Apache

These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.

Requirements

Apache doesn't need much itself. However, the configuration we plan to use does require several components. We're assuming that some of our web pages will require Perl, PHP, Python, MySQL, and possibly PostgreSQL.

We'd like to run several virtual hosts:

Installation

Install Apache. We require the prefork MPM, due to some PHP libraries that are not thread-safe. The worker MPM would be preferable, if not for that.

apt-get install -y apache2 apache2.2-common apache2-utils apache2-mpm-prefork
apt-get install apache2-doc

PHP

Install PHP 5.x CLI:

apt-get install -y php5-cli php-pear php5-common

Install PHP 5.x Apache module:

apt-get install libapache2-mod-php5

Install some commonly used PHP libraries:

apt-get install php5-mysql libmysqlclient15off mysql-common
apt-get install php5-curl libcurl3

Modules

Enable some modules:

a2enmod rewrite
a2enmod ssl
a2enmod info
a2enmod include
a2enmod deflate
a2enmod userdir # Only on Budlight.

Configuration

mkdir /home/web
chown -R www-data:www-data /home/web
a2dissite default

Edit /etc/apache2/conf.d/index_files:

DirectoryIndex index.shtml index.html index.cgi index.pl index.php index.xhtml

NOTE: The DirectoryIndex directive seems to have stopped working for us, so we had to add it to /etc/apache2/sites-enabled/000-www.sluug.org as well.

Edit /etc/apache2/conf.d/logging:

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

Edit /etc/apache2/conf.d/server_sig:

ServerSignature Off
ServerTokens Minor

Remove the ServerSignature and ServerTokens settings from the main Apache config file, as it overrides the settings in the conf.d/server_sig file.

sed -i -e 's/^ServerSignature .*/ServerSignature Off/' /etc/apache2/apache2.conf
sed -i -e 's/^ServerTokens .*/ServerTokens Minor/' /etc/apache2/apache2.conf

Default Site

The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file. We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites. (Some attempts even had "proxy_test_referer" in the Referer field.)

Edit /etc/apache2/sites-available/000-default:

NameVirtualHost *
<VirtualHost *>
    # Minimize logging of this junk.
    #CustomLog /dev/null ""
    #ErrorLog /dev/null
    CustomLog /var/log/apache2/attack.log combined
    ErrorLog /var/log/apache2/attack_error.log
    LogLevel emerg

    # Don't allow access to anything, causing a 403 error message for any request.
    ErrorDocument 403 "Site does not exist on this server!"
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
a2ensite 000-default

Main SLUUG Site

mkdir -p /home/web/www.sluug.org/public /home/web/www.sluug.org/cgi-bin
chown -R www-data:www /home/web/www.sluug.org
chmod g+s /home/web/www.sluug.org

Edit /etc/apache2/sites-available/www.sluug.org:

<VirtualHost *>
	ServerName www.sluug.org
	ServerAlias sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/www.sluug.org/public
	ScriptAlias /cgi-bin/ "/home/web/www.sluug.org/cgi-bin/"
	<Directory /home/web/www.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews IncludesNoExec
		DirectoryIndex index.shtml index.html
		Order allow,deny
		Allow from all
	</Directory>
	<Directory "/home/web/www.sluug.org/cgi-bin">
		AllowOverride None
		Options ExecCGI
	</Directory>
</VirtualHost>
a2ensite www.sluug.org

Wiki Site

mkdir /home/web/wiki.sluug.org
chown -R www-data:www /home/web/wiki.sluug.org

Edit /etc/apache2/sites-available/wiki.sluug.org:

<VirtualHost *>
	ServerName wiki.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/wiki.sluug.org
	<Directory /home/web/wiki.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite wiki.sluug.org

Saint Louis LUG Site

mkdir /home/web/stllug.sluug.org /home/web/stllug.sluug.org/public
chown -R www-data:stllug /home/web/stllug.sluug.org
chmod g+s /home/web/stllug.sluug.org

Edit /etc/apache2/sites-available/stllug.sluug.org:

<VirtualHost *>
	ServerName stllug.sluug.org
	ServerAlias stllinux.sluug.org
	ServerAlias linux.sluug.org
	ServerAlias lug.sluug.org
	ServerAlias stl.sluug.org
	ServerAlias stllinux.org
	ServerAlias www.stllinux.org
	UseCanonicalName On
	DocumentRoot /home/web/stllug.sluug.org/public
	<Directory /home/web/stllug.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite stllug.sluug.org

