====== Apache ======

These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.


===== Requirements =====

Apache doesn't need much itself. However, the configuration we plan to use does require several components. We're assuming that some of our web pages will require Perl, PHP, Python, MySQL, and possibly PostgreSQL.

We'd like to run several virtual hosts:
  * [[http://www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)
  * [[http://wiki.sluug.org | wiki.sluug.org]] - this Wiki
  * [[http://stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (AKA linux, lug, stllinux.org)
  * [[http://hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (AKA hazlug, hzwlug, hazelwood, newbie)
  * [[http://stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (AKA stcharles, saintcharles)
  * [[http://security.sluug.org | security.sluug.org]] - Security SIG (AKA stlsug)
  * [[http://solaris.sluug.org | solaris.sluug.org]] - Solaris SIG
  * [[http://slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club
  * [[http://snug.sluug.org | snug.sluug.org]] - St. Louis Novell Users Group
  * dev.sluug.org - development site
  * test.sluug.org - test site
  * users.sluug.org - user's pages
  * webmail.sluug.org - webmail (requires its own real IP for SSL certificate)

===== Installation =====

Install Apache. We require the prefork MPM, due to some PHP libraries that are not thread-safe. The worker MPM would be preferable, if not for that.
<code rootshell>
apt-get install -y apache2 apache2.2-common apache2-utils apache2-mpm-prefork
apt-get install apache2-doc
</code>



===== PHP =====

Install PHP 5.x CLI:
<code rootshell>
apt-get install -y php5-cli php-pear php5-common
</code>

Install PHP 5.x Apache module:
<code rootshell>
apt-get install libapache2-mod-php5
</code>

Install some commonly used PHP libraries:
<code rootshell>
apt-get install php5-mysql libmysqlclient15off mysql-common
apt-get install php5-curl libcurl3
</code>



===== Modules =====

Enable some modules:
<code rootshell>
a2enmod rewrite
a2enmod ssl
a2enmod info
a2enmod include
a2enmod deflate
a2enmod userdir # Only on Budlight.
</code>

===== Configuration =====

<code rootshell>
mkdir /home/web
chown -R www-data:www-data /home/web
a2dissite default
</code>

Edit ''/etc/apache2/conf.d/index_files'':
<file>
DirectoryIndex index.shtml index.html index.cgi index.pl index.php index.xhtml
</file>

NOTE: The ''DirectoryIndex'' directive seems to have stopped working for us, so we had to add it to ''<nowiki>/etc/apache2/sites-enabled/000-www.sluug.org</nowiki>'' as well.

Edit ''/etc/apache2/conf.d/logging'':
<file>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
</file>

Edit ''/etc/apache2/conf.d/server_sig'':
<file>
ServerSignature Off
ServerTokens Minor
</file>

Remove the ''ServerSignature'' and ''ServerTokens'' settings from the main Apache config file, as it overrides the settings in the ''conf.d/server_sig'' file.
<code rootshell>
sed -i -e 's/^ServerSignature .*/ServerSignature Off/' /etc/apache2/apache2.conf
sed -i -e 's/^ServerTokens .*/ServerTokens Minor/' /etc/apache2/apache2.conf
</code>


==== Default Site ====

The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file.
We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites.
(Some attempts even had "proxy_test_referer" in the Referer field.)

Edit ''/etc/apache2/sites-available/000-default'':
<file>
NameVirtualHost *
<VirtualHost *>
    # Minimize logging of this junk.
    #CustomLog /dev/null ""
    #ErrorLog /dev/null
    CustomLog /var/log/apache2/attack.log combined
    ErrorLog /var/log/apache2/attack_error.log
    LogLevel emerg

    # Don't allow access to anything, causing a 403 error message for any request.
    ErrorDocument 403 "Site does not exist on this server!"
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
</file>

<code rootshell>
a2ensite 000-default
</code>

==== Main SLUUG Site ====

<code rootshell>
mkdir -p /home/web/www.sluug.org/public /home/web/www.sluug.org/cgi-bin
chown -R www-data:www /home/web/www.sluug.org
chmod g+s /home/web/www.sluug.org
</code>

Edit ''<nowiki>/etc/apache2/sites-available/www.sluug.org</nowiki>'':
<file>
<VirtualHost *>
	ServerName www.sluug.org
	ServerAlias sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/www.sluug.org/public
	ScriptAlias /cgi-bin/ "/home/web/www.sluug.org/cgi-bin/"
	<Directory /home/web/www.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews IncludesNoExec
		DirectoryIndex index.shtml index.html
		Order allow,deny
		Allow from all
	</Directory>
	<Directory "/home/web/www.sluug.org/cgi-bin">
		AllowOverride None
		Options ExecCGI
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite www.sluug.org
</code>

==== Wiki Site ====

<code rootshell>
mkdir /home/web/wiki.sluug.org
chown -R www-data:www /home/web/wiki.sluug.org
</code>

Edit ''/etc/apache2/sites-available/wiki.sluug.org'':
<file>
<VirtualHost *>
	ServerName wiki.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/wiki.sluug.org
	<Directory /home/web/wiki.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite wiki.sluug.org
</code>


==== Saint Louis LUG Site ====

<code rootshell>
mkdir /home/web/stllug.sluug.org /home/web/stllug.sluug.org/public
chown -R www-data:stllug /home/web/stllug.sluug.org
chmod g+s /home/web/stllug.sluug.org
</code>

Edit ''/etc/apache2/sites-available/stllug.sluug.org'':
<file>
<VirtualHost *>
	ServerName stllug.sluug.org
	ServerAlias stllinux.sluug.org
	ServerAlias linux.sluug.org
	ServerAlias lug.sluug.org
	ServerAlias stl.sluug.org
	ServerAlias stllinux.org
	ServerAlias www.stllinux.org
	UseCanonicalName On
	DocumentRoot /home/web/stllug.sluug.org/public
	<Directory /home/web/stllug.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite stllug.sluug.org
</code>

==== Hazelwood LUG Site ====

<code rootshell>
mkdir /home/web/hzwlug.sluug.org
chown -R www-data:hazelwood /home/web/hzwlug.sluug.org
chmod g+s /home/web/hzwlug.sluug.org
</code>

Edit ''/etc/apache2/sites-available/hzwlug.sluug.org'':

<file>
<VirtualHost *>
	ServerName hazlug.sluug.org
	ServerAlias hzlug.sluug.org
	ServerAlias hzwlug.sluug.org
	ServerAlias hazelwood.sluug.org
	ServerAlias newbie.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/hzwlug.sluug.org
	<Directory /home/web/hzwlug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite hzwlug.sluug.org
</code>

==== Saint Charles LUG Site ====

<code rootshell>
mkdir /home/web/stclug.sluug.org
chown -R www-data:stclug /home/web/stclug.sluug.org
chmod g+s /home/web/stclug.sluug.org
</code>

Edit ''/etc/apache2/sites-available/stclug.sluug.org'':
<file>
<VirtualHost *>
	ServerName stclug.sluug.org
	ServerAlias stcharles.sluug.org
	ServerAlias saintcharles.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/stclug.sluug.org
	<Directory /home/web/stclug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite stclug.sluug.org
</code>

==== Security Users Group Site ====

<code rootshell>
mkdir /home/web/security.sluug.org
chown -R www-data:security /home/web/security.sluug.org
chmod g+s /home/web/security.sluug.org
</code>

Edit ''/etc/apache2/sites-available/security.sluug.org'':
<file>
<VirtualHost *>
	ServerName security.sluug.org
	ServerAlias secure.sluug.org
	ServerAlias sec.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/security.sluug.org
	<Directory /home/web/security.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite security.sluug.org
</code>

==== Solaris Users Group Site ====

<code rootshell>
mkdir /home/web/solaris.sluug.org
chown -R www-data:solaris /home/web/solaris.sluug.org
chmod g+s /home/web/solaris.sluug.org
</code>

Edit ''/etc/apache2/sites-available/solaris.sluug.org'':
<file>
<VirtualHost *>
	ServerName solaris.sluug.org
	ServerAlias sun.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/solaris.sluug.org
	<Directory /home/web/solaris.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite solaris.sluug.org
</code>



==== SLACC Site ====

<code rootshell>
mkdir /home/web/slacc.sluug.org
chown -R www-data:slacc /home/web/slacc.sluug.org
chmod g+s /home/web/slacc.sluug.org
</code>

Edit ''/etc/apache2/sites-available/slacc.sluug.org'':
<file>
<VirtualHost *>
	ServerName slacc.sluug.org
	ServerAlias www.slacc.com
	ServerAlias slacc.com
	UseCanonicalName On
	DocumentRoot /home/web/slacc.sluug.org
	<Directory /home/web/slacc.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite slacc.sluug.org
</code>

==== SNUG Site ====

<code rootshell>
mkdir /home/web/snug.sluug.org
chown -R www-data:snug /home/web/snug.sluug.org
chmod g+s /home/web/snug.sluug.org
</code>

Edit ''/etc/apache2/sites-available/snug.sluug.org'':
<file>
<VirtualHost *>
	ServerName snug.sluug.org
	ServerAlias novell.sluug.org
	ServerAlias netware.sluug.org
	ServerAlias www.stl-nui.org
	ServerAlias stl-nui.org
	UseCanonicalName On
	DocumentRoot /home/web/snug.sluug.org
	<Directory /home/web/snug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite snug.sluug.org
</code>


==== Webmail Site ====

<code rootshell>
mkdir /var/www/webmail.sluug.org
chown -R www-data:www-data /var/www/webmail.sluug.org
chmod g+s /var/www/webmail.sluug.org
</code>

Edit ''/etc/apache2/sites-available/webmail.sluug.org'':
<file>
<VirtualHost *>
	ServerName webmail.sluug.org
	ServerAlias mail.sluug.org
	UseCanonicalName On
	DocumentRoot /var/www/webmail.sluug.org/public
	<Directory /var/www/webmail.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite webmail.sluug.org
</code>

==== Test Site ====

<code rootshell>
mkdir -p /home/web/test.sluug.org/public
chown -R www-data:www /home/web/test.sluug.org
chmod g+s /home/web/test.sluug.org
</code>

Edit ''/etc/apache2/sites-available/test.sluug.org'':
<file>
<VirtualHost *>
	ServerName test.sluug.org
	ServerAlias drupal.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/test.sluug.org/public
	<Directory /home/web/test.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite test.sluug.org
</code>

====Woodlandchows.com====
The woodlandchows website was imported from the back ups of dark onto budlight.sluug.org. All actions were taken on budlight.
<code rootshell>
vi /etc/apache2/sites-available/woodlandchows.com
ln -s /etc/apache2/sites-available/woodlandchows.com /etc/apache2/sites-enabled/.
</code>
Edit ''/etc/apache2/sites-available/woodlandchhows.com'':
<file>
<VirtualHost *>
         ServerName woodlandchows.com
         ServerAlias www.woodlandchows.com
         UseCanonicalName On
         ServerAdmin wehner@sluug.org
         DocumentRoot /home/myrna/public_html
         <Directory /home/myrna/public_html>
                AllowOverride All
                Options Indexes FollowSymLinks MultiViews
                Order allow,deny
                Allow from all
         </Directory>
         #ErrorLog logs/archrivals/error_log
         #CustomLog logs/archrivals/access_log common
</VirtualHost>
</file>
<code rootshell>
chmod 711 /home/myrna/
chmod 711 /home/myrna/public_html/
/etc/init.d/apache2 reload 
</code>

==== Craig's Blog Site ====

<code rootshell>
mkdir -p /home/booch/web/blog.craigbuchek.com
chown -R booch:www-data /home/booch/web/blog.craigbuchek.com
chmod g+s /home/booch/web/blog.craigbuchek.com
</code>

