Apache: Difference between revisions
Edit summaries of the two compared revisions: "→SSL Providers: clarify" and "m Text replacement - "<(\/?)source" to "<$1syntaxhighlight""
Line 8:
==Canonical Domain==
Here is how we use Apache to answer requests for our multiple registered domain names (and their www subdomains) but send everything, with a permanent redirect, to our canonical "bare" domain over HTTPS.
<syntaxhighlight lang="apache">
<VirtualHost *:80>
# redirect 'www' subdomain
# Line 41:
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
</syntaxhighlight>
*Flags: <code>NC</code> (no case), <code>L</code> (last), <code>R=301</code> (permanent redirect), <code>NE</code> (no escape, so the captured path is passed through unchanged rather than URL-encoded a second time) <ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>
Line 74:
For Debian-based distros the Apache binary is '''apache2''' rather than httpd. Note that <code>apache2 -l</code> lists only the modules compiled into the binary; on Debian mod_ssl is a shared module, so it never appears there even when enabled. To see what is actually loaded, use <code>apache2ctl -M</code>:
<syntaxhighlight lang="bash">
sudo apache2 -l      # modules compiled into the binary (static)
sudo apache2ctl -M   # all loaded modules, including shared ones such as ssl_module
</syntaxhighlight>
If ssl_module is not listed by <code>apache2ctl -M</code>, it can be easily enabled by using the [[a2enmod]] command
<syntaxhighlight lang="bash">
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
</syntaxhighlight>
A script for generating some extra seed material for OpenSSL. Be aware that Python's <code>random</code> module is a Mersenne Twister, not a cryptographically secure generator, so this adds no real entropy to the key: OpenSSL already seeds itself from the operating system, and <code>-rand</code> merely mixes these files into that pool. The script is Python 2 (<code>string.letters</code> no longer exists in Python 3).
<syntaxhighlight lang="python">
#! /usr/bin/env python
# Line 98:
Random().sample(string.letters +
string.digits, 1)[0])
</syntaxhighlight>
And then use that to create and store some randomness.
<syntaxhighlight lang="bash">
./randomness.py > file1
./randomness.py > file2
# Line 106:
# which is then fed into openssl
# NOTE: 1024-bit RSA is below the 2048-bit minimum accepted today; use 2048 or more
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
</syntaxhighlight>
Do this if you want to remove the passphrase from the server key (<code>-des3</code> above encrypted it), which is necessary if the SSL server must restart unattended. The resulting unencrypted key is the real secret and must be readable by root only.
<syntaxhighlight lang="bash">
sudo openssl rsa -in server.key -out server.pem
</syntaxhighlight>
Generate a self-signed certificate from a signing request (<code>-signkey</code> signs the CSR with its own key; note that <code>openssl x509 -req</code> issues a certificate valid for only 30 days unless you add <code>-days</code>)
<syntaxhighlight lang="bash">
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
</syntaxhighlight>
Copy the key and certificate over to the configuration directory (the key is the secret; the certificate is public, but 600 does no harm)
<syntaxhighlight lang="bash">
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
</syntaxhighlight>
{{Messagebox
Line 131:
Modify the (default) configuration file (only if you want to change the available ciphers used)
<syntaxhighlight lang="bash">
sudo vi /etc/apache2/mods-available/ssl.conf
</syntaxhighlight>
My Ubuntu system comes pre-configured to allow medium to highly secure ciphers
Line 139:
Now configure our directory paths and permissions in an Apache configuration file
<syntaxhighlight lang="bash">
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
</syntaxhighlight>
In addition to setting Document Root, I modified these two directives:
Line 150:
</pre>
<syntaxhighlight lang="bash">
# enable the site
sudo a2ensite mysite-ssl
# Line 157:
# restart the server
sudo apache2ctl graceful
</syntaxhighlight>
==SSL Providers==
Line 178:
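The key and certificate procedure above, redone with current parameters as an added example (this is not the wiki's own script): an unencrypted P-256 key created root-only from the start, a self-signed certificate that carries a subjectAltName (browsers ignore the CN alone), checks that the key will load without a passphrase and actually matches the certificate, and a hardened SSL vhost fragment for the resulting files. It assumes OpenSSL 1.1.1 or newer (for <code>-addext</code>); the hostname example.com and the scratch output directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the same key/certificate procedure
# with current parameters. Assumptions: OpenSSL 1.1.1 or newer (for -addext),
# the placeholder hostname example.com, and an output directory passed by the caller.

# Generate an unencrypted P-256 key (nothing to type on restart, so it must be
# root-only) and a self-signed certificate carrying a subjectAltName. Swap the
# genpkey line for
#   openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072
# if RSA is required; 1024-bit RSA is no longer acceptable.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    (
        umask 077   # files are created 0600 from the start, never world-readable
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$outdir/$host.key" 2>/dev/null
        openssl req -new -x509 -key "$outdir/$host.key" -out "$outdir/$host.crt" \
            -days "$days" -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host,DNS:www.$host" 2>/dev/null
    )
    chmod 600 "$outdir/$host.key"
    chmod 644 "$outdir/$host.crt"   # the certificate is public
}

# Print the SAN entries of a certificate, e.g. "DNS:example.com, DNS:www.example.com"
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# Succeed only if the key loads without a passphrase (it will not block a restart)
key_is_unencrypted() {
    openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Succeed only if the key and certificate carry the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Emit a hardened SSL vhost fragment for the generated files: TLS 1.2+, AEAD
# suites only, HSTS (the Header directive needs mod_headers: a2enmod headers).
tls_vhost_snippet() {
    host=$1; dir=$2
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    ServerAlias www.$host
    SSLEngine on
    SSLCertificateFile    $dir/$host.crt
    SSLCertificateKeyFile $dir/$host.key
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder off
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
EOF
}

# Demo run in a scratch directory (use something like /etc/apache2/ssl for real)
if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
    make_selfsigned example.com "$demo" 365
    echo "SAN: $(cert_san "$demo/example.com.crt")"
    key_is_unencrypted "$demo/example.com.key" && echo "key loads without passphrase"
    key_matches_cert "$demo/example.com.key" "$demo/example.com.crt" && echo "key matches cert"
    tls_vhost_snippet example.com "$demo"
fi
```

The <code>umask 077</code> subshell matters more than the later <code>chmod</code>: the page's sequence writes the key world-readable first and tightens it afterwards, which leaves a window, and it also copies the key with <code>cp</code>, which creates the destination with the default umask. Check the final layout with <code>apache2ctl configtest</code> after dropping the fragment into sites-available.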
You have a bunch of virtual hosts configured by various files in your Apache configuration directories. Since <code>apache2ctl -S</code> (<code>apachectl -S</code> is equivalent) lists them all, a bit of parsing of its output lets you quickly check that they are all responding.
<syntaxhighlight lang="bash">
for x in $(apachectl -S 2>&1 \
    | awk '/default server / { print $3 } /namevhost / { print $4 } /alias/ { print $2 }' \
    | sort -u); do
    echo "checking $x"
    curl --head --location "http://$x"
done
</syntaxhighlight>
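As an added example that is not from the wiki page, this script extends the loop above and ties it back to the Canonical Domain section: it parses the host list out of <code>apachectl -S</code> and, instead of only confirming that each host answers, follows the redirects and classifies where each one lands, so every registered domain and www alias can be verified to end on the canonical HTTPS origin. The <code>apachectl -S</code> output embedded below is constructed to match the real format (the same field positions the page's awk relies on); the canonical origin is a parameter.

```shell
#!/bin/sh
# Added example, not from the original page. The apachectl -S output below is
# constructed; the canonical origin (e.g. https://equality-tech.com) is passed in.

SAMPLE_APACHECTL_S='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost example.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.example.com
         port 80 namevhost other.org (/etc/apache2/sites-enabled/other.conf:1)
                 alias www.other.org
*:443                  is a NameVirtualHost
         default server example.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost example.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"'

# Unique hostnames from apachectl -S output on stdin: default servers,
# namevhosts and aliases (the alias match is anchored so a path containing
# the word "alias" cannot slip in).
vhost_names() {
    awk '/default server / { print $3 }
         /namevhost /      { print $4 }
         /^ *alias /       { print $2 }' | sort -u
}

# Classify the "code url" pair curl reports after following redirects:
# OK only when the final hop is a 200 on the canonical origin itself,
# anything else (wrong host, plain http, a loop cut off by --max-redirs) is WARN.
classify_landing() {
    canonical=$1; result=$2
    case "$result" in
        "200 $canonical/"*) echo OK ;;
        *)                  echo WARN ;;
    esac
}

# Live check (needs network): follow up to 5 redirects per host, time-boxed,
# and report the classification next to the final status and URL.
check_redirects() {
    canonical=$1
    while read -r host; do
        if result=$(curl -sS -o /dev/null -L --max-redirs 5 --max-time 10 \
                    -w '%{http_code} %{url_effective}' "http://$host/" 2>/dev/null); then
            echo "$(classify_landing "$canonical" "$result") $host -> $result"
        else
            echo "FAIL $host (curl error)"
        fi
    done
}

printf '%s\n' "$SAMPLE_APACHECTL_S" | vhost_names
# Against a real server:
#   apachectl -S 2>&1 | vhost_names | check_redirects https://equality-tech.com
```

A WARN for a host that the page's loop would have reported as healthy (it got a 301) is exactly the case worth looking at: an alias that redirects to the www host, or to http instead of https, quietly defeats the canonicalisation.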
Who are the zombies trying to crack your WordPress site?
<syntaxhighlight lang="awk">
awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log
</syntaxhighlight>
or, more coarsely, counting every POST in the log rather than only those to wp-login.php,
<syntaxhighlight lang="bash">
grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c
</syntaxhighlight>
{{References}}
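The wp-login hunt above, as an added example (not the wiki's own one-liners), with two refinements a practitioner wants: a threshold so the output is only the hosts that are actually hammering the login page, and a separate list of those whose login POST was answered with a 302, which in WordPress normally means the login succeeded (a failed attempt re-renders the form with a 200). The log lines are constructed in Apache's "combined" LogFormat with documentation-range IPs.

```shell
#!/bin/sh
# Added example, not from the original page. The log below is constructed to
# match Apache's "combined" LogFormat; $6 is the quoted method ("POST), $7 the
# request path (query string included), $9 the status code.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2780 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3412 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:58:00 +0000] "GET / HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF

# Print "ip count" for every IP with at least $2 POSTs to wp-login.php
# (default 5), busiest first. Matching on the path prefix also catches
# POSTs that carry a query string such as ?redirect_to=...
wp_login_offenders() {
    awk -v min="${2:-5}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { posts[$1]++ }
        END { for (ip in posts) if (posts[ip] >= min) print ip, posts[ip] }
    ' "$1" | sort -k2,2nr
}

# Print "ip count" for POSTs to wp-login.php answered with 302: the hosts
# whose guessing may have worked, which is what actually needs investigating
# (assumption: stock WordPress redirects on success and returns 200 on failure).
wp_login_successes() {
    awk '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "302" { ok[$1]++ }
        END { for (ip in ok) print ip, ok[ip] }
    ' "$1" | sort -k2,2nr
}

echo "== hosts with 3+ login POSTs =="
wp_login_offenders "$SAMPLE_LOG" 3
echo "== hosts whose login POST was answered with 302 =="
wp_login_successes "$SAMPLE_LOG"
```

Run it against the real file with <code>wp_login_offenders /var/log/apache2/access.log 20</code>; the IPs it prints are the ones to feed into fail2ban or a deny rule, and anything that also appears in <code>wp_login_successes</code> means rotating that user's password, not just blocking the address.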