Revision as of 11:36, 26 May 2014

1 Requirements
2 Installation
3 PHP 5
4 Apache 2 configuration # Multi-threading
- 4.1 MPM prefork
- 4.2 MPM worker
5 Apache 2 configuration # Virtual host
- 5.1 Preparation
- 5.2 Configuration
6 Apache 2 configuration # SSL Virtual host
7 Apache 2 configuration # Redirect HTTP to HTTPS
8 Apache 2 # redirections using mod_proxy
9 Apache 2 configuration # LDAP authentication
10 Apache 2 configuration # Advanced configuration
11 Apache 2 and PHP5: Secure your installation!
- 11.1 PHP Security Info
- 11.2 Improve security
12 Apache2 configuration # Improve server performances
- 12.1 Mod deflate: improved the bandwidth
- 12.2 Mod expires: use the cache of your clients

Requirements

Before going through this tutorial, I recommend you to setup:

MySQL server
SSL infrastructure and create a server certificate - see SSL server
LDAP server

Installation

Apache 2

This will install web server + PHP + Perl + all required libraries.

Apache2 core

apt-get install apache2 apache2-mpm-prefork apache2-utils ssl-cert

Additional libraries

apt-get install libapache2-mod-fcgid libruby

Doc

apt-get install apache2-doc

Perl

apt-get install libapache2-mod-perl2 libapache2-mod-perl2-doc

PHP 5

Core

apt-get install libapache2-mod-php5 php5 php5-common

Module PHP5

apt-get install php5-curl php5-dev php5-gd php-pear php5-imagick php5-imap php5-mcrypt 
apt-get install php5-memcache php5-mhash php5-mysql php5-snmp php5-xmlrpc php5-xcache php5-curl php5-xsl

Additional libs

apt-get install php5-cli php5-cgi php-pear php-auth php5-mcrypt mcrypt

Image Magick

apt-get install php5-imagick imagemagick

Firewall

You have to open the following ports:

Port 80 = HTTP
Port 443 = HTTPS

$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state -i eth0 --dport 443 -j ACCEPT

Restart the firewall

/etc/init.d/firewall restart

PHP 5

Edit config file:

vim /etc/php5/apache2/php.ini

Add / uncomment the following lines in Dynamic extensions area (~ line 865)

extension=mysql.so
extension=gd.so

Apache 2 configuration # Multi-threading

MPM prefork

This manage processes

Max clients = nb of max simultaneous requests that the server can handle
Server limit = max nb of process that the server can handle
Start servers = nb of process to create on server start
Min / Max spare servers = nb of min / max process listening for incoming request
Max request per child = nb of requests that each process can execute

vim /etc/apache2/apache2.conf

Let default values; put a limit to MaxRequestsPerChild at 100 000

MPM worker

This manage threads. Threads are executed within a specific process. All process’ threads share the same context and global variables.

vim /etc/apache2/apache2.conf

Let default values; put a limit to MaxRequestsPerChild at 10 000

Apache 2 configuration # Virtual host

Preparation

Initialize configuration

cd /etc/apache2/sites-available/

Create target directory

mkdir -p /var/www/myServer

Prepare the log files

mkdir -p /var/log/apache2/myServer
touch /var/log/apache2/myServer/access.log
touch /var/log/apache2/myServer/error.log
chmod -R 660 /var/log/apache2/myServer/*
chown -R www-data:www-data /var/log/apache2/myServer/*

Configuration

Init configuration

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myServer.conf

Edit configuration

vim /etc/apache2/sites-available/myServer

To begin the virtual host, write the following lines:

Adjust the settings to your own configuration

<VirtualHost 192.168.0.100:80>		  → Choose the best options for your needs
<VirtualHost *:80>

	ServerName		myServer
	ServerAlias		www.myServer *.myServer
	ServerAdmin		webmaster@domain
	
	# Logs settings
	LogLevel		Warn
	CustomLog		{APACHE_LOG_DIR}/myServer/access.log combined
	ErrorLog		{APACHE_LOG_DIR}/myServer/error.log

	# Root folder properties
	DocumentRoot	/var/www/myServer
	<Directory />
		Options FollowSymLinks 
		AllowOverride None
	</Directory>
        <Directory /var/www/myServer />
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	# Scripts CGI
	# [ required for PHP 5 ]
	ScriptAlias /cgi-bin/ /var/www/cgi-bin
	<Directory "/var/www/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

</VirtualHost>

Activation of a Virtual Host

To activate a Virtual Host, just type

a2ensite  myServer

Then, restart your web server

/etc/init.d/apache2 restart

Apache 2 configuration # SSL Virtual host

Create SSL certificate

First of all, you need to create a server certificate. Cf. SSL dedicated document → Create a new server certificate

>> see SSL server

Enable SSL module

Create symlinks for server certificate

ln -s /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
ln -s /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key

Activate the SSL module

a2enmod ssl

Prepare virtual host (optional)

Create virtual host folder

mkdir -p /var/www/myServer-ssl
cp /var/www/index.html /var/www/myServer-ssl
chown -R www-data:www-data /var/www/myServer-ssl

Prepare the log files (optional)

mkdir -p /var/log/apache2/myServer-ssl
touch /var/log/apache2/myServer-ssl/error.log
touch /var/log/apache2/myServer-ssl/access.log
chmod 660 /var/log/apache2/*
chown root:www-data /var/log/apache2/*

Virtual host declaration

You have 2 possibilities:

Update your current virtual host
Create a new one, only for the SSL virtual host

New virtual host: Init configuration

cp /etc/apache2/sites-available/default-ssl /etc/apache2/sites-available/myServer-ssl

Edit V.Host configuration

vim /etc/apache2/sites-available/myServer-ssl

Then, you will need to edit the Virtual Host configuration file:

vim /etc/apache2/sites-availables/virtualHostName

!! Adjust the settings to your own configuration

# Secure web server
<VirtualHost _default_:443>
<VirtualHost 192.168.0.100:443>		   → Choose the best options for your needs
<VirtualHost *:443>

	ServerName		myServer
	ServerAlias		www.myServer *.myServer
	ServerAdmin		webmaster@domain
	
	# Logs settings
	LogLevel		Warn
	CustomLog		{APACHE_LOG_DIR}/myServer-ssl/access.log combined
	ErrorLog		{APACHE_LOG_DIR}/myServer-ssl/error.log

	# Root folder properties
	DocumentRoot	/var/www/myServer-ssl

        # Enable SSL
        SSLEngine               	On
        SSLCertificateFile      	/etc/apache2/webServer.pem
        SSLCertificateKeyFile   	/etc/apache2/webServer.key

        # Root directory properties
        <Directory /var/www/ssl />
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>

        ##########################
        # ALIAS AND REDIRECTIONS #
        ##########################

</VirtualHost>

Enable site

a2ensite myServer-ssl

Restart the web server

/etc/init.d/apache2 restart

Accept auto-signed certificate

Go to https://myServer/certs/ Cf SSL document to get installation details

Apache 2 configuration # Redirect HTTP to HTTPS

The safer way to redirect HTTP to HTTPS is use to adjust the virtual host configuration.

Edit configuration

vim /etc/apache2/sites-available/myServer

Make it looks like:

<VirtualHost *:80>
	ServerAdmin guillaume@qin-diaz.com

	ServerName dev.daxiongmao.eu
	ServerAlias *.dev.daxiongmao.eu dev.qin-diaz.com www.dev.qin-diaz.com

	### LOG ###
	ErrorLog ${APACHE_LOG_DIR}/daxiongmao/error.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/daxiongmao/access.log combined
	
	## Redirect all traffic to HTTPS website
	redirect permanent / https://myServer/
	
	## No need of a document root anymore as everything is redirect
	
</VirtualHost>

You can remove:

Document root
CGI url
All the alias

Restart your server

service apache2 restart

Apache 2 # redirections using mod_proxy

Thanks to Julien Rialland for his insight regarding this part!

Principle

The proxy module allow you to redirect remote user to a specific server that can be host on a different machine or port through a clear URL.

Current limits

Some application are not available from outside…

For security reasons [default URL is not allowed]

Due to network issues

Proxy module role

The proxy module allow you to provide access through transparent redirection.

It relies on:

Already open port (80 or 443)
Redirection rule
Each service URL must be unique
The target service must be reachable by the web server

As you can see on the following example, the previous services will be accessible using some dedicated URL. Remote “http://myServer/myService” will redirect to “http://localhost:8081”

→ The mod_proxy is none intrusive. You don’t have to change anything is the orginal service configuration. Apache2 will handle all the transformations.