Hazelwood LUG Site

mkdir /home/web/hzwlug.sluug.org
chown -R www-data:hazelwood /home/web/hzwlug.sluug.org
chmod g+s /home/web/hzwlug.sluug.org

Edit /etc/apache2/sites-available/hzwlug.sluug.org:

<VirtualHost *>
	ServerName hazlug.sluug.org
	ServerAlias hzlug.sluug.org
	ServerAlias hzwlug.sluug.org
	ServerAlias hazelwood.sluug.org
	ServerAlias newbie.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/hzwlug.sluug.org
	<Directory /home/web/hzwlug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite hzwlug.sluug.org

Saint Charles LUG Site

mkdir /home/web/stclug.sluug.org
chown -R www-data:stclug /home/web/stclug.sluug.org
chmod g+s /home/web/stclug.sluug.org

Edit /etc/apache2/sites-available/stclug.sluug.org:

<VirtualHost *>
	ServerName stclug.sluug.org
	ServerAlias stcharles.sluug.org
	ServerAlias saintcharles.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/stclug.sluug.org
	<Directory /home/web/stclug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite stclug.sluug.org

Security Users Group Site

mkdir /home/web/security.sluug.org
chown -R www-data:security /home/web/security.sluug.org
chmod g+s /home/web/security.sluug.org

Edit /etc/apache2/sites-available/security.sluug.org:

<VirtualHost *>
	ServerName security.sluug.org
	ServerAlias secure.sluug.org
	ServerAlias sec.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/security.sluug.org
	<Directory /home/web/security.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite security.sluug.org

Solaris Users Group Site

mkdir /home/web/solaris.sluug.org
chown -R www-data:solaris /home/web/solaris.sluug.org
chmod g+s /home/web/solaris.sluug.org

Edit /etc/apache2/sites-available/solaris.sluug.org:

<VirtualHost *>
	ServerName solaris.sluug.org
	ServerAlias sun.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/solaris.sluug.org
	<Directory /home/web/solaris.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite solaris.sluug.org

SLACC Site

mkdir /home/web/slacc.sluug.org
chown -R www-data:slacc /home/web/slacc.sluug.org
chmod g+s /home/web/slacc.sluug.org

Edit /etc/apache2/sites-available/slacc.sluug.org:

<VirtualHost *>
	ServerName slacc.sluug.org
	ServerAlias www.slacc.com
	ServerAlias slacc.com
	UseCanonicalName On
	DocumentRoot /home/web/slacc.sluug.org
	<Directory /home/web/slacc.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite slacc.sluug.org

SNUG Site

mkdir /home/web/snug.sluug.org
chown -R www-data:snug /home/web/snug.sluug.org
chmod g+s /home/web/snug.sluug.org

Edit /etc/apache2/sites-available/snug.sluug.org:

<VirtualHost *>
	ServerName snug.sluug.org
	ServerAlias novell.sluug.org
	ServerAlias netware.sluug.org
	ServerAlias www.stl-nui.org
	ServerAlias stl-nui.org
	UseCanonicalName On
	DocumentRoot /home/web/snug.sluug.org
	<Directory /home/web/snug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite snug.sluug.org

Webmail Site

mkdir /var/www/webmail.sluug.org
chown -R www-data:www-data /var/www/webmail.sluug.org
chmod g+s /var/www/webmail.sluug.org

Edit /etc/apache2/sites-available/webmail.sluug.org:

<VirtualHost *>
	ServerName webmail.sluug.org
	ServerAlias mail.sluug.org
	UseCanonicalName On
	DocumentRoot /var/www/webmail.sluug.org/public
	<Directory /var/www/webmail.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite webmail.sluug.org

Test Site

mkdir -p /home/web/test.sluug.org/public
chown -R www-data:www /home/web/test.sluug.org
chmod g+s /home/web/test.sluug.org

Edit /etc/apache2/sites-available/test.sluug.org:

<VirtualHost *>
	ServerName test.sluug.org
	ServerAlias drupal.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/test.sluug.org/public
	<Directory /home/web/test.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite test.sluug.org

Woodlandchows.com

The woodlandchows website was imported from the back ups of dark onto budlight.sluug.org. All actions were taken on budlight.

vi /etc/apache2/sites-available/woodlandchows.com
ln -s /etc/apache2/sites-available/woodlandchows.com /etc/apache2/sites-enabled/.

Edit /etc/apache2/sites-available/woodlandchhows.com:

<VirtualHost *>
         ServerName woodlandchows.com
         ServerAlias www.woodlandchows.com
         UseCanonicalName On
         ServerAdmin wehner@sluug.org
         DocumentRoot /home/myrna/public_html
         <Directory /home/myrna/public_html>
                AllowOverride All
                Options Indexes FollowSymLinks MultiViews
                Order allow,deny
                Allow from all
         </Directory>
         #ErrorLog logs/archrivals/error_log
         #CustomLog logs/archrivals/access_log common
</VirtualHost>
chmod 711 /home/myrna/
chmod 711 /home/myrna/public_html/
/etc/init.d/apache2 reload 

Craig's Blog Site

mkdir -p /home/booch/web/blog.craigbuchek.com
chown -R booch:www-data /home/booch/web/blog.craigbuchek.com
chmod g+s /home/booch/web/blog.craigbuchek.com

Edit /etc/apache2/sites-available/blog.craigbuchek.com:

<VirtualHost *>
	ServerName blog.craigbuchek.com
	ServerAlias blog.boochtek.com
	UseCanonicalName On
	DocumentRoot /home/booch/web/blog.craigbuchek.com
	<Directory /home/booch/web/blog.craigbuchek.com>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite blog.craigbuchek.com

Startup

Restart the HTTP server:

/etc/init.d/apache2 restart

To reload the configuration:

/etc/init.d/apache2 reload

Personal Pages

The members personal pages are hosted on budlight.sluug.org. The basic install of apache2 was run on budlight:

apt-get install apache2

Make the appropriate changes as noted in the rest of this document for installing PHP.

Next turn on UserDir by creating the appropriate links in /etc/apache2/mods-enabled

cd /etc/apache2/mods-enabled
ln -s ../mods-available/userdir.* .
/etc/init.d/apache2 reload

Notes

Migration

The main web site is on bud, but user web sites are on budlight, so we set up .htaccess in /home/web/www.sluug.org/public to redirect requests for home directory (`) pages to the budlight using the users.sluug.org name.

# Rewrite rules to point to home directories on budlight.
RewriteEngine on
RewriteRule ^~(.*)    http://users.sluug.org/~$1   [r=301,nc,l]
This is old information that is no longer used since we finally got off dark, but it is left here for a period of time until problems with the transition are completed.

We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up .htaccess in /home/web/www.sluug.org/public to redirect those pages to the old site.

# Rewrite rules to point home directories and form pages to Dark.
# NOTE: List archives are located at ~archives, so this rule covers them too.
RewriteRule ^(members/join.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(volunteer.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(resources/list_servs.*)$  http://users.sluug.org/$1   [r=302,nc,l]

TODO

Need to better use group permissions to allow different users the ability to edit different web sites. Especially need to add a group for the main web site.

Could probably use some tuning and routine maintenance.

Backups. (We currently rely on backups of /home.)

Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.

Application Defenses

Implement these defenses from http://www.0x000000.com/index.php?i=567&bin=1000110111:

# NC - Not Case sensitive, OR - previous rule OR following rul

# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
RewriteCond %{REQUEST_METHOD}  ^(TRACE|DELETE|TRACK) [NC,OR]

# Prevent CRLF injection.
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

# Prevent mangled referrers and cookies, intended to exploit log files and such.
RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Clean up URIs and make sure they're 9999 characters or less.
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

# Disallow some nasty user agents.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Disallow nasty query strings.
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
RewriteRule ^(.*)$ access_log.php

SSL

Turn on SSL.

Edit /usr/sbin/make-ssl-cert? James changed some things, but that was for Debian 3.1.

Create the certificate (this also from Debian 3.1):

make-ssl-cert /usr/share/massa-cert/ssleay.cnf apache.pem --force-overwrite

Did we configure an SSL Certificate when the Apache-SSL (actually a dependency) installation asked us?

  • It looks like we did, and entered:
    • State: Missouri
    • Locality: Saint Louis
    • Organization: Saint Louis UNIX Users Group, Inc.
    • Organizational Unit: Geeks
    • Host: budlight.sluug.org
    • Email: webmaster@sluug.org

Make sure SSL version works the same as the regular version.

Credits

Initially installed, configured, and documented by James Pattie, 2005-02-19.

Installed and configured by Craig Buchek, 2005-09-10.

Re-installed and configured by Craig Buchek, 2007-05-30.

 
build/apache.txt · Last modified: 2009/03/03 16:02 by 151.145.245.20
 
Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki