4,820 bytes added ,  15:21, 20 May 2020
Apache (the webserver) is a [https://www.apache.org/free/ freely licensed] project of the Apache Software Foundation.

== Docs ==
In addition to the extensive [http://httpd.apache.org online documentation of the Apache project], you should consult the local documentation on your system under /usr/share/doc/apache2.2-common or similar.
The [https://help.ubuntu.com/lts/serverguide/httpd.html Ubuntu Server Guide] is also a helpful documentation source.

==Canonical Domain==
Here is how we use Apache to answer requests to our multiple registered TLDs, but direct everything to our canonical "bare" domain.
<source lang="apache">
<VirtualHost *:80>
    # redirect 'www' subdomain
    # and all tld aliases
    ServerName equality-tech.com
    ServerAlias www.equality-tech.com
    ServerAlias equality-tech.info
    ServerAlias www.equality-tech.info
    ServerAlias equality-tech.net
    ServerAlias www.equality-tech.net
    ServerAlias equality-tech.org
    ServerAlias www.equality-tech.org
    Redirect permanent "/" "https://equality-tech.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName equality-tech.com
    # answer calls to these numbers as well
    ServerAlias www.equality-tech.com
    ServerAlias equality-tech.info
    ServerAlias www.equality-tech.info
    ServerAlias equality-tech.net
    ServerAlias www.equality-tech.net
    ServerAlias equality-tech.org
    ServerAlias www.equality-tech.org
    ServerAlias equality-tech.local
    # (SSL directives for this host are not shown here; see the Secure Server section)
    # forward all calls to our canonical name
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^equality-tech.com [NC]
    RewriteCond %{HTTP_HOST} !^$
    RewriteRule ^/?(.*) https://equality-tech.com/$1 [L,R=301,NE]
</VirtualHost>
</source>
*Flags: No Case, Last, Redirect permanent, No Escape<ref>https://httpd.apache.org/docs/current/rewrite/flags.html#flag_ne</ref>
*Response Code: 301 = Permanent<ref>https://tools.ietf.org/html/rfc2616</ref>

==Rewrites==
Use .htaccess ONLY for testing rules on-the-fly during development, so that you don't have to constantly reload Apache. Once the rule is tested and works, it should be placed into the proper Virtual Host configuration file, e.g. /etc/apache2/sites-available/foo.conf.

This is because the conf gets loaded into memory once during startup, whereas the .htaccess file needs to be loaded FROM DISK on every single request. This slows a webserver. So, don't even leave .htaccess files lying around empty. Nuke 'em.

See https://httpd.apache.org/docs/2.4/rewrite/tech.html about how the per-directory context differs. Basically, the path as seen in a .conf will start with /, whereas the path as seen by a .htaccess in / will have the leading slash stripped already. That's why we use <code>^/?</code> to make rules work in both contexts. But rules further down the filesystem hierarchy will have a greater difference between the .conf version and the .htaccess version (or you can place the rules in a <code>&lt;Directory&gt;</code> stanza).

== Secure Server ==
These notes illustrate what I did for my Ubuntu system and are based on an instructional video from Linux Journal for Red Hat systems; see http://www.linuxjournal.com/video/set-secure-virtual-host-apache
string.digits, 1)[0])
</source>
And then use that to create and store some randomness.
<source lang="bash">
# collect three files of randomness from the script above
./randomness.py > file1
./randomness.py > file2
./randomness.py > file3
# which is then fed into openssl as extra seed material for the key
# note: 1024-bit RSA keys are below current minimums; 2048 bits or more is the usual floor today
sudo openssl genrsa -des3 -rand file1:file2:file3 -out server.key 1024
</source>
{{Messagebox
| type = success
| text = Because Debian-based systems use "mods-available" and "mods-enabled" through a convention of symbolic links, which are included by wildcard in the main apache2.conf, and because the default "load" configuration file for the module (ssl.conf.load) is already present on the system, you don't have to do anything more than the previous "a2enmod" command to get the module and its configuration file read into Apache.
}}
In addition to setting DocumentRoot, I modified these two directives:
<pre>
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.pem
</pre>
<source lang="bash">
sudo apache2ctl graceful
</source>
 
==SSL Providers==
Check your domain registrar for their services or products around SSL certificates. There are a lot of Certificate Authorities to choose from, plus a lot of options on those certificates. We use the [[TLS|Let's Encrypt]] project: they automate free certificate installation, making TLS security accessible to all. If you want expert help in getting your site secured, contact {{CompanyName}}.
 
==Security==
Check out the NIST and DISA checklist and STIG documents; they are good places to start, since their checks are based on industry best practices and Apache httpd CVEs.
 
http://iase.disa.mil/stigs/downloads/zip/unclassified_web_srr_checklist_apache_v6r1-12_20100423.zip
 
http://iase.disa.mil/stigs/app_security/web_server/u_apache_2.2_unix_v1r4_stig.zip
 
Thank the US taxpayers =)
 
==Support / Customization==
There is a presentation on http://OutOfOrder.cc about Mass Virtual Hosting approaches that is worth a look if you're considering that. OutOfOrder.cc is a collaborative effort between Paul Querna and Edward Rudd -- two guys who have a lot of experience with Apache.
 
 
==Quick Check==
You have a bunch of virtual hosts configured by various files in your Apache's configuration directories. Since <code>apache2ctl -S</code> lists them all, a bit of parsing of that output lets you quickly check whether each one is responding.
 
<source lang="bash">
# -S writes its dump to stderr, hence 2>&1; the awk picks the name from each line type
for x in $(apachectl -S 2>&1 \
    | awk '/default server / { print $3 } /namevhost / { print $4 } /alias/ { print $2 }' \
    | sort -u); do
    echo "checking $x"
    curl --head --location "http://$x"
done
</source>
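A fuller version of this check, added here as an example and not code from the wiki page: it parses the <code>apachectl -S</code> dump for host names and ports, probes each name without following redirects, and verifies the behaviour the Canonical Domain section configures (the bare https name answers directly, every other name answers 301 to it). The sample dump, the canonical name and the injectable <code>fetch</code> parameter are this example's own assumptions.

```python
import http.client
import re

# Constructed sample in the shape `apachectl -S` prints (not a real dump).
SAMPLE_DUMP = """\
*:80                   is a NameVirtualHost
         port 80 namevhost equality-tech.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 alias www.equality-tech.com
                 wild alias *.equality-tech.net
*:443                  is a NameVirtualHost
         port 443 namevhost equality-tech.com (/etc/apache2/sites-enabled/default-ssl.conf:2)
"""

def parse_vhosts(dump):
    """Unique (scheme, host) pairs in dump order; 'wild alias *.x' lines are skipped."""
    pairs, scheme = [], "http"
    for line in dump.splitlines():
        w = line.split()
        if m := re.match(r"\S+:(\d+)\s+is a NameVirtualHost", line):
            scheme = "https" if m.group(1) == "443" else "http"   # port picks the scheme
            continue
        if w[:2] == ["default", "server"] or w[:1] == ["port"]:
            host = w[2] if w[0] == "default" else w[3]   # "port N namevhost X (conf:line)"
        elif w[:1] == ["alias"]:                         # "wild alias" starts with "wild"
            host = w[1]
        else:
            continue
        pairs.append((scheme, host))
    return list(dict.fromkeys(pairs))

def probe(scheme, host, timeout=5.0):
    """HEAD / without following redirects -> (status, Location header or '')."""
    conn_cls = http.client.HTTPSConnection if scheme == "https" else http.client.HTTPConnection
    try:
        conn = conn_cls(host, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    except OSError as e:            # DNS failure, refused, timeout, TLS error
        return 0, str(e)

def audit(dump, canonical=("https", "equality-tech.com"), fetch=probe):
    """Canonical host must answer 200; every other name must 301 to the canonical origin."""
    verdicts = {}
    for scheme, host in parse_vhosts(dump):
        status, location = fetch(scheme, host)
        if (scheme, host) == canonical:
            ok = status == 200
        else:   # what the page's Redirect permanent / RewriteRule [R=301] should produce
            ok = status == 301 and location.startswith(f"{canonical[0]}://{canonical[1]}/")
        verdicts[f"{scheme}://{host}/"] = "ok" if ok else f"bad:{status}->{location or '-'}"
    return verdicts
```

Against a live server, pass the combined stdout and stderr of <code>apachectl -S</code> to <code>audit()</code> in place of the constructed dump.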
 
Who are the zombies trying to crack your WordPress site?
<source lang="awk">
awk '$6 ~ "POST" && $7 ~ "wp-login" { ips[$1]++ } END {for (ip in ips) { print ip, " ", ips[ip], " POSTs" }}' /var/log/apache2/access.log
</source>
or,
<source lang="bash">
grep POST /var/log/apache2/access.log | cut -d ' ' -f 1 | sort | uniq -c
</source>
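The same question as the two one-liners above, worked through in Python as an added example (not code from the page), with one extra signal: WordPress answers a failed login POST by re-rendering the form with 200 and a successful one with a 302 redirect, so splitting the per-IP count by status separates an address that only failed from one that eventually got in. The log lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict

# Constructed combined-format log lines (not from a real server); documentation-range IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2020:15:21:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2020:15:21:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2020:15:21:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2020:15:21:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2020:15:22:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3984 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2020:15:22:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2020:15:22:16 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [time], "request", status, size, "referer", "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Named fields of one combined-format line, or None when the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def wp_login_posts(lines):
    """Per-IP counts of POSTs to wp-login.php, split by outcome.
    WordPress re-renders the form with 200 on a failed login and answers a
    successful one with a 302 redirect, so the status separates the two."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "other": 0})
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        key = {"200": "failed", "302": "success"}.get(rec["status"], "other")
        stats[rec["ip"]][key] += 1
    return dict(stats)

def suspects(stats, min_failed=3):
    """IPs with at least min_failed failed POSTs, worst first; a success after
    repeated failures is the case that deserves a closer look."""
    rows = [(ip, c["failed"], c["success"]) for ip, c in stats.items() if c["failed"] >= min_failed]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    import sys   # pass /var/log/apache2/access.log as the first argument to scan a real log
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, failed, success in suspects(wp_login_posts(lines)):
        note = "  <- success after failures" if success else ""
        print(f"{ip:16} {failed} failed POSTs, {success} successful{note}")
```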
{{References}}
[[Category:Howto]]
[[Category:Apache]]
[[Category:System Administration]]
[[Category:Security]]
[[Category:Company]]
[[Category:Webserver]]