Apache Web Server Complete Guide Dedoimedo www.dedoimedo.com www.dedoimedo.com all rights reserved Contents 1 Introduction 15 2 Basic Setup 16 2.1 Verify installation......................... 16 2.2 Package files............................ 16 2.3 Main configuration file(s)..................... 18 2.3.1 Backup........................... 18 2.4 Edit the httpd.conf configuration file............... 18 2.4.1 ServerRoot......................... 19 2.4.2 PidFile........................... 20 2.4.3 ServerName........................ 20 2.4.4 Add site to /etc/hosts file................. 21 2.4.5 DocumentRoot....................... 24 2.4.6 ErrorLog.......................... 25 2.4.7 Listen........................... 26 2.5 Create your HTML documents.................. 27 2.6 Start the Web Server....................... 29 2.7 Access the web site........................ 32 2.7.1 Local access........................ 32 2.7.2 Internal & external access................. 34 2.8 Summary of basic setup...................... 37 3 Advanced setup 38 3.1 Directory tags........................... 38 3.1.1 Order (allow, deny).................... 40 3.1.2 Indexes........................... 43 2 www.dedoimedo.com all rights reserved 3.1.3 DirectoryMatch...................... 46 3.2 Files tags.............................. 46 3.3 Location tags............................ 48 3.4 Directory, Files and Location................... 49 3.5 Redirect.............................. 50 3.6 Virtual Hosts............................ 50 3.6.1 Single IP, two websites................... 53 3.6.2 Two IPs, two websites................... 57 3.6.3 Other scenarios...................... 60 3.7 Modules.............................. 63 3.7.1 Module types........................ 63 3.7.2 View installed modules................... 64 3.7.3 LoadModule........................ 65 4 .htaccess 69 4.1 Create .htaccess file........................ 71 4.2 Create .htpasswd file........................ 71 4.3 Copy .htaccess to restricted directory............... 73 4.4 Configure httpd.conf to allow authentication via .htaccess.... 73 4.5 Test setup............................. 74 4.6 Other configurations........................ 77 4.6.1 Inheritance & performance loss.............. 77 4.6.2 Disable web access to .htaccess.............. 78 5 Secure Web server 80 5.1 Encrypted session......................... 80 5.2 Requirements............................ 81 5.3 Limitations............................. 82 3 www.dedoimedo.com all rights reserved 5.4 Main configuration file(s)..................... 83 5.5 Edit the ssl.conf configuration file - part 1............ 84 5.5.1 LoadModule........................ 84 5.5.2 Listen........................... 85 5.5.3 VirtualHost......................... 85 5.6 Create SSL certificate....................... 87 5.6.1 Create Certificate Authority (CA)............. 87 5.6.2 Create server key...................... 91 5.6.3 Create Certificate Signing Request (CSR)......... 92 5.6.4 Sign Certificate Signing Request (CSR) with Certificate Authority (CA).............. 94 5.6.5 Verify certificates..................... 95 5.7 Edit ssl.conf configuration file - part 2............... 99 5.7.1 Server Certificate..................... 100 5.7.2 Server Private Key..................... 100 5.7.3 Certificate Authority.................... 101 5.8 Test setup............................. 102 5.9 Mini-summary........................... 106 5.9.1 Names........................... 106 5.9.2 Commands......................... 107 5.9.3 Difference between self-signed and CA-signed certificates................... 108 5.9.4 Verification......................... 109 5.9.5 File names and locations.................. 110 5.10 Extras............................... 110 5.10.1 Do not use password-protected server keys........ 110 5.10.2 Create server key without password............ 110 5.11 Submission of CSR to CA..................... 112 4 www.dedoimedo.com all rights reserved 5.11.1 Create CSR........................ 112 5.11.2 Send CSR to CA...................... 113 5.11.3 Verify certificate...................... 113 5.12 General considerations....................... 114 5.12.1 Use secure server only................... 114 5.12.2 Use only IP-based virtual hosts.............. 114 5.12.3 Use server.key as file name for the server key....... 114 6 Other configurations 115 6.1 Firewall rules............................ 115 6.1.1 Advanced firewall rules................... 116 6.1.2 Port forwarding...................... 116 6.1.3 Destination NAT...................... 117 6.1.4 Static NAT......................... 118 6.2 Enable Web server on startup................... 119 7 Security 120 7.1 Updates.............................. 120 7.2 Hide your server version...................... 120 7.3 Logs................................ 122 7.4 Permissions............................. 122 7.4.1 Access to root (/)..................... 123 7.5 AllowOverride........................... 124 7.6 Disable public access to .ht files.................. 124 7.7 Dynamic content.......................... 125 7.7.1 Disable CGI........................ 125 7.8 Disable Server Side Includes (SSI)................. 125 7.9 Disable unnecessary modules................... 125 5 www.dedoimedo.com all rights reserved 7.10 Use ModSecurity (mod_security) module............. 126 7.11 Chroot Jail............................. 126 7.12 Secure web server only....................... 126 7.12.1 Different DocumentRoot.................. 127 7.12.2 Permissions......................... 127 7.12.3 Duration of certificates.................. 127 7.13 Word of caution!.......................... 127 8 References 128 8.1 Additional references........................ 129 6 www.dedoimedo.com all rights reserved List of Figures 1 Editing httpd.conf main configuration file............. 19 2 ServerRoot directive........................ 20 3 ServerName directive........................ 21 4 External web site loaded...................... 22 5 Editing /etc/hosts file....................... 23 6 Unable to connect to site..................... 24 7 DocumentRoot directive...................... 25 8 ErrorLog directive......................... 26 9 Listen directive........................... 27 10 Creating sample HTML document................. 28 11 Contents of /var/www/html directory............... 29 12 Starting httpd service....................... 30 13 httpd service status........................ 31 14 Process listing for httpd...................... 32 15 Local access to website...................... 33 16 Local access via localhost..................... 34 17 Internal access to website..................... 35 18 Internal access from a Windows machine............. 36 19 Directory tags example....................... 39 20 Allow and Deny directives..................... 41 21 Accessing Web server from denied host.............. 42 22 Accessing Web server from allowed host.............. 43 23 Indexes directive.......................... 44 24 index_allow example........................ 45 25 index_deny example........................ 46 26 Files tags example......................... 47 7 www.dedoimedo.com all rights reserved 27 Location tags example....................... 48 28 Apache Server Status Location tags example........... 49 29 Redirect directive.......................... 50 30 Virtual Hosts example....................... 51 31 Single IP, two websites example.................. 53 32 Hosts file change matching Virtual Hosts............. 54 33 Wrong use of Hosts file entries.................. 55 34 www.ninja-father.com....................... 56 35 www.ninja-son.com........................ 57 36 Virtual network adapter...................... 58 37 Two IPs, two websites example.................. 59 38 Hosts file change.......................... 60 39 Listing compiled modules..................... 64 40 Listing static and shared modules................. 65 41 LoadModule directive....................... 66 42 Contents of /usr/lib/httpd/modules................ 67 43 Creating .htaccess file....................... 71 44 Creating .htpasswd file....................... 72 45 Contents of .htpasswd file..................... 73 46 AllowOverride directive...................... 74 47 Testing .htaccess, no file in place................. 75 48 Testing .htaccess, file in place................... 76 49 Authorization required....................... 77 50 Disabling web access to .htaccess................. 78 51 Forbidden message on access to .htaccess............. 79 52 mod_ssl module under /etc/httpd/modules........... 82 53 ssl.conf configuration file...................... 83 8 www.dedoimedo.com all rights reserved 54 Loading SSL module........................ 85 55 VirtualHost block for secure site.................. 86 56 Creating Certificate Authority key................. 88 57 Creating new certificate...................... 89 58 Creating new certificate, continued................ 90 59 Creating server key......................... 91 60 Creating Certificate Signing Request............... 93 61 Creating Certificate Signing Request, continued.......... 94 62 Signing CSR with CA....................... 95 63 Verify myca.key.......................... 96 64 Verify myca.crt........................... 97 65 Verify server.key.......................... 98 66 Verify server.csr.......................... 99 67 Server Certificate location..................... 100 68 Certificate Authority location................... 101 69 Restart server with password.................... 102 70 Unknown certificate website warning............... 103 71 Certificate