
  
 ---- ----
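Review bot: Step 3, `scl enable httpd24 bash`, only opens a subshell with the collection's binaries on PATH; it does not start the server, and the nested item "Control operation as below" never says which command is meant. State that the apachectl used in the Operation section must be the collection's one (run inside that scl shell) or name the collection's service unit (httpd24-httpd), otherwise a reader following the steps will be controlling the base-repo httpd from the previous section rather than httpd24.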
Line 100: Line 112:
   * Default: NameVirtualHost *:80 (and commented out)   * Default: NameVirtualHost *:80 (and commented out)
  
-Disable Trace/Track (a XSS Vulnerability)+Security Configs
 <code bash> <code bash>
 +##-- Security --##
 +#- Information Disclosure -#
 +ServerTokens Prod
 +ServerSignature Off
 +
 +# FileETag: File attributes used to create the ETag HTTP response header for static files
 +FileETag -INode +MTime +Size
 +
 +#- Web Application Security -#
 +# Trace/Track - disabled for security purposes
 TraceEnable Off TraceEnable Off
 +
 +# Cross-Frame Scripting prevention (click jacking)
 +# DENY = Deny all attempts to frame the page
 +Header always append X-Frame-Options DENY
 +
 +# Cross Site Scripting protection
 +Header set X-XSS-Protection "1; mode=block"
 +Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
 +##-- End of Security Settings --##
 </code> </code>
  
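Review bot: `Header always append X-Frame-Options DENY` should be `Header always set X-Frame-Options DENY`: `append` merges into an existing header value with a comma, so an application that already sends SAMEORIGIN ends up emitting `SAMEORIGIN, DENY`, which browsers do not accept as a valid directive. The `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` line rewrites every cookie on every host that inherits this block, including the port-80 VirtualHost added further down, where a `Secure` cookie is never returned by the browser; scope it to the :443 host and document that cookies an application reads from JavaScript stop working once HttpOnly is forced on them. The block also depends on mod_headers without saying so; the `LoadModule headers_module` comment that the HSTS section carries belongs here as well.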
Line 121: Line 152:
 Protocol and Ciphers Protocol and Ciphers
 <code bash> <code bash>
-SSLProtocol TLS1.2 +TLSv1.1 +TLSv1 +SSLProtocol TLSv1.2 
-SSLCipherSuite HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM+SSLCipherSuite HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4
 </code> </code>
   * Default SSLProtocol: all -SSLv2   * Default SSLProtocol: all -SSLv2
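Review bot: The TLS1.2 to TLSv1.2 typo fix is right, but the cipher string `HIGH:!MEDIUM:!3DES:!ADH:!AECDH:!DHE:!EDH:!RC4` removes DHE while leaving static-RSA key exchange in `HIGH`, so the server can still negotiate suites with no forward secrecy, and nothing in the hunk sets `SSLHonorCipherOrder on`, so the client rather than the server picks among what remains. Add `SSLHonorCipherOrder on` and put the ECDHE suites first in the list (OpenSSL's `ECDHE` keyword selects them), so that forward-secret suites are preferred whenever the client supports them.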
Line 132: Line 163:
 </code> </code>
  
-==== SSL Verification ====+----
  
-Check what ciphers will be used given an Apache config +===== Other Security Settings =====
-<code bash> +
-openssl ciphers -v 'HIGH:!DHE:!EDH:!RC4:!ADH:!MEDIUM' +
-</code>+
  
-Verify server offered ciphers +Other important security settings. 
-<code bash> + 
-sslscan --no-failed 10.1.2.3:443 +==== Redirect HTTP to HTTPS ==== 
-</code> + 
-  * Look for "Supported Server Cipher(s)" and "Preferred Server Cipher(s)"+Redirect all HTTP to HTTPS<code bash><VirtualHost *:80> 
 +  ServerName example.com 
 +  <IfModule mod_rewrite.c> 
 +    RewriteEngine On 
 +    RewriteCond %{HTTPS} off 
 +    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
 +  </IfModule> 
 +</VirtualHost></code> 
 + 
 +---
 + 
 +==== HSTS ==== 
 + 
 +Enabling HTTPS Strict Transport Security (HSTS). 
 + 
 +Add the strict transport security header to the listening HTTPS host section 
 +<code bash># Optionally load the headers module: 
 +LoadModule headers_module modules/mod_headers.so 
 + 
 +<VirtualHost *:443
 +    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;" 
 +</VirtualHost></code> 
 +  * max-age=63072000 -> Tell web browsers to connect to the site using HTTPS only for two years. Countdown is reset each time the site is visited.
  
 ---- ----
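Review bot: `<VirtualHost *:443` in the HSTS block is missing its closing `>`, so `apachectl configtest` rejects the file as written. The HTTP-to-HTTPS `RewriteRule` carries no flags; add `[R=301,L]` so the redirect is explicitly permanent and rule processing stops there, or drop mod_rewrite and use `Redirect permanent / https://example.com/` inside the :80 host. The `---` separator before the HSTS heading is one dash short of the `----` rule used elsewhere on the page and will render as literal text. Two documentation points: `includeSubdomains` with a two-year `max-age` commits every subdomain of the host to HTTPS for that period, so that prerequisite belongs next to the max-age bullet; and the removed "SSL Verification" steps (`openssl ciphers -v` and `sslscan`) are exactly the checks that confirm the SSLCipherSuite change in the previous hunk, so they are worth keeping rather than deleting.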
Line 249: Line 299:
 192.168.1.150 server1 mysite.example.com</code> 192.168.1.150 server1 mysite.example.com</code>
   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}   * Sample of what visiting each site looks like:{{ :linux_wiki:apache_single-domain_subdirs.png |}}
 +
 +----
 +
 +====== Operation ======
 +
 +Controlling the Apache httpd service: Apache recommends using the "apachectl" signals instead of the OS service control interface (service/systemctl).
 +
 +  * After sending a signal to httpd, watch its progress in the error_log file: logs/error_log
 +
 +----
 +
 +==== Start ====
 +
 +  * Check syntax, if errors are found, refuse to start.
 +  * Start the httpd process and start the number of workers specified on the config files via the "StartServers <number>" directive.
 +
 +<code bash>
 +apachectl -k start
 +</code>
 +
 +----
 +
 +==== Stop ====
 +
 +  * Immediately stop the httpd process and kill workers.
 +  * User connections in progress are terminated.
 +
 +<code bash>
 +apachectl -k stop
 +</code>
 +
 +----
 +
 +==== Graceful Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process advises that workers shutdown after their current requests.
 +  * Once all workers have finished and exited, start up.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful
 +</code>
 +
 +----
 +
 +==== Restart ====
 +
 +  * Check syntax, if errors are found, refuse to restart.
 +  * Parent process kills workers, then starts up.
 +  * This interrupts user connections.
 +
 +<code bash>
 +apachectl -k restart
 +</code>
 +
 +----
 +
 +==== Graceful Stop ====
 +
 +  * Parent process advises that workers shutdown after their current requests.
 +  * New requests are not accepted.
 +  * This does **not** interrupt user connections.
 +
 +<code bash>
 +apachectl -k graceful-stop
 +</code>
  
 ---- ----
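Review bot: The Operation intro tells readers to use apachectl "instead of" service/systemctl, but on Enterprise Linux 7 (one of the distros in the checklist) the packaged /usr/sbin/apachectl is a wrapper that itself calls systemctl for start, stop and restart, and starting httpd behind systemd's back leaves the unit state out of sync; qualify the sentence for EL7 (systemctl or the wrapper for start/stop/restart, `apachectl -k graceful` and `graceful-stop` for the signal-only operations). The Start, Restart and Graceful Restart bullets each mention the syntax check but never show it; add `apachectl configtest` (or `httpd -t`) as an explicit step so the check can be run on its own before touching a production host.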
  
  • linux_wiki/apache_http_server.1454216829.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)