This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
build:apache [2008/04/20 23:03] 4.245.78.244 |
build:apache [2009/03/03 16:02] 151.145.245.20 Add separate default site. (CMB) |
||
---|---|---|---|
Line 2: | Line 2: | ||
These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. | These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. | ||
+ | |||
===== Requirements ===== | ===== Requirements ===== | ||
Line 10: | Line 11: | ||
* [[http://www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org) | * [[http://www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org) | ||
* [[http://wiki.sluug.org | wiki.sluug.org]] - this Wiki | * [[http://wiki.sluug.org | wiki.sluug.org]] - this Wiki | ||
- | * [[http://stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (aka stllinux.org, linux, lug) | + | * [[http://stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (AKA linux, lug, stllinux.org) |
- | * [[http://hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (aka hazlug, hzwlug, hazelwood, newbie) | + | * [[http://hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (AKA hazlug, hzwlug, hazelwood, newbie) |
- | * [[http://stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (stcharles, saintcharles) | + | * [[http://stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (AKA stcharles, saintcharles) |
- | * [[http://security.sluug.org | security.sluug.org]] - Security SIG (aka stlsug) | + | * [[http://security.sluug.org | security.sluug.org]] - Security SIG (AKA stlsug) |
* [[http://solaris.sluug.org | solaris.sluug.org]] - Solaris SIG | * [[http://solaris.sluug.org | solaris.sluug.org]] - Solaris SIG | ||
* [[http://slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club | * [[http://slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club | ||
+ | * [[http://snug.sluug.org | snug.sluug.org]] - St. Louis Novell Users Group | ||
* dev.sluug.org - development site | * dev.sluug.org - development site | ||
* test.sluug.org - test site | * test.sluug.org - test site | ||
Line 97: | Line 99: | ||
</code> | </code> | ||
+ | |||
+ | ==== Default Site ==== | ||
+ | |||
+ | The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file. | ||
+ | We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites. | ||
+ | (Some attempts even had "proxy_test_referer" in the Referer field.) | ||
+ | |||
+ | Edit ''/etc/apache2/sites-available/000-default'': | ||
+ | <file> | ||
+ | NameVirtualHost * | ||
+ | <VirtualHost *> | ||
+ | # Minimize logging of this junk. | ||
+ | #CustomLog /dev/null "" | ||
+ | #ErrorLog /dev/null | ||
+ | CustomLog /var/log/apache2/attack.log combined | ||
+ | ErrorLog /var/log/apache2/attack_error.log | ||
+ | LogLevel emerg | ||
+ | |||
+ | # Don't allow access to anything, causing a 403 error message for any request. | ||
+ | ErrorDocument 403 "Site does not exist on this server!" | ||
+ | <Location /> | ||
+ | Order allow,deny | ||
+ | Deny from all | ||
+ | </Location> | ||
+ | </VirtualHost> | ||
+ | </file> | ||
+ | |||
+ | <code rootshell> | ||
+ | a2ensite 000-default | ||
+ | </code> | ||
==== Main SLUUG Site ==== | ==== Main SLUUG Site ==== | ||
Line 106: | Line 138: | ||
</code> | </code> | ||
- | Edit ''<nowiki>/etc/apache2/sites-available/000-www.sluug.org</nowiki>'': | + | Edit ''<nowiki>/etc/apache2/sites-available/www.sluug.org</nowiki>'': |
<file> | <file> | ||
- | NameVirtualHost * | ||
<VirtualHost *> | <VirtualHost *> | ||
ServerName www.sluug.org | ServerName www.sluug.org | ||
Line 117: | Line 148: | ||
<Directory /home/web/www.sluug.org/public> | <Directory /home/web/www.sluug.org/public> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews IncludesNoExec | + | Options FollowSymLinks MultiViews IncludesNoExec |
DirectoryIndex index.shtml index.html | DirectoryIndex index.shtml index.html | ||
Order allow,deny | Order allow,deny | ||
Line 130: | Line 161: | ||
<code rootshell> | <code rootshell> | ||
- | a2ensite 000-www.sluug.org | + | a2ensite www.sluug.org |
</code> | </code> | ||
Line 148: | Line 179: | ||
<Directory /home/web/wiki.sluug.org> | <Directory /home/web/wiki.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 182: | Line 213: | ||
<Directory /home/web/stllug.sluug.org/public> | <Directory /home/web/stllug.sluug.org/public> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 214: | Line 245: | ||
<Directory /home/web/hzwlug.sluug.org> | <Directory /home/web/hzwlug.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 243: | Line 274: | ||
<Directory /home/web/stclug.sluug.org> | <Directory /home/web/stclug.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 272: | Line 303: | ||
<Directory /home/web/security.sluug.org> | <Directory /home/web/security.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 300: | Line 331: | ||
