Difference between revisions of "Apache 2"

'''Previous revision''' (edit summary: ''V.Host proxy declaration''; 22 intermediate revisions by the same user not shown)
<syntaxhighlight lang="bash">
apt-get install apache2 apache2-mpm-prefork apache2-utils ssl-cert
</syntaxhighlight>

===Additional libraries===

<syntaxhighlight lang="bash">
apt-get install libapache2-mod-fcgid libruby
</syntaxhighlight>

===Doc===

<syntaxhighlight lang="bash">
apt-get install apache2-doc
</syntaxhighlight>
==PHP 5==

===Core===

<syntaxhighlight lang="bash">
apt-get install libapache2-mod-php5 php5 php5-common
</syntaxhighlight>

===Modules PHP5===

<syntaxhighlight lang="bash">
apt-get install php5-cli php5-cgi
apt-get install php5-curl php5-xmlrpc php5-xsl php5-dev php-pear
apt-get install php5-mysql
apt-get install php5-memcache php5-xcache
apt-get install php5-mhash php-auth php5-mcrypt mcrypt
apt-get install php5-imap
apt-get install php5-snmp
</syntaxhighlight>

===Image Magick===

<syntaxhighlight lang="bash">
apt-get install php5-gd php5-imagick imagemagick
</syntaxhighlight>

===Configuration===

Edit the PHP config file:

<syntaxhighlight lang="bash">
vim /etc/php5/apache2/php.ini
</syntaxhighlight>

Add / uncomment the following lines in the Dynamic extensions area (~ line 865):
* extension=mysql.so
* extension=gd.so

!! Note this is NOT required on Ubuntu 14.04 because these modules are enabled by default !!

==Firewall==

You have to open the following ports:
* Port 80 = HTTP
* Port 443 = HTTPS

<syntaxhighlight lang="bash">
# "-m state" needs a "--state" argument, otherwise iptables rejects the rule
$IPTABLES -A INPUT -p tcp -m state --state NEW -i eth0 --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -i eth0 --dport 443 -j ACCEPT
</syntaxhighlight>

Restart the firewall:

<syntaxhighlight lang="bash">
/etc/init.d/firewall restart
</syntaxhighlight>

==Test your installation==

Restart the Apache2 server:

<syntaxhighlight lang="bash">
service apache2 restart
</syntaxhighlight>

You can now test your installation by going to 'http://localhost' or 'http://myServer'. You should see the default page.

=HTTP Virtual host=

==Preparation==

Initialize the configuration:

<syntaxhighlight lang="bash">
cd /etc/apache2/sites-available/
</syntaxhighlight>

Create the target directory:

<syntaxhighlight lang="bash">
mkdir -p /var/www/myServer
</syntaxhighlight>

Prepare the log files:

<syntaxhighlight lang="bash">
mkdir -p /var/log/apache2/myServer
touch /var/log/apache2/myServer/access.log
touch /var/log/apache2/myServer/error.log
chmod -R 660 /var/log/apache2/myServer/*
chown -R www-data:www-data /var/log/apache2/myServer/*
</syntaxhighlight>

Copy the default index file:

<syntaxhighlight lang="bash">
cp /var/www/html/index.html /var/www/myServer
# give the copied content to the web server user
chown -R www-data:www-data /var/www/myServer
</syntaxhighlight>

==Configuration==

Init configuration:

<syntaxhighlight lang="bash">
cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myServer.conf
</syntaxhighlight>

'''Edit configuration'''

<syntaxhighlight lang="bash">
vim /etc/apache2/sites-available/myServer.conf
</syntaxhighlight>

To begin the virtual host, write the following lines:
* Adjust the settings to your own configuration

<syntaxhighlight lang="bash">
# Choose the listener that suits your needs: <VirtualHost 192.168.0.100:80> binds one address only
<VirtualHost *:80>

        #############################
        # Server main properties
        #############################
        ServerName myServer
        ServerAlias www.myServer *.myServer
        ServerAdmin webmaster@domain

        # Logs settings
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/myServer/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/myServer/error.log

        #############################
        # Root folder properties
        #############################
        DocumentRoot /var/www/myServer

        # Use ONE access-control syntax: mixing Order/Allow with Require on 2.4 gives unpredictable results
        # SECURITY: forbid access to .htaccess so no outsider can ever read or change it
        <Files ~ "^\.ht">
                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # deny from all

                ## Apache 2.4 syntax
                Require all denied
        </Files>

        # Restrict access to server root
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Require all denied
        </Directory>

        # Virtual host root directory
        <Directory /var/www/myServer>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None

                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # allow from all

                ## Apache 2.4 syntax
                Require all granted
        </Directory>

        #############################
        # Other configuration
        # Alias, proxy redirections, CGI scripts, Directory, etc.
        #############################

</VirtualHost>
</syntaxhighlight>
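The `<Directory /var/www/myServer>` stanza above turns on directory listings (`Options Indexes`) and content negotiation (`MultiViews`); as an added example that is not part of the original page, here is a tightened version of that stanza plus the server-wide settings that go with it. The comments say where each fragment belongs; Debian and Ubuntu already ship `ServerTokens`/`ServerSignature` in `/etc/apache2/conf-available/security.conf`, so change the values there rather than in a new file.

```apache
# Added example (not from the original page). Two fragments:
# (1) replaces the <Directory /var/www/myServer> stanza inside <VirtualHost *:80> above;
# (2) goes in the server-wide file /etc/apache2/conf-available/security.conf (Debian/Ubuntu).

# ---- (1) inside <VirtualHost *:80> ----
# "Options Indexes" lets anyone list a directory that has no index file, and MultiViews answers
# a request for /name with any name.* it finds, which can expose files you never linked to.
<Directory /var/www/myServer>
        Options -Indexes -MultiViews +FollowSymLinks
        # keep overrides off so a stray .htaccess cannot switch listings back on
        AllowOverride None
        Require all granted
</Directory>

# Deny dotfiles and editor/backup copies, not only .htaccess (which the vhost already protects):
# leading dot, trailing ~, or .bak/.old/.orig/.swp suffixes
<FilesMatch "(^\.|~$|\.(bak|old|orig|swp)$)">
        Require all denied
</FilesMatch>

# ---- (2) server-wide, in conf-available/security.conf ----
# Do not advertise the Apache version and module list in the Server header and on error pages
ServerTokens Prod
ServerSignature Off
# Refuse TRACE at the server level instead of matching the method with rewrite rules
TraceEnable Off
```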
 
  
 
 
 
==Enable / disable virtual host(s)==
 
 
 
 
 
'''Virtual Host deactivation'''
 
 
 
If you're listening on '''*:80''' then you should probably disable the default virtual host before enabling yours!
 
 
 
<syntaxhighlight lang="bash">
 
a2dissite 000-default
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
'''Virtual Host activation'''
 
 
 
To activate a Virtual Host, just type
 
 
 
<syntaxhighlight lang="bash">
 
a2ensite  myServer
 
</syntaxhighlight>
 
 
 
Then, restart your web server
 
 
 
<syntaxhighlight lang="bash">
 
/etc/init.d/apache2 restart
 
</syntaxhighlight>
 
 
 
 
 
Check your server! You should see your "index.html" page.
 
 
 
 
 
 
 
=HTTPS (SSL) Virtual host=
 
 
 
 
 
==Create SSL certificate==
 
 
 
First of all, you need to create a server certificate.
 
Cf. SSL dedicated document → Create a new server certificate
 
 
 
>> see [[SSL server]]
 
 
 
 
 
 
 
==Enable SSL module==
 
 
 
You have to either copy or create symlinks for server certificate.
 
 
 
To avoid rights collision I'm using a ''copy'' operation. However I know from past experience that ''symLinks'' work very well if you set the correct rights.
 
 
 
 
 
-Note-
 
 
 
You MUST use the NON-ENCRYPTED private key if you want to start Apache2 automatically on each reboot.
 
 
 
 
 
 
 
'''Copy certificates'''
 
 
 
<syntaxhighlight lang="bash">
 
cp /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
 
cp /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key
 
</syntaxhighlight>
 
 
 
 
 
 
 
Alternative: '''Symlinks to /srv/ssl/'''
 
 
 
<syntaxhighlight lang="bash">
 
ln -s /srv/ssl/certs/myServer.cert.pem /etc/apache2/webServer.pem
 
ln -s /srv/ssl/private/myServer.nopass.key /etc/apache2/webServer.key
 
</syntaxhighlight>
 
 
 
 
 
 
 
'''Activate the SSL module'''
 
 
 
<syntaxhighlight lang="bash">
 
a2enmod ssl
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Prepare virtual host (optional)==
 
 
 
Create virtual host folder
 
 
 
<syntaxhighlight lang="bash">
 
mkdir -p /var/www/myServer-ssl
 
cp /var/www/index.html /var/www/myServer-ssl
 
chown -R www-data:www-data /var/www/myServer-ssl
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Prepare the log files (optional)==
 
 
 
<syntaxhighlight lang="bash">
 
# These should already exist from before
 
mkdir -p /var/log/apache2/myServer
 
 
 
# Create *-ssl.log
 
touch /var/log/apache2/myServer/error-ssl.log
 
touch /var/log/apache2/myServer/access-ssl.log
 
chmod -R 660 /var/log/apache2/myServer/*
 
chown -R www-data:www-data /var/log/apache2/myServer/*
 
</syntaxhighlight>
 
 
 
 
 
 
 
Create a default "/var/www/myServer-ssl/index.html" to check your virtual host.
 
 
 
If you'd like you can use this ultra-simple file [http://daxiongmao.eu/wiki_upload_files/apache2/index.html]
 
 
 
<syntaxhighlight lang="bash">
 
cd /var/www/myServer-ssl/
 
wget http://daxiongmao.eu/wiki_upload_files/apache2/index.html
 
chown www-data:www-data index.html
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
==Virtual host declaration==
 
 
 
You have 2 possibilities:
 
* Update your current virtual host (recommended)
 
* Create a new one, only for the SSL virtual host
 
 
 
 
 
'''Update non-ssl V.Host configuration'''
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/apache2/sites-available/myServer
 
</syntaxhighlight>
 
 
 
 
 
!! Adjust the settings to your own configuration !!
 
 
 
<syntaxhighlight lang="bash">
# Secure web server
# Choose the listener that suits your needs: <VirtualHost _default_:443> or <VirtualHost 192.168.0.100:443> are alternatives
<VirtualHost *:443>

        #############################
        # Server main properties
        #############################
        ServerName myServer
        ServerAlias www.myServer *.myServer
        ServerAdmin webmaster@domain

        # Logs settings
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/myServer/access-ssl.log combined
        ErrorLog ${APACHE_LOG_DIR}/myServer/error-ssl.log

        # Enable SSL
        SSLEngine               On
        SSLCertificateFile      /etc/apache2/webServer.pem
        SSLCertificateKeyFile   /etc/apache2/webServer.key

        #############################
        # Root folder properties
        #############################
        DocumentRoot /var/www/myServer-ssl

        # Use ONE access-control syntax: mixing Order/Allow with Require on 2.4 gives unpredictable results
        # SECURITY: forbid access to .htaccess so no outsider can ever read or change it
        <Files ~ "^\.ht">
                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # deny from all

                ## Apache 2.4 syntax
                Require all denied
        </Files>

        # Restrict access to server root
        <Directory />
                Options FollowSymLinks
                AllowOverride None
                Require all denied
        </Directory>

        # Virtual host root directory
        <Directory /var/www/myServer-ssl>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None

                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # allow from all

                ## Apache 2.4 syntax
                Require all granted
        </Directory>

        #############################
        # Other configuration
        # Alias, proxy redirections, CGI scripts, Directory, etc.
        #############################
        Alias /phpsec  /var/somewhere/phpsecinfo
        <Location /phpsec>
                ## Old Apache2 (before 2.4) syntax
                # order deny,allow
                # deny from all
                # allow from 127.0.0.1 192.168.1.0/24

                ## Apache 2.4 syntax: local clients and the 192.168.1.x network only
                Require local
                Require ip 192.168.1
        </Location>
</VirtualHost>
</syntaxhighlight>
 
 
 
 
 
Restart the web server
 
  
 
Now you can test your server: ''https://myServer''

If you used a self-signed certificate you may see a browser warning; accept it and proceed.
 
 
 
 
 
 
 
 
 
 
 
 
 
=Redirections=
 
 
 
 
 
==Principle==
 
 
 
Just a little reminder...
 
 
 
[[File:Apache2_mod_rewrite.png|none|Apache2 mod_rewrite principle]]
 
 
 
 
 
* Redirections are '''not transparent'''
 
* Redirections are '''performed by the client'''. The server only serves the new URL to use
 
* Redirections can also be used as a security tool to filter HTTP requests and only allow some of them.
 
 
 
 
 
As you can see on the previous picture, redirection can be declared:
 
* As Apache 2 module configuration. This will apply to all virtual hosts and web-sites
 
* In a Virtual Host configuration
 
** Default setting - ex: HTTP to HTTPS
 
** For a specific alias |or| directory
 
* In a web page
 
* In a .htaccess to protect a specific directory
 
 
 
 
 
 
 
 
 
==Enable redirections==
 
 
 
Module "rewrite" allows you to redirect source URL to another one.
 
 
 
<syntaxhighlight lang="bash">
 
a2enmod rewrite
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Virtual host: redirect all HTTP to HTTPS==
 
 
 
The safest way to redirect HTTP to HTTPS is to adjust the virtual host configuration.
 
 
 
<syntaxhighlight lang="bash">
<VirtualHost *:80>
        ServerName dev.daxiongmao.eu
        ServerAlias www.dev.daxiongmao.eu *.dev.daxiongmao.eu
        ServerAdmin guillaume@qin-diaz.com

        ### LOG ###
        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/error.log
        CustomLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/access.log combined

        ############################################
        ## Redirect all traffic to HTTPS website
        ############################################
        RewriteEngine On
        # This checks to make sure the connection is not already HTTPS
        RewriteCond %{HTTPS} off
        # This rule redirects users from their original location to the same location over HTTPS
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        # Alternate (fail-over) solution
        redirect permanent / https://myServer/

        ########
        # No need for a document root anymore as everything is redirected to HTTPS
        ########
</VirtualHost>
</syntaxhighlight>
 
 
 
 
 
 
 
-Note-
 
 
 
As you can see you don't need a DocumentRoot anymore for the *:80 virtual host.
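The `RewriteRule` above carries no flags, so Apache answers with a temporary (302) redirect. As an added example that is not part of the original page, here is the same redirection with explicit flags and a Strict-Transport-Security header on the HTTPS host; it assumes `mod_headers` is enabled (`a2enmod headers`) and reuses the certificate paths from the SSL section.

```apache
# Added example (not from the original page): HTTP -> HTTPS redirect with explicit flags, plus HSTS.
<VirtualHost *:80>
        ServerName dev.daxiongmao.eu
        ServerAlias www.dev.daxiongmao.eu
        # The target below is built from the client-supplied Host header. If this is the first
        # (default) *:80 host, it also answers for unknown names; use %{SERVER_NAME} together with
        # "UseCanonicalName On" if you do not want the client's Host value reflected back.

        RewriteEngine On
        RewriteCond %{HTTPS} off
        # R=301  permanent redirect (without R the rule above defaults to a 302)
        # L      stop processing further rewrite rules for this request
        # NE     do not re-escape characters already encoded in the URI
        # the original query string is preserved because the substitution carries none
        RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
</VirtualHost>

<VirtualHost *:443>
        ServerName dev.daxiongmao.eu
        SSLEngine On
        SSLCertificateFile      /etc/apache2/webServer.pem
        SSLCertificateKeyFile   /etc/apache2/webServer.key

        # Browsers that have seen this header go straight to HTTPS for a year and never issue the
        # plain-HTTP request that the redirect above would have to catch. "always" also covers
        # error responses. Send it only over TLS (it is ignored on HTTP anyway).
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        # ... DocumentRoot, <Directory> and log settings as in the HTTPS virtual host above
</VirtualHost>
```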
 
 
 
 
 
 
 
 
 
'''Take changes into account'''
 
 
 
You have to restart the server to apply these settings
 
 
 
<syntaxhighlight lang="bash">
 
service apache2 restart
 
</syntaxhighlight>
 
 
 
Test your configuration
 
 
 
 
 
 
 
==Virtual host: Alias redirection==
 
 
 
The following example redirects requests for "/phpsecinfo" from HTTP to HTTPS.

Edit your virtual-host configuration; the same pattern also redirects to another server if you adjust the rewrite rule.
 
 
 
<syntaxhighlight lang="bash">
 
<VirtualHost *:80>
 
...
 
        # PHPSecInfo
 
RewriteRule ^/phpsecinfo(/.*|$)    https://%{HTTP_HOST}/phpsecinfo$1 [L,R]
 
<Location /phpsecinfo>
 
order deny,allow
 
deny from all
 
                # Only allow specific IP@
 
                # allow from 127.0.0.1 192.168.1.0/24
 
                allow from all
 
</Location>
 
...
 
</VirtualHost>
 
<VirtualHost *:443>
 
...
 
# PHPSecInfo
 
Alias /phpsecinfo /var/www/phpsecinfo
 
<Location /phpsecinfo>
 
order deny,allow
 
deny from all
 
                # Only allow specific IP@
 
                # allow from 127.0.0.1 192.168.1.0/24
 
                allow from all
 
        </Location>
 
...
 
</VirtualHost>
 
</syntaxhighlight>
 
 
 
 
 
Reload your configuration
 
 
 
<syntaxhighlight lang="bash">
 
/etc/init.d/apache2 reload
 
</syntaxhighlight>
 
 
 
 
 
 
 
==Apache 2 Module configuration==
 
 
 
This configuration applies to all virtual hosts, provided each virtual host inherits the server-level rewrite rules (<code>RewriteOptions Inherit</code> in the virtual host, since mod_rewrite does not inherit them by default).
 
 
 
 
 
Create the module configuration file
 
 
 
<syntaxhighlight lang="bash">
 
vim /etc/apache2/mods-available/rewrite.conf
 
</syntaxhighlight>
 
 
 
 
 
Copy / paste this configuration (adjust to your own settings!). Several of the QUERY_STRING patterns below (for example <code>select|insert|union|declare|drop</code>, <code>encode</code>, and the bare <code>( ) ' ? *</code> class) also match ordinary search terms, so legitimate requests will get a 403: test the rules against your own traffic before enabling them.
 
 
 
<syntaxhighlight lang="bash">
  RewriteEngine On

  # --------------------- SECURITY RULES (JOOMLA) ------------------------ #
  ## Deny configuration tampering through the query string
  RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
  # Block out any script trying to base64_encode crap to send via URL
  RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
  # Block out any script that includes a <script> tag in URL
  RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
  # Block out any script trying to set a PHP GLOBALS variable via URL
  RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
  # Block out any script trying to modify a _REQUEST variable via URL
  RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
  # Answer every blocked request with 403 Forbidden ([F] ignores the substitution)
  RewriteRule ^(.*)$ index.php [F,L]

  # --------------------- SECURITY RULES (PERSONAL) ------------------------ #
  ## DENY REQUEST BASED ON REQUEST METHOD ###
  # A second condition "(GET|POST)" used to follow this one; both could never be true for the
  # same request, so the rule never fired. HEAD is blocked too: drop it from the list if needed.
  RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS|HEAD)$ [NC]
  RewriteRule ^.*$ - [F]

  # Avoid common security flaws (one OR-chain: any match below triggers the 403)
  RewriteCond %{QUERY_STRING} ^(.*)http(\:|\%3A)(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig_ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)(%3C|<)/?script(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)(%3D|=)?javascript(%3A|:)(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)document\.location\.href(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)base64_encode(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)GLOBALS(=|\[|\%[0-9A-Z]{0,2})(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)_REQUEST(=|\[|\%[0-9A-Z]{0,2})(.*)$ [NC,OR]
  RewriteCond %{QUERY_STRING} ^(.*)(SELECT|INSERT|DELETE|CHAR\(|UPDATE|REPLACE|LIMIT)(.*)$ [NC,OR]
  # Avoid common security mistakes
  RewriteCond %{QUERY_STRING} \.\.\/     [NC,OR]
  RewriteCond %{QUERY_STRING} boot\.ini  [NC,OR]
  RewriteCond %{QUERY_STRING} tag\=      [NC,OR]
  RewriteCond %{QUERY_STRING} ftp\:      [NC,OR]
  RewriteCond %{QUERY_STRING} http\:     [NC,OR]
  RewriteCond %{QUERY_STRING} https\:    [NC,OR]
  RewriteCond %{QUERY_STRING} mosConfig  [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(\(|\)|<|>|'|"|\?|\*).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3D|%3E|%7B|%7C).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%F|127\.0).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
  RewriteCond %{QUERY_STRING} ^.*(select|insert|union|declare|drop).* [NC]
  RewriteRule ^(.*)$ - [F,L]

  # Ban typical vulnerability scanners and others
  # Kick out Script Kiddies
  RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget).* [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(libwww-perl|curl|wget|python|nikto|wkito|pikto|scan|acunetix).* [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner).* [NC,OR]
  # Avoid zombie software
  RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
  RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
  RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
  RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Zeus
  RewriteRule ^.* - [F,L]

  # Allow the robots to reference our website
  RewriteCond %{HTTP_USER_AGENT} !^Googlebot [NC]
  RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Image [NC]
  RewriteCond %{HTTP_USER_AGENT} !^Googlebot-Mobile [NC]
  RewriteCond %{HTTP_USER_AGENT} !^Msnbot [NC]
  RewriteCond %{HTTP_USER_AGENT} !^Mediapartners-Google [NC]
  # Keep requests without referer
  RewriteCond %{HTTP_REFERER} !^$
  # To allow your pictures to be displayed on Google
  RewriteCond %{HTTP_REFERER} !^http://.*google\.(com|(co\.)?[a-z]{2})/
  # To forbid the copying of your pictures by anyone else: display another image!
  RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/hotlinkis.jpg [L]
</syntaxhighlight>
 
 
 
 
 
 
 
Update your Apache2 configuration:
 
 
 
<syntaxhighlight lang="bash">
 
a2enmod rewrite
 
</syntaxhighlight>
 
 
 
 
 
 
 
Restart your server:
 
 
 
<syntaxhighlight lang="bash">
 
service apache2 restart
 
</syntaxhighlight>
 
 
 
 
 
 
 
 
 
 
 
 
 
=Proxy=
 
 
 
 
 
Special thanks to Julien Rialland for his insight regarding this part!
 
 
 
 
 
 
 
==Principle==
 
 
 
The proxy module allows you to expose a resource that is not directly accessible.

For instance, it can forward a remote user to a service hosted on a different machine or port, behind a simple URL.
 
 
 
 
 
 
 
===Proxy VS redirection===
 
 
 
{| class="wikitable"
|-
! !! Proxy !! Redirection
|-
| Main usage ||
* Expose a resource that is not directly accessible
* Provide a nicer URL through the standard HTTP port instead of http://server:port/service
|| Signal a change, or redirect to the HTTPS web-site
|-
| Action
|| '''Hidden''' from the user.
* From the user's point of view this is just a standard URL / service
* It is the ''server'' that performs the proxy action
|| '''Explicit'''
* The server just serves the new URL
* It is the ''client'' that creates a new connection - See [[Apache_2#Principle]]
|}
 
 
 
 
 
 
 
===Internet limits: why do we need a proxy?===
 
 
 
Some applications are not reachable from outside…
 
 
 
* For security reasons [default URL is not allowed]
 
 
 
[[File:Apache2 proxy security limit.png|none|Proxy for security]]
 
 
 
 
 
* Due to network issues
 
 
 
[[File:Apache2 proxy network issues.png|none|Proxy to improve network]]
 
 
 
 
 
 
 
===How does Apache2 mod_proxy work?===
 
 
 
The Apache2 proxy module allows you to provide access through transparent redirection.
 
 
 
It relies on:
 
* Already open port (80 or 443)
 
* Redirection rule
 
* Each service URL must be unique
 
* The target service must be reachable by the web server
 
 
 
[[File:Apache2 proxy role.png|none|Proxy role]]
 
 
 
 
 
As you can see on the previous example, the services become accessible through dedicated URLs.
Remote “http://myServer/myService” is forwarded to “http://localhost:8081”
 
 
 
 
 
→ ''mod_proxy'' is non-intrusive.
You don't have to change anything in the original service configuration. Apache2 handles all the transformations.
 
 
 
 
 
 
 
===Proxy / redirect / rewrite - HTTP request processing===
 
 
 
When Apache2 receives a request, it is processed in the following order:
 
 
 
[[File:Apache2 proxy rewrite.png|none|Proxy rewrite]]
 
 
 
 
 
The evaluation order is:
 
# Mod_proxy
 
# Mod_rewrite
 
# Other modules
 
# Serve requested resources if no rule should apply
 
 
 
 
 
So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy (because mod_proxy is the first to be evaluated).
 
 
 
 
 
 
 
 
 
==Installation==
 
 
 
 
 
==Enable proxy module==
 
 
 
<syntaxhighlight lang="bash">
 
a2enmod proxy proxy_http proxy_ajp
 
a2enmod proxy_html xml2enc
 
</syntaxhighlight>
 
 
 
 
 
==Configure proxy redirections==
 
 
 
You can configure the redirections in 2 ways:
 
* Through your virtual host configuration
 
* Through the module configuration file
 
 
 
 
 
===Module configuration file===
 
 
 
You have to edit / create the configuration file.
 
 
 
 
<syntaxhighlight lang="bash">
vim /etc/apache2/mods-enabled/proxy.conf
</syntaxhighlight>

===Virtual host===

Just edit again your previous V.Host:

<syntaxhighlight lang="bash">
vim /etc/apache2/sites-available/myServer.conf
</syntaxhighlight>

===V.Host proxy declaration===

Adjust your V.Host configuration to:

<syntaxhighlight lang="bash">
<VirtualHost *:80>
        ServerName dev.daxiongmao.eu
        ServerAlias www.dev.daxiongmao.eu *.dev.daxiongmao.eu
        ServerAdmin guillaume@qin-diaz.com

        ### LOG
        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/error.log
        CustomLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/access.log combined

        ### Redirect all traffic to HTTPS website
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
        redirect permanent / https://myServer/

        ### No proxy here because I only want to use HTTPS
</VirtualHost>

<VirtualHost *:443>
        ...

        #############################
        # Proxy configuration
        #############################
        # Enable proxy
        ProxyVia On
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyErrorOverride Off

        ## SSL support (allow to redirect to other SSL sites)
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        # Use ONE access-control syntax per section: mixing Order/Allow with Require on 2.4 gives unpredictable results
        <Proxy *>
            AddDefaultCharset off
            ## Old Apache2 (before 2.4) syntax
            # Order deny,allow
            # Allow from all
            # Satisfy Any
            ## Apache 2.4 syntax
            Require all granted
        </Proxy>

        ########################
        # Standard Web application - No proxy required
        ########################

        #### Direct access without further configuration
        ProxyPass /maintenance !
        ProxyPass /menu !
        ProxyPass /ssl !

        #### Standard URL filters
        # PhpMyAdmin: local network only
        <Location /phpmyadmin>
                ProxyPass !
                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # Allow from 127.0.0.1 192.168.1.0/24
                ## Apache 2.4 syntax
                Require ip 127.0.0.1 192.168.1.0/24
        </Location>

        #### Alias
        # PHPSecInfo
        Alias  /phpsec  /var/www/phpsecinfo
        <Location /phpsec>
                ProxyPass !
                ## Old Apache2 (before 2.4) syntax
                # order deny,allow
                # allow from all
                ## Apache 2.4 syntax (use "Require ip 127.0.0.1 192.168.1.0/24" to restrict it)
                Require all granted
        </Location>

        ########################
        # Proxy redirections
        ########################

        # Proxy to a Java application running over Tomcat (no trailing / on the target, see notes below)
        ProxyPass /webdav ajp://localhost:8009/webdav
        ProxyPassReverse /webdav ajp://localhost:8009/webdav

        # Proxy to a Java application running over Tomcat, with IP filter
        <Location /manager>
                ## Old Apache2 (before 2.4) syntax
                # Order allow,deny
                # Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
                ## Apache 2.4 syntax
                Require ip 127.0.0.1 192.168.1.0/24 193.12.118.196
                ProxyPass ajp://localhost:8009/manager
                ProxyPassReverse ajp://localhost:8009/manager
        </Location>

        # Proxy to another server
        ProxyPass /jira http://192.168.1.12:8080/jira
        ProxyPassReverse /jira http://192.168.1.12:8080/jira

        ## Proxy to webmin
        <Location /webmin/>
                ProxyPass http://localhost:10000/
                ProxyPassReverse http://localhost:10000/
                ## Old Apache2 (before 2.4) syntax
                # Order deny,allow
                # Deny from all
                # Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
                ## Apache 2.4 syntax
                Require ip 127.0.0.1 172.16.50.0/24 192.168.1.0/24
        </Location>

        ## Proxy to RabbitMQ
        <Location /rabbitmq/>
                ProxyPass http://smartcard-mq:15672/
                ProxyPassReverse http://smartcard-mq:15672/
                ## Old Apache2 (before 2.4) syntax
                # Order deny,allow
                # Deny from all
                # Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
                ## Apache 2.4 syntax
                Require ip 127.0.0.1 172.16.50.0/24 192.168.1.0/24
        </Location>
</VirtualHost>
</syntaxhighlight>

Some notes:
* Do NOT put a / after the target URL
* Do NOT use / as ProxyPass source, use the previous redirect permanent instead
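The proxy block above disables verification of the backend certificate (`SSLProxyVerify none`, `SSLProxyCheckPeerCN off`, `SSLProxyCheckPeerName off`), so an HTTPS backend is trusted without any check of who actually answers. As an added example that is not part of the original page, here is the same stanza with verification switched on; the CA bundle `/etc/ssl/certs/internal-ca.pem`, the backend name `jira.internal.example` and port 8443 are assumptions.

```apache
# Added example (not from the original page): reverse proxy with backend certificate verification.
<VirtualHost *:443>
        ServerName myServer
        # ... SSLEngine, certificate paths, DocumentRoot and logs as in the HTTPS virtual host above

        ProxyRequests Off            # reverse proxy only: never act as an open forward proxy
        ProxyPreserveHost On
        ProxyVia On

        SSLProxyEngine On
        # Require a chain to a trusted CA (assumed bundle path) and a certificate name that matches
        # the host in the ProxyPass URL. The name check uses that URL, not the client's Host header,
        # so the backend certificate must carry jira.internal.example (assumed name) as a SAN.
        SSLProxyVerify require
        SSLProxyVerifyDepth 2
        SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
        SSLProxyCheckPeerName on
        SSLProxyCheckPeerExpire on

        # No blanket <Proxy *> grant: scope each proxied path and restrict it to the client
        # networks that need it (ranges taken from the original page)
        <Location /jira>
                Require ip 127.0.0.1 192.168.1.0/24
                ProxyPass https://jira.internal.example:8443/jira
                ProxyPassReverse https://jira.internal.example:8443/jira
        </Location>
</VirtualHost>
```

With `SSLProxyVerify require` a backend whose certificate does not chain to the bundle or does not match the name returns a 502 to the client and a `proxy: SSL handshake` error in the error log, which is the signal that something between Apache and the backend is not what it claims to be.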
 
 
 
 
 
 
 
Apply the changes and test the result:
 
 
 
<syntaxhighlight lang="bash">
 
service apache2 restart
 
</syntaxhighlight>
 
 
 
 
 
 
 
For example, navigate to http://myServer/jira
 
 
 
=Related topics=
 
 
 
 
 
==Distribute and install the certificates==
 
 
 
Some guides to set up specific applications and features:
 
 
 
* [[Apache 2 - Security]]
 
 
 
* [[Apache 2 - Performances]]
 
 
 
* [[Apache 2 - SSL certificates page]]
 
 
 
* [[Apache 2 - LDAP access]]
 

Latest revision as of 16:38, 3 November 2021



Requirements

Before going through this tutorial, I recommend that you set up:



Installation

Apache 2

This will install web server + PHP + Perl + all required libraries.

Apache2 core

apt install apache2 apache2-utils 
apt install ssl-cert

Since Ubuntu 16.04 apache2-mpm-prefork is not required

Doc

apt install apache2-doc


Perl

apt-get install libapache2-mod-perl2 libapache2-mod-perl2-doc


SNMP

Sometimes you might encounter SNMP errors on recent Debian-based distributions.

In that case you have to install an additional package and run it.

apt-get install snmp-mibs-downloader
download-mibs


source: http://www.podciborski.co.uk/miscellaneous/snmp-cannot-find-module/


PHP 8

2021-11: PHP 8 is not included in Ubuntu 20.04 LTS.

Source article: http://www.daxiongmao.eu/wiki/index.php?title=Apache_2&action=edit

Add PHP 8.0 repository

apt install software-properties-common
add-apt-repository ppa:ondrej/php
apt update

Install core packages

To install the latest version of PHP:

# PHP core
apt-get install php
apt-get install php-cli
# Apache2 support
apt install libapache2-mod-php


Modules PHP

apt-get install php-cgi 
#apt-get install php-opcache
apt-get install php-gd 
apt-get install php-bz2 
apt-get install php-curl 
apt-get install php-xmlrpc
apt-get install php-json 
apt-get install php-mysql 
apt-get install php-imap 
apt-get install php-mbstring
# Performances
apt install php-fpm libapache2-mod-fcgid

Enable modules

sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php8.0-fpm

Utility

apt install php-pear

Configuration

Edit PHP config file:

vim /etc/php/8.0/cli/php.ini
  • Let CGI behave as before: set cgi.fix_pathinfo=1
  • Adjust file upload size upload_max_filesize = 32M
  • Adjust post size post_max_size = 32M
  • Adjust time zone date.timezone = Europe/Paris
  • Save path: session.save_path = "/tmp"

Check PHP version and configuration

To ensure PHP 8.0 is correctly installed, just type:

php -v


Image Magick

apt install php-gd php-imagick imagemagick

Configuration

Edit PHP config file:

vim /etc/php/8.0/apache2/php.ini

Add / uncomment the following lines in Dynamic extensions area

; PHP 8  (~ line 904) - php.ini comments start with ";"
extension=bz2
extension=curl
extension=gd
extension=imap
extension=mysqli


!! Note this is NOT required on Ubuntu 20.04 because these modules are enabled by default !!

Firewall

see Firewall INPUT filters#Web server

Restart the firewall

/etc/init.d/firewall restart


Test your installation

Restart the Apache2 server

service apache2 restart


Create a simple PHP script

vim /var/www/html/phpinfo.php

Put the following:

<?php
phpinfo();
?>

Adjust rights

chown www-data:www-data /var/www/html/phpinfo.php
chmod 755 /var/www/html/phpinfo.php


You can now test your installation by going to 'http://localhost/phpinfo.php' or 'http://myServer/phpinfo.php'. You should see the PHP information page. Delete the script once you are done: phpinfo() discloses paths, loaded modules and configuration values to anyone who can reach the URL.