Apache 2

Revision as of 21:52, 25 May 2014 by WikiFreak (talk | contribs) (Apache 2 # redirections using mod_proxy)

Contents

Requirements

Before going through this tutorial, I recommend you to setup:


Installation

Apache 2

This will install web server + PHP + Perl + all required libraries.

Apache2 core

apt-get install apache2 apache2-mpm-prefork apache2-utils ssl-cert

Additional libraries

apt-get install libapache2-mod-fcgid libruby

Doc

apt-get install apache2-doc

Perl

apt-get install libapache2-mod-perl2 libapache2-mod-perl2-doc

PHP 5

Core

apt-get install libapache2-mod-php5 php5 php5-common

Module PHP5

apt-get install php5-curl php5-dev php5-gd php-pear php5-imagick php5-imap php5-mcrypt 
apt-get install php5-memcache php5-mhash php5-mysql php5-snmp php5-xmlrpc php5-xcache php5-curl php5-xsl

Additional libs

apt-get install php5-cli php5-cgi php-pear php-auth php5-mcrypt mcrypt

Image Magick

apt-get install php5-imagick imagemagick


Firewall

You have to open the following ports:

  • Port 80 = HTTP
  • Port 443 = HTTPS
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 443 -j ACCEPT

Restart the firewall

/etc/init.d/firewall restart


PHP 5

Edit config file:

vim /etc/php5/apache2/php.ini

Add / uncomment the following lines in Dynamic extensions area (~ line 865)

  • extension=mysql.so
  • extension=gd.so


Apache 2 configuration # Multi-threading

MPM prefork

This manage processes

  • Max clients = nb of max simultaneous requests that the server can handle
  • Server limit = max nb of process that the server can handle
  • Start servers = nb of process to create on server start
  • Min / Max spare servers = nb of min / max process listening for incoming request
  • Max request per child = nb of requests that each process can execute
vim /etc/apache2/apache2.conf

Let default values; put a limit to MaxRequestsPerChild at 100 000


MPM worker

This manage threads. Threads are executed within a specific process. All process’ threads share the same context and global variables.

vim /etc/apache2/apache2.conf

Let default values; put a limit to MaxRequestsPerChild at 10 000


Apache 2 configuration # Virtual host

Preparation

Initialize configuration

cd /etc/apache2/sites-available/

Create target directory

mkdir -p /var/www/myServer

Prepare the log files

mkdir -p /var/log/apache2/myServer
touch /var/log/apache2/myServer/access.log
touch /var/log/apache2/myServer/error.log
chmod -R 660 /var/log/apache2/myServer/*
chown -R www-data:www-data /var/log/apache2/myServer/*


Configuration

Init configuration

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myServer.conf


Edit configuration

vim /etc/apache2/sites-available/myServer


To begin the virtual host, write the following lines: → Adjust the settings to your own configuration

<VirtualHost 192.168.0.100:80>		  → Choose the best options for your needs
<VirtualHost *:80>

	ServerName		myServer
	ServerAlias		www.myServer *.myServer
	ServerAdmin		webmaster@domain
	
	# Logs settings
	LogLevel		Warn
	CustomLog		{APACHE_LOG_DIR}/myServer/access.log combined
	ErrorLog		{APACHE_LOG_DIR}/myServer/error.log

	# Root folder properties
	DocumentRoot	/var/www/myServer
	<Directory />
		Options FollowSymLinks 
		AllowOverride None
	</Directory>
        <Directory /var/www/myServer />
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	# Scripts CGI
	# [ required for PHP 5 ]
	ScriptAlias /cgi-bin/ /var/www/cgi-bin
	<Directory "/var/www/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

</VirtualHost>


Activation of a Virtual Host

To activate a Virtual Host, just type

a2ensite  myServer

Then, restart your web server

/etc/init.d/apache2 restart

Apache 2 configuration # SSL Virtual host

Create SSL certificate

First of all, you need to create a server certificate. Cf. SSL dedicated document → Create a new server certificate

>> see SSL server


Enable SSL module

Create symlinks for server certificate

ln -s /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
ln -s /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key


Activate the SSL module

a2enmod ssl


Prepare virtual host (optional)

Create virtual host folder

mkdir -p /var/www/myServer-ssl
cp /var/www/index.html /var/www/myServer-ssl
chown -R www-data:www-data /var/www/myServer-ssl


