build:apache

Differences
build:apache [2008/02/01 13:49]
24.107.99.139 Enable userdir Apache module on Budlight. (CMB / cfit)
build:apache [2009/01/26 15:46]
151.145.245.20 Don't allow Indexes to be visible in web sites, as it leaks information that may be helpful to attackers. (CMB)
Line 2: Line 2:
  
 These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.
 +
  
 ===== Requirements ===== ===== Requirements =====
Line 10: Line 11:
   * [[http://​www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)   * [[http://​www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)
   * [[http://​wiki.sluug.org | wiki.sluug.org]] - this Wiki   * [[http://​wiki.sluug.org | wiki.sluug.org]] - this Wiki
-  * [[http://​stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (aka stllinux.org, ​linux, lug) +  * [[http://​stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (AKA linux, lug, stllinux.org
-  * [[http://​hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (aka hazlug, hzwlug, hazelwood, newbie) +  * [[http://​hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (AKA hazlug, hzwlug, hazelwood, newbie) 
-  * [[http://​stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (stcharles, saintcharles) +  * [[http://​stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (AKA stcharles, saintcharles) 
-  * [[http://​security.sluug.org | security.sluug.org]] - Security SIG (aka stlsug)+  * [[http://​security.sluug.org | security.sluug.org]] - Security SIG (AKA stlsug)
   * [[http://​solaris.sluug.org | solaris.sluug.org]] - Solaris SIG   * [[http://​solaris.sluug.org | solaris.sluug.org]] - Solaris SIG
   * [[http://​slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club   * [[http://​slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club
 +  * [[http://​snug.sluug.org | snug.sluug.org]] - St. Louis Novell Users Group
   * dev.sluug.org - development site   * dev.sluug.org - development site
   * test.sluug.org - test site   * test.sluug.org - test site
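Review bot: the stllug entry loses its closing parenthesis in the new revision: `St. Louis LUG (AKA linux, lug, stllinux.org` should end with `)` like every other line in this list. While touching it, the new snug.sluug.org entry lists no aliases even though its vhost further down carries four (novell, netware, www.stl-nui.org, stl-nui.org); adding `(AKA novell, netware, stl-nui.org)` keeps the Requirements list and the vhost definitions in step, which is what this list is for.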
Line 28: Line 30:
 apt-get install apache2-doc apt-get install apache2-doc
 </​code>​ </​code>​
 +
  
  
Line 45: Line 48:
 <code rootshell>​ <code rootshell>​
 apt-get install php5-mysql libmysqlclient15off mysql-common apt-get install php5-mysql libmysqlclient15off mysql-common
-apt-get install php5-curl+apt-get install php5-curl ​libcurl3
 </​code>​ </​code>​
  
Line 95: Line 98:
 sed -i -e '​s/​^ServerTokens .*/​ServerTokens Minor/'​ /​etc/​apache2/​apache2.conf sed -i -e '​s/​^ServerTokens .*/​ServerTokens Minor/'​ /​etc/​apache2/​apache2.conf
 </​code>​ </​code>​
 +
  
 ==== Main SLUUG Site ==== ==== Main SLUUG Site ====
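Review bot: `ServerTokens Minor` still sends `Apache/2.2` in the Server header, and the major/minor version is exactly what scanners key on, so this line does not achieve the revision's stated goal of not leaking information helpful to attackers. `ServerTokens Prod` is the minimal setting (header becomes just `Apache`) and it should be paired with `ServerSignature Off`, otherwise the full version string is still echoed at the bottom of every server-generated error page. Also, `sed -i 's/^ServerTokens .*/.../'` silently does nothing if the directive is not already present in `apache2.conf`, so verify after the reload with `curl -sI http://localhost/ | grep -i '^Server:'` rather than trusting the edit.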
Line 115: Line 119:
  <​Directory /​home/​web/​www.sluug.org/​public>​  <​Directory /​home/​web/​www.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews IncludesNoExec+ Options FollowSymLinks MultiViews IncludesNoExec
  DirectoryIndex index.shtml index.html  DirectoryIndex index.shtml index.html
  Order allow,deny  Order allow,deny
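Review bot: removing `Indexes` from `Options` is undone by the `AllowOverride All` immediately above it: any `.htaccess` in or below `/home/web/www.sluug.org/public` can write `Options +Indexes` and the listing is back, and the same override also permits `Options +Includes` (defeating `IncludesNoExec`) and `+ExecCGI`. If listings are meant to stay off, drop `Options` from the override set and grant only what the site uses, e.g. `AllowOverride FileInfo Indexes AuthConfig Limit` (`FileInfo` is what the mod_rewrite rules in the Migration section need, `Indexes` here covers `DirectoryIndex`, not the `Indexes` option). `Order allow,deny` / `Allow from all` is fine as written for a public site.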
Line 128: Line 132:
  
 <code rootshell>​ <code rootshell>​
-a2ensite www.sluug.org+a2ensite ​000-www.sluug.org
 </​code>​ </​code>​
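Review bot: `a2ensite 000-www.sluug.org` only works if the file in `sites-available` has been renamed to `000-www.sluug.org` as well, and that rename is not shown in this hunk; add the `mv` (or state that the file is created under the new name) so the steps can be replayed. The `000-` prefix is doing real work: with several `<VirtualHost *>` blocks, the first one loaded (files in `sites-enabled` are read in name order) is the default for any request whose Host header matches no `ServerName`/`ServerAlias`, which is how www.sluug.org becomes the "default site" named in Requirements, so the reason deserves a comment. Also run `a2dissite www.sluug.org` if the old symlink still exists, otherwise the same vhost is loaded twice under two names.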
  
Line 146: Line 150:
  <​Directory /​home/​web/​wiki.sluug.org>​  <​Directory /​home/​web/​wiki.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
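Review bot: this vhost's `DocumentRoot` is the wiki install itself (no `public/` subdirectory as on the other sites), so turning off `Indexes` only hides the listing; every file under `/home/web/wiki.sluug.org` is still fetchable by direct URL. If this is the DokuWiki instance that serves this page, its `data/` (page sources, attic revisions) and `conf/` (`local.php`, `users.auth.php` with password hashes) need an explicit deny, either via the `Deny from all` `.htaccess` files DokuWiki ships for those directories (the `AllowOverride All` here is what lets them take effect, so keep it or add `Limit` to a narrower set) or, more robustly, with `<Directory /home/web/wiki.sluug.org/data>` and `.../conf` blocks in this vhost carrying `Order allow,deny` and `Deny from all`.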
Line 180: Line 184:
  <​Directory /​home/​web/​stllug.sluug.org/​public>​  <​Directory /​home/​web/​stllug.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 212: Line 216:
  <​Directory /​home/​web/​hzwlug.sluug.org>​  <​Directory /​home/​web/​hzwlug.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
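Review bot: the directory here is `/home/web/hzwlug.sluug.org` while the Requirements list names the site `hzlug.sluug.org` (with `hzwlug` only as an alias); if the mismatch between `ServerName` and directory name is intentional, a one-line comment saying so will stop the next editor from "fixing" it, otherwise one of the two is a typo and the `mkdir`/`chown` steps for this site should be checked against it.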
Line 241: Line 245:
  <​Directory /​home/​web/​stclug.sluug.org>​  <​Directory /​home/​web/​stclug.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 270: Line 274:
  <​Directory /​home/​web/​security.sluug.org>​  <​Directory /​home/​web/​security.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 298: Line 302:
  <​Directory /​home/​web/​solaris.sluug.org>​  <​Directory /​home/​web/​solaris.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 308: Line 312:
 a2ensite solaris.sluug.org a2ensite solaris.sluug.org
 </​code>​ </​code>​
 +
 +
  
 ==== SLACC Site ==== ==== SLACC Site ====
Line 327: Line 333:
  <​Directory /​home/​web/​slacc.sluug.org>​  <​Directory /​home/​web/​slacc.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 336: Line 342:
 <code rootshell>​ <code rootshell>​
 a2ensite slacc.sluug.org a2ensite slacc.sluug.org
 +</​code>​
 +
 +==== SNUG Site ====
 +
 +<code rootshell>​
 +mkdir /​home/​web/​snug.sluug.org
 +chown -R www-data:​snug /​home/​web/​snug.sluug.org
 +chmod g+s /​home/​web/​snug.sluug.org
 +</​code>​
 +
 +Edit ''/​etc/​apache2/​sites-available/​snug.sluug.org'':​
 +<​file>​
 +<​VirtualHost *>
 + ServerName snug.sluug.org
 + ServerAlias novell.sluug.org
 + ServerAlias netware.sluug.org
 + ServerAlias www.stl-nui.org
 + ServerAlias stl-nui.org
 + UseCanonicalName On
 + DocumentRoot /​home/​web/​snug.sluug.org
 + <​Directory /​home/​web/​snug.sluug.org>​
 + AllowOverride All
 + Options FollowSymLinks MultiViews
 + Order allow,deny
 + Allow from all
 + </​Directory>​
 +</​VirtualHost>​
 +</​file>​
 +
 +<code rootshell>​
 +a2ensite snug.sluug.org
 +</​code>​
 +
 +
 +==== Webmail Site ====
 +
 +<code rootshell>​
 +mkdir /​var/​www/​webmail.sluug.org
 +chown -R www-data:​www-data /​var/​www/​webmail.sluug.org
 +chmod g+s /​var/​www/​webmail.sluug.org
 +</​code>​
 +
 +Edit ''/​etc/​apache2/​sites-available/​webmail.sluug.org'':​
 +<​file>​
 +<​VirtualHost *>
 + ServerName webmail.sluug.org
 + ServerAlias mail.sluug.org
 + UseCanonicalName On
 + DocumentRoot /​var/​www/​webmail.sluug.org/​public
 + <​Directory /​var/​www/​webmail.sluug.org/​public>​
 + AllowOverride All
 + Options FollowSymLinks MultiViews
 + Order allow,deny
 + Allow from all
 + </​Directory>​
 +</​VirtualHost>​
 +</​file>​
 +
 +<code rootshell>​
 +a2ensite webmail.sluug.org
 </​code>​ </​code>​
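Review bot: the Webmail vhost sets `DocumentRoot /var/www/webmail.sluug.org/public`, but the preceding `mkdir` creates only `/var/www/webmail.sluug.org`, so either use `mkdir -p /var/www/webmail.sluug.org/public` or drop `/public` from both the `DocumentRoot` and the `<Directory>` block. Two further points on the same hunk: (1) `webmail.sluug.org` is defined as a plain `<VirtualHost *>`, so mail logins travel in cleartext; the TODO at the end of the page says "Turn on SSL", and this vhost is the one that should not be enabled until that is done (or should redirect to the HTTPS vhost once it exists). (2) Both new docroots are `chown -R www-data`, which means any server-side code, including a compromised webmail script, can write into its own DocumentRoot (drop a shell, rewrite the login page). Prefer a separate owner with `www-data` having read access only, and give `www-data` write access just to the directories the application documents as writable; the `chmod g+s` on the SNUG directory is only useful if the `snug` group also gets `g+w`, which these lines don't set.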
  
Line 355: Line 421:
  <​Directory /​home/​web/​test.sluug.org/​public>​  <​Directory /​home/​web/​test.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 364: Line 430:
 <code rootshell>​ <code rootshell>​
 a2ensite test.sluug.org a2ensite test.sluug.org
 +</​code>​
 +
 +====Woodlandchows.com====
 +The woodlandchows website was imported from the back ups of dark onto budlight.sluug.org. All actions were taken on budlight.
 +<code rootshell>​
 +vi /​etc/​apache2/​sites-available/​woodlandchows.com
 +ln -s /​etc/​apache2/​sites-available/​woodlandchows.com /​etc/​apache2/​sites-enabled/​.
 +</​code>​
 +Edit ''/​etc/​apache2/​sites-available/​woodlandchhows.com'':​
 +<​file>​
 +<​VirtualHost *>
 +         ​ServerName woodlandchows.com
 +         ​ServerAlias www.woodlandchows.com
 +         ​UseCanonicalName On
 +         ​ServerAdmin wehner@sluug.org
 +         ​DocumentRoot /​home/​myrna/​public_html
 +         <​Directory /​home/​myrna/​public_html>​
 +                AllowOverride All
 +                Options Indexes FollowSymLinks MultiViews
 +                Order allow,deny
 +                Allow from all
 +         </​Directory>​
 +         #​ErrorLog logs/​archrivals/​error_log
 +         #​CustomLog logs/​archrivals/​access_log common
 +</​VirtualHost>​
 +</​file>​
 +<code rootshell>​
 +chmod 711 /​home/​myrna/​
 +chmod 711 /​home/​myrna/​public_html/​
 +/​etc/​init.d/​apache2 reload ​
 </​code>​ </​code>​
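Review bot: the "Edit" line names `woodlandchhows.com` (extra `h`), which does not match the file created by `vi` and linked by `ln -s` two lines earlier, and those two steps should be `a2ensite woodlandchows.com` like every other site on this page rather than a hand-made symlink into `sites-enabled`. This vhost also keeps `Options Indexes FollowSymLinks MultiViews` while the whole point of this revision is removing `Indexes` everywhere; drop it here too, or say why listings are wanted for this site. The commented `#ErrorLog logs/archrivals/error_log` / `#CustomLog` lines are leftovers copied from a different site on the old server (relative `logs/` path, different site name) and should go. Finally, `chmod 711 /home/myrna` is the minimum Apache needs to traverse into `public_html`, but it also lets every local user traverse the home directory, and with `AllowOverride All` the account owner controls `.htaccess` for this vhost; both are acceptable for a user site but worth a comment.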
  
Line 383: Line 479:
  <​Directory /​home/​booch/​web/​blog.craigbuchek.com>​  <​Directory /​home/​booch/​web/​blog.craigbuchek.com>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 426: Line 522:
  
 ==== Migration ==== ==== Migration ====
 +
 +The main web site is on bud, but user web sites are on budlight, so we set up ''​.htaccess''​ in <​nowiki>/​home/​web/​www.sluug.org/​public</​nowiki>​ to redirect ​ requests for home directory (`) pages to the budlight using the ''​users.sluug.org''​ name.
 +
 +<​file>​
 +# Rewrite rules to point to home directories on budlight.
 +RewriteEngine on
 +RewriteRule ^~(.*) ​   http://​users.sluug.org/​~$1 ​  ​[r=301,​nc,​l]
 +</​file>​
 +
 +== This is old information that is no longer used since we finally got off dark, but it is left here for a period of time until problems with the transition are completed. ==
  
 We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up ''​.htaccess''​ in <​nowiki>/​home/​web/​www.sluug.org/​public</​nowiki>​ to redirect those pages to the old site. We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up ''​.htaccess''​ in <​nowiki>/​home/​web/​www.sluug.org/​public</​nowiki>​ to redirect those pages to the old site.
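Review bot: in the new paragraph, "home directory (`) pages" shows a backtick where the tilde (`~`) that the rule actually matches on is meant, and "redirect  requests" has a doubled space. The rule itself depends on two things this hunk does not state: mod_rewrite must be loaded (`a2enmod rewrite`) and the `AllowOverride` for `/home/web/www.sluug.org/public` must include `FileInfo` (it is `All` above, so this works today, but the dependency should be written next to the rule). Note also that this copy uses `r=301`, which browsers cache permanently, whereas the rules kept in the "old information" block below all use `r=302`; make sure the switch to a permanent redirect is deliberate now that users.sluug.org is the final home. The `== This is old information ... ==` line is a level-5 heading used as a note; a plain paragraph (or DokuWiki bold) reads better, and "until problems with the transition are completed" should be "until the transition is complete".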
Line 431: Line 537:
 <​file>​ <​file>​
 # Rewrite rules to point home directories and form pages to Dark. # Rewrite rules to point home directories and form pages to Dark.
-RewriteEngine on 
 # NOTE: List archives are located at ~archives, so this rule covers them too. # NOTE: List archives are located at ~archives, so this rule covers them too.
-RewriteRule ^~(.*) ​   http://​users.sluug.org/​~$1 ​  ​[r=301,​nc,​l] 
 RewriteRule ^(members/​join.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l] RewriteRule ^(members/​join.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l]
 RewriteRule ^(volunteer.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l] RewriteRule ^(volunteer.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l]
 RewriteRule ^(resources/​list_servs.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l] RewriteRule ^(resources/​list_servs.*)$ ​ http://​users.sluug.org/​$1 ​  ​[r=302,​nc,​l]
 </​file>​ </​file>​
- 
  
 ===== TODO ===== ===== TODO =====
Line 449: Line 552:
  
 Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.
 +
 +==== Application Defenses ====
 +
 +Implement these defenses from [[http://​www.0x000000.com/​index.php?​i=567&​bin=1000110111]]:​
 +
 +<​file>​
 +# NC - Not Case sensitive, OR - previous rule OR following rul
 +
 +# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
 +RewriteCond %{REQUEST_METHOD} ​ ^(TRACE|DELETE|TRACK) [NC,OR]
 +
 +# Prevent CRLF injection.
 +RewriteCond %{THE_REQUEST} ​    ​^.*(\\r|\\n|%0A|%0D).* [NC,OR]
 +
 +# Prevent mangled referrers and cookies, intended to exploit log files and such.
 +RewriteCond %{HTTP_REFERER} ​   ^(.*)(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +RewriteCond %{HTTP_COOKIE} ​    ​^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +
 +# Clean up URIs and make sure they'​re 9999 characters or less.
 +RewriteCond %{REQUEST_URI} ​    ​^/​(,​|;​|:​|<​|>​|">​|"<​|/​|\\\.\.\\).{0,​9999}.* [NC,OR]
 +
 +# Disallow some nasty user agents.
 +RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +
 +# Disallow nasty query strings.
 +RewriteCond %{QUERY_STRING} ​   ^.*(;​|<​|>​|'​|"​|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/​\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*\.[A-Za-z0-9].* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC]
 +
 +# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
 +RewriteRule ^(.*)$ access_log.php
 +</​file>​
 +
  
 ==== SSL ==== ==== SSL ====
 +
 Turn on SSL. Turn on SSL.
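Review bot: the closing `RewriteRule ^(.*)$ access_log.php` turns every matched request into an internal rewrite to a PHP file that, per the FIXME, does not exist, so a blocked request yields a 404 (or runs whatever later lands at that name) instead of a refusal, and without `[L]` later rules still run; replace it with `RewriteRule .* - [F,L]` to return 403 outright. Several conditions in the block above it will block legitimate traffic: `%{QUERY_STRING} ^.*\.[A-Za-z0-9].*` rejects any query string containing a dot followed by a letter or digit (`?file=report.pdf`, `?ver=2.2`, any hostname or IP); `%{HTTP_USER_AGENT} ^$` rejects clients that send no User-Agent, which includes some monitoring and proxy tools; and the substring matches on `email`, `loader`, `extract`, `grab`, `scan` hit benign agents (anything containing "Downloader" contains "loader"). The URI condition's `.{0,9999}.*` enforces no length limit at all, since the trailing `.*` swallows any remainder; `LimitRequestLine` is the directive for that, and `TRACE` is better disabled with `TraceEnable off` (available in 2.2) than by rewrite. The hunk also does not say where the block lives (`apache2.conf`, a vhost, or `.htaccess`), and that changes how `^(.*)$` matches (leading slash present in server context, stripped in per-directory context), so state the location. Typos in the comments: "rul" for "rule", and "Allow DELETE is we've got" should read "if we've got". Treat the whole list as defence in depth for known-bad patterns, not as a substitute for fixing the scripts behind the forms; each pattern is a blocklist on one encoding of the input.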
  
build/apache.txt · Last modified: 2009/03/03 16:02 by 151.145.245.20