<Directory /home/web/solaris.sluug.org> | <Directory /home/web/solaris.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 310: | Line 341: | ||
a2ensite solaris.sluug.org | a2ensite solaris.sluug.org | ||
</code> | </code> | ||
+ | |||
+ | |||
==== SLACC Site ==== | ==== SLACC Site ==== | ||
Line 329: | Line 362: | ||
<Directory /home/web/slacc.sluug.org> | <Directory /home/web/slacc.sluug.org> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 340: | Line 373: | ||
</code> | </code> | ||
+ | ==== SNUG Site ==== | ||
+ | |||
+ | <code rootshell> | ||
+ | mkdir /home/web/snug.sluug.org | ||
+ | chown -R www-data:snug /home/web/snug.sluug.org | ||
+ | chmod g+s /home/web/snug.sluug.org | ||
+ | </code> | ||
+ | |||
+ | Edit ''/etc/apache2/sites-available/snug.sluug.org'': | ||
+ | <file> | ||
+ | <VirtualHost *> | ||
+ | ServerName snug.sluug.org | ||
+ | ServerAlias novell.sluug.org | ||
+ | ServerAlias netware.sluug.org | ||
+ | ServerAlias www.stl-nui.org | ||
+ | ServerAlias stl-nui.org | ||
+ | UseCanonicalName On | ||
+ | DocumentRoot /home/web/snug.sluug.org | ||
+ | <Directory /home/web/snug.sluug.org> | ||
+ | AllowOverride All | ||
+ | Options FollowSymLinks MultiViews | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Directory> | ||
+ | </VirtualHost> | ||
+ | </file> | ||
+ | |||
+ | <code rootshell> | ||
+ | a2ensite snug.sluug.org | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ==== Webmail Site ==== | ||
+ | |||
+ | <code rootshell> | ||
+ | mkdir /var/www/webmail.sluug.org | ||
+ | chown -R www-data:www-data /var/www/webmail.sluug.org | ||
+ | chmod g+s /var/www/webmail.sluug.org | ||
+ | </code> | ||
+ | |||
+ | Edit ''/etc/apache2/sites-available/webmail.sluug.org'': | ||
+ | <file> | ||
+ | <VirtualHost *> | ||
+ | ServerName webmail.sluug.org | ||
+ | ServerAlias mail.sluug.org | ||
+ | UseCanonicalName On | ||
+ | DocumentRoot /var/www/webmail.sluug.org/public | ||
+ | <Directory /var/www/webmail.sluug.org/public> | ||
+ | AllowOverride All | ||
+ | Options FollowSymLinks MultiViews | ||
+ | Order allow,deny | ||
+ | Allow from all | ||
+ | </Directory> | ||
+ | </VirtualHost> | ||
+ | </file> | ||
+ | |||
+ | <code rootshell> | ||
+ | a2ensite webmail.sluug.org | ||
+ | </code> | ||
==== Test Site ==== | ==== Test Site ==== | ||
Line 358: | Line 450: | ||
<Directory /home/web/test.sluug.org/public> | <Directory /home/web/test.sluug.org/public> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 416: | Line 508: | ||
<Directory /home/booch/web/blog.craigbuchek.com> | <Directory /home/booch/web/blog.craigbuchek.com> | ||
AllowOverride All | AllowOverride All | ||
- | Options Indexes FollowSymLinks MultiViews | + | Options FollowSymLinks MultiViews |
Order allow,deny | Order allow,deny | ||
Allow from all | Allow from all | ||
Line 489: | Line 581: | ||
Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. | Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. | ||
+ | |||
+ | ==== Application Defenses ==== | ||
+ | |||
+ | Implement these defenses from [[http://www.0x000000.com/index.php?i=567&bin=1000110111]]: | ||
+ | |||
+ | <file> | ||
+ | # NC - Not Case sensitive, OR - previous rule OR following rul | ||
+ | |||
+ | # Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV. | ||
+ | RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK) [NC,OR] | ||
+ | |||
+ | # Prevent CRLF injection. | ||
+ | RewriteCond %{THE_REQUEST} ^.*(\\r|\\n|%0A|%0D).* [NC,OR] | ||
+ | |||
+ | # Prevent mangled referrers and cookies, intended to exploit log files and such. | ||
+ | RewriteCond %{HTTP_REFERER} ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
+ | RewriteCond %{HTTP_COOKIE} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
+ | |||
+ | # Clean up URIs and make sure they're 9999 characters or less. | ||
+ | RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR] | ||
+ | |||
+ | # Disallow some nasty user agents. | ||
+ | RewriteCond %{HTTP_USER_AGENT} ^$ [OR] | ||
+ | RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR] | ||
+ | RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR] | ||
+ | RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR] | ||
+ | |||
+ | # Disallow nasty query strings. | ||
+ | RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR] | ||
+ | RewriteCond %{QUERY_STRING} ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR] | ||
+ | RewriteCond %{QUERY_STRING} ^.*\.[A-Za-z0-9].* [NC,OR] | ||
+ | RewriteCond %{QUERY_STRING} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC] | ||
+ | |||
+ | # Rewrite the request to a fail-safe page. FIXME: Set to an actual page. | ||
+ | RewriteRule ^(.*)$ access_log.php | ||
+ | </file> | ||
+ | |||
==== SSL ==== | ==== SSL ==== | ||
+ | |||
Turn on SSL. | Turn on SSL. | ||