Prepare the log files (optional)

mkdir -p /var/log/apache2/myServer-ssl
touch /var/log/apache2/myServer-ssl/error.log
touch /var/log/apache2/myServer-ssl/access.log
chmod 660 /var/log/apache2/*
chown root:www-data /var/log/apache2/*


Virtual host declaration

You have 2 possibilities:

  • Update your current virtual host
  • Create a new one, only for the SSL virtual host


New virtual host: Init configuration

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/myServer-ssl


Edit V.Host configuration

vim /etc/apache2/sites-available/myServer-ssl


Then, you will need to edit the Virtual Host configuration file:

vim /etc/apache2/sites-availables/virtualHostName

!! Adjust the settings to your own configuration

# Secure web server
<VirtualHost _default_:443>
<VirtualHost 192.168.0.100:443>		   → Choose the best options for your needs
<VirtualHost *:443>

	ServerName		myServer
	ServerAlias		www.myServer *.myServer
	ServerAdmin		webmaster@domain
	
	# Logs settings
	LogLevel		Warn
	CustomLog		{APACHE_LOG_DIR}/myServer-ssl/access.log combined
	ErrorLog		{APACHE_LOG_DIR}/myServer-ssl/error.log

	# Root folder properties
	DocumentRoot	/var/www/myServer-ssl

        # Enable SSL
        SSLEngine               	On
        SSLCertificateFile      	/etc/apache2/webServer.pem
        SSLCertificateKeyFile   	/etc/apache2/webServer.key

        # Root directory properties
        <Directory /var/www/ssl />
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        ##########################
        # ALIAS AND REDIRECTIONS #
        ##########################

</VirtualHost>

Enable site

a2ensite myServer-ssl

Restart the web server

/etc/init.d/apache2 restart

Accept auto-signed certificate

Go to https://myServer/certs/ Cf SSL document to get installation details

Apache 2 configuration # Redirect HTTP to HTTPS

The safer way to redirect HTTP to HTTPS is use to adjust the virtual host configuration.

Edit configuration

vim /etc/apache2/sites-available/myServer

Make it looks like:

<VirtualHost *:80>
	ServerAdmin guillaume@qin-diaz.com

	ServerName dev.daxiongmao.eu
	ServerAlias *.dev.daxiongmao.eu dev.qin-diaz.com www.dev.qin-diaz.com

	### LOG ###
	ErrorLog ${APACHE_LOG_DIR}/daxiongmao/error.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/daxiongmao/access.log combined
	
	## Redirect all traffic to HTTPS website
	redirect permanent / https://myServer/
	
	## No need of a document root anymore as everything is redirect
	
</VirtualHost>

You can remove:

  • Document root
  • CGI url
  • All the alias

Restart your server

service apache2 restart


Apache 2 # redirections using mod_proxy

Thanks to Julien Rialland for his insight regarding this part!


Principle

The proxy module allow you to redirect remote user to a specific server that can be host on a different machine or port through a clear URL.


Current limits

Some application are not available from outside…

  • For security reasons [default URL is not allowed]
Proxy for security


  • Due to network issues
Proxy to improve network


Proxy module role

The proxy module allow you to provide access through transparent redirection.

It relies on:

  • Already open port (80 or 443)
  • Redirection rule
  • Each service URL must be unique
  • The target service must be reachable by the web server
Proxy role


As you can see on the following example, the previous services will be accessible using some dedicated URL. Remote “http://myServer/myService” will redirect to “http://localhost:8081”

→ The mod_proxy is none intrusive. You don’t have to change anything is the orginal service configuration. Apache2 will handle all the transformations.


Proxy / redirect / rewrite

When Apache2 receive a request it will be process in the following order:

Proxy rewrite


So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy.


Enable proxy module

a2enmod proxy proxy_http proxy_ajp


Configure proxy redirections

You can configure the redirections in 2 ways:

  • Through your virtual host configuration
  • Through the module configuration file


Module configuration file

You have to edit / create the configuration file.

vim /etc/apache2/mods-enabled/proxy.conf


Virtual host

Just edit again your previous V.Host:

vim /etc/apache2/sites-available/myServer.conf


Proxy declaration

Adjust the file to:

<VirtualHost *:80>
...
	## Proxy
	ProxyVia On
        ProxyPreserveHost On
        <Proxy *>
             AddDefaultCharset off
             Order deny,allow
             Allow from all
	</Proxy>

        #### To allow some URLs to go through without being proxy ####
	# Active MQ REST web-service, required for hawt.io management
	ProxyPass /activemq-api http://localhost:8161/activemq-api
	ProxyPassReverse /activemq-api http://localhost:8161/activemq-api 	
</VirtualHost>

<VirtualHost *:443>
...
	## Proxy
	ProxyVia On
        ProxyPreserveHost On
        <Proxy *>
             AddDefaultCharset off
             Order deny,allow
             Allow from all
             Satisfy Any
        </Proxy>

	RewriteEngine On

	########################
	# Allow some URLs to go through without being proxy
	########################
        # URL to discard => Classic HTTP services
	ProxyPass /menu !
	ProxyPass /maintenance !

	# PhpMyAdmin
	<Location /phpmyadmin>
		Order allow,deny
		Allow from 127.0.0.1 192.168.1.0/24 193.12.118.194 90.83.80.64/27 90.83.80.123 77.68.140.115 91.121.17.114 193.12.118.196
		Require all granted 
		ProxyPass !
	</Location>

	########################
	# Proxy redirections
	########################

	# Proxy to a Java application running over Tomcat
	ProxyPass /webdav/ ajp://localhost:8009/webdav/
	ProxyPassReverse /webdav/ ajp://localhost:8009/webdav 	

	# Proxy to a Java application running over Tomcat, with IP filter
	<Location /manager>
		Order allow,deny
		Allow from 127.0.0.1 192.168.1.0/24 193.12.118.194 90.83.80.64/27 90.83.80.123 77.68.140.115 91.121.17.114 193.12.118.196
		ProxyPass ajp://localhost:8009/manager/
		ProxyPassReverse ajp://localhost:8009/manager/
	</Location>

        # Proxy to another server
        ProxyPass /jira http://192.168.1.12:8080/jira
        ProxyPassReverse /jira http://192.168.1.12:8080/jira
</VirtualHost>


#
# Instead of "VirtualHost" you can use "IfModule" if you're editing the "proxy.conf" file
#
<IfModule mod_proxy.c>

</IfModule>

Some notes:

  • Do NOT put a / after the target URL
  • Do NOT use / as ProxyPass source, use the previous redirect permanent instead

Apply changes and test result

service apache2 restart

Navigate to http://myServer/artifactory

Apache 2 configuration # LDAP authentication

Enable LDAP module

a2enmod authnz_ldap
service apache2 restart


Configuration

You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:

Edit configuration

vim /etc/apache2/sites-available/myServer

Adjust your virtual-host like that:

# LDAP protected directory
<Directory /var/www/ssl/secure>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   AuthType basic
   AuthName "Secure area"	
   AuthBasicProvider ldap
   AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
   Require valid-user

   # example
   # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
   # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"

</Directory>


Secure all the website

You have to adjust you document root like that:

<VirtualHost _default_:443>

	# Restrict access to document root
	DocumentRoot /var/www/daxiongmao-ssl
	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order allow,deny
		deny from all
	</Directory>
	<Directory /var/www/daxiongmao-ssl>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
		
		AuthType basic
		AuthName "Secure area"	
		AuthBasicProvider ldap
		AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
		Require valid-user
	</Directory>
[…]


Apache 2 configuration # Advanced configuration

Enable redirections

Mod rewrite allows you to redirect source URL to another one.


Enable module

a2enmod rewrite


Alias redirection

Edit configuration

vim /etc/apache2/sites-available/myServer

HTTP virtual host = redirect to HTTPS

<VirtualHost *:80>
	RewriteRule ^/myAlias(/.*|$)    https://%{HTTP_HOST}/myAlias$1 [L,R]
	<Location /myAlias >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
	</Location>
</VirtualHost>

HTTPS virtual host = service declaration

<VirtualHost _default_:443>
	# PHPSecInfo
	Alias 	/myAlias   /var/www/myAlias
	<Location /myAlias >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
        </Location>
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload


Redirect HTTP to HTTPS

This is not the recommended method. You should use the previous method instead.

<VirtualHost *:80>
	ServerAdmin guillaume@qin-diaz.com
	ServerName dev.daxiongmao.eu
	ServerAlias *.dev.daxiongmao.eu dev.qin-diaz.com www.dev.qin-diaz.com

	### LOG ###
	ErrorLog ${APACHE_LOG_DIR}/daxiongmao/error.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/daxiongmao/access.log combined
	
	## Redirect all traffic to HTTPS website
        RewriteEngine On

        # This checks to make sure the connection is not already HTTPS
        RewriteCond %{HTTPS} !=on

        # This rule will redirect users from their original location, 
        # to the same location but using HTTPS.
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
	
	## No need of a document root anymore as everything is redirect
	
</VirtualHost>


Module configuration

Create the module configuration file

vim /etc/apache2/conf.d/rewrite.conf

Copy / paste this configuration (adjust to your own settings!)

   RewriteEngine On
   # --------------------- SECURITY RULES (JOOMLA) ------------------------ #
   ## End of deny access to extension xml files
   RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
   # Block out any script trying to base64_encode crap to send via URL
   RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
   # Block out any script that includes a <script> tag in URL
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   # Block out any script trying to set a PHP GLOBALS variable via URL
   RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
   # Block out any script trying to modify a _REQUEST variable via URL
   RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
   # Send all blocked request to homepage with 403 Forbidden error!
   RewriteRule ^(.*)$ index.php [F,L]
   # --------------------- SECURITY RULES (PERSONAL) ------------------------ #
   ## DENY REQUEST BASED ON REQUEST METHOD ###
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
   RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
   RewriteRule ^.*$ - [F]
   # Eviter les failles de securite
   RewriteCond %{QUERY_STRING} ^(.*)http(\:|\%3A)(.*)$
   RewriteCond %{QUERY_STRING} mosConfig_ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(SELECT|INSERT|DELETE|CHAR\(|UPDATE|REPLACE|LIMIT)(.*)$
   # Eviter les erreurs basiques
   RewriteCond %{QUERY_STRING} \.\.\/    [NC,OR]
   RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
   RewriteCond %{QUERY_STRING} tag\=     [NC,OR]
   RewriteCond %{QUERY_STRING} ftp\:     [NC,OR]
   RewriteCond %{QUERY_STRING} http\:    [NC,OR]
   RewriteCond %{QUERY_STRING} https\:   [NC,OR]
   RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3D|%3E|%7B|%7C).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%F|127\.0).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(select|insert|union|declare|drop).* [NC]
   RewriteRule ^(.*)$ - [F,L]

   # Ban Typical Vulnerability Scanners and others
   # Kick out Script Kiddies
   RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|wkito|pikto|scan|acunetix).* [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
   # Eviter les programmes de Zombies
   RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
   RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
   RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus
   RewriteRule ^.* - [F,L]

   # Allow the robots to reference our website
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Image [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Mobile [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Msnbot [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Mediapartners-Google [NC]

   # Keep request without referer
   RewriteCond %{HTTP_REFERER} !^$

   # To allow your pictures to be displayed on Google
   RewriteCond %{HTTP_REFERER} !^http://.*google\.(comŠ(co\.)?[a-z]{2})/
   # To forbid the copy of your pictures to anyone else : display an other image !
   RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/hotlinkis.jpg [L]


Take changes into account

You have to restart the server to use this settings

service apache2 restart


Ports number

You can change the Apache2 server ports

vim /etc/apache2/ports.conf

Edit

# HTTP
Listen 80
# HTTPS 
Listen 443


Restricted access

Edit configuration

vim /etc/apache2/sites-available/myServer

If your server is directly accessible on Internet: you should protect it!

# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
<Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
</Directory>

# Protect .htacess files
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>


Be discreet!

Check the current server status using a simple PHP info file

Do not gives details about your configuration to outsiders.

vim /etc/apache2/conf.d/security

Set the following settings

#### Ask your server to be more discret!
# ServerTokens
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod

ServerSignature Off
TraceEnable Off

Restart Apache2

service apache2 restart

Re-run PHP info, you should have less information.


Apache 2 and PHP5: Secure your installation!

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html


Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo


Virtual host configuration

Edit configuration

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.

