Differences

This shows you the differences between two versions of the page.

--- build:apache [2007/07/25 14:34]
206.197.251.70
+++ build:apache [2009/03/03 16:02] (current)
151.145.245.20 Add separate default site. (CMB)
@@ Line 2: / Line 2: @@
 These instructions document the installation and configuration of Apache 2.2 on our Debian 4.0 system. We chose Apache 2 primarily due to its simpler SSL configuration. It also seems to be the preferred version in Debian now.
 ===== Requirements =====
@@ Line 10: / Line 11: @@
   * [[http://www.sluug.org | www.sluug.org]] - main content (default site, aka sluug.org)
   * [[http://wiki.sluug.org | wiki.sluug.org]] - this Wiki
-  * [[http://stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (aka stllinux.org, linux, lug)
+  * [[http://stllug.sluug.org | stllug.sluug.org]] - St. Louis LUG (AKA linux, lug, stllinux.org)
-  * [[http://hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (aka hazlug, hzwlug, hazelwood, newbie)
+  * [[http://hzlug.sluug.org | hzlug.sluug.org]] - Hazelwood LUG (AKA hazlug, hzwlug, hazelwood, newbie)
-  * [[http://stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (stcharles, saintcharles)
+  * [[http://stclug.sluug.org | stclug.sluug.org]] - St. Charles LUG (AKA stcharles, saintcharles)
-  * [[http://security.sluug.org | security.sluug.org]] - Security SIG (aka stlsug)
+  * [[http://security.sluug.org | security.sluug.org]] - Security SIG (AKA stlsug)
   * [[http://solaris.sluug.org | solaris.sluug.org]] - Solaris SIG
   * [[http://slacc.sluug.org | slacc.sluug.org]] - St. Louis Area Computer Club
+  * [[http://snug.sluug.org | snug.sluug.org]] - St. Louis Novell Users Group
   * dev.sluug.org - development site
   * test.sluug.org - test site
@@ Line 28: / Line 30: @@
 apt-get install apache2-doc
 </code>
@@ Line 45: / Line 48: @@
 <code rootshell>
 apt-get install php5-mysql libmysqlclient15off mysql-common
-apt-get install php5-curl
+apt-get install php5-curl libcurl3
 </code>
@@ Line 58: / Line 62: @@
 a2enmod include
 a2enmod deflate
+a2enmod userdir # Only on Budlight.
 </code>
 ===== Configuration =====
@@ Line 75: / Line 78: @@
 </file>
-NOTE: The ''DirectoryIndex'' directive seems to have stopped working for us, so we had to add it to ''/etc/apache2/sites-enabled/000-www.sluug.org'' as well.
+NOTE: The ''DirectoryIndex'' directive seems to have stopped working for us, so we had to add it to ''<nowiki>/etc/apache2/sites-enabled/000-www.sluug.org</nowiki>'' as well.
 Edit ''/etc/apache2/conf.d/logging'':
@@ Line 94: / Line 97: @@
 sed -i -e 's/^ServerSignature .*/ServerSignature Off/' /etc/apache2/apache2.conf
 sed -i -e 's/^ServerTokens .*/ServerTokens Minor/' /etc/apache2/apache2.conf
+</code>
+==== Default Site ====
+The default site is a "catch-all" that will serve any site that doesn't have a domain name specified in a site config file.
+We've set this up to deny all requests, since we were getting a lot of attacks trying to use the server as a proxy to other sites.
+(Some attempts even had "proxy_test_referer" in the Referer field.)
+Edit ''/etc/apache2/sites-available/000-default'':
+<file>
+NameVirtualHost *
+<VirtualHost *>
+    # Minimize logging of this junk.
+    #CustomLog /dev/null ""
+    #ErrorLog /dev/null
+    CustomLog /var/log/apache2/attack.log combined
+    ErrorLog /var/log/apache2/attack_error.log
+    LogLevel emerg
+    # Don't allow access to anything, causing a 403 error message for any request.
