|
|
(45 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| + | [[Category:Linux]] |
| + | |
| + | |
| + | |
| =Requirements= | | =Requirements= |
| + | |
| Before going through this tutorial, I recommend you to setup: | | Before going through this tutorial, I recommend you to setup: |
| * [[MySQL server]] | | * [[MySQL server]] |
| * [[SSL server]] | | * [[SSL server]] |
| * [[LDAP server]] | | * [[LDAP server]] |
| + | |
| + | |
| + | |
| | | |
| =Installation= | | =Installation= |
Line 15: |
Line 23: |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install apache2 apache2-mpm-prefork apache2-utils ssl-cert | + | apt install apache2 apache2-utils |
− | </syntaxhighlight>
| + | apt install ssl-cert |
− | | |
− | | |
− | ===Additional libraries===
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install libapache2-mod-fcgid libruby | |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| + | Since Ubuntu 16.04 <code>apache2-mpm-prefork</code> is not required |
| | | |
| ===Doc=== | | ===Doc=== |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install apache2-doc | + | apt install apache2-doc |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
Line 55: |
Line 58: |
| | | |
| | | |
| + | ==PHP 8== |
| + | 2021-11: PHP 8 is not included in Ubuntu 20.04 LTS. |
| | | |
− | ==PHP 5== | + | Source article: http://www.daxiongmao.eu/wiki/index.php?title=Apache_2&action=edit |
| | | |
− | | + | ===Add PHP 8.0 repository=== |
− | ===Core=== | |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install libapache2-mod-php5 php5 php5-common | + | apt install software-properties-common |
| + | add-apt-repository ppa:ondrej/php |
| + | apt update |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| + | ===Install core packages=== |
| | | |
− | ===Modules PHP5===
| + | To install the latest version of PHP: |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install php5-curl php5-dev php5-gd php-pear php5-imagick php5-imap php5-mcrypt | + | # PHP core |
− | apt-get install php5-memcache php5-mhash php5-mysql php5-snmp php5-xmlrpc php5-xcache php5-curl php5-xsl | + | apt-get install php |
| + | apt-get install php-cli |
| + | # Apache2 support |
| + | apt install libapache2-mod-php |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | ===Additional libs=== | + | ===Modules PHP=== |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install php5-cli php5-cgi php-pear php-auth php5-mcrypt mcrypt | + | apt-get install php-cgi |
| + | #apt-get install php-opcache |
| + | apt-get install php-gd |
| + | apt-get install php-bz2 |
| + | apt-get install php-curl |
| + | apt-get install php-xmlrpc |
| + | apt-get install php-json |
| + | apt-get install php-mysql |
| + | apt-get install php-imap |
| + | apt-get install php-mbstring |
| + | # Performances |
| + | apt install php-fpm libapache2-mod-fcgid |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | | + | Enable modules |
− | ===Image Magick===
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | apt-get install php5-imagick imagemagick
| + | sudo a2enmod proxy_fcgi setenvif |
| + | sudo a2enconf php8.0-fpm |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | | + | ===Utility=== |
− | ===Configuration=== | |
− | | |
− | Edit PHP config file:
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | vim /etc/php5/apache2/php.ini
| + | apt install php-pear |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | Add / uncomment the following lines in Dynamic extensions area (~ line 865)
| + | ===Configuration=== |
− | * extension=mysql.so
| |
− | * extension=gd.so
| |
− | | |
− | | |
− | !! Note this is NOT required on Ubuntu 14.04 because these modules are enabled by default !!
| |
− | | |
− | | |
− | | |
− | ==Firewall== | |
− | | |
− | You have to open the following ports:
| |
− | * Port 80 = HTTP
| |
− | * Port 443 = HTTPS
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | $IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 80 -j ACCEPT
| |
− | $IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 443 -j ACCEPT
| |
− | </syntaxhighlight>
| |
| | | |
− | Restart the firewall
| + | Edit '''PHP config''' file: |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | /etc/init.d/firewall restart | + | vim /etc/php/8.0/cli/php.ini |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| + | * Let CGI behaves like before: set <code>cgi.fix_pathinfo=1</code> |
| + | * Adjust file upload size <code>upload_max_filesize = 32M</code> |
| + | * Adjust post size <code>post_max_size = 32M</code> |
| + | * Adjust time zone <code>date.timezone = Europe/Paris</code> |
| + | * Save path: <code>session.save_path = "/tmp"</code> |
| | | |
| + | ===Check PHP version and configuration=== |
| | | |
− | ==Test your installation==
| + | To ensure PHP 8.0 is well-installed just type: |
− | | |
− | | |
− | Restart the Apache2 server
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | service apache2 restart
| + | php -v |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | | + | ===Image Magick=== |
− | You can now test your installation by going to 'http://localhost' or 'http://myServer'. You should see the default page.
