Apache: Difference between revisions

Latest revision as of 13:27, 24 February 2025

Apache (the webserver) is a freely licensed project of the Apache Software Foundation.

Docs[edit]

In addition to the extensive online documentation of the Apache project, you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar

The Ubuntu Server Guide is also a helpful documentation source.

Canonical Domain[edit]

Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.

<VirtualHost *:80>
  # redirect 'www' subdomain
  # and all tld aliases
  ServerName      equality-tech.com
  ServerAlias www.equality-tech.com
  ServerAlias     equality-tech.info
  ServerAlias www.equality-tech.info
  ServerAlias     equality-tech.net
  ServerAlias www.equality-tech.net
  ServerAlias     equality-tech.org
  ServerAlias www.equality-tech.org
  Redirect permanent "/" "https://equality-tech.com/"
</VirtualHost>


<VirtualHost *:443>
  ServerName      equality-tech.com
  # answer calls to these numbers as well
  ServerAlias www.equality-tech.com
  ServerAlias     equality-tech.info
  ServerAlias www.equality-tech.info
  ServerAlias     equality-tech.net
  ServerAlias www.equality-tech.net
  ServerAlias     equality-tech.org
  ServerAlias www.equality-tech.org
  ServerAlias equality-tech.local
  
  # forward all calls to our canonical name
  RewriteEngine on
  RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]
  RewriteCond %{HTTP_HOST} !^$
  RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]

Flags: No Case, Last, Redirect permanent, No Escape ^[1]
Response Code: 301 = Permanent ^[2]

Rewrites[edit]

Use .htaccess ONLY for testing rules on-the-fly during development so that you don't have to constantly reload Apache.

Once the rule is tested and works, it should be placed into the proper Virtual Host configuration file. e.g. /etc/apache2/sites-available/foo.conf

This is because the conf gets loaded into memory once during startup whereas the .htaccess file needs to be loaded FROM DISK on every single request. This slows a web server. So, don't even leave .htaccess files lying around empty. Nuke 'em.

See https://httpd.apache.org/docs/2.4/rewrite/tech.html about the differences between per-directory context. Basically, the path as seen in .conf will start with / whereas the path as seen by .htaccess in / will have the leading slash stripped already. That's why we use ^/? to make rules work in both contexts. But rules further down the filesystem hierarchy will have a greater difference between the .conf version and the .htaccess version (or you can place the rules in a <directory> stanza)

Secure Server[edit]

These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache

For Debian-based distros, the apache binary is apache2 rather than httpd, so for finding out what modules are built-in or enabled you would type

sudo apache2 -l

If mod_ssl.so is not listed in the output, it can be easily enabled by using the a2enmod command

sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!

A script for generating randomness (to help in creating a more cryptographically secure SSL key)

#! /usr/bin/env python

import string
from random import Random
import sys

for x in range(1, 10000): sys.stdout.write(
  Random().sample(string.letters +
  string.digits, 1)[0])

And then use that to create and store some randomness.

./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024

Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)

sudo openssl rsa -in server.key -out server.pem

Generate the signed certificate

sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt

Copy certificate over to the configuration directory

sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt

Because Debian-based systems use "mods-available" and "mods-enabled" through a convention of symbolic links which get included by wildcard in the main apache2.conf; and also because the default "load" configuration file for the module (ssl.conf.load) is already present on the system, you don't have to do anything more than the previous "a2enmod" command to get the module, and it's configuration file read into apache

Modify the (default) configuration file (only if you want to change the available ciphers used)

sudo vi /etc/apache2/mods-available/ssl.conf

My ubuntu system comes pre-configured to allow medium to highly secure ciphers SSLCipherSuite HIGH:MEDIUM:!ADH

Now configure our directory paths, and permissions in an Apache configuration file

sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl

In addition to setting Document Root, I modified these two directives:

 SSLCertificateFile    /etc/apache2/server.crt
 SSLCertificateKeyFile /etc/apache2/server.pem

# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful

SSL Providers[edit]

Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. We use the Lets Encrypt project: They automate free certificate installation, making TLS security accessible to all. If you want expert help in getting your site secured, contact eQuality Technology

Security[edit]

Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.

http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip

http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip

Thank the US tax payers =)

Support / Customization[edit]

There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.

Quick Check[edit]

You have a bunch of virtual hosts configured by various files in your Apache's configuration directories. Since you can output them all with apache2ctl -S, you can also do a bit more parsing of the output to be able to quickly check if they're all responding.

for x in `apachectl -S 2>&1 | awk '/default server / { g=$3; print g} /namevhost / { g=$4; print g } /alias/ { g=$2; print g }' | sort -u`; do echo "checking $x"; curl --head --location http://$x; done

Who are the zombies trying to crack your WordPress site?

awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log

or,

grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c

References[edit]

[1] ttps://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne

[2] ttps://tools.ietf.org/html/rfc2616

[1]

[2]

@@ Line 8: / Line 8: @@
 ==Canonical Domain==
 Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.
-<source lang="apache">
+<syntaxhighlight lang="apache">
 <VirtualHost *:80>
    # redirect 'www' subdomain
@@ Line 41: / Line 41: @@
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
-</source>
+</syntaxhighlight>
 *Flags: No Case, Last, Redirect permanent, No Escape <ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>
@@ Line 74: / Line 74: @@
 For Debian-based distros, the apache binary is '''apache2''' rather than httpd, so for finding out what modules are built-in or enabled you would type
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo apache2 -l
-</source>
+</syntaxhighlight>
 If mod_ssl.so is not listed in the output, it can be easily enabled by using the [[a2enmod]] command
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo a2enmod ssl
 Enabling module ssl.
 See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
 Run '/etc/init.d/apache2 restart' to activate new configuration!
-</source>
+</syntaxhighlight>
 A script for generating randomness (to help in creating a more cryptographically secure SSL key)
-<source lang="python">
+<syntaxhighlight lang="python">
 #! /usr/bin/env python
@@ Line 98: / Line 98: @@
    Random().sample(string.letters +
    string.digits, 1)[0])
-</source>
+</syntaxhighlight>
 And then use that to create and store some randomness.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 ./randomness.py > file1
 ./randomness.py > file2
@@ Line 106: / Line 106: @@
 # which is then fed into openssl
 sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
-</source>
+</syntaxhighlight>
 Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo openssl rsa -in server.key -out server.pem
-</source>
+</syntaxhighlight>
 Generate the signed certificate
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo openssl req -new -key server.pem -out server.csr
 sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
-</source>
+</syntaxhighlight>
 Copy certificate over to the configuration directory
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo cp server.pem server.crt /etc/apache2/
 sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
-</source>
+</syntaxhighlight>
 {{Messagebox
@@ Line 131: / Line 131: @@
 Modify the (default) configuration file (only if you want to change the available ciphers used)
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo vi /etc/apache2/mods-available/ssl.conf
-</source>
+</syntaxhighlight>
 My ubuntu system comes pre-configured to allow medium to highly secure ciphers
@@ Line 139: / Line 139: @@
 Now configure our directory paths, and permissions in an Apache configuration file
-<source lang="bash">
+<syntaxhighlight lang="bash">
 sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
 sudo vi /etc/apache2/sites-available/mysite-ssl
-</source>
+</syntaxhighlight>
 In addition to setting Document Root, I modified these two directives:
@@ Line 150: / Line 150: @@
 </pre>
-<source lang="bash">
+<syntaxhighlight lang="bash">
 # enable the site
 sudo a2ensite mysite-ssl
@@ Line 157: / Line 157: @@
 # restart the server
 sudo apache2ctl graceful
-</source>
+</syntaxhighlight>
 ==SSL Providers==
@@ Line 178: / Line 178: @@
 You have a bunch of virtual hosts configured by various files in your Apache's configuration directories.  Since you can output them all with <code>apache2ctl -S</code>, you can also do a bit more parsing of the output to be able to quickly check if they're all responding.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 for x in `apachectl -S 2>&1 | awk '/default server / { g=$3; print g} /namevhost / { g=$4; print g } /alias/ { g=$2; print g }' | sort -u`; do echo "checking $x"; curl --head --location http://$x; done
-</source>
+</syntaxhighlight>
 Who are the zombies trying to crack your WordPress site?
-<source lang="awk">
+<syntaxhighlight lang="awk">
 awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log
-</source>
+</syntaxhighlight>
 or,
-<source lang="bash">
+<syntaxhighlight lang="bash">
 grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c
-</source>
+</syntaxhighlight>
 {{References}}