SLUUG Wiki

User Tools

Site Tools

Trace:
build:apache

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
build:apache [2008/04/20 23:03]
4.245.78.244 		build:apache [2009/03/03 16:02] (current)
151.145.245.20 Add separate default site. (CMB)
Line 2: Line 2:
  
 These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now. These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.
 +
  
 ===== Requirements ===== ===== Requirements =====
Line 10: Line 11:
   * [[http://​www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)   * [[http://​www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)
   * [[http://​wiki.sluug.org | wiki.sluug.org]] - this Wiki   * [[http://​wiki.sluug.org | wiki.sluug.org]] - this Wiki
-  * [[http://​stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (aka stllinux.org, ​linux, lug) +  * [[http://​stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (AKA linux, lug, stllinux.org
-  * [[http://​hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (aka hazlug, hzwlug, hazelwood, newbie) +  * [[http://​hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (AKA hazlug, hzwlug, hazelwood, newbie) 
-  * [[http://​stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (stcharles, saintcharles) +  * [[http://​stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (AKA stcharles, saintcharles) 
-  * [[http://​security.sluug.org | security.sluug.org]] - Security SIG (aka stlsug)+  * [[http://​security.sluug.org | security.sluug.org]] - Security SIG (AKA stlsug)
   * [[http://​solaris.sluug.org | solaris.sluug.org]] - Solaris SIG   * [[http://​solaris.sluug.org | solaris.sluug.org]] - Solaris SIG
   * [[http://​slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club   * [[http://​slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club
 +  * [[http://​snug.sluug.org | snug.sluug.org]] - St. Louis Novell Users Group
   * dev.sluug.org - development site   * dev.sluug.org - development site
   * test.sluug.org - test site   * test.sluug.org - test site
Line 97: Line 99:
 </​code>​ </​code>​
  
 +
 +==== Default Site ====
 +
 +The default site is a "​catch-all"​ that will serve any site that doesn'​t have a domain name specified in a site config file.
 +We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites.
 +(Some attempts even had "​proxy_test_referer"​ in the Referer field.)
 +
 +Edit ''/​etc/​apache2/​sites-available/​000-default'':​
 +<​file>​
 +NameVirtualHost *
 +<​VirtualHost *>
 +    # Minimize logging of this junk.
 +    #CustomLog /dev/null ""​
 +    #ErrorLog /dev/null
 +    CustomLog /​var/​log/​apache2/​attack.log combined
 +    ErrorLog /​var/​log/​apache2/​attack_error.log
 +    LogLevel emerg
 +
 +    # Don't allow access to anything, causing a 403 error message for any request.
 +    ErrorDocument 403 "Site does not exist on this server!"​
 +    <​Location />
 +        Order allow,deny
 +        Deny from all
 +    </​Location>​
 +</​VirtualHost>​
 +</​file>​
 +
 +<code rootshell>​
 +a2ensite 000-default
 +</​code>​
  
 ==== Main SLUUG Site ==== ==== Main SLUUG Site ====
Line 106: Line 138:
 </​code>​ </​code>​
  
-Edit ''<​nowiki>/​etc/​apache2/​sites-available/​000-www.sluug.org</​nowiki>'':​+Edit ''<​nowiki>/​etc/​apache2/​sites-available/​www.sluug.org</​nowiki>'':​
 <​file>​ <​file>​
-NameVirtualHost * 
 <​VirtualHost *> <​VirtualHost *>
  ServerName www.sluug.org  ServerName www.sluug.org
Line 117: Line 148:
  <​Directory /​home/​web/​www.sluug.org/​public>​  <​Directory /​home/​web/​www.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews IncludesNoExec+ Options FollowSymLinks MultiViews IncludesNoExec
  DirectoryIndex index.shtml index.html  DirectoryIndex index.shtml index.html
  Order allow,deny  Order allow,deny
Line 130: Line 161:
  
 <code rootshell>​ <code rootshell>​
-a2ensite ​000-www.sluug.org+a2ensite www.sluug.org
 </​code>​ </​code>​
  
Line 148: Line 179:
  <​Directory /​home/​web/​wiki.sluug.org>​  <​Directory /​home/​web/​wiki.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 182: Line 213:
  <​Directory /​home/​web/​stllug.sluug.org/​public>​  <​Directory /​home/​web/​stllug.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 214: Line 245:
  <​Directory /​home/​web/​hzwlug.sluug.org>​  <​Directory /​home/​web/​hzwlug.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 243: Line 274:
  <​Directory /​home/​web/​stclug.sluug.org>​  <​Directory /​home/​web/​stclug.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 272: Line 303:
  <​Directory /​home/​web/​security.sluug.org>​  <​Directory /​home/​web/​security.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 300: Line 331:
  <​Directory /​home/​web/​solaris.sluug.org>​  <​Directory /​home/​web/​solaris.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 310: Line 341:
 a2ensite solaris.sluug.org a2ensite solaris.sluug.org
 </​code>​ </​code>​
 +
 +
  