| |
− | | |
− | | |
− | | |
− | | |
− | | |
− | | |
− | =Apache 2 configuration # Virtual host= | |
− | | |
− | | |
− | ==Preparation== | |
− | | |
− | Initialize configuration
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | cd /etc/apache2/sites-available/
| + | apt install php-gd php-imagick imagemagick |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| + | ===Configuration=== |
| | | |
− | Create target directory
| + | Edit PHP config file: |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | mkdir -p /var/www/myServer
| + | vim /etc/php/8.0/apache2/php.ini |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | | + | Add / uncomment the following lines in Dynamic extensions area |
− | Prepare the log files
| + | <syntaxhighlight lang="php"> |
− | | + | // PHP 8 (~ line 904) |
− | <syntaxhighlight lang="bash"> | + | extension=bz2 |
− | mkdir -p /var/log/apache2/myServer
| + | extension=curl |
− | touch /var/log/apache2/myServer/access.log
| + | extension=gd |
− | touch /var/log/apache2/myServer/error.log
| + | extension=imap |
− | chmod -R 660 /var/log/apache2/myServer/*
| + | extension=mysqli |
− | chown -R www-data:www-data /var/log/apache2/myServer/*
| |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | Copy default index file
| + | !! Note this is NOT required on Ubuntu 20.04 because these modules are enabled by default !! |
| | | |
− | <syntaxhighlight lang="bash">
| + | ==Firewall== |
− | cp /var/www/html/index.html /var/www/myServer
| |
− | chown -R www-data:www-data /var/log/apache2/myServer/*
| |
− | </syntaxhighlight>
| |
| | | |
| + | see [[Firewall INPUT filters#Web server]] |
| | | |
− | | + | Restart the firewall |
− | ==Configuration==
| |
− | | |
− | Init configuration
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myServer.conf
| + | /etc/init.d/firewall restart |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
| | | |
− | '''Edit configuration'''
| |
| | | |
− | <syntaxhighlight lang="bash">
| + | ==Test your installation== |
− | vim /etc/apache2/sites-available/myServer
| |
− | </syntaxhighlight>
| |
| | | |
| | | |
− | To begin the virtual host, write the following lines:
| + | Restart the Apache2 server |
− | * Adjust the settings to your own configuration
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost 192.168.0.100:80> → Choose the best options for your needs
| |
− | <VirtualHost *:80>
| |
− | | |
− | #############################
| |
− | # Server main properties
| |
− | #############################
| |
− | | |
− | ServerName myServer
| |
− | ServerAlias www.myServer *.myServer
| |
− | ServerAdmin webmaster@domain
| |
− |
| |
− | # Logs settings
| |
− | LogLevel Warn
| |
− | CustomLog ${APACHE_LOG_DIR}/myServer/access.log combined
| |
− | ErrorLog ${APACHE_LOG_DIR}/myServer/error.log
| |
− | | |
− | | |
− | #############################
| |
− | # Root folder properties
| |
− | #############################
| |
− | DocumentRoot /var/www/myServer
| |
− | | |
− | # Restrict access to server root
| |
− | <Directory />
| |
− | Options FollowSymLinks
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | deny from all
| |
− | </Directory>
| |
− | | |
− | # SECURITY: forbid access to .htaccess so no outsider can ever change it
| |
− | <Files ~ "^\.ht">
| |
− | Order allow,deny
| |
− | Deny from all
| |
− | </Files>
| |
− | | |
− | # Virtual host root directory
| |
− | <Directory /var/www/myServer>
| |
− | Require all granted
| |
− | Options Indexes FollowSymLinks MultiViews
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | allow from all
| |
− | </Directory>
| |
− | | |
− | | |
− | #############################
| |
− | # Other configuration
| |
− | # Alias, proxy redirections, CGI scripts, Directory, etc.
| |
− | #############################
| |
− | | |
− | | |
− | | |
− | </VirtualHost>
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Enable / disable virtual host(s)==
| |
− | | |
− | | |
− | '''Virtual Host desactivation'''
| |
− | | |
− | If you're listening on '''*:80''' then you should probably disable the default virtual host before enabling yours!
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | a2dissite 000-default
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | '''Virtual Host activation'''
| |
− | | |
− | To activate a Virtual Host, just type
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | a2ensite myServer
| |
− | </syntaxhighlight>
| |
− | | |
− | Then, restart your web server
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/apache2 restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Check your server! You should see your "index.html" page.
| |
− | | |
− | | |
− | | |
− | =Apache 2 configuration # SSL Virtual host=
| |
− | | |
− | | |
− | ==Create SSL certificate==
| |
− | | |
− | First of all, you need to create a server certificate.
| |
− | Cf. SSL dedicated document → Create a new server certificate
| |
− | | |
− | >> see [[SSL server]]
| |
− | | |
− | | |
− | | |
− | ==Enable SSL module==
| |
− | | |
− | You have to either copy or create symlinks for server certificate.
| |
− | | |
− | To avoid rights collision I'm using a ''copy'' operation. However I know from past experience that ''symLinks'' work very well if you set the correct rights.
| |
− | | |
− | | |
− | -Note-
| |
− | | |
− | You MUST use the NON-ENCRYPTED private key if you want to start Apache2 automatically on each reboot.
| |
− | | |
− | | |
− | | |
− | '''Copy certificates'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cp /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
| |
− | cp /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | Alternative: '''Symlinks to /srv/ssl/'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | ln -s /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
| |
− | ln -s /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | '''Activate the SSL module'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod ssl
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Prepare virtual host (optional)==
| |
− | | |
− | Create virtual host folder
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | mkdir -p /var/www/myServer-ssl
| |
− | cp /var/www/index.html /var/www/myServer-ssl
| |
− | chown -R www-data:www-data /var/www/myServer-ssl
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Prepare the log files (optional)==
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # That should already exists from before
| |
− | mkdir -p /var/log/apache2/myServer
| |
− | | |
− | # Create *-ssl.log
| |
− | touch /var/log/apache2/myServer/error-ssl.log
| |
− | touch /var/log/apache2/myServer/access-ssl.log
| |
− | chmod -R 660 /var/log/apache2/myServer/*
| |
− | chown -R www-data:www-data /var/log/apache2/myServer/*
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | Create a default "/var/www/myServer-ssl/index.html" to check your virtual host.
| |
− | | |
− | If you'd like you can use this ultra-simple file [http://daxiongmao.eu/wiki_upload_files/apache2/index.html]
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | cd /var/www/myServer-ssl/
| |
− | wget http://daxiongmao.eu/wiki_upload_files/apache2/index.html
| |
− | chown www-data:www-data index.html
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | | |
− | ==Virtual host declaration==
| |
− | | |
− | You have 2 possibilities:
| |
− | * Update your current virtual host (recommended)
| |
− | * Create a new one, only for the SSL virtual host
| |
− | | |
− | | |
− | '''Update non-ssl V.Host configuration'''
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/sites-available/myServer
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | !! Adjust the settings to your own configuration !!
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | # Secure web server
| |
− | <VirtualHost _default_:443>
| |
− | <VirtualHost 192.168.0.100:443> → Choose the best options for your needs
| |
− | <VirtualHost *:443>
| |
− | | |
− | #############################
| |
− | # Server main properties
| |
− | #############################
| |
− | | |
− | ServerName myServer
| |
− | ServerAlias www.myServer *.myServer
| |
− | ServerAdmin webmaster@domain
| |
− |
| |
− | # Logs settings
| |
− | LogLevel Warn
| |
− | CustomLog ${APACHE_LOG_DIR}/myServer/access-ssl.log combined
| |
− | ErrorLog ${APACHE_LOG_DIR}/myServer/error-ssl.log
| |
− | | |
− | # Enable SSL
| |
− | SSLEngine On
| |
− | SSLCertificateFile /etc/apache2/webServer.pem
| |
− | SSLCertificateKeyFile /etc/apache2/webServer.key
| |
− | | |
− | #############################
| |
− | # Root folder properties
| |
− | #############################
| |
− | DocumentRoot /var/www/myServer-ssl
| |
− | | |
− | # Restrict access to server root
| |
− | <Directory />
| |
− | Options FollowSymLinks
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | deny from all
| |
− | </Directory>
| |
− | | |
− | # SECURITY: forbid access to .htaccess so no outsider can ever change it
| |
− | <Files ~ "^\.ht">
| |
− | Order allow,deny
| |
− | Deny from all
| |
− | </Files>
| |
− | | |
− | # Virtual host root directory
| |
− | <Directory /var/www/myServer-ssl>
| |
− | Require all granted
| |
− | Options Indexes FollowSymLinks MultiViews
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | allow from all
| |
− | </Directory>
| |
− | | |
− | | |
− | #############################
| |
− | # Other configuration
| |
− | # Alias, proxy redirections, CGI scripts, Directory, etc.
| |
− | #############################
| |
− | | |
− | </VirtualHost>
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Restart the web server
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | Now you can test your server ''https://myServer''
| |
− | | |
− | | |
− | If you've use a self-signed certificate you might see some alert. Just discarded it and process anyway!
| |
− | | |
− | | |
− | | |
− | | |
− | =Apache 2 configuration # Redirections=
| |
− | | |
− | | |
− | ==Enable redirections==
| |
− | | |
− | Module "rewrite" allows you to redirect source URL to another one.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod rewrite
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ==Redirect HTTP to HTTPS==
| |
− | | |
− | The safer way to redirect HTTP to HTTPS is use to adjust the virtual host configuration.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost *:80>
| |
− | ServerAdmin guillaume@qin-diaz.com
| |
− | ServerName dev.daxiongmao.eu
| |
− | ServerAlias *.dev.daxiongmao.eu
| |
− | | |
− | ### LOG ###
| |
− | ErrorLog ${APACHE_LOG_DIR}/daxiongmao/error.log
| |
− | LogLevel warn
| |
− | CustomLog ${APACHE_LOG_DIR}/daxiongmao/access.log combined
| |
− |
| |
− | | |
− | ############################################
| |
− | ## Redirect all traffic to HTTPS website
| |
− | ############################################
| |
− | RewriteEngine On
| |
− | # This checks to make sure the connection is not already HTTPS
| |
− | RewriteCond %{HTTPS} off
| |
− | # This rule will redirect users from their original location, to the same location but using HTTPS.
| |
− | RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
| |
− | # Alternate (fail-over) solution
| |
− | redirect permanent / https://myServer/
| |
− | | |
− | | |
− | ## No need of a document root anymore as everything is redirect
| |
− |
| |
− | </VirtualHost>
| |
− | </syntaxhighlight>
| |
− | | |
− | ==Take changes into account==
| |
− | | |
− | You have to restart the server to use this settings
| |
| | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
Line 531: |
Line 186: |
| | | |
| | | |
− | | + | Create a simple PHP script |
− | ==Alias redirection==
| |
− | | |
− | Edit configuration
| |
− | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | vim /etc/apache2/sites-available/myServer | + | vim /var/www/html/phpinfo.php |
| </syntaxhighlight> | | </syntaxhighlight> |
− |
| |
− |
| |
− |
| |
− | The following example will redirect a /myAlias from HTTP to HTTPS.
| |
− |
| |
− | You can adjust that example to redirect to another server too by adjusting the rewrite rule.
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost *:80>
| |
− | ...
| |
− | RewriteRule ^/myAlias(/.*|$) https://%{HTTP_HOST}/myAlias$1 [L,R]
| |
− | <Location /myAlias >
| |
− | order deny,allow
| |
− | deny from all
| |
− | # Only allow specific IP@
| |
− | # allow from 127.0.0.1 192.168.1.0/24
| |
− | allow from all
| |
− | </Location>
| |
− | ...
| |
− | </VirtualHost>
| |
− | <VirtualHost *:443>
| |
− | ...
| |
− | # PHPSecInfo
| |
− | Alias /myAlias /var/www/myAlias
| |
− | <Location /myAlias >
| |
− | order deny,allow
| |
− | deny from all
| |
− | # Only allow specific IP@
| |
− | # allow from 127.0.0.1 192.168.0.0/255.255.255.0
| |
− | allow from all
| |
− | </Location>
| |
− | ...
| |
− | </VirtualHost>
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Reload your configuration
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/apache2 reload
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Module configuration==
| |
− |
| |
− | Create the module configuration file
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/conf.d/rewrite.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− | Copy / paste this configuration (adjust to your own settings!)
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | RewriteEngine On
| |
− | # --------------------- SECURITY RULES (JOOMLA) ------------------------ #
| |
− | ## End of deny access to extension xml files
| |
− | RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
| |
− | # Block out any script trying to base64_encode crap to send via URL
| |
− | RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
| |
− | # Block out any script that includes a <script> tag in URL
| |
− | RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
| |
− | # Block out any script trying to set a PHP GLOBALS variable via URL
| |
− | RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
| |
− | # Block out any script trying to modify a _REQUEST variable via URL
| |
− | RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
| |
− | # Send all blocked request to homepage with 403 Forbidden error!
| |
− | RewriteRule ^(.*)$ index.php [F,L]
| |
− | # --------------------- SECURITY RULES (PERSONAL) ------------------------ #
| |
− | ## DENY REQUEST BASED ON REQUEST METHOD ###
| |
− | RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
| |
− | RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
| |
− | RewriteRule ^.*$ - [F]
| |
− | # Eviter les failles de securite
| |
− | RewriteCond %{QUERY_STRING} ^(.*)http(\:|\%3A)(.*)$
| |
− | RewriteCond %{QUERY_STRING} mosConfig_ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^(.*)(SELECT|INSERT|DELETE|CHAR\(|UPDATE|REPLACE|LIMIT)(.*)$
| |
− | # Eviter les erreurs basiques
| |
− | RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} tag\= [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} http\: [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} https\: [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*).* [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3D|%3E|%7B|%7C).* [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%F|127\.0).* [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
| |
− | RewriteCond %{QUERY_STRING} ^.*(select|insert|union|declare|drop).* [NC]
| |
− | RewriteRule ^(.*)$ - [F,L]
| |
− |
| |
− | # Ban Typical Vulnerability Scanners and others
| |
− | # Kick out Script Kiddies
| |
− | RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|wkito|pikto|scan|acunetix).* [NC,OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
| |
− | # Eviter les programmes de Zombies
| |
− | RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
| |
− | RewriteCond %{HTTP_USER_AGENT} ^Zeus
| |
− | RewriteRule ^.* - [F,L]
| |
− |
| |
− | # Allow the robots to reference our website
| |
− | RewriteCond %{HTTP_USER_AGENT} !^Googlebot [NC]
| |
− | RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Image [NC]
| |
− | RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Mobile [NC]
| |
− | RewriteCond %{HTTP_USER_AGENT} !^Msnbot [NC]
| |
− | RewriteCond %{HTTP_USER_AGENT} !^Mediapartners-Google [NC]
| |
− |
| |
− | # Keep request without referer
| |
− | RewriteCond %{HTTP_REFERER} !^$
| |
− |
| |
− | # To allow your pictures to be displayed on Google
| |
− | RewriteCond %{HTTP_REFERER} !^http://.*google\.(comŠ(co\.)?[a-z]{2})/
| |
− | # To forbid the copy of your pictures to anyone else : display an other image !
| |
− | RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/hotlinkis.jpg [L]
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =Apache 2 # redirections using mod_proxy=
| |
− |
| |
− |
| |
− | Thanks to Julien Rialland for his insight regarding this part!
| |
− |
| |
− |
| |
− | ==Principle==
| |
− |
| |
− | The proxy module allow you to redirect remote user to a specific server that can be host on a different machine or port through a clear URL.
| |
− |
| |
− |
| |
− | ===Current limits===
| |
− |
| |
− | Some application are not available from outside…
| |
− |
| |
− | * For security reasons [default URL is not allowed]
| |
− |
| |
− | [[File:Apache2 proxy security limit.png|none|Proxy for security]]
| |
− |
| |
− |
| |
− | * Due to network issues
| |
− |
| |
− | [[File:Apache2 proxy network issues.png|none|Proxy to improve network]]
| |
− |
| |
− |
| |
− | ===Proxy module role===
| |
− |
| |
− | The proxy module allow you to provide access through transparent redirection.
| |
− |
| |
− | It relies on:
| |
− | * Already open port (80 or 443)
| |
− | * Redirection rule
| |
− | * Each service URL must be unique
| |
− | * The target service must be reachable by the web server
| |
− |
| |
− | [[File:Apache2 proxy role.png|none|Proxy role]]
| |
− |
| |
− |
| |
− | As you can see on the following example, the previous services will be accessible using some dedicated URL.
| |
− | Remote “http://myServer/myService” will redirect to “http://localhost:8081”
| |
− |
| |
− | → The ''mod_proxy'' is none intrusive.