+    ErrorDocument 403 "Site does not exist on this server!"
+    <Location />
+        Order allow,deny
+        Deny from all
+    </Location>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite 000-default
 </code>
@@ Line 100: / Line 134: @@
 <code rootshell>
 mkdir -p /home/web/www.sluug.org/public /home/web/www.sluug.org/cgi-bin
-chown -R www-data:www-data /home/web/wwww.sluug.org
+chown -R www-data:www /home/web/www.sluug.org
 chmod g+s /home/web/www.sluug.org
 </code>
-Edit ''<nowiki>/etc/apache2/sites-available/000-www.sluug.org</nowiki>'':
+Edit ''<nowiki>/etc/apache2/sites-available/www.sluug.org</nowiki>'':
 <file>
-NameVirtualHost *
 <VirtualHost *>
 	ServerName www.sluug.org
@@ Line 115: / Line 148: @@
 	<Directory /home/web/www.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews IncludesNoExec
+		Options FollowSymLinks MultiViews IncludesNoExec
 		DirectoryIndex index.shtml index.html
 		Order allow,deny
@@ Line 135: / Line 168: @@
 <code rootshell>
 mkdir /home/web/wiki.sluug.org
-chown -R www-data:www-data /home/web/wiki.sluug.org
+chown -R www-data:www /home/web/wiki.sluug.org
 </code>
@@ Line 146: / Line 179: @@
 	<Directory /home/web/wiki.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 162: / Line 195: @@
 <code rootshell>
 mkdir /home/web/stllug.sluug.org /home/web/stllug.sluug.org/public
-chown -R www-data:www-data /home/web/stllug.sluug.org
+chown -R www-data:stllug /home/web/stllug.sluug.org
+chmod g+s /home/web/stllug.sluug.org
 </code>
@@ Line 179: / Line 213: @@
 	<Directory /home/web/stllug.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 194: / Line 228: @@
 <code rootshell>
 mkdir /home/web/hzwlug.sluug.org
-chown -R www-data:hzwlug /home/web/hzwlug.sluug.org
+chown -R www-data:hazelwood /home/web/hzwlug.sluug.org
+chmod g+s /home/web/hzwlug.sluug.org
 </code>
@@ Line 210: / Line 245: @@
 	<Directory /home/web/hzwlug.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 226: / Line 261: @@
 mkdir /home/web/stclug.sluug.org
 chown -R www-data:stclug /home/web/stclug.sluug.org
+chmod g+s /home/web/stclug.sluug.org
 </code>
@@ Line 238: / Line 274: @@
 	<Directory /home/web/stclug.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 254: / Line 290: @@
 mkdir /home/web/security.sluug.org
 chown -R www-data:security /home/web/security.sluug.org
+chmod g+s /home/web/security.sluug.org
 </code>
@@ Line 266: / Line 303: @@
 	<Directory /home/web/security.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 282: / Line 319: @@
 mkdir /home/web/solaris.sluug.org
 chown -R www-data:solaris /home/web/solaris.sluug.org
+chmod g+s /home/web/solaris.sluug.org
 </code>
@@ Line 293: / Line 331: @@
 	<Directory /home/web/solaris.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 303: / Line 341: @@
 a2ensite solaris.sluug.org
 </code>
 ==== SLACC Site ====
@@ Line 308: / Line 348: @@
 <code rootshell>
 mkdir /home/web/slacc.sluug.org
-chown -R www-data:www-data /home/web/slacc.sluug.org
+chown -R www-data:slacc /home/web/slacc.sluug.org
+chmod g+s /home/web/slacc.sluug.org
 </code>
@@ Line 321: / Line 362: @@
 	<Directory /home/web/slacc.sluug.org>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 330: / Line 371: @@
 <code rootshell>
 a2ensite slacc.sluug.org
+</code>
+==== SNUG Site ====
+<code rootshell>
+mkdir /home/web/snug.sluug.org
+chown -R www-data:snug /home/web/snug.sluug.org
