
Apache

These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.

Requirements

Apache doesn't need much itself. However, the configuration we plan to use does require several components. We're assuming that some of our web pages will require Perl, PHP, Python, MySQL, and possibly PostgreSQL.

We'd like to run several virtual hosts; each one is set up in its own section below.

Installation

Install Apache. We require the prefork MPM, due to some PHP libraries that are not thread-safe. The worker MPM would be preferable, if not for that.

apt-get install -y apache2 apache2.2-common apache2-utils apache2-mpm-prefork
apt-get install apache2-doc

PHP

Install PHP 5.x CLI:

apt-get install -y php5-cli php-pear php5-common

Install PHP 5.x Apache module:

apt-get install libapache2-mod-php5

Install some commonly used PHP libraries:

apt-get install php5-mysql libmysqlclient15off mysql-common
apt-get install php5-curl libcurl3

Modules

Enable some modules:

a2enmod rewrite
a2enmod ssl
a2enmod info
a2enmod include
a2enmod deflate
a2enmod userdir # Only on Budlight.

Configuration

mkdir /home/web
chown -R www-data:www-data /home/web
a2dissite default

Edit /etc/apache2/conf.d/index_files:

DirectoryIndex index.shtml index.html index.cgi index.pl index.php index.xhtml

NOTE: The DirectoryIndex directive seems to have stopped working for us, so we had to add it to /etc/apache2/sites-enabled/000-www.sluug.org as well.

Edit /etc/apache2/conf.d/logging:

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined

Edit /etc/apache2/conf.d/server_sig:

ServerSignature Off
ServerTokens Minor

Remove (or change to match) the ServerSignature and ServerTokens settings in the main Apache config file, since the values there override the ones in conf.d/server_sig. The sed commands below force them to the same values:

sed -i -e 's/^ServerSignature .*/ServerSignature Off/' /etc/apache2/apache2.conf
sed -i -e 's/^ServerTokens .*/ServerTokens Minor/' /etc/apache2/apache2.conf

Default Site

The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file. We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites. (Some attempts even had "proxy_test_referer" in the Referer field.)

Edit /etc/apache2/sites-available/000-default:

NameVirtualHost *
<VirtualHost *>
    # Minimize logging of this junk.
    #CustomLog /dev/null ""
    #ErrorLog /dev/null
    CustomLog /var/log/apache2/attack.log combined
    ErrorLog /var/log/apache2/attack_error.log
    LogLevel emerg

    # Don't allow access to anything, causing a 403 error message for any request.
    ErrorDocument 403 "Site does not exist on this server!"
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
a2ensite 000-default
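To see why the catch-all file is named 000-default, and which vhost an unknown Host header ends up hitting, here is an added example (not part of this page or of the Apache project) that resolves a Host header against constructed vhost snippets modelled on the site files on this page. It follows Apache's name-based matching rule: compare the Host header (port stripped) against ServerName and then each ServerAlias of every vhost in load order, and fall back to the first-loaded vhost when nothing matches. It assumes the alphabetical include order that Debian's `Include /etc/apache2/sites-enabled/` produces and Host headers without IPv6 literals.

```python
import re

# Constructed vhost snippets modelled on the sites-available files on this page.
# They stand in for reading /etc/apache2/sites-enabled/ and keep only what matters
# for host matching (ServerName / ServerAlias); the default site has neither.
SITES = {
    "000-default": """
<VirtualHost *>
    ErrorDocument 403 "Site does not exist on this server!"
    <Location />
        Order allow,deny
        Deny from all
    </Location>
</VirtualHost>
""",
    "blog.craigbuchek.com": """
<VirtualHost *>
    ServerName blog.craigbuchek.com
    ServerAlias blog.boochtek.com
</VirtualHost>
""",
    "webmail.sluug.org": """
<VirtualHost *>
    ServerName webmail.sluug.org
    ServerAlias mail.sluug.org
</VirtualHost>
""",
    "www.sluug.org": """
<VirtualHost *>
    ServerName www.sluug.org
    ServerAlias sluug.org
</VirtualHost>
""",
}

# Matches one ServerName or ServerAlias line; ServerAdmin etc. do not match.
NAME_DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$",
                            re.IGNORECASE | re.MULTILINE)


def server_names(config_text):
    """All hostnames a <VirtualHost> answers to (ServerName plus every ServerAlias), lower-cased."""
    names = []
    for _directive, value in NAME_DIRECTIVE.findall(config_text):
        names.extend(v.lower() for v in value.split())  # ServerAlias may list several names
    return names


def load_order(sites):
    """Debian's Include of sites-enabled/ reads the files alphabetically; that order decides the default."""
    return sorted(sites)


def catch_all(sites):
    """The vhost that serves any Host header no other vhost claims: the first one loaded."""
    return load_order(sites)[0]


def resolve_vhost(sites, host_header):
    """Which sites-enabled file answers a request, following Apache's name-based matching."""
    host = host_header.split(":", 1)[0].strip().lower()  # drop any :port (assumes no IPv6 literal)
    for name in load_order(sites):
        if host in server_names(sites[name]):
            return name
    return catch_all(sites)


if __name__ == "__main__":
    for hdr in ("www.sluug.org", "SLUUG.ORG:80", "mail.sluug.org", "unknown.example", ""):
        print(f"Host: {hdr!r:20s} -> {resolve_vhost(SITES, hdr)}")
    # Renaming 000-default to plain "default" would silently make blog.craigbuchek.com the catch-all.
    renamed = {("default" if k == "000-default" else k): v for k, v in SITES.items()}
    print("catch-all with 000- prefix:", catch_all(SITES))
    print("catch-all without prefix:  ", catch_all(renamed))
```

The last two lines of the demo are the practical check: any request whose Host header matches no ServerName or ServerAlias lands on whichever file sorts first, so the deny-all site must keep a name that sorts before every real site.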

Main SLUUG Site

mkdir -p /home/web/www.sluug.org/public /home/web/www.sluug.org/cgi-bin
chown -R www-data:www /home/web/www.sluug.org
chmod g+s /home/web/www.sluug.org

Edit /etc/apache2/sites-available/www.sluug.org:

<VirtualHost *>
	ServerName www.sluug.org
	ServerAlias sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/www.sluug.org/public
	ScriptAlias /cgi-bin/ "/home/web/www.sluug.org/cgi-bin/"
	<Directory /home/web/www.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews IncludesNoExec
		DirectoryIndex index.shtml index.html
		Order allow,deny
		Allow from all
	</Directory>
	<Directory "/home/web/www.sluug.org/cgi-bin">
		AllowOverride None
		Options ExecCGI
	</Directory>
</VirtualHost>
a2ensite www.sluug.org

Wiki Site

mkdir /home/web/wiki.sluug.org
chown -R www-data:www /home/web/wiki.sluug.org

Edit /etc/apache2/sites-available/wiki.sluug.org:

<VirtualHost *>
	ServerName wiki.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/wiki.sluug.org
	<Directory /home/web/wiki.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite wiki.sluug.org

Saint Louis LUG Site

mkdir /home/web/stllug.sluug.org /home/web/stllug.sluug.org/public
chown -R www-data:stllug /home/web/stllug.sluug.org
chmod g+s /home/web/stllug.sluug.org

Edit /etc/apache2/sites-available/stllug.sluug.org:

<VirtualHost *>
	ServerName stllug.sluug.org
	ServerAlias stllinux.sluug.org
	ServerAlias linux.sluug.org
	ServerAlias lug.sluug.org
	ServerAlias stl.sluug.org
	ServerAlias stllinux.org
	ServerAlias www.stllinux.org
	UseCanonicalName On
	DocumentRoot /home/web/stllug.sluug.org/public
	<Directory /home/web/stllug.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite stllug.sluug.org

Hazelwood LUG Site

mkdir /home/web/hzwlug.sluug.org
chown -R www-data:hazelwood /home/web/hzwlug.sluug.org
chmod g+s /home/web/hzwlug.sluug.org

Edit /etc/apache2/sites-available/hzwlug.sluug.org:

<VirtualHost *>
	ServerName hazlug.sluug.org
	ServerAlias hzlug.sluug.org
	ServerAlias hzwlug.sluug.org
	ServerAlias hazelwood.sluug.org
	ServerAlias newbie.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/hzwlug.sluug.org
	<Directory /home/web/hzwlug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite hzwlug.sluug.org

Saint Charles LUG Site

mkdir /home/web/stclug.sluug.org
chown -R www-data:stclug /home/web/stclug.sluug.org
chmod g+s /home/web/stclug.sluug.org

Edit /etc/apache2/sites-available/stclug.sluug.org:

<VirtualHost *>
	ServerName stclug.sluug.org
	ServerAlias stcharles.sluug.org
	ServerAlias saintcharles.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/stclug.sluug.org
	<Directory /home/web/stclug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite stclug.sluug.org

Security Users Group Site

mkdir /home/web/security.sluug.org
chown -R www-data:security /home/web/security.sluug.org
chmod g+s /home/web/security.sluug.org

Edit /etc/apache2/sites-available/security.sluug.org:

<VirtualHost *>
	ServerName security.sluug.org
	ServerAlias secure.sluug.org
	ServerAlias sec.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/security.sluug.org
	<Directory /home/web/security.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite security.sluug.org

Solaris Users Group Site

mkdir /home/web/solaris.sluug.org
chown -R www-data:solaris /home/web/solaris.sluug.org
chmod g+s /home/web/solaris.sluug.org

Edit /etc/apache2/sites-available/solaris.sluug.org:

<VirtualHost *>
	ServerName solaris.sluug.org
	ServerAlias sun.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/solaris.sluug.org
	<Directory /home/web/solaris.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite solaris.sluug.org

SLACC Site

mkdir /home/web/slacc.sluug.org
chown -R www-data:slacc /home/web/slacc.sluug.org
chmod g+s /home/web/slacc.sluug.org

Edit /etc/apache2/sites-available/slacc.sluug.org:

<VirtualHost *>
	ServerName slacc.sluug.org
	ServerAlias www.slacc.com
	ServerAlias slacc.com
	UseCanonicalName On
	DocumentRoot /home/web/slacc.sluug.org
	<Directory /home/web/slacc.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite slacc.sluug.org

SNUG Site

mkdir /home/web/snug.sluug.org
chown -R www-data:snug /home/web/snug.sluug.org
chmod g+s /home/web/snug.sluug.org

Edit /etc/apache2/sites-available/snug.sluug.org:

<VirtualHost *>
	ServerName snug.sluug.org
	ServerAlias novell.sluug.org
	ServerAlias netware.sluug.org
	ServerAlias www.stl-nui.org
	ServerAlias stl-nui.org
	UseCanonicalName On
	DocumentRoot /home/web/snug.sluug.org
	<Directory /home/web/snug.sluug.org>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite snug.sluug.org

Webmail Site

mkdir /var/www/webmail.sluug.org
chown -R www-data:www-data /var/www/webmail.sluug.org
chmod g+s /var/www/webmail.sluug.org

Edit /etc/apache2/sites-available/webmail.sluug.org:

<VirtualHost *>
	ServerName webmail.sluug.org
	ServerAlias mail.sluug.org
	UseCanonicalName On
	DocumentRoot /var/www/webmail.sluug.org/public
	<Directory /var/www/webmail.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite webmail.sluug.org

Test Site

mkdir -p /home/web/test.sluug.org/public
chown -R www-data:www /home/web/test.sluug.org
chmod g+s /home/web/test.sluug.org

Edit /etc/apache2/sites-available/test.sluug.org:

<VirtualHost *>
	ServerName test.sluug.org
	ServerAlias drupal.sluug.org
	UseCanonicalName On
	DocumentRoot /home/web/test.sluug.org/public
	<Directory /home/web/test.sluug.org/public>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite test.sluug.org

Woodlandchows.com

The woodlandchows website was imported from the backups of dark onto budlight.sluug.org. All actions were taken on budlight.

vi /etc/apache2/sites-available/woodlandchows.com
ln -s /etc/apache2/sites-available/woodlandchows.com /etc/apache2/sites-enabled/.

Edit /etc/apache2/sites-available/woodlandchows.com:

<VirtualHost *>
         ServerName woodlandchows.com
         ServerAlias www.woodlandchows.com
         UseCanonicalName On
         ServerAdmin wehner@sluug.org
         DocumentRoot /home/myrna/public_html
         <Directory /home/myrna/public_html>
                AllowOverride All
                Options Indexes FollowSymLinks MultiViews
                Order allow,deny
                Allow from all
         </Directory>
         #ErrorLog logs/archrivals/error_log
         #CustomLog logs/archrivals/access_log common
</VirtualHost>
chmod 711 /home/myrna/
chmod 711 /home/myrna/public_html/
/etc/init.d/apache2 reload

Craig's Blog Site

mkdir -p /home/booch/web/blog.craigbuchek.com
chown -R booch:www-data /home/booch/web/blog.craigbuchek.com
chmod g+s /home/booch/web/blog.craigbuchek.com

Edit /etc/apache2/sites-available/blog.craigbuchek.com:

<VirtualHost *>
	ServerName blog.craigbuchek.com
	ServerAlias blog.boochtek.com
	UseCanonicalName On
	DocumentRoot /home/booch/web/blog.craigbuchek.com
	<Directory /home/booch/web/blog.craigbuchek.com>
		AllowOverride All
		Options FollowSymLinks MultiViews
		Order allow,deny
		Allow from all
	</Directory>
</VirtualHost>
a2ensite blog.craigbuchek.com

Startup

Restart the HTTP server:

/etc/init.d/apache2 restart

To reload the configuration:

/etc/init.d/apache2 reload

Personal Pages

The members' personal pages are hosted on budlight.sluug.org. The basic install of apache2 was run on budlight:

apt-get install apache2

Make the appropriate changes as noted in the rest of this document for installing PHP.

Next, turn on UserDir by creating the appropriate links in /etc/apache2/mods-enabled:

cd /etc/apache2/mods-enabled
ln -s ../mods-available/userdir.* .
/etc/init.d/apache2 reload

Notes

Migration

The main web site is on bud, but user web sites are on budlight, so we set up .htaccess in /home/web/www.sluug.org/public to redirect requests for home directory (~) pages to budlight using the users.sluug.org name.

# Rewrite rules to point to home directories on budlight.
RewriteEngine on
RewriteRule ^~(.*)    http://users.sluug.org/~$1   [r=301,nc,l]

The following is old information that is no longer used, since we finally got off dark, but it is left here for a while until the transition problems are resolved.

We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up .htaccess in /home/web/www.sluug.org/public to redirect those pages to the old site.

# Rewrite rules to point home directories and form pages to Dark.
# NOTE: List archives are located at ~archives, so this rule covers them too.
RewriteRule ^(members/join.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(volunteer.*)$  http://users.sluug.org/$1   [r=302,nc,l]
RewriteRule ^(resources/list_servs.*)$  http://users.sluug.org/$1   [r=302,nc,l]

TODO

Need to better use group permissions to allow different users the ability to edit different web sites. Especially need to add a group for the main web site.

Could probably use some tuning and routine maintenance.

Backups. (We currently rely on backups of /home.)

Should monitor and analyze the log files to see whether any pages are missing that we should add, or whether there are any errors.

Application Defenses

Implement these defenses from http://www.0x000000.com/index.php?i=567&bin=1000110111:

# NC - not case sensitive; OR - this condition OR the following one

# Disallow these HTTP methods. NOTE: Allow DELETE if we've got a Web API or WebDAV.
RewriteCond %{REQUEST_METHOD}  ^(TRACE|DELETE|TRACK) [NC,OR]

# Prevent CRLF injection.
RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]

# Prevent mangled referrers and cookies, intended to exploit log files and such.
RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Clean up URIs and make sure they're 9999 characters or less.
RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]

# Disallow some nasty user agents.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]

# Disallow nasty query strings.
RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]

# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
RewriteRule ^(.*)$ access_log.php
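Before dropping a blocklist like this into a live .htaccess it is worth running the conditions over ordinary traffic as well as the junk they are meant to catch, because several of the patterns are broader than their comments suggest. The following is an added example (not from this page, nor from the 0x000000 article it cites) that transcribes the RewriteCond chain above into Python and evaluates it against constructed sample requests. It assumes Python's re handles these patterns the same way Apache's PCRE does and does not model Apache's config-file quoting of `"` and `\`; the request fields, the sample requests and the browser user-agent string are all constructed.

```python
import re

# The RewriteCond chain from the page, transcribed as (server variable, pattern, flags).
# The conditions are OR'ed; [NC] becomes re.IGNORECASE.  Patterns are kept as written
# on the page (assumption: Python's re and Apache's PCRE agree on these constructs).
CONDITIONS = [
    ("REQUEST_METHOD",  r"^(TRACE|DELETE|TRACK)", re.IGNORECASE),
    ("THE_REQUEST",     r"^.*(\\r|\\n|%0A|%0D).*", re.IGNORECASE),
    ("HTTP_REFERER",    r"^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.IGNORECASE),
    ("HTTP_COOKIE",     r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.IGNORECASE),
    ("REQUEST_URI",     r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.*', re.IGNORECASE),
    ("HTTP_USER_AGENT", r"^$", 0),
    ("HTTP_USER_AGENT", r"^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).*", re.IGNORECASE),
    ("HTTP_USER_AGENT", r"^.*(nikto|scan).*", re.IGNORECASE),
    ("HTTP_USER_AGENT", r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.IGNORECASE),
    ("QUERY_STRING",    r"""^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).*""", re.IGNORECASE),
    ("QUERY_STRING",    r"^.*(localhost|loopback|127\.0\.0\.1).*", re.IGNORECASE),
    ("QUERY_STRING",    r"^.*\.[A-Za-z0-9].*", re.IGNORECASE),
    ("QUERY_STRING",    r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.IGNORECASE),
]
COMPILED = [(var, re.compile(pat, flags)) for var, pat, flags in CONDITIONS]


def blocked_by(method, uri, query="", referer="", cookie="", user_agent=""):
    """Index into CONDITIONS of the first condition that fires, or None if the request passes."""
    # THE_REQUEST is the raw request line Apache saw, rebuilt from the constructed fields.
    request_line = f"{method} {uri}{'?' + query if query else ''} HTTP/1.1"
    env = {
        "REQUEST_METHOD": method,
        "THE_REQUEST": request_line,
        "HTTP_REFERER": referer,
        "HTTP_COOKIE": cookie,
        "REQUEST_URI": uri,
        "HTTP_USER_AGENT": user_agent,
        "QUERY_STRING": query,
    }
    for idx, (var, regex) in enumerate(COMPILED):
        if regex.search(env[var]):
            return idx
    return None


# Constructed sample requests: the first three are ordinary traffic, the rest are the
# kinds of junk the rules are meant to catch.  UA is a constructed browser string.
UA = "Mozilla/5.0 (X11; Linux)"
SAMPLES = [
    ("ordinary page",       dict(method="GET", uri="/index.html", referer="http://www.sluug.org/", user_agent=UA)),
    ("ordinary download",   dict(method="GET", uri="/download", query="file=report.pdf", user_agent=UA)),
    ("ordinary search",     dict(method="GET", uri="/search.php", query="q=apache+2.2", user_agent=UA)),
    ("TRACE method",        dict(method="TRACE", uri="/", user_agent=UA)),
    ("empty user agent",    dict(method="GET", uri="/", user_agent="")),
    ("scanner user agent",  dict(method="GET", uri="/", user_agent="Nikto/2.1.5")),
    ("quote + SQL keyword", dict(method="GET", uri="/item.php", query="id=1' union select 1,2", user_agent=UA)),
    ("markup in cookie",    dict(method="GET", uri="/", cookie="session=<script>", user_agent=UA)),
]


def report():
    """Map each sample's label to the index of the condition that blocked it (None = passed)."""
    return {label: blocked_by(**fields) for label, fields in SAMPLES}


if __name__ == "__main__":
    for label, idx in report().items():
        verdict = "passes" if idx is None else f"blocked by {CONDITIONS[idx][0]} condition #{idx}"
        print(f"{label:20s} {verdict}")
```

Running it shows the junk requests stopped where expected, but also that the two ordinary requests with a query string are blocked by condition #11 (`^.*\.[A-Za-z0-9].*`), which rejects any query string containing a dot followed by a letter or digit, so `file=report.pdf` and `q=apache+2.2` never reach the application. That condition needs narrowing (or removing) before the chain is enabled on a site that takes such parameters.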

SSL

Turn on SSL.

Edit /usr/sbin/make-ssl-cert? James changed some things, but that was for Debian 3.1.

Create the certificate (this also from Debian 3.1):

make-ssl-cert /usr/share/massa-cert/ssleay.cnf apache.pem --force-overwrite

Did we configure an SSL Certificate when the Apache-SSL (actually a dependency) installation asked us?

  • It looks like we did, and entered:
    • State: Missouri
    • Locality: Saint Louis
    • Organization: Saint Louis UNIX Users Group, Inc.
    • Organizational Unit: Geeks
    • Host: budlight.sluug.org
    • Email: webmaster@sluug.org

Make sure SSL version works the same as the regular version.

Credits

Initially installed, configured, and documented by James Pattie, 2005-02-19.

Installed and configured by Craig Buchek, 2005-09-10.

Re-installed and configured by Craig Buchek, 2007-05-30.

build/apache.txt · Last modified: 2009/03/03 16:02 by 151.145.245.20