| |
− | You don’t have to change anything is the orginal service configuration. Apache2 will handle all the transformations.
| |
− |
| |
− |
| |
− | ==Proxy / redirect / rewrite==
| |
− |
| |
− | When Apache2 receive a request it will be process in the following order:
| |
− |
| |
− | [[File:Apache2 proxy rewrite.png|none|Proxy rewrite]]
| |
− |
| |
− |
| |
− | So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy.
| |
− |
| |
− |
| |
− | ==Enable proxy module==
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod proxy proxy_http proxy_ajp
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Configure proxy redirections==
| |
− |
| |
− | You can configure the redirections in 2 ways:
| |
− | * Through your virtual host configuration
| |
− | * Through the module configuration file
| |
− |
| |
− |
| |
− | ===Module configuration file===
| |
− |
| |
− | You have to edit / create the configuration file.
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/mods-enabled/proxy.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ===Virtual host===
| |
− |
| |
− | Just edit again your previous V.Host:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/sites-available/myServer.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ===Proxy declaration===
| |
− |
| |
− | Adjust the file to:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost *:80>
| |
− | ...
| |
− | ## Proxy
| |
− | ProxyVia On
| |
− | ProxyPreserveHost On
| |
− | <Proxy *>
| |
− | AddDefaultCharset off
| |
− | Order deny,allow
| |
− | Allow from all
| |
− | </Proxy>
| |
− |
| |
− | #### To allow some URLs to go through without being proxy ####
| |
− | # Active MQ REST web-service, required for hawt.io management
| |
− | ProxyPass /activemq-api http://localhost:8161/activemq-api
| |
− | ProxyPassReverse /activemq-api http://localhost:8161/activemq-api
| |
− | </VirtualHost>
| |
− |
| |
− | <VirtualHost *:443>
| |
− | ...
| |
− | ## Proxy
| |
− | ProxyVia On
| |
− | ProxyPreserveHost On
| |
− | <Proxy *>
| |
− | AddDefaultCharset off
| |
− | Order deny,allow
| |
− | Allow from all
| |
− | Satisfy Any
| |
− | </Proxy>
| |
− |
| |
− | RewriteEngine On
| |
− |
| |
− | ########################
| |
− | # Allow some URLs to go through without being proxy
| |
− | ########################
| |
− | # URL to discard => Classic HTTP services
| |
− | ProxyPass /menu !
| |
− | ProxyPass /maintenance !
| |
− |
| |
− | # PhpMyAdmin
| |
− | <Location /phpmyadmin>
| |
− | Order allow,deny
| |
− | Allow from 127.0.0.1 192.168.1.0/24
| |
− | Require all granted
| |
− | ProxyPass !
| |
− | </Location>
| |
− |
| |
− | ########################
| |
− | # Proxy redirections
| |
− | ########################
| |
− |
| |
− | # Proxy to a Java application running over Tomcat
| |
− | ProxyPass /webdav/ ajp://localhost:8009/webdav/
| |
− | ProxyPassReverse /webdav/ ajp://localhost:8009/webdav
| |
− |
| |
− | # Proxy to a Java application running over Tomcat, with IP filter
| |
− | <Location /manager>
| |
− | Order allow,deny
| |
− | Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
| |
− | ProxyPass ajp://localhost:8009/manager/
| |
− | ProxyPassReverse ajp://localhost:8009/manager/
| |
− | </Location>
| |
− |
| |
− | # Proxy to another server
| |
− | ProxyPass /jira http://192.168.1.12:8080/jira
| |
− | ProxyPassReverse /jira http://192.168.1.12:8080/jira
| |
− | </VirtualHost>
| |
− |
| |
− |
| |
− | #
| |
− | # Instead of "VirtualHost" you can use "IfModule" if you're editing the "proxy.conf" file
| |
− | #
| |
− | <IfModule mod_proxy.c>
| |
− |
| |
− | </IfModule>
| |
− | </syntaxhighlight>
| |
− |
| |
− | Some notes:
| |
− | * Do NOT put a / after the target URL
| |
− | * Do NOT use / as ProxyPass source, use the previous redirect permanent instead
| |
− |
| |
− |
| |
− | Apply changes and test result
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | For example, Navigate to http://myServer/jira
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =Apache 2 configuration # LDAP authentication=
| |
− |
| |
− |
| |
− | ==Modules and options lips==
| |
− |
| |
− | List of apache 2.2.x modules with roles and recommended values:
| |
− |
| |
− |
| |
− | * AuthType
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || This tells Apache which authentication module you want to use
| |
− | |-
| |
− | | Value || '''basic'''
| |
− | |-
| |
− | | Mandatory || Yes
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthName
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || Authentication window name
| |
− | |-
| |
− | | Value || “Authentication to my service”
| |
− | |-
| |
− | | Mandatory || Yes
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthBasicProvider
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || This tells Apache which authentication module you want to use
| |
− | |-
| |
− | | Value || '''ldaps'''
| |
− | |-
| |
− | | Mandatory || Yes
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthzLDAPAuthoritative
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || Tells Apache whether or not a failed authentication request can be passed to other Apache modules
| |
− | |-
| |
− | | Value || '''off'''
| |
− | |-
| |
− | | Mandatory || Yes
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthLDAPBindDN
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || The distinguished name (DN) of service account.