Proxy / redirect / rewrite

When Apache2 receive a request it will be process in the following order:

So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy.

Enable proxy module

a2enmod proxy proxy_http proxy_ajp

Configure proxy redirections

You can configure the redirections in 2 ways:

Through your virtual host configuration
Through the module configuration file

Module configuration file

You have to edit / create the configuration file.

vim /etc/apache2/mods-enabled/proxy.conf

Virtual host

Just edit again your previous V.Host:

vim /etc/apache2/sites-available/myServer.conf

Proxy declaration

Adjust the file to:

<VirtualHost *:80>
...
	## Proxy
	ProxyVia On
        ProxyPreserveHost On
        <Proxy *>
             AddDefaultCharset off
             Order deny,allow
             Allow from all
	</Proxy>

        #### To allow some URLs to go through without being proxy ####
	# Active MQ REST web-service, required for hawt.io management
	ProxyPass /activemq-api http://localhost:8161/activemq-api
	ProxyPassReverse /activemq-api http://localhost:8161/activemq-api 	
</VirtualHost>

<VirtualHost *:443>
...
	## Proxy
	ProxyVia On
        ProxyPreserveHost On
        <Proxy *>
             AddDefaultCharset off
             Order deny,allow
             Allow from all
             Satisfy Any
        </Proxy>

	RewriteEngine On

	########################
	# Allow some URLs to go through without being proxy
	########################
        # URL to discard => Classic HTTP services
	ProxyPass /menu !
	ProxyPass /maintenance !

	# PhpMyAdmin
	<Location /phpmyadmin>
		Order allow,deny
		Allow from 127.0.0.1 192.168.1.0/24
		Require all granted 
		ProxyPass !
	</Location>

	########################
	# Proxy redirections
	########################

	# Proxy to a Java application running over Tomcat
	ProxyPass /webdav/ ajp://localhost:8009/webdav/
	ProxyPassReverse /webdav/ ajp://localhost:8009/webdav 	

	# Proxy to a Java application running over Tomcat, with IP filter
	<Location /manager>
		Order allow,deny
		Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
		ProxyPass ajp://localhost:8009/manager/
		ProxyPassReverse ajp://localhost:8009/manager/
	</Location>

        # Proxy to another server
        ProxyPass /jira http://192.168.1.12:8080/jira
        ProxyPassReverse /jira http://192.168.1.12:8080/jira
</VirtualHost>


#
# Instead of "VirtualHost" you can use "IfModule" if you're editing the "proxy.conf" file
#
<IfModule mod_proxy.c>

</IfModule>

Some notes:

Do NOT put a / after the target URL
Do NOT use / as ProxyPass source, use the previous redirect permanent instead

Apply changes and test result

service apache2 restart

For example, Navigate to http://myServer/jira

Apache 2 configuration # LDAP authentication

Enable LDAP module

a2enmod authnz_ldap
service apache2 restart

Configuration

You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:

Edit configuration

vim /etc/apache2/sites-available/myServer

Adjust your virtual-host like that:

# LDAP protected directory
<Directory /var/www/ssl/secure>
   Options Indexes FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   allow from all

   AuthType basic
   AuthName "Secure area"
   ###########################
   # Choose a LDAP provider
   ###########################
   # If "localhost" then use LDAP. 
   AuthBasicProvider ldap
   AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
   # If remote URL then use LDAP over SSL 
   #AuthBasicProvider ldaps
   #AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=,dc=}?uid"
   
   Require valid-user

   # example
   # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
   # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
   # AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"

</Directory>

Secure all the website

You have to adjust you document root like that:

<VirtualHost _default_:443>

	# Restrict access to document root
	DocumentRoot /var/www/daxiongmao-ssl
	<Directory />
		Options FollowSymLinks
		AllowOverride None
		Order allow,deny
		deny from all
	</Directory>
	<Directory /var/www/daxiongmao-ssl>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
		
		AuthType basic
		AuthName "Secure area"	
		AuthBasicProvider ldap
		AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
		Require valid-user
	</Directory>
[…]

Apache 2 configuration # Advanced configuration

Enable redirections

Mod rewrite allows you to redirect source URL to another one.

Enable module

a2enmod rewrite

Alias redirection

Edit configuration

vim /etc/apache2/sites-available/myServer

HTTP virtual host = redirect to HTTPS

<VirtualHost *:80>
	RewriteRule ^/myAlias(/.*|$)    https://%{HTTP_HOST}/myAlias$1 [L,R]
	<Location /myAlias >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
	</Location>
</VirtualHost>

HTTPS virtual host = service declaration

<VirtualHost _default_:443>
	# PHPSecInfo
	Alias 	/myAlias   /var/www/myAlias
	<Location /myAlias >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
        </Location>
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload

Redirect HTTP to HTTPS

This is not the recommended method. You should use the previous method instead.

<VirtualHost *:80>
	ServerAdmin guillaume@qin-diaz.com
	ServerName dev.daxiongmao.eu
	ServerAlias *.dev.daxiongmao.eu dev.qin-diaz.com www.dev.qin-diaz.com

	### LOG ###
	ErrorLog ${APACHE_LOG_DIR}/daxiongmao/error.log
	LogLevel warn
	CustomLog ${APACHE_LOG_DIR}/daxiongmao/access.log combined
	
	## Redirect all traffic to HTTPS website
        RewriteEngine On

        # This checks to make sure the connection is not already HTTPS
        RewriteCond %{HTTPS} !=on

        # This rule will redirect users from their original location, 
        # to the same location but using HTTPS.
        RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
	
	## No need of a document root anymore as everything is redirect
	
</VirtualHost>

Module configuration

Create the module configuration file

vim /etc/apache2/conf.d/rewrite.conf

Copy / paste this configuration (adjust to your own settings!)

   RewriteEngine On
   # --------------------- SECURITY RULES (JOOMLA) ------------------------ #
   ## End of deny access to extension xml files
   RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
   # Block out any script trying to base64_encode crap to send via URL
   RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
   # Block out any script that includes a <script> tag in URL
   RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
   # Block out any script trying to set a PHP GLOBALS variable via URL
   RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
   # Block out any script trying to modify a _REQUEST variable via URL
   RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
   # Send all blocked request to homepage with 403 Forbidden error!
   RewriteRule ^(.*)$ index.php [F,L]
   # --------------------- SECURITY RULES (PERSONAL) ------------------------ #
   ## DENY REQUEST BASED ON REQUEST METHOD ###
   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
   RewriteCond %{REQUEST_METHOD} (GET|POST) [NC]
   RewriteRule ^.*$ - [F]
   # Eviter les failles de securite
   RewriteCond %{QUERY_STRING} ^(.*)http(\:|\%3A)(.*)$
   RewriteCond %{QUERY_STRING} mosConfig_ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|[|%[0-9A-Z]{0,2})(.*)$ [NC,OR]
   RewriteCond %{QUERY_STRING} ^(.*)(SELECT|INSERT|DELETE|CHAR\(|UPDATE|REPLACE|LIMIT)(.*)$
   # Eviter les erreurs basiques
   RewriteCond %{QUERY_STRING} \.\.\/    [NC,OR]
   RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
   RewriteCond %{QUERY_STRING} tag\=     [NC,OR]
   RewriteCond %{QUERY_STRING} ftp\:     [NC,OR]
   RewriteCond %{QUERY_STRING} http\:    [NC,OR]
   RewriteCond %{QUERY_STRING} https\:   [NC,OR]
   RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3D|%3E|%7B|%7C).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%F|127\.0).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
   RewriteCond %{QUERY_STRING} ^.*(select|insert|union|declare|drop).* [NC]
   RewriteRule ^(.*)$ - [F,L]

   # Ban Typical Vulnerability Scanners and others
   # Kick out Script Kiddies
   RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|wkito|pikto|scan|acunetix).* [NC,OR]
   RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
   # Eviter les programmes de Zombies
   RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
   RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
   RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
   RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
   RewriteCond %{HTTP_USER_AGENT} ^Zeus
   RewriteRule ^.* - [F,L]

   # Allow the robots to reference our website
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Image [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Mobile [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Msnbot [NC]
   RewriteCond %{HTTP_USER_AGENT} !^Mediapartners-Google [NC]

   # Keep request without referer
   RewriteCond %{HTTP_REFERER} !^$

   # To allow your pictures to be displayed on Google
   RewriteCond %{HTTP_REFERER} !^http://.*google\.(comŠ(co\.)?[a-z]{2})/
   # To forbid the copy of your pictures to anyone else : display an other image !
   RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/hotlinkis.jpg [L]

Take changes into account

You have to restart the server to use this settings

service apache2 restart

Ports number

You can change the Apache2 server ports

vim /etc/apache2/ports.conf

Edit

# HTTP
Listen 80
# HTTPS 
Listen 443

Restricted access

Edit configuration

vim /etc/apache2/sites-available/myServer

If your server is directly accessible on Internet: you should protect it!

# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
<Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
</Directory>

# Protect .htacess files
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

Be discreet!

Check the current server status using a simple PHP info file

Do not gives details about your configuration to outsiders.

vim /etc/apache2/conf.d/security

Set the following settings

#### Ask your server to be more discret!
# ServerTokens
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
ServerTokens Prod

ServerSignature Off
TraceEnable Off

Restart Apache2

service apache2 restart

Re-run PHP info, you should have less information.

Apache 2 and PHP5: Secure your installation!

PHP Security Info

If you want to test your PHP security, you can use the PHPSecInfo tool, available at: http://phpsec.org/projects/phpsecinfo/index.html

Installation

cd /tmp
wget http://phpsec.org/projects/phpsecinfo/phpsecinfo.zip
unzip phpsecinfo.zip
mv phpsecinfo-Version phpsecinfo
mv phpsecinfo/ /var/www
cd /var/www
chown -R www-data:www-data phpsecinfo

Virtual host configuration

Edit configuration

vim /etc/apache2/sites-available/myServer

!! For security reason: DO NOT use 'phpsecinfo' as alias. It's too easy to guess.

<VirtualHost *:80>
	# Advanced redirection – Only allow specific IP @
	RewriteRule ^/phpsec(/.*|$)    https://%{HTTP_HOST}/phpsec$1 [L,R]
	<Location /phpsec >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
                allow from all
	</Location>
</VirtualHost>

<VirtualHost _default_:443>
	# PHPSecInfo
	Alias 	/phpsec   /var/www/phpsecinfo
	<Location /phpsec >
		order deny,allow
		deny from all
                # Only allow specific IP@
                # allow from 127.0.0.1 192.168.0.0/255.255.255.0	
               allow from all
         </Location>
</VirtualHost>

Reload your configuration

/etc/init.d/apache2 reload

Run the test

To asset your current installation you can run the test: https:// myServer/phpsec

Improve security

PHP5 sessions and temp files

Create specific directory to store the sessions and temp files:

mkdir -p /etc/php5/temp
mkdir -p /etc/php5/session
chown -R www-data:root /etc/php5/temp
chown -R www-data:root /etc/php5/session
chmod -R 770 /etc/php5/session
chmod -R 770 /etc/php5/temp

Edit the configuration file

vim /etc/php5/apache2/php.ini

line 798 → upload_tmp_dir = /etc/php5/temp line 1409 → session.save_path = "/etc/php5/session"

PHP5 tweak

vim /etc/php5/apache2/php.ini

line 261 → expose_php = Off line 480 → display_errors=Off line 675 → post_max_size=256K line 814 → allow_url_fopen=Off

DO NOT enable the open_basedir (even if the test say so! It’s a troublesome setting)

Restart your server to load the changes:

service apache2 restart

Re-run the test. Then:

Ignore the open_basedir and upload_tmp_dir alerts, if any.
You can enable some specific options with a .htaccess file

Change Apache 2 UID

Do not change the UID if you already have install web programs such as phpldapadmin or phpmyadmin, cacti, ...

Change the Apache UID

vim /etc/group

Change www-data UID

    www-data:x:10033:

Change the Apache GID

 
vim /etc/passwd

Change the group settings

	www-data:x:10033:10033:www-data:/var/www:/bin/false

Apply modifications

chown -R www-data:www-data /var/www/*
chown -R www-data:root /etc/php5/*

To take on the modifications you have to reboot your server.