Edit ''/etc/apache2/sites-available/blog.craigbuchek.com'':
<file>
<VirtualHost *>
	ServerName blog.craigbuchek.com
	ServerAlias blog.boochtek.com
	UseCanonicalName On
	DocumentRoot /home/booch/web/blog.craigbuchek.com
	<Directory /home/booch/web/blog.craigbuchek.com>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
</file>

<code rootshell>
a2ensite blog.craigbuchek.com
</code>


===== Startup =====

Restart the HTTP server:
<code rootshell>
/etc/init.d/apache2 restart
</code>

To reload the configuration:
<code rootshell>
/etc/init.d/apache2 reload
</code>


===== Personal Pages =====
The members personal pages are hosted on budlight.sluug.org. The basic install of apache2 was run on budlight:
<code>
apt-get install apache2
</code>

Make the appropriate changes as noted in the rest of this document for installing PHP.

Next turn on UserDir by creating the appropriate links in **/etc/apache2/mods-enabled**
<code>
cd /etc/apache2/mods-enabled
ln -s ../mods-available/userdir.* .
/etc/init.d/apache2 reload
</code>

===== Notes =====

==== Migration ====

The main web site is on bud, but user web sites are on budlight, so we set up ''.htaccess'' in <nowiki>/home/web/www.sluug.org/public</nowiki> to redirect  requests for home directory (`) pages to the budlight using the ''users.sluug.org'' name.

<file>
# Rewrite rules to point to home directories on budlight.
RewriteEngine on
RewriteRule ^~(.*)    http://users.sluug.org/~$1   [r=301,nc,l]
</file>

== This is old information that is no longer used since we finally got off dark, but it is left here for a period of time until problems with the transition are completed. ==

We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up ''.htaccess'' in <nowiki>/home/web/www.sluug.org/public</nowiki> to redirect those pages to the old site.

<file>
# Rewrite rules to point home directories and form pages to Dark.
# NOTE: List archives are located at ~archives, so this rule covers them too.
RewriteRule ^(members/join.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(volunteer.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(resources/list_servs.*)$  http://users.sluug.org/$1   [r=302,nc,l]
</file>

===== TODO =====

Need to better use group permissions to allow different users the ability to edit different web sites. Especially need to add a group for the main web site.

Could probably use some tuning and routine maintenance.

Backups. (We currently rely on backups of /home.)

Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.

==== Application Defenses ====

Implement these defenses from [[http://www.0x000000.com/index.php?i=567&bin=1000110111]]:

<file>
# NC - Not Case sensitive, OR - previous rule OR following rul

# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
RewriteCond %{REQUEST_METHOD}  ^(TRACE|DELETE|TRACK) [NC,OR]

# Prevent CRLF injection.
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

# Prevent mangled referrers and cookies, intended to exploit log files and such.
RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Clean up URIs and make sure they're 9999 characters or less.
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

# Disallow some nasty user agents.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Disallow nasty query strings.
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
RewriteRule ^(.*)$ access_log.php
</file>


==== SSL ====

Turn on SSL.

Edit /usr/sbin/make-ssl-cert? James changed some things, but that was for Debian 3.1.

Create the certificate (this also from Debian 3.1):
<code rootshell>
make-ssl-cert /usr/share/massa-cert/ssleay.cnf apache.pem --force-overwrite
</code>

Did we configure an SSL Certificate when the Apache-SSL (actually a dependency) 
installation asked us?
  * It looks like we did, and entered:
    * State: Missouri
    * Locality: Saint Louis
    * Organization: Saint Louis UNIX Users Group, Inc.
    * Organizational Unit: Geeks
    * Host: budlight.sluug.org
    * Email: webmaster@sluug.org

Make sure SSL version works the same as the regular version.

===== Credits =====

Initially installed, configured, and documented by James Pattie, 2005-02-19.

Installed and configured by Craig Buchek, 2005-09-10.

Re-installed and configured by Craig Buchek, 2007-05-30.