Apache: Difference between revisions

(15 intermediate revisions by 2 users not shown)

Line 1:

== Docs ==

Apache (the webserver) is a [https://www.apache.org/free/ freely licensed] project of the Apache Software Foundation.

==Docs==

In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar

== Secure Server ==

The [https://help.ubuntu.com/lts/serverguide/httpd.html Ubuntu Server Guide] is also a helpful documentation source.

==Canonical Domain==

Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.

# redirect 'www' subdomain

# and all tld aliases

ServerName equality-tech.com

ServerAlias www.equality-tech.com

ServerAlias equality-tech.info

ServerAlias www.equality-tech.info

ServerAlias equality-tech.net

ServerAlias www.equality-tech.net

ServerAlias equality-tech.org

ServerAlias www.equality-tech.org

Redirect permanent "/" "https://equality-tech.com/"

</VirtualHost>

ServerName equality-tech.com

# answer calls to these numbers as well

ServerAlias www.equality-tech.com

ServerAlias equality-tech.info

ServerAlias www.equality-tech.info

ServerAlias equality-tech.net

ServerAlias www.equality-tech.net

ServerAlias equality-tech.org

ServerAlias www.equality-tech.org

ServerAlias equality-tech.local

# forward all calls to our canonical name

RewriteEngine on

RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]

RewriteCond %{HTTP_HOST} !^$

RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]

</syntaxhighlight>

*Flags: No Case, Last, Redirect permanent, No Escape <ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>

*Response Code: 301 = Permanent <ref>https://tools.ietf.org/html/rfc2616</ref>

==Rewrites==

Use .htaccess ONLY for testing rules on-the-fly during development

so that you don't have to constantly reload Apache.

Once the rule is tested and works, it should be placed into the

proper Virtual Host configuration file.

e.g. /etc/apache2/sites-available/foo.conf

This is because the conf gets loaded into memory once during

startup whereas the .htaccess file needs to be loaded

FROM DISK on every single request. This slows a web

server. So, don't even leave .htaccess files lying around

empty. Nuke 'em.

See https://httpd.apache.org/docs/2.4/rewrite/tech.html

about the differences between per-directory context.

Basically, the path as seen in .conf will start with /

whereas the path as seen by .htaccess in / will have the

leading slash stripped already. That's why we use <code>^/?</code>

to make rules work in both contexts. But rules further down

the filesystem hierarchy will have a greater difference

between the .conf version and the .htaccess version (or

you can place the rules in a <directory> stanza)

==Secure Server==

These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache

For Debian-based distros, the apache binary is '''apache2''' rather than httpd, so for finding out what modules are built-in or enabled you would type

<~~source~~ lang="bash">

sudo apache2 -l

</~~source~~>

</syntaxhighlight>

If mod_ssl.so is not listed in the output, it can be easily enabled by using the [[a2enmod]] command

<~~source~~ lang="bash">

sudo a2enmod ssl

Enabling module ssl.

See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.

Run '/etc/init.d/apache2 restart' to activate new configuration!

</~~source~~>

</syntaxhighlight>

A script for generating randomness (to help in creating a more cryptographically secure SSL key)

<~~source~~ lang="python">

#! /usr/bin/env python

Line 30:

Line 98:

Random().sample(string.letters +

string.digits, 1)[0])

</~~source~~>

</syntaxhighlight>

And then use that to create and store some randomness.

<~~source~~ lang="bash">

./randomness.py > file1

./randomness.py > file2

Line 38:

Line 106:

# which is then fed into openssl

sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024

</~~source~~>

</syntaxhighlight>

Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)

<~~source~~ lang="bash">

sudo openssl rsa -in server.key -out server.pem

</~~source~~>

</syntaxhighlight>

Generate the signed certificate

<~~source~~ lang="bash">

sudo openssl req -new -key server.pem -out server.csr

sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt

</~~source~~>

</syntaxhighlight>

Copy certificate over to the configuration directory

<~~source~~ lang="bash">

sudo cp server.pem server.crt /etc/apache2/

sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt

</~~source~~>

</syntaxhighlight>

{{Messagebox

Line 63:

Line 131:

Modify the (default) configuration file (only if you want to change the available ciphers used)

<~~source~~ lang="bash">

sudo vi /etc/apache2/mods-available/ssl.conf

</~~source~~>

</syntaxhighlight>

My ubuntu system comes pre-configured to allow medium to highly secure ciphers

Line 71:

Line 139:

Now configure our directory paths, and permissions in an Apache configuration file

<~~source~~ lang="bash">

sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl

sudo vi /etc/apache2/sites-available/mysite-ssl

</~~source~~>

</syntaxhighlight>

In addition to setting Document Root, I modified these two directives:

Line 82:

Line 150:

</pre>

<~~source~~ lang="bash">

# enable the site

sudo a2ensite mysite-ssl

Line 89:

Line 157:

# restart the server

sudo apache2ctl graceful

</~~source~~>

</syntaxhighlight>

==SSL Providers==

Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. We use the [[TLS|Lets Encrypt]] project: They automate free certificate installation, making TLS security accessible to all. If you want expert help in getting your site secured, contact {{CompanyName}}

==Security==

Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.

http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip

http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip

Thank the US tax payers =)

==Support / Customization==

There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.

==Quick Check==

You have a bunch of virtual hosts configured by various files in your Apache's configuration directories. Since you can output them all with <code>apache2ctl -S</code>, you can also do a bit more parsing of the output to be able to quickly check if they're all responding.

for x in `apachectl -S 2>&1 | awk '/default server / { g=$3; print g} /namevhost / { g=$4; print g } /alias/ { g=$2; print g }' | sort -u`; do echo "checking $x"; curl --head --location http://$x; done

</syntaxhighlight>

=~~= SSL Providers ==~~

Who are the zombies trying to crack your WordPress site?

~~Check your domain registrar~~ for ~~their services~~ or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. If you want expert help in getting your site secured, ~~contact http:~~//~~eQuality~~-~~Tech.com~~

awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log

</syntaxhighlight>

or,

grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c

</syntaxhighlight>

[[Category:Howto]]

[[Category:Apache]]

[[Category:System Administration]]

[[Category:Security]]

[[Category:Company]]

[[Category:Webserver]]

@@ Line 1: / Line 1: @@
-== Docs ==
+Apache (the webserver) is a [https://www.apache.org/free/ freely licensed] project of the Apache Software Foundation.
+==Docs==
 In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
-== Secure Server ==
+The [https://help.ubuntu.com/lts/serverguide/httpd.html Ubuntu Server Guide] is also a helpful documentation source.
+==Canonical Domain==
+Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.
+<syntaxhighlight lang="apache">
+<VirtualHost *:80>
+  # redirect 'www' subdomain
+  # and all tld aliases
+  ServerName      equality-tech.com
+  ServerAlias www.equality-tech.com
+  ServerAlias     equality-tech.info
+  ServerAlias www.equality-tech.info
+  ServerAlias     equality-tech.net
+  ServerAlias www.equality-tech.net
+  ServerAlias     equality-tech.org
+  ServerAlias www.equality-tech.org
+  Redirect permanent "/" "https://equality-tech.com/"
+</VirtualHost>
+<VirtualHost *:443>
+  ServerName      equality-tech.com
+  # answer calls to these numbers as well
+  ServerAlias www.equality-tech.com
+  ServerAlias     equality-tech.info
+  ServerAlias www.equality-tech.info
+  ServerAlias     equality-tech.net
+  ServerAlias www.equality-tech.net
+  ServerAlias     equality-tech.org
+  ServerAlias www.equality-tech.org
+  ServerAlias equality-tech.local
+  # forward all calls to our canonical name
+  RewriteEngine on
+  RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]
+  RewriteCond %{HTTP_HOST} !^$
+  RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
+</syntaxhighlight>
+*Flags: No Case, Last, Redirect permanent, No Escape <ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>
+*Response Code: 301 = Permanent <ref>https://tools.ietf.org/html/rfc2616</ref>
+==Rewrites==
+Use .htaccess ONLY for testing rules on-the-fly during development
+so that you don't have to constantly reload Apache.
+Once the rule is tested and works, it should be placed into the
+proper Virtual Host configuration file.
+e.g. /etc/apache2/sites-available/foo.conf
+This is because the conf gets loaded into memory once during
+startup whereas the .htaccess file needs to be loaded
+FROM DISK on every single request. This slows a web
+server. So, don't even leave .htaccess files lying around
+empty. Nuke 'em.
+See https://httpd.apache.org/docs/2.4/rewrite/tech.html
+about the differences between per-directory context.
+Basically, the path as seen in .conf will start with /
+whereas the path as seen by .htaccess in / will have the
+leading slash stripped already. That's why we use <code>^/?</code>
+to make rules work in both contexts. But rules further down
+the filesystem hierarchy will have a greater difference
+between the .conf version and the .htaccess version (or
+you can place the rules in a <directory> stanza)
+==Secure Server==
 These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
 For Debian-based distros, the apache binary is '''apache2''' rather than httpd, so for finding out what modules are built-in or enabled you would type
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo apache2 -l
-</source>
+</syntaxhighlight>
 If mod_ssl.so is not listed in the output, it can be easily enabled by using the [[a2enmod]] command
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo a2enmod ssl
 Enabling module ssl.
 See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
 Run '/etc/init.d/apache2 restart' to activate new configuration!
-</source>
+</syntaxhighlight>
 A script for generating randomness (to help in creating a more cryptographically secure SSL key)
-<source lang="python">
+<syntaxhighlight lang="python">
 #! /usr/bin/env python
@@ Line 30: / Line 98: @@
    Random().sample(string.letters +
    string.digits, 1)[0])
-</source>
+</syntaxhighlight>
 And then use that to create and store some randomness.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 ./randomness.py > file1
 ./randomness.py > file2
@@ Line 38: / Line 106: @@
 # which is then fed into openssl
 sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
-</source>
+</syntaxhighlight>
 Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo openssl rsa -in server.key -out server.pem
-</source>
+</syntaxhighlight>
 Generate the signed certificate
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo openssl req -new -key server.pem -out server.csr
 sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
-</source>
+</syntaxhighlight>
 Copy certificate over to the configuration directory
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo cp server.pem server.crt /etc/apache2/
 sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
-</source>
+</syntaxhighlight>
 {{Messagebox
@@ Line 63: / Line 131: @@
 Modify the (default) configuration file (only if you want to change the available ciphers used)
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo vi /etc/apache2/mods-available/ssl.conf
-</source>
+</syntaxhighlight>
 My ubuntu system comes pre-configured to allow medium to highly secure ciphers
@@ Line 71: / Line 139: @@
 Now configure our directory paths, and permissions in an Apache configuration file
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
 sudo vi /etc/apache2/sites-available/mysite-ssl
-</source>
+</syntaxhighlight>
 In addition to setting Document Root, I modified these two directives:
@@ Line 82: / Line 150: @@
 </pre>
-<source lang="bash">
+<syntaxhighlight lang="bash">
 # enable the site
 sudo a2ensite mysite-ssl
@@ Line 89: / Line 157: @@
 # restart the server
 sudo apache2ctl graceful
-</source>
+</syntaxhighlight>
+==SSL Providers==
+Check your domain registrar for their services or products around SSL certificates.  There are a lot of Certificate Authorities to choose from.  Plus a lot of options on those certificates.  We use the [[TLS|Lets Encrypt]] project: They automate free certificate installation, making TLS security accessible to all.  If you want expert help in getting your site secured, contact {{CompanyName}}
+==Security==
+Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.
+http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
+http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
+Thank the US tax payers =)
+==Support / Customization==
+There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that.  OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.
+==Quick Check==
+You have a bunch of virtual hosts configured by various files in your Apache's configuration directories.  Since you can output them all with <code>apache2ctl -S</code>, you can also do a bit more parsing of the output to be able to quickly check if they're all responding.
+<syntaxhighlight lang="bash">
+for x in `apachectl -S 2>&1 | awk '/default server / { g=$3; print g} /namevhost / { g=$4; print g } /alias/ { g=$2; print g }' | sort -u`; do echo "checking $x"; curl --head --location http://$x; done
+</syntaxhighlight>
-== SSL Providers ==
+Who are the zombies trying to crack your WordPress site?
-Check your domain registrar for their services or products around SSL certificates.  There are a lot of Certificate Authorities to choose from.  Plus a lot of options on those certificates.  You can still get a free SSL certificate from StartSSL.com.  If you want expert help in getting your site secured, contact http://eQuality-Tech.com
+<syntaxhighlight lang="awk">
+awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log
+</syntaxhighlight>
+or,
+<syntaxhighlight lang="bash">
+grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c
+</syntaxhighlight>
+{{References}}
 [[Category:Howto]]
 [[Category:Apache]]
 [[Category:System Administration]]
+[[Category:Security]]
+[[Category:Company]]
+[[Category:Webserver]]