Difference between revisions of "Apache"
Edit summaries: (→SSL Providers: clarify); m (added Category:Webserver using HotCat). 4 intermediate revisions by one other user not shown.
Lines added after the Canonical Domain rewrite rule in this revision:
* Flags: No Case, Last, Redirect permanent, No Escape <ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>
* Response Code: 301 = Permanent <ref>https://tools.ietf.org/html/rfc2616</ref>
Revision as of 10:14, 26 September 2016
Apache (the webserver) is a freely licensed project of the Apache Software Foundation.
Docs
In addition to the extensive online documentation of the Apache project, you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar.
Canonical Domain
Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.
<source lang="apache">
<VirtualHost *:80>
    # Plain-HTTP vhost: answer the 'www' subdomain and all TLD aliases,
    # then send every request to the canonical HTTPS name.
    ServerName equality-tech.com
    ServerAlias www.equality-tech.com
    ServerAlias equality-tech.info
    ServerAlias www.equality-tech.info
    ServerAlias equality-tech.net
    ServerAlias www.equality-tech.net
    ServerAlias equality-tech.org
    ServerAlias www.equality-tech.org
    Redirect permanent "/" "https://equality-tech.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName equality-tech.com
    # answer calls to these names as well
    ServerAlias www.equality-tech.com
    ServerAlias equality-tech.info
    ServerAlias www.equality-tech.info
    ServerAlias equality-tech.net
    ServerAlias www.equality-tech.net
    ServerAlias equality-tech.org
    ServerAlias www.equality-tech.org
    ServerAlias equality-tech.local
    # TLS certificate directives for this vhost are set in the site file (see Secure Server).
    # forward all calls to our canonical name; NC makes the host comparison
    # case-insensitive and the dot is escaped so it matches literally
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^equality-tech\.com [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
</VirtualHost>
</source>
Secure Server
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems; see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is apache2 rather than httpd, so to find out which modules are built in or enabled you would type
<source lang="bash">
sudo apache2 -l
</source>
If mod_ssl.so is not listed in the output, it can be easily enabled with the a2enmod command:
<source lang="bash">
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
</source>
A script for generating randomness (to help in creating a more cryptographically secure SSL key):
<source lang="python">
#!/usr/bin/env python3
# Write 9999 random alphanumeric characters to stdout, as extra seed
# material for openssl. secrets (a CSPRNG) replaces the original
# random.Random(), which is not suitable for cryptographic use.
import secrets
import string
import sys

ALPHABET = string.ascii_letters + string.digits
for _ in range(1, 10000):
    sys.stdout.write(secrets.choice(ALPHABET))
</source>
And then use that to create and store some randomness:
<source lang="bash">
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl as additional seed material
# (1024 bits is the size used in the video; 2048 bits or more is current guidance)
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
</source>
Do this if you want to remove the passphrase from the server key (useful if you want the SSL server to restart unattended):
<source lang="bash">
sudo openssl rsa -in server.key -out server.pem
</source>
Generate the certificate signing request and self-sign it:
<source lang="bash">
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
</source>
Copy the certificate and key over to the configuration directory and restrict their permissions:
<source lang="bash">
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
</source>
Modify the (default) configuration file (only if you want to change the available ciphers used):
<source lang="bash">
sudo vi /etc/apache2/mods-available/ssl.conf
</source>
My Ubuntu system comes pre-configured to allow medium to highly secure ciphers:
<source lang="apache">
SSLCipherSuite HIGH:MEDIUM:!ADH
</source>
Now configure our directory paths and permissions in an Apache configuration file:
<source lang="bash">
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
</source>
In addition to setting Document Root, I modified these two directives:
<source lang="apache">
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.pem
</source>
<source lang="bash">
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
</source>
SSL Providers
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from, plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. However, a new and very interesting service is available from the Let's Encrypt project: they automate free certificate installation, making TLS security accessible to all. If you want expert help in getting your site secured, contact eQuality Technology.
Security
Check out the NIST and DISA checklist and STIG docs; they are good places to start, as their checks are based on industry best practices and Apache httpd CVEs.
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
Thank the US tax payers =)
Support / Customization
There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.
Quick Check
You have a bunch of virtual hosts configured by various files in your Apache's configuration directories. Since you can output them all with apache2ctl -S, you can also do a bit more parsing of the output to quickly check whether they're all responding.
<source lang="bash">
# Collect every name Apache answers for from the "default server", "namevhost"
# and "alias" lines of apache2ctl -S (2>&1 because older releases print the
# dump to stderr), then send a HEAD request to each one.
for x in $(apache2ctl -S 2>&1 | awk '/default server / { print $3 } /namevhost / { print $4 } /alias/ { print $2 }' | sort -u); do
    echo "checking $x"
    curl --head --location "http://$x"
done
</source>
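As an added example (not code from the original page), here is a Python version of the same check that also verifies the Canonical Domain redirects: it extracts vhost names from a constructed `apache2ctl -S` dump with the same three patterns as the awk pipeline, models the port 80 Redirect and the port 443 RewriteCond/RewriteRule as an exact case-insensitive host comparison, and checks observed (status, Location) pairs against that policy. `probe()` is an assumed helper that performs a live HEAD without following redirects, so the 301 itself is observed rather than the page it leads to.

```python
import http.client
import re

CANONICAL = "equality-tech.com"

# Constructed sample of `apache2ctl -S` output for this page's vhosts (not a real capture).
SAMPLE_DUMP = """\
*:80                   is a NameVirtualHost
         default server equality-tech.com (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost equality-tech.com (/etc/apache2/sites-enabled/000-default:1)
                 alias www.equality-tech.com
                 alias equality-tech.info
*:443                  is a NameVirtualHost
         default server equality-tech.com (/etc/apache2/sites-enabled/mysite-ssl:2)
         port 443 namevhost equality-tech.com (/etc/apache2/sites-enabled/mysite-ssl:2)
                 alias equality-tech.local
"""

def vhost_names(dump):
    """Same three patterns as the awk pipeline: 'default server', 'namevhost' and 'alias'."""
    names = set()
    for line in dump.splitlines():
        m = re.search(r"default server (\S+)|namevhost (\S+)|^\s*alias (\S+)", line)
        if m:
            names.add(next(g for g in m.groups() if g))
    return sorted(names)

def expected_location(host, path, scheme):
    """Redirect target the two VirtualHosts should produce, or None when served directly."""
    target = f"https://{CANONICAL}/" + path.lstrip("/")
    if scheme == "http":                 # port 80: Redirect permanent "/" -> https canonical
        return target
    if host.lower() != CANONICAL:        # port 443: RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]
        return target
    return None                          # canonical https host: no redirect

def check_response(host, path, scheme, status, location):
    """True when an observed (status, Location) pair matches the canonical-redirect policy."""
    want = expected_location(host, path, scheme)
    return status == 200 if want is None else (status == 301 and location == want)

def probe(host, path="/", scheme="http"):
    """Assumed helper: live HEAD request that does not follow redirects, so the 301 is visible."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")
```

To run it against a live server, feed real `apache2ctl -S` output to `vhost_names()` and pass each name's `probe()` result into `check_response()`.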