<VirtualHost *:80>
	# Advanced redirection – Only allow specific IP @
	RewriteRule ^/phpsec(/.*|$)    https://%{HTTP_HOST}/phpsec$1 [L,R]
	<Location /phpsec >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
	</Location>
</VirtualHost>

<VirtualHost _default_:443>
	# PHPSecInfo
	Alias 	/phpsec   /var/www/phpsecinfo
	<Location /phpsec >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
               allow from all
         </Location>
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload


Run the test

To asset your current installation you can run the test: https:// myServer/phpsec


Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files:

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp

Edit the configuration file

vim /etc/php5/apache2/php.ini

line 798 → upload_tmp_dir = /etc/php5/temp line 1409 → session.save_path = "/etc/php5/session"

PHP5 tweak

vim /etc/php5/apache2/php.ini

line 261 → expose_php = Off line 480 → display_errors=Off line 675 → post_max_size=256K line 814 → allow_url_fopen=Off

DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)

Restart your server to load the changes:

service apache2 restart

Re-run the test. Then:

  • Ignore the open_basedir and upload_tmp_dir alerts, if any.
  • You can enable some specific options with a .htaccess file


Change Apache 2 UID

Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...

Change the Apache UID

vim /etc/group

Change www-data UID

    www-data:x:10033:

Change the Apache GID

 
vim /etc/passwd

Change the group settings

	www-data:x:10033:10033:www-data:/var/www:/bin/false

Apply modifications

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*

To take on the modifications you have to reboot your server.


Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2

You can protect your server from Denial Of Service (DOS) attacks through mod_evasive

apt-get install libapache2-mod-evasive

Prepare log directory

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive

Enable module

a2enmod mod-evasive


Configuration

Create the configuration file

vim /etc/apache2/conf.d/mod_evasive.conf

Put:

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
	DOSHashTableSize 3097 

	# Limit user to 5 pages per 2 seconds
	DOSPageCount 5
	DOSPageInterval 2 

	# No more than 100 HTTP request per second (HTML, CSS, images, …) 
	DOSSiteCount 100
	DOSSiteInterval 1

	# Block client for 300 seconds
	DOSBlockingPeriod 300 
	# Send alert email
	#DOSEmailNotify "admin@myDomain" 

	# Log directory
	DOSLogDir "/var/log/apache2/mod_evasive" 

	# Command to execute on ban
	#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

	# Ignore following IP and networks
	DOSWhiteList 127.0.0.1 
	#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>

DosHashTableSize = Size of the hash table.

  • The greater, the more memory is required but the faster it is! The value must be a prime number


Apply changes

service apache2 restart


Apache2 configuration # Improve server performances

Mod deflate: improved the bandwidth

To improve the bandwidth, you can compress pages and type of content.

=> You can improved your bandwidth from 20 to 30%.


To do so, you need a specific module for Apache: mod_deflate

a2enmod deflate
touch /var/log/apache2/deflate.log
chown www-data:www-data /var/log/apache2/deflate.log
chmod 740 /var/log/apache2/deflate.log

Edit your web server configuration file:

vim /etc/apache2/conf.d/deflate.conf

Add the following lines:

### Bandwidth optimization
<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css application/x-javascript
	DeflateFilterNote deflate_ratio
	LogFormat "%v %h %l %u %t \"%r\" %>s %b"
	CustomLog /var/log/apache2/deflate.log vhost_with_deflate_info
</IfModule>

Restart your web server:

/etc/init.d/apache2 restart


Mod expires: use the cache of your clients

Another way to improve performances and bandwidth: use the client's cache.

To do so, you need a specific module for Apache: mod_expires

a2enmod expires

Edit your web server configuration file:

vim /etc/apache2/expires.conf

Add the following lines

#### Client's cache settings
<IfModule mod_expires.c>
	ExpiresActive on
	# set the default to 24 hours
	ExpiresDefault "access plus 24 hours"
	# cache shockwave-flash for 2 weeks (days | weeks | mounths | years)
	ExpiresByType application/x-shockwave-flash "access plus 2 weeks"
	ExpiresByType flv-application/octet-stream "access plus 3 days"
	# cache common graphics for 3 days
	ExpiresByType image/jpg "access plus 2 weeks"
	ExpiresByType image/gif "access plus 2 weeks"
	ExpiresByType image/jpeg "access plus 2 weeks"
	ExpiresByType image/png "access plus 2 weeks"
	# cache CSS for 24 hours
	ExpiresByType text/css "access plus 24 hours"
</IfModule>

Restart your web server:

/etc/init.d/apache2 restart