 ==== SLACC Site ==== ==== SLACC Site ====
Line 329: Line 362:
  <​Directory /​home/​web/​slacc.sluug.org>​  <​Directory /​home/​web/​slacc.sluug.org>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 340: Line 373:
 </​code>​ </​code>​
  
 +==== SNUG Site ====
 +
 +<code rootshell>​
 +mkdir /​home/​web/​snug.sluug.org
 +chown -R www-data:​snug /​home/​web/​snug.sluug.org
 +chmod g+s /​home/​web/​snug.sluug.org
 +</​code>​
 +
 +Edit ''/​etc/​apache2/​sites-available/​snug.sluug.org'':​
 +<​file>​
 +<​VirtualHost *>
 + ServerName snug.sluug.org
 + ServerAlias novell.sluug.org
 + ServerAlias netware.sluug.org
 + ServerAlias www.stl-nui.org
 + ServerAlias stl-nui.org
 + UseCanonicalName On
 + DocumentRoot /​home/​web/​snug.sluug.org
 + <​Directory /​home/​web/​snug.sluug.org>​
 + AllowOverride All
 + Options FollowSymLinks MultiViews
 + Order allow,deny
 + Allow from all
 + </​Directory>​
 +</​VirtualHost>​
 +</​file>​
 +
 +<code rootshell>​
 +a2ensite snug.sluug.org
 +</​code>​
 +
 +
 +==== Webmail Site ====
 +
 +<code rootshell>​
 +mkdir /​var/​www/​webmail.sluug.org
 +chown -R www-data:​www-data /​var/​www/​webmail.sluug.org
 +chmod g+s /​var/​www/​webmail.sluug.org
 +</​code>​
 +
 +Edit ''/​etc/​apache2/​sites-available/​webmail.sluug.org'':​
 +<​file>​
 +<​VirtualHost *>
 + ServerName webmail.sluug.org
 + ServerAlias mail.sluug.org
 + UseCanonicalName On
 + DocumentRoot /​var/​www/​webmail.sluug.org/​public
 + <​Directory /​var/​www/​webmail.sluug.org/​public>​
 + AllowOverride All
 + Options FollowSymLinks MultiViews
 + Order allow,deny
 + Allow from all
 + </​Directory>​
 +</​VirtualHost>​
 +</​file>​
 +
 +<code rootshell>​
 +a2ensite webmail.sluug.org
 +</​code>​
  
 ==== Test Site ==== ==== Test Site ====
Line 358: Line 450:
  <​Directory /​home/​web/​test.sluug.org/​public>​  <​Directory /​home/​web/​test.sluug.org/​public>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 416: Line 508:
  <​Directory /​home/​booch/​web/​blog.craigbuchek.com>​  <​Directory /​home/​booch/​web/​blog.craigbuchek.com>​
  AllowOverride All  AllowOverride All
- Options ​Indexes ​FollowSymLinks MultiViews+ Options FollowSymLinks MultiViews
  Order allow,deny  Order allow,deny
  Allow from all  Allow from all
Line 489: Line 581:
  
 Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors. Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.
 +
 +==== Application Defenses ====
 +
 +Implement these defenses from [[http://​www.0x000000.com/​index.php?​i=567&​bin=1000110111]]:​
 +
 +<​file>​
 +# NC - Not Case sensitive, OR - previous rule OR following rul
 +
 +# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
 +RewriteCond %{REQUEST_METHOD} ​ ^(TRACE|DELETE|TRACK) [NC,OR]
 +
 +# Prevent CRLF injection.
 +RewriteCond %{THE_REQUEST} ​    ​^.*(\\r|\\n|%0A|%0D).* [NC,OR]
 +
 +# Prevent mangled referrers and cookies, intended to exploit log files and such.
 +RewriteCond %{HTTP_REFERER} ​   ^(.*)(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +RewriteCond %{HTTP_COOKIE} ​    ​^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +
 +# Clean up URIs and make sure they'​re 9999 characters or less.
 +RewriteCond %{REQUEST_URI} ​    ​^/​(,​|;​|:​|<​|>​|">​|"<​|/​|\\\.\.\\).{0,​9999}.* [NC,OR]
 +
 +# Disallow some nasty user agents.
 +RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
 +RewriteCond %{HTTP_USER_AGENT} ^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
 +
 +# Disallow nasty query strings.
 +RewriteCond %{QUERY_STRING} ​   ^.*(;​|<​|>​|'​|"​|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/​\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*\.[A-Za-z0-9].* [NC,OR]
 +RewriteCond %{QUERY_STRING} ​   ^.*(<​|>​|'​|%0A|%0D|%27|%3C|%3E|%00).* [NC]
 +
 +# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
 +RewriteRule ^(.*)$ access_log.php
 +</​file>​
 +
  
 ==== SSL ==== ==== SSL ====
 +
 Turn on SSL. Turn on SSL.
  
build/apache.1208750588.txt.gz · Last modified: 2008/04/20 23:03 by 4.245.78.244

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki