Apache
Apache (the webserver) is a freely licensed project of the Apache Software Foundation.
Contents
Docs
In addition to the extensive online documentation of the Apache project, you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar
Canonical Domain
Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.
<VirtualHost *:80>
# redirect 'www' subdomain
# and all tld aliases
ServerName equality-tech.com
ServerAlias www.equality-tech.com
ServerAlias equality-tech.info
ServerAlias www.equality-tech.info
ServerAlias equality-tech.net
ServerAlias www.equality-tech.net
ServerAlias equality-tech.org
ServerAlias www.equality-tech.org
Redirect permanent "/" "https://equality-tech.com/"
</VirtualHost>
<VirtualHost *:443>
ServerName equality-tech.com
# answer calls to these numbers as well
ServerAlias www.equality-tech.com
ServerAlias equality-tech.info
ServerAlias www.equality-tech.info
ServerAlias equality-tech.net
ServerAlias www.equality-tech.net
ServerAlias equality-tech.org
ServerAlias www.equality-tech.org
ServerAlias equality-tech.local
# forward all calls to our canonical name
RewriteEngine on
RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
Secure Server
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for RedHat systems see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
For Debian-based distros, the apache binary is apache2 rather than httpd, so for finding out what modules are built-in or enabled you would type
sudo apache2 -l
If mod_ssl.so is not listed in the output, it can be easily enabled by using the a2enmod command
sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
A script for generating randomness (to help in creating a more cryptographically secure SSL key)
#! /usr/bin/env python
import string
from random import Random
import sys
for x in range(1, 10000): sys.stdout.write(
Random().sample(string.letters +
string.digits, 1)[0])
And then use that to create and store some randomness.
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
Do this if you want to remove the server key (useful if you want the SSL server to restart unattended)
sudo openssl rsa -in server.key -out server.pem
Generate the signed certificate
sudo openssl req -new -key server.pem -out server.csr
sudo openssl x509 -req -in server.csr -signkey server.pem -out server.crt
Copy certificate over to the configuration directory
sudo cp server.pem server.crt /etc/apache2/
sudo chmod 600 /etc/apache2/server.pem /etc/apache2/server.crt
Modify the (default) configuration file (only if you want to change the available ciphers used)
sudo vi /etc/apache2/mods-available/ssl.conf
My ubuntu system comes pre-configured to allow medium to highly secure ciphers
SSLCipherSuite HIGH:MEDIUM:!ADH
Now configure our directory paths, and permissions in an Apache configuration file
sudo cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/mysite-ssl
sudo vi /etc/apache2/sites-available/mysite-ssl
In addition to setting Document Root, I modified these two directives:
SSLCertificateFile /etc/apache2/server.crt SSLCertificateKeyFile /etc/apache2/server.pem
# enable the site
sudo a2ensite mysite-ssl
# test the configuration syntax
sudo apache2ctl configtest
# restart the server
sudo apache2ctl graceful
SSL Providers
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from. Plus a lot of options on those certificates. You can still get a free SSL certificate from StartSSL.com. However, a new and very interesting service is available from the Lets Encrypt project: They automate free certificate installation, making TLS security accessible to all. If you want expert help in getting your site secured, contact eQuality Technology
Security
Check out the NIST and DISA checklist and STIG docs, they are good places to start - their checks are based on industry best practices and Apache httpd CVEs.
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
Thank the US tax payers =)
Support / Customization
There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.