| |
− |
| |
− | This user will be used to scan the LDAP and perform real user authentication
| |
− | |-
| |
− | | Value || '''UID=myUser,OU=myGroup,DC=myServer'''
| |
− |
| |
− | uid=svn,ou=applications,dc=dev,dc=daxiongmao,dc=eu
| |
− | |-
| |
− | | Mandatory || No
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthLDAPBindPassword
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || The password for the user account configured via the AuthLDAPBindDN directive
| |
− | |-
| |
− | | Value ||
| |
− | |-
| |
− | | Mandatory || No
| |
− | |}
| |
− |
| |
− |
| |
− | * AuthLDAPURL
| |
− |
| |
− | {| class="wikitable"
| |
− | |-
| |
− | | Role || URL that tells:
| |
− | * Where the directory server is,
| |
− | * Where to look for users at,
| |
− | * What user attribute is used to identify a user
| |
− | |-
| |
− | | Value || '''ldaps://myServer:636/OU=group&,OU=group2,DC=myServer?attribute'''
| |
− |
| |
− | ldap://myServer:389/OU=group&,OU=group2,DC=myServer?attribute
| |
− |
| |
− | ldap://192.168.1.2:389/cn=users,dc=server2,dc=intranet,dc=myCompany,dc=com
| |
− |
| |
− | ldap://localhost:389/ou=people,dc=vehco,dc=com?uid
| |
− |
| |
− | |-
| |
− | | Mandatory || Yes
| |
− | |}
| |
− |
| |
− |
| |
− |
| |
− | ==Modules==
| |
− |
| |
− | Installation:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install libapache2-mod-ldap-userdir
| |
− | apt-get install libapache2-mod-vhost-ldap libapache2-mod-webauthldap
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | You have to enable to the following modules:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod ldap authnz_ldap
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Restart server to apply changes:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Configuration==
| |
− |
| |
− | You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
| |
− |
| |
− | Edit configuration
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/sites-available/myServer
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Adjust your virtual-host like that:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # LDAP protected directory
| |
− | <Directory /var/www/ssl/secure>
| |
− | Options Indexes FollowSymLinks MultiViews
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | allow from all
| |
− |
| |
− | AuthType basic
| |
− | AuthName "Secure area"
| |
− | ###########################
| |
− | # Choose a LDAP provider
| |
− | ###########################
| |
− | # If "localhost" then use LDAP.
| |
− | AuthBasicProvider ldap
| |
− | AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
| |
− | # If remote URL then use LDAP over SSL
| |
− | #AuthBasicProvider ldaps
| |
− | #AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=,dc=}?uid"
| |
− |
| |
− | Require valid-user
| |
− |
| |
− | # example
| |
− | # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
| |
− | # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
| |
− | # AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
| |
− |
| |
− | </Directory>
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Secure all the website==
| |
− |
| |
− | You have to adjust you document root like that:
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost _default_:443>
| |
− |
| |
− | # Restrict access to document root
| |
− | DocumentRoot /var/www/daxiongmao-ssl
| |
− | <Directory />
| |
− | Options FollowSymLinks
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | deny from all
| |
− | </Directory>
| |
− | <Directory /var/www/daxiongmao-ssl>
| |
− | Options Indexes FollowSymLinks MultiViews
| |
− | AllowOverride None
| |
− | Order allow,deny
| |
− | allow from all
| |
− |
| |
− | AuthType basic
| |
− | AuthName "Secure area"
| |
− | AuthBasicProvider ldap
| |
− | AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
| |
− | Require valid-user
| |
− | </Directory>
| |
− | […]
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =Advanced configuration=
| |
− |
| |
− |
| |
− | ==Ports number==
| |
− |
| |
− | You can change the Apache2 server ports
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/ports.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | Edit
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # HTTP
| |
− | Listen 80
| |
− | # HTTPS
| |
− | Listen 443
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Restricted access==
| |
− |
| |
− | Edit configuration
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/sites-available/myServer
| |
− | </syntaxhighlight>
| |
− |
| |
− | If your server is directly accessible on Internet: you should protect it!
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | # Disable access to the entire file system except for the directories that
| |
− | # are explicitly allowed later.
| |
− | #
| |
− | <Directory />
| |
− | AllowOverride None
| |
− | Order Deny,Allow
| |
− | Deny from all
| |
− | </Directory>
| |
− |
| |
− | # Protect .htacess files
| |
− | <Files ~ "^\.ht">
| |
− | Order allow,deny
| |
− | Deny from all
| |
− | </Files>
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Be discreet!==
| |
− |
| |
− |
| |
− | ===PHP info===
| |
− |
| |
− | Check the current server status using a simple PHP info file.
| |
− |
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /var/www/myServer/phpinfo.php
| |
− | </syntaxhighlight>
| |
− |
| |
| | | |
| Put the following: | | Put the following: |
− |
| |
| <syntaxhighlight lang="php"> | | <syntaxhighlight lang="php"> |
| <?php | | <?php |
− | // Show all information, defaults to INFO_ALL
| |
| phpinfo(); | | phpinfo(); |
| ?> | | ?> |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | | + | Adjust rights |
− | Adjust rights and ownership: | |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | chown -R www-data:www-data /var/www/myServer
| |
− | chmod -R 755 /var/www/myServer
| |
− | </syntaxhighlight>
| |
− | | |
− | | |
− | | |
− | ===Adjust verbose level===
| |
− | | |
− | Do not gives details about your configuration to outsiders.
| |
− | | |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/conf.d/security
| |
− | </syntaxhighlight>
| |
− | | |
− | Set the following settings
| |
− | | |
| <syntaxhighlight lang="bash"> | | <syntaxhighlight lang="bash"> |
− | #### Ask your server to be more discret!
| + | chown www-data:www-data /var/www/html/phpinfo.php |
− | # ServerTokens
| + | chmod 755 /var/www/html/phpinfo.php |
− | # Set to one of: Full | OS | Minimal | Minor | Major | Prod
| |
− | ServerTokens Prod
| |
− | | |
− | ServerSignature Off
| |
− | TraceEnable Off
| |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | Restart Apache2
| |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− | Re-run PHP info, you should have less information.
| |
− |
| |
− |
| |
− |
| |
− | =Apache 2 and PHP5: Secure your installation!=
| |
− |
| |
− |
| |
− | ==PHP Security Info==
| |
− | If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html
| |
− |
| |
− |
| |
− | ===Installation===
| |
− | <syntaxhighlight lang="bash">
| |
− | cd /tmp
| |
− | wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
| |
− | unzip phpsecinfo.zip
| |
− | mv phpsecinfo-Version phpsecinfo
| |
− | mv phpsecinfo/ /var/www
| |
− | cd /var/www
| |
− | chown -R www-data:www-data phpsecinfo
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ===Virtual host configuration===
| |
− | Edit configuration
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/sites-available/myServer
| |
− | </syntaxhighlight>
| |
− |
| |
− | !! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.
| |
− | <syntaxhighlight lang="bash">
| |
− | <VirtualHost *:80>
| |
− | # Advanced redirection – Only allow specific IP @
| |
− | RewriteRule ^/phpsec(/.*|$) https://%{HTTP_HOST}/phpsec$1 [L,R]
| |
− | <Location /phpsec >
| |
− | order deny,allow
| |
− | deny from all
| |
− | # Only allow specific IP@
| |
− | # allow from 127.0.0.1 192.168.0.0/255.255.255.0
| |
− | allow from all
| |
− | </Location>
| |
− | </VirtualHost>
| |
− |
| |
− | <VirtualHost _default_:443>
| |
− | # PHPSecInfo
| |
− | Alias /phpsec /var/www/phpsecinfo
| |
− | <Location /phpsec >
| |
− | order deny,allow
| |
− | deny from all
| |
− | # Only allow specific IP@
| |
− | # allow from 127.0.0.1 192.168.0.0/255.255.255.0
| |
− | allow from all
| |
− | </Location>
| |
− | </VirtualHost>
| |
− | </syntaxhighlight>
| |
− |
| |
− | Reload your configuration
| |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/apache2 reload
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ===Run the test===
| |
− | To asset your current installation you can run the test: https:// myServer/phpsec
| |
− |
| |
− |
| |
− | ==Improve security==
| |
− |
| |
− | ===PHP5 sessions and temp files===
| |
− | Create specific directory to store the sessions and temp files:
| |
− | <syntaxhighlight lang="bash">
| |
− | mkdir -p /etc/php5/temp
| |
− | mkdir -p /etc/php5/session
| |
− | chown -R www-data:root /etc/php5/temp
| |
− | chown -R www-data:root /etc/php5/session
| |
− | chmod -R 770 /etc/php5/session
| |
− | chmod -R 770 /etc/php5/temp
| |
− | </syntaxhighlight>
| |
− |
| |
− | Edit the configuration file
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/php5/apache2/php.ini
| |
− | </syntaxhighlight>
| |
− |
| |
− | line 798 → upload_tmp_dir = /etc/php5/temp
| |
− | line 1409 → session.save_path = "/etc/php5/session"
| |
− |
| |
− | ===PHP5 tweak===
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/php5/apache2/php.ini
| |
− | </syntaxhighlight>
| |
− |
| |
− | line 261 → expose_php = Off
| |
− | line 480 → display_errors=Off
| |
− | line 675 → post_max_size=256K
| |
− | line 814 → allow_url_fopen=Off
| |
− |
| |
− | DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)
| |
− |
| |
− | Restart your server to load the changes:
| |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− | Re-run the test. Then:
| |
− | * Ignore the open_basedir and upload_tmp_dir alerts, if any.
| |
− | * You can enable some specific options with a .htaccess file
| |
− |
| |
− |
| |
− | ===Change Apache 2 UID===
| |
− | Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...
| |
− |
| |
− | ====Change the Apache UID====
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/group
| |
− | </syntaxhighlight>
| |
− |
| |
− | Change www-data UID
| |
− | <syntaxhighlight lang="bash">
| |
− | www-data:x:10033:
| |
− | </syntaxhighlight>
| |
− |
| |
− | ====Change the Apache GID====
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/passwd
| |
− | </syntaxhighlight>
| |
− |
| |
− | Change the group settings
| |
− | <syntaxhighlight lang="bash">
| |
− | www-data:x:10033:10033:www-data:/var/www:/bin/false
| |
− | </syntaxhighlight>
| |
− |
| |
− | Apply modifications
| |
− | <syntaxhighlight lang="bash">
| |
− | chown -R www-data:www-data /var/www/*
| |
− | chown -R www-data:root /etc/php5/*
| |
− | </syntaxhighlight>
| |
− |
| |
− | To take on the modifications you have to reboot your server.
| |
− |
| |
− |
| |
− | ===Avoid DOS attacks===
| |
− | Source: Linux mag’ – Hors serie Apache2
| |
− |
| |
− | You can protect your server from Denial Of Service (DOS) attacks through mod_evasive
| |
− | <syntaxhighlight lang="bash">
| |
− | apt-get install libapache2-mod-evasive
| |
− | </syntaxhighlight>
| |
− |
| |
− | Prepare log directory
| |
− | <syntaxhighlight lang="bash">
| |
− | mkdir /var/log/apache2/mod_evasive
| |
− | chown -R www-data:www-data /var/log/apache2/mod_evasive
| |
− | </syntaxhighlight>
| |
− |
| |
− | Enable module
| |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod mod-evasive
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ===Configuration===
| |
− | Create the configuration file
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/conf.d/mod_evasive.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− | Put:
| |
− | <syntaxhighlight lang="bash">
| |
− | # Mod evasive configuration
| |
− | # Based upon Linux Mag
| |
− | <IfModule mod_evasive20.c>
| |
− | DOSHashTableSize 3097
| |
− |
| |
− | # Limit user to 5 pages per 2 seconds
| |
− | DOSPageCount 5
| |
− | DOSPageInterval 2
| |
− |
| |
− | # No more than 100 HTTP request per second (HTML, CSS, images, …)
| |
− | DOSSiteCount 100
| |
− | DOSSiteInterval 1
| |
− |
| |
− | # Block client for 300 seconds
| |
− | DOSBlockingPeriod 300
| |
− | # Send alert email
| |
− | #DOSEmailNotify "admin@myDomain"
| |
− |
| |
− | # Log directory
| |
− | DOSLogDir "/var/log/apache2/mod_evasive"
| |
− |
| |
− | # Command to execute on ban
| |
− | #DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"
| |
− |
| |
− | # Ignore following IP and networks
| |
− | DOSWhiteList 127.0.0.1
| |
− | #DOSWhitelist 66.249.65.*
| |
− | <IfModule mod_evasive20.c>
| |
− | </syntaxhighlight>
| |
− |
| |
− | DosHashTableSize = Size of the hash table.
| |
− | * The greater, the more memory is required but the faster it is! The value must be a prime number
| |
− |
| |
− |
| |
− | Apply changes
| |
− | <syntaxhighlight lang="bash">
| |
− | service apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− | =Apache2 configuration # Improve server performances=
| |
− |
| |
− | ==Mod deflate: improved the bandwidth==
| |
− |
| |
− | To improve the bandwidth, you can compress pages and type of content.
| |
− |
| |
− | => You can improved your bandwidth from 20 to 30%.
| |
− |
| |
− |
| |
− | To do so, you need a specific module for Apache: mod_deflate
| |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod deflate
| |
− | touch /var/log/apache2/deflate.log
| |
− | chown www-data:www-data /var/log/apache2/deflate.log
| |
− | chmod 740 /var/log/apache2/deflate.log
| |
− | </syntaxhighlight>
| |
− |
| |
− | Edit your web server configuration file:
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/conf.d/deflate.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− | Add the following lines:
| |
− | <syntaxhighlight lang="bash">
| |
− | ### Bandwidth optimization
| |
− | <IfModule mod_deflate.c>
| |
− | AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css application/x-javascript
| |
− | DeflateFilterNote deflate_ratio
| |
− | LogFormat "%v %h %l %u %t \"%r\" %>s %b"
| |
− | CustomLog /var/log/apache2/deflate.log vhost_with_deflate_info
| |
− | </IfModule>
| |
− | </syntaxhighlight>
| |
− |
| |
− | Restart your web server:
| |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− | ==Mod expires: use the cache of your clients==
| |
− | Another way to improve performances and bandwidth: use the client's cache.
| |
− |
| |
− | To do so, you need a specific module for Apache: mod_expires
| |
− | <syntaxhighlight lang="bash">
| |
− | a2enmod expires
| |
− | </syntaxhighlight>
| |
− |
| |
− | Edit your web server configuration file:
| |
− | <syntaxhighlight lang="bash">
| |
− | vim /etc/apache2/expires.conf
| |
− | </syntaxhighlight>
| |
− |
| |
− | Add the following lines
| |
− | <syntaxhighlight lang="bash">
| |
− | #### Client's cache settings
| |
− | <IfModule mod_expires.c>
| |
− | ExpiresActive on
| |
− | # set the default to 24 hours
| |
− | ExpiresDefault "access plus 24 hours"
| |
− | # cache shockwave-flash for 2 weeks (days | weeks | mounths | years)
| |
− | ExpiresByType application/x-shockwave-flash "access plus 2 weeks"
| |
− | ExpiresByType flv-application/octet-stream "access plus 3 days"
| |
− | # cache common graphics for 3 days
| |
− | ExpiresByType image/jpg "access plus 2 weeks"
| |
− | ExpiresByType image/gif "access plus 2 weeks"
| |
− | ExpiresByType image/jpeg "access plus 2 weeks"
| |
− | ExpiresByType image/png "access plus 2 weeks"
| |
− | # cache CSS for 24 hours
| |
− | ExpiresByType text/css "access plus 24 hours"
| |
− | </IfModule>
| |
− | </syntaxhighlight>
| |
− |
| |
− | Restart your web server:
| |
− | <syntaxhighlight lang="bash">
| |
− | /etc/init.d/apache2 restart
| |
− | </syntaxhighlight>
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− |
| |
− | =Related topics=
| |
− |
| |
− |
| |
− | ==Distribute and install the certificates==
| |
| | | |
− | see [[Apache 2 - SSL certificates page]] | + | You can now test your installation by going to 'http://localhost/phpinfo.php' or 'http://myServer/phpinfo.php'. You should see the default page. |