+chmod g+s /home/web/snug.sluug.org
+</code>
+Edit ''/etc/apache2/sites-available/snug.sluug.org'':
+<file>
+<VirtualHost *>
+	ServerName snug.sluug.org
+	ServerAlias novell.sluug.org
+	ServerAlias netware.sluug.org
+	ServerAlias www.stl-nui.org
+	ServerAlias stl-nui.org
+	UseCanonicalName On
+	DocumentRoot /home/web/snug.sluug.org
+	<Directory /home/web/snug.sluug.org>
+		AllowOverride All
+		Options FollowSymLinks MultiViews
+		Order allow,deny
+		Allow from all
+	</Directory>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite snug.sluug.org
+</code>
+==== Webmail Site ====
+<code rootshell>
+mkdir /var/www/webmail.sluug.org
+chown -R www-data:www-data /var/www/webmail.sluug.org
+chmod g+s /var/www/webmail.sluug.org
+</code>
+Edit ''/etc/apache2/sites-available/webmail.sluug.org'':
+<file>
+<VirtualHost *>
+	ServerName webmail.sluug.org
+	ServerAlias mail.sluug.org
+	UseCanonicalName On
+	DocumentRoot /var/www/webmail.sluug.org/public
+	<Directory /var/www/webmail.sluug.org/public>
+		AllowOverride All
+		Options FollowSymLinks MultiViews
+		Order allow,deny
+		Allow from all
+	</Directory>
+</VirtualHost>
+</file>
+<code rootshell>
+a2ensite webmail.sluug.org
 </code>
@@ Line 336: / Line 437: @@
 <code rootshell>
 mkdir -p /home/web/test.sluug.org/public
-chown -R www-data:www-data /home/web/test.sluug.org
+chown -R www-data:www /home/web/test.sluug.org
 chmod g+s /home/web/test.sluug.org
 </code>
@@ Line 349: / Line 450: @@
 	<Directory /home/web/test.sluug.org/public>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 358: / Line 459: @@
 <code rootshell>
 a2ensite test.sluug.org
+</code>
+====Woodlandchows.com====
+The woodlandchows website was imported from the back ups of dark onto budlight.sluug.org. All actions were taken on budlight.
+<code rootshell>
+vi /etc/apache2/sites-available/woodlandchows.com
+ln -s /etc/apache2/sites-available/woodlandchows.com /etc/apache2/sites-enabled/.
+</code>
+Edit ''/etc/apache2/sites-available/woodlandchhows.com'':
+<file>
+<VirtualHost *>
+         ServerName woodlandchows.com
+         ServerAlias www.woodlandchows.com
+         UseCanonicalName On
+         ServerAdmin wehner@sluug.org
+         DocumentRoot /home/myrna/public_html
+         <Directory /home/myrna/public_html>
+                AllowOverride All
+                Options Indexes FollowSymLinks MultiViews
+                Order allow,deny
+                Allow from all
+         </Directory>
+         #ErrorLog logs/archrivals/error_log
+         #CustomLog logs/archrivals/access_log common
+</VirtualHost>
+</file>
+<code rootshell>
+chmod 711 /home/myrna/
+chmod 711 /home/myrna/public_html/
+/etc/init.d/apache2 reload
 </code>
@@ Line 377: / Line 508: @@
 	<Directory /home/booch/web/blog.craigbuchek.com>
 		AllowOverride All
-		Options Indexes FollowSymLinks MultiViews
+		Options FollowSymLinks MultiViews
 		Order allow,deny
 		Allow from all
@@ Line 387: / Line 518: @@
 a2ensite blog.craigbuchek.com
 </code>
 ===== Startup =====
@@ Line 397: / Line 529: @@
 To reload the configuration:
 <code rootshell>
+/etc/init.d/apache2 reload
+</code>
+===== Personal Pages =====
+The members personal pages are hosted on budlight.sluug.org. The basic install of apache2 was run on budlight:
+<code>
+apt-get install apache2
+</code>
+Make the appropriate changes as noted in the rest of this document for installing PHP.
+Next turn on UserDir by creating the appropriate links in **/etc/apache2/mods-enabled**
+<code>
+cd /etc/apache2/mods-enabled
+ln -s ../mods-available/userdir.* .
 /etc/init.d/apache2 reload
 </code>
@@ Line 403: / Line 551: @@
 ==== Migration ====
+The main web site is on bud, but user web sites are on budlight, so we set up ''.htaccess'' in <nowiki>/home/web/www.sluug.org/public</nowiki> to redirect  requests for home directory (`) pages to the budlight using the ''users.sluug.org'' name.
+<file>
+# Rewrite rules to point to home directories on budlight.
+RewriteEngine on
+RewriteRule ^~(.*)    http://users.sluug.org/~$1   [r=301,nc,l]
+</file>
+== This is old information that is no longer used since we finally got off dark, but it is left here for a period of time until problems with the transition are completed. ==
 We had to migrate off of our existing site in stages. We migrated the majority of the site, but did not want to migrate any of the forms and associated scripts, list archives, or user pages. So in the interim, we set up ''.htaccess'' in <nowiki>/home/web/www.sluug.org/public</nowiki> to redirect those pages to the old site.
@@ Line 408: / Line 566: @@
 <file>
 # Rewrite rules to point home directories and form pages to Dark.
-RewriteEngine on
 # NOTE: List archives are located at ~archives, so this rule covers them too.
-RewriteRule ^~(.*)    http://users.sluug.org/~$1   [r=301,nc,l]
 RewriteRule ^(members/join.*)$  http://users.sluug.org/$1   [r=302,nc,l]
 RewriteRule ^(volunteer.*)$  http://users.sluug.org/$1   [r=302,nc,l]
 RewriteRule ^(resources/list_servs.*)$  http://users.sluug.org/$1   [r=302,nc,l]
 </file>
 ===== TODO =====
+Need to better use group permissions to allow different users the ability to edit different web sites. Especially need to add a group for the main web site.
 Could probably use some tuning and routine maintenance.
 Backups. (We currently rely on backups of /home.)
+Should monitor log files to analyze them to see if there are any pages missing that we should add, or any errors.
+==== Application Defenses ====
+Implement these defenses from [[http://www.0x000000.com/index.php?i=567&bin=1000110111]]:
+<file>
+# NC - Not Case sensitive, OR - previous rule OR following rul
+# Disallow these HTTP methods. NOTE: Allow DELETE is we've got a Web API or WebDAV.
+RewriteCond %{REQUEST_METHOD}  ^(TRACE|DELETE|TRACK) [NC,OR]
+# Prevent CRLF injection.
+RewriteCond %{THE_REQUEST}     ^.*(\\r|\\n|%0A|%0D).* [NC,OR]
+# Prevent mangled referrers and cookies, intended to exploit log files and such.
+RewriteCond %{HTTP_REFERER}    ^(.*)(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+RewriteCond %{HTTP_COOKIE}     ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+# Clean up URIs and make sure they're 9999 characters or less.
+RewriteCond %{REQUEST_URI}     ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}.* [NC,OR]
+# Disallow some nasty user agents.
+RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(nikto|scan).* [NC,OR]
+RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
+# Disallow nasty query strings.
+RewriteCond %{QUERY_STRING}    ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*(localhost|loopback|127\.0\.0\.1).* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*\.[A-Za-z0-9].* [NC,OR]
+RewriteCond %{QUERY_STRING}    ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC]
+# Rewrite the request to a fail-safe page. FIXME: Set to an actual page.
+RewriteRule ^(.*)$ access_log.php
+</file>
 ==== SSL ====
 Turn on SSL.

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools