Apache

From wiki.techunit.org

Introduction

The aim of this page is to provide a simple guide to managing the Apache web service. Apache is the world's most used web server.
We will see how to secure your Apache configuration, how to use virtual hosts, and the useful commands to manage and debug your configuration.

  • Carried out on Debian 8
  • Apache version : 2.4

See Also

Migration to Apache2

Configure Varnish with Apache to provide HTTPS

How to configure Apache SSL module

Optimize your Apache performances with modules

Configuration

Install packages

aptitude install apache2 -y
  • Congrats, Apache is installed and is running.

Files location

  • Configuration : /etc/apache2/*
  • Default web directory : /var/www/html

Virtualhosts

Creating virtual host configurations on your Apache server does not magically cause DNS entries to be created for those host names. You must have the names in DNS, resolving to your IP address, or nobody else will be able to see your web site. You can put entries in your hosts file for local testing, but that will work only from the machine with those hosts entries.
httpd.apache.org

minimal

  • Create your site directory and index
mkdir -p /var/www/www.example.com
echo "Hello b*tches!" > /var/www/www.example.com/index.html
chown www-data: /var/www/www.example.com
  • Create the Vhost config file : /etc/apache2/sites-available/www.example.com.conf
tee /etc/apache2/sites-available/www.example.com.conf << EOF &> /dev/null
<VirtualHost *:80>
    DocumentRoot "/var/www/www.example.com"
    ServerName www.example.com
    # Other directives here
</VirtualHost>
EOF
  • Disable default vhost / enable www.example.com
a2dissite 000-default
a2ensite www.example.com
service apache2 reload

Config file autopsy

#Listen on all network interface, on port 80
<VirtualHost *:80>
    #Site root directory
    DocumentRoot "/var/www/www.example.com"

    #Match the names
    ServerName www.example.com
    ServerAlias example example.com
    #OR
    ServerAlias *.example.com

    #contact in case of technical issue
    ServerAdmin www-admin@foo.example.com 

    #Logging (use "debug" instead of "info" for more detail)
    LogLevel info
    CustomLog /var/log/apache2/example.com.access.log combined
    ErrorLog /var/log/apache2/example.com.errors.log

    #index file
    DirectoryIndex index.html index.htm index.php

    #Enable/disable options applied to directory (keep only one Options line)
    <Directory "/var/www/www.example.com">
     #Options Indexes FollowSymLinks
     #OR
     #Options +Indexes -FollowSymLinks -ExecCGI
     #OR
     Options -Indexes -FollowSymLinks -ExecCGI

     #Access (Apache 2.4 syntax, replaces Order/Allow/Deny; keep only one Require line)
     Require all granted
     #OR
     #Require all denied
     #OR
     #Require ip 127.0.0.1
    </Directory>
</VirtualHost>

Reverse proxy

  • Enable mod proxy
a2enmod proxy_http
a2enmod proxy
service apache2 restart
  • Edit and modify the vhost
<VirtualHost *:80>
    ServerName www.example.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://www.int.example.com:8080/
    ProxyPassReverse / http://www.int.example.com:8080/
</VirtualHost>

Rewrite URL

  • Enable mod rewrite
a2enmod rewrite
service apache2 restart
  • Edit and modify the vhost
<VirtualHost *:80>
    ServerName www.example1.com
    RewriteEngine on
    #Redirect to HTTPS
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example2.com
    RewriteEngine on
    #Redirect to another URL
    RewriteRule ^ http://www.example3.com%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

HTTPS vhost sample

a2enmod ssl
service apache2 restart
  • Edit and adapt your virtualhost
<IfModule mod_ssl.c>
<VirtualHost 196.154.168.73:443>
ServerName www.example.com
DocumentRoot /var/www/www.example.com
SSLEngine On
SSLCertificateFile /path/to/your/www.example.com.crt.pem
SSLCertificateKeyFile /path/to/your/www.example.com.key.pem
</VirtualHost>
</IfModule>

Modify Apache default port

  • Edit /etc/apache2/ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf

#Default HTTP
#Listen 80
Listen 8080

<IfModule ssl_module>
        #Default HTTPS
        #Listen 443
        Listen 8443
</IfModule>

<IfModule mod_gnutls.c>
        #Default HTTPS
        #Listen 443
        Listen 8443
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
  • Adapt the VirtualHost statement of your vhost to the new port
<VirtualHost *:8080>
    DocumentRoot "/var/www/www.example.com"
    ServerName www.example.com
    # Other directives here
</VirtualHost>
  • Restart apache
service apache2 restart


Secure your configuration from public access

Hide Apache Version and OS Identity

  • BEFORE - This command shows that Apache displays its version and the server distribution (curl package needed):
curl http://127.0.0.1/toto |grep Apache
#>>> <address>Apache/2.4.10 (Debian) Server at 127.0.0.1 Port 80</address>
  • Edit /etc/apache2/apache2.conf, then search for and modify or add these lines:
ServerSignature Off
ServerTokens Prod
  • Restart Apache : service apache2 restart
  • AFTER :
curl http://127.0.0.1/toto |grep Apache
#>>> No information provided
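
The curl check above only looks at the body of an error page, which is what ServerSignature controls; the Server: response header is set by ServerTokens. The following is an added example, not part of the original page: check_banner is a hypothetical helper that audits a full response (as printed by curl -si) for both leaks, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). check_banner is a hypothetical
# helper; feed it the output of: curl -si http://127.0.0.1/toto

# Prints one finding per line; prints nothing when the response is clean.
check_banner() {
    resp=$(printf '%s\n' "$1" | tr -d '\r')

    # Server: header, read from the header section only (set by ServerTokens)
    server=$(printf '%s\n' "$resp" | awk '
        /^$/ { exit }
        tolower($0) ~ /^server:/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    case $server in
        *Apache/[0-9]*) echo "ServerTokens: version in header: $server" ;;
    esac
    case $server in
        *"("*")"*) echo "ServerTokens: OS in header: $server" ;;
    esac

    # Footer of server-generated pages (set by ServerSignature)
    if printf '%s\n' "$resp" | grep -q '<address>Apache'; then
        echo "ServerSignature: footer in body"
    fi
}

# Constructed sample responses (not captured from a real server)
BEFORE='HTTP/1.1 404 Not Found
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1>
<address>Apache/2.4.10 (Debian) Server at 127.0.0.1 Port 80</address>
</body></html>'

# ServerSignature Off alone: the body check passes, the header still leaks
HALF='HTTP/1.1 404 Not Found
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1></body></html>'

AFTER='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<html><body><h1>Not Found</h1></body></html>'

for name in BEFORE HALF AFTER; do
    eval "sample=\$$name"
    echo "== $name"; check_banner "$sample"
done
```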

Enable additional modules

mod_security

  • mod_security is a free web application firewall. Here we will just see how to enable it, but I suggest you configure it (a full article about it is coming).
aptitude install libapache2-mod-security2 -y
cp /etc/modsecurity/modsecurity.conf{-recommended,}
service apache2 reload

mod_evasive

  • mod_evasive tracks incoming requests per client and temporarily blocks a client that exceeds the configured thresholds. This limits the damage done by HTTP brute force and DoS or DDoS attacks.
aptitude install libapache2-mod-evasive -y
  • Add this block to /etc/apache2/apache2.conf
<IfModule mod_evasive20.c>
 DOSHashTableSize 3097
 DOSPageCount 20
 DOSSiteCount 100
 DOSPageInterval 1
 DOSSiteInterval 1
 DOSBlockingPeriod 10
 #DOSLogDir is a directory; it must exist and be writable by www-data
 DOSLogDir /var/log/apache2/mod_evasive
 DOSWhitelist 127.0.0.1
</IfModule>
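
To see what these thresholds mean before enabling them, the following added example (not part of the original page and not mod_evasive's own code) replays an access log and lists the clients that would exceed DOSPageCount or DOSSiteCount within one second. evasive_offenders, log_line and sample_log are hypothetical names, the log lines are constructed, and counting per log-timestamp second is a simplification of the module's interval handling.

```shell
#!/bin/sh
# Added example (not from the original page, not mod_evasive's own code).
# Simplification: DOSPageInterval and DOSSiteInterval are taken as 1 second,
# as in the block above, and requests are counted per log-timestamp second.

# usage: evasive_offenders PAGE_COUNT SITE_COUNT WHITELIST_IP < access.log
# prints "IP page" or "IP site" for each client over a threshold
evasive_offenders() {
    awk -v page="$1" -v site="$2" -v allow="$3" '
    $1 != allow {
        ip = $1; sec = $4; uri = $7   # $4 = [dd/Mon/yyyy:HH:MM:SS, $7 = URI
        np = ++p[ip, uri, sec]        # same client, same URI, same second
        ns = ++s[ip, sec]             # same client, any URI, same second
        if (np > page) why[ip] = "page"
        else if (ns > site && !(ip in why)) why[ip] = "site"
    }
    END { for (ip in why) print ip, why[ip] }' | sort
}

# log_line IP SECOND METHOD URI: one constructed combined-format log line
log_line() {
    echo "$1 - - [10/Oct/2016:13:55:$2 +0200] \"$3 $4 HTTP/1.1\" 200 512 \"-\" \"-\""
}

# Constructed traffic: one login burst, one crawler, one whitelisted local
# client and one ordinary visitor
sample_log() {
    i=1
    while [ "$i" -le 120 ]; do
        if [ "$i" -le 25 ]; then log_line 203.0.113.7 36 POST /login; fi
        if [ "$i" -le 50 ]; then log_line 127.0.0.1 36 GET /server-status; fi
        log_line 192.0.2.44 37 GET "/p$i"
        i=$((i + 1))
    done
    log_line 198.51.100.9 36 GET /
    log_line 198.51.100.9 37 GET /style.css
    log_line 198.51.100.9 38 GET /logo.png
}

# Values from the block above: DOSPageCount 20, DOSSiteCount 100, DOSWhitelist
sample_log | evasive_offenders 20 100 127.0.0.1
```

Run it against a real access log with candidate values to check that legitimate clients stay under the thresholds.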

Check those points

Useful commandlines

apache2ctl

#Graceful restart
apache2ctl graceful
#Check config (before restart)
apache2ctl configtest
#Display status
apache2ctl fullstatus

Enable/disable

vhost management

#Enable
a2ensite www.example.com
#Disable
a2dissite www.example.com

module management

#Enable
a2enmod modname
#Disable
a2dismod modname

config management

#Enable
a2enconf confname
#Disable
a2disconf confname

Sources

Elliot
techUnit's cofounder