Avoid DOS attacks

Source: Linux mag’ – Hors serie Apache2

You can protect your server from Denial Of Service (DOS) attacks through mod_evasive

apt-get install libapache2-mod-evasive

Prepare log directory

mkdir /var/log/apache2/mod_evasive
chown -R www-data:www-data  /var/log/apache2/mod_evasive

Enable module

a2enmod mod-evasive

Configuration

Create the configuration file

vim /etc/apache2/conf.d/mod_evasive.conf

Put:

# Mod evasive configuration
# Based upon Linux Mag 
<IfModule mod_evasive20.c>
	DOSHashTableSize 3097 

	# Limit user to 5 pages per 2 seconds
	DOSPageCount 5
	DOSPageInterval 2 

	# No more than 100 HTTP request per second (HTML, CSS, images, …) 
	DOSSiteCount 100
	DOSSiteInterval 1

	# Block client for 300 seconds
	DOSBlockingPeriod 300 
	# Send alert email
	#DOSEmailNotify "admin@myDomain" 

	# Log directory
	DOSLogDir "/var/log/apache2/mod_evasive" 

	# Command to execute on ban
	#DOSSystemCommand "/sbin/iptables -I INPUT -s %s -j DROP"

	# Ignore following IP and networks
	DOSWhiteList 127.0.0.1 
	#DOSWhitelist 66.249.65.*
<IfModule mod_evasive20.c>

DosHashTableSize = Size of the hash table.

The greater, the more memory is required but the faster it is! The value must be a prime number

Apply changes

service apache2 restart

Apache2 configuration # Improve server performances

Mod deflate: improved the bandwidth

To improve the bandwidth, you can compress pages and type of content.

=> You can improved your bandwidth from 20 to 30%.

To do so, you need a specific module for Apache: mod_deflate

a2enmod deflate
touch /var/log/apache2/deflate.log
chown www-data:www-data /var/log/apache2/deflate.log
chmod 740 /var/log/apache2/deflate.log

Edit your web server configuration file:

vim /etc/apache2/conf.d/deflate.conf

Add the following lines:

### Bandwidth optimization
<IfModule mod_deflate.c>
	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/javascript text/css application/x-javascript
	DeflateFilterNote deflate_ratio
	LogFormat "%v %h %l %u %t \"%r\" %>s %b"
	CustomLog /var/log/apache2/deflate.log vhost_with_deflate_info
</IfModule>

Restart your web server:

/etc/init.d/apache2 restart

Mod expires: use the cache of your clients

Another way to improve performances and bandwidth: use the client's cache.

To do so, you need a specific module for Apache: mod_expires

a2enmod expires

Edit your web server configuration file:

vim /etc/apache2/expires.conf

Add the following lines

#### Client's cache settings
<IfModule mod_expires.c>
	ExpiresActive on
	# set the default to 24 hours
	ExpiresDefault "access plus 24 hours"
	# cache shockwave-flash for 2 weeks (days | weeks | mounths | years)
	ExpiresByType application/x-shockwave-flash "access plus 2 weeks"
	ExpiresByType flv-application/octet-stream "access plus 3 days"
	# cache common graphics for 3 days
	ExpiresByType image/jpg "access plus 2 weeks"
	ExpiresByType image/gif "access plus 2 weeks"
	ExpiresByType image/jpeg "access plus 2 weeks"
	ExpiresByType image/png "access plus 2 weeks"
	# cache CSS for 24 hours
	ExpiresByType text/css "access plus 24 hours"
</IfModule>

Restart your web server:

/etc/init.d/apache2 restart

@@ Line 4: / Line 4: @@
 * SSL infrastructure and create a server certificate - see [[SSL server]]
 * [[LDAP server]]
@@ Line 11: / Line 12: @@
 ==Apache 2==
 This will install web server + PHP + Perl + all required libraries.
 Apache2 core
 <syntaxhighlight lang="bash">
 apt-get install apache2 apache2-mpm-prefork apache2-utils ssl-cert
@@ Line 19: / Line 22: @@
 Additional libraries
 <syntaxhighlight lang="bash">
 apt-get install libapache2-mod-fcgid libruby
@@ Line 24: / Line 28: @@
 Doc
 <syntaxhighlight lang="bash">
 apt-get install apache2-doc
@@ Line 29: / Line 34: @@
 Perl
 <syntaxhighlight lang="bash">
 apt-get install libapache2-mod-perl2 libapache2-mod-perl2-doc
 </syntaxhighlight>
 ==PHP 5==
 Core
 <syntaxhighlight lang="bash">
 apt-get install libapache2-mod-php5 php5 php5-common
@@ Line 40: / Line 49: @@
 Module PHP5
 <syntaxhighlight lang="bash">
 apt-get install php5-curl php5-dev php5-gd php-pear php5-imagick php5-imap php5-mcrypt
@@ Line 46: / Line 56: @@
 Additional libs
 <syntaxhighlight lang="bash">
 apt-get install php5-cli php5-cgi php-pear php-auth php5-mcrypt mcrypt
@@ Line 51: / Line 62: @@
 Image Magick
 <syntaxhighlight lang="bash">
 apt-get install php5-imagick imagemagick
@@ Line 57: / Line 69: @@
 ==Firewall==
 You have to open the following ports:
 * Port 80 = HTTP
@@ Line 67: / Line 80: @@
 Restart the firewall
 <syntaxhighlight lang="bash">
 /etc/init.d/firewall restart
 </syntaxhighlight>
 =PHP 5=
 Edit config file:
 <syntaxhighlight lang="bash">
 vim /etc/php5/apache2/php.ini
@@ Line 83: / Line 100: @@
 * extension=mysql.so
 * extension=gd.so
@@ Line 90: / Line 108: @@
 ==MPM prefork==
 This manage processes
 * Max clients = nb of max simultaneous requests that the server can handle
@@ Line 100: / Line 119: @@
 vim /etc/apache2/apache2.conf
 </syntaxhighlight>
 Let default values; put a limit to MaxRequestsPerChild at 100 000
 ==MPM worker==
-This manage threads.
-Threads are executed within a specific process.
+This manage threads. Threads are executed within a specific process. All process’ threads share the same context and global variables.
-All process’ threads share the same context and global variables.
 <syntaxhighlight lang="bash">
@@ Line 113: / Line 132: @@
 Let default values; put a limit to MaxRequestsPerChild at 10 000
@@ Line 120: / Line 140: @@
 ==Preparation==
 Initialize configuration
 <syntaxhighlight lang="bash">
 cd /etc/apache2/sites-available/
@@ Line 126: / Line 148: @@
 Create target directory
 <syntaxhighlight lang="bash">
 mkdir -p /var/www/myServer
@@ Line 131: / Line 154: @@
 Prepare the log files
 <syntaxhighlight lang="bash">
 mkdir -p /var/log/apache2/myServer
@@ Line 141: / Line 165: @@
 ==Configuration==
 Init configuration
 <syntaxhighlight lang="bash">
 cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myServer.conf
@@ Line 148: / Line 174: @@
 '''Edit configuration'''
 <syntaxhighlight lang="bash">
 vim /etc/apache2/sites-available/myServer
@@ Line 154: / Line 181: @@
 To begin the virtual host, write the following lines:
-→ Adjust the settings to your own configuration
+* Adjust the settings to your own configuration
 <syntaxhighlight lang="bash">
 <VirtualHost 192.168.0.100:80>		  → Choose the best options for your needs
@@ Line 198: / Line 226: @@
 To activate a Virtual Host, just type
 <syntaxhighlight lang="bash">
 a2ensite  myServer
@@ Line 203: / Line 232: @@
 Then, restart your web server
 <syntaxhighlight lang="bash">
 /etc/init.d/apache2 restart
 </syntaxhighlight>
 =Apache 2 configuration # SSL Virtual host=
@@ Line 325: / Line 358: @@
 Enable site
 <syntaxhighlight lang="bash">
 a2ensite myServer-ssl
@@ Line 330: / Line 364: @@
 Restart the web server
 <syntaxhighlight lang="bash">
 /etc/init.d/apache2 restart
 </syntaxhighlight>
 ==Accept auto-signed certificate==
 Go to https://myServer/certs/
 Cf SSL document to get installation details
 =Apache 2 configuration # Redirect HTTP to HTTPS=
 The safer way to redirect HTTP to HTTPS is use to adjust the virtual host configuration.
 Edit configuration
 <syntaxhighlight lang="bash">
 vim /etc/apache2/sites-available/myServer
 </syntaxhighlight>
 Make it looks like:
 <syntaxhighlight lang="bash">
 <VirtualHost *:80>
@@ Line 371: / Line 416: @@
 * CGI url
 * All the alias
 Restart your server
 <syntaxhighlight lang="bash">
 service apache2 restart
 </syntaxhighlight>
 =Apache 2 # redirections using mod_proxy=
 Thanks to Julien Rialland for his insight regarding this part!
 ==Principle==
 The proxy module allow you to redirect remote user to a specific server that can be host on a different machine or port through a clear URL.
 ===Current limits===
 Some application are not available from outside…
@@ Line 401: / Line 453: @@
 ===Proxy module role===
 The proxy module allow you to provide access through transparent redirection.
@@ Line 420: / Line 473: @@
 ==Proxy / redirect / rewrite==
 When Apache2 receive a request it will be process in the following order:
@@ Line 429: / Line 483: @@
 ==Enable proxy module==
 <syntaxhighlight lang="bash">
 a2enmod proxy proxy_http proxy_ajp
@@ Line 464: / Line 519: @@
 <syntaxhighlight lang="bash">
 <VirtualHost *:80>
 ...
@@ Line 545: / Line 598: @@
 * Do NOT put a / after the target URL
 * Do NOT use / as ProxyPass source, use the previous redirect permanent instead
 Apply changes and test result
 <syntaxhighlight lang="bash">
 service apache2 restart
 </syntaxhighlight>
-Navigate to http://myServer/artifactory
+For example, Navigate to http://myServer/jira
 =Apache 2 configuration # LDAP authentication=
@@ Line 557: / Line 616: @@
 ==Enable LDAP module==
 <syntaxhighlight lang="bash">
 a2enmod authnz_ldap
@@ Line 564: / Line 624: @@
 ==Configuration==
 You can use the following settings inside a “.htaccess” or “VirtualHost” configuration:
 Edit configuration
 <syntaxhighlight lang="bash">
 vim /etc/apache2/sites-available/myServer
 </syntaxhighlight>
 Adjust your virtual-host like that:
 <syntaxhighlight lang="bash">
 # LDAP protected directory
@@ Line 581: / Line 645: @@
     AuthType basic
     AuthName "Secure area"
+   ###########################
+   # Choose a LDAP provider
+   ###########################
+   # If "localhost" then use LDAP.
     AuthBasicProvider ldap
     AuthLDAPUrl "ldap://localhost:389/{LDAP ou=,dc=}?uid"
+   # If remote URL then use LDAP over SSL
+   #AuthBasicProvider ldaps
+   #AuthLDAPUrl "ldaps://myServer:636/{LDAP ou=,dc=}?uid"
     Require valid-user
@@ Line 589: / Line 661: @@
     # AuthLDAPBindDN "cn=admin,dc=dev,dc=daxiongmao,dc=eu"
     # AuthLDAPUrl "ldap://localhost:389/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
+   # AuthLDAPUrl "ldaps://myServer:636/ou=people,dc=dev,dc=daxiongmao,dc=eu?uid"
 </Directory>
@@ Line 595: / Line 668: @@
 ==Secure all the website==
 You have to adjust you document root like that:
 <syntaxhighlight lang="bash">
 <VirtualHost _default_:443>

Anonymous

Search

Navigation

Wiki tools

Page tools

Categories

Difference between revisions of "Apache 2"

Revision as of 11:36, 26 May 2014

Contents

Requirements

Installation

Apache 2

PHP 5

Firewall

PHP 5

Apache 2 configuration # Multi-threading

MPM prefork

MPM worker

Apache 2 configuration # Virtual host

Preparation

Configuration

Apache 2 configuration # SSL Virtual host

Create SSL certificate

Enable SSL module

Prepare virtual host (optional)

Prepare the log files (optional)

Virtual host declaration

Accept auto-signed certificate

Apache 2 configuration # Redirect HTTP to HTTPS

Apache 2 # redirections using mod_proxy

Principle

Current limits

Proxy module role

Proxy / redirect / rewrite

Enable proxy module

Configure proxy redirections

Module configuration file

Virtual host

Proxy declaration

Apache 2 configuration # LDAP authentication

Enable LDAP module

Configuration

Secure all the website

Apache 2 configuration # Advanced configuration

Enable redirections

Enable module

Alias redirection

Redirect HTTP to HTTPS

Module configuration

Take changes into account

Ports number

Restricted access

Be discreet!

Apache 2 and PHP5: Secure your installation!

PHP Security Info

Installation

Virtual host configuration

Run the test

Improve security

PHP5 sessions and temp files

PHP5 tweak

Change Apache 2 UID

Change the Apache UID

Change the Apache GID

Avoid DOS attacks

Configuration

Apache2 configuration # Improve server performances

Mod deflate: improved the bandwidth

Mod expires: use the cache of your clients