Ubuntu/apache2

From r00tedvw.com wiki

Latest revision as of 23:03, 20 January 2016


Basic Info

apache2 (the Apache HTTP Server) is the most popular web server application on the market today


start|stop|restart apache2

sudo /etc/init.d/apache2 start|stop|restart

OR

sudo service apache2 start|stop|restart

apache2 enable site

a2ensite [site config file name]
i.e. a2ensite default-ssl

apache2 disable site

a2dissite [site config file name]
i.e. a2dissite default-ssl

apache2 enable module

a2enmod [module]
i.e. a2enmod ssl (module names omit the mod_ prefix; a2enmod looks for /etc/apache2/mods-available/ssl.load)

apache2 disable module

a2dismod [module]
i.e. a2dismod ssl

disable indexing

~$ sudo a2dismod autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  service apache2 restart

mod_rewrite

A very powerful, very confusing tool.
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
http://httpd.apache.org/docs/current/rewrite/remapping.html

enabling

It was not enabled by default on my Ubuntu 14.04 VM.

sudo a2enmod rewrite

redirect

Request: redirect all traffic from a domain, including any subpage, to the landing/index page of another domain.
Condition: mod_rewrite is enabled; virtual hosts are used.
Resolution:

 <VirtualHost *:80>
         # Old domains: send every request to the new domain's landing page.
         RewriteEngine on
         # Everything except /index.html is answered with a 302 to the new
         # domain; the trailing "?" drops the original query string.
         RewriteCond %{REQUEST_URI} !^/index.html$
         RewriteRule .* http://newdomain.com/? [R=302,L]
         ServerName olddomain1.com
         ServerAlias olddomain2.com
         # Permanent (301) redirect for whatever the rewrite rule leaves alone,
         # e.g. /index.html itself.
         Redirect permanent / http://newdomain.com/
 </VirtualHost>
 
 <VirtualHost *:80>
         # The destination site.
         ServerName newdomain.com
         ServerAdmin admin@newdomain.com
         DocumentRoot /var/www/newdomain.com
         TransferLog /var/log/apache2/newdomain.com-access_log
         ErrorLog /var/log/apache2/newdomain.com-error_log
 </VirtualHost>
 


mod_authz_host

Great tool for restricting access to a virtual site, easy to read and understand. Add options to the <Directory> settings in the site conf file.

i.e.
<Directory /var/www/mysite.com/>
          # Evaluate Deny rules first, then Allow; the last match wins.
          Order Deny,Allow
          # Default-deny, then allow only the one management host.
          Deny from all
          Allow from 10.1.1.50
</Directory>

listen on non-standard port

On Ubuntu 14.04, it is done by adding the extra port to /etc/apache2/ports.conf:

~$ sudo vi /etc/apache2/ports.conf

Listen 80
Listen 8080


Troubleshooting

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message

Ubuntu 14.04
~$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
~$ sudo a2enconf fqdn

SSL Error: Invalid method in request \x16\x03\x01

I only started having SSL issues after moving to CloudFlare as a proxy so that they would provide me with a free SSL cert. I found that this issue appeared to be due to the fact my Virtual Host site conf was set up as such:

(snippet)
   <VirtualHost https://wiki.r00tedvw.com:443>
        Servername https://wiki.r00tedvw.com

I changed it to this:

   <VirtualHost *:443>
        Servername https://wiki.r00tedvw.com

Apparently, it is redundant and will cause issues if you list the hostname in the VirtualHost. In this instance, I only have (1) site live on the server, so this may not be the correct solution for a multi-tenant setup.


Hardening

Hardening is a must.

Disable options through virtual site conf

All of the following can be added to a virtual site conf file to harden it by disabling options that have been commonly used as attack vectors:

  • Directory browsing
  • Server side Includes
  • CGI execution
  • Symbolic links
i.e.
<Directory /var/www/mysite.com/>
                Options -Indexes -Includes -ExecCGI -FollowSymLinks
</Directory>
  • Or disable ALL options:
i.e.
<Directory /var/www/mysite.com/>
                Options None
</Directory>

Disable SSLv2/3

Add the following to your apache virtual site config. I added mine right below the other SSL Entries specifying the engine, cert file and key file.

#Disable SSLv3
SSLProtocol All -SSLv2 -SSLv3

Hide Apache Version Number

i.e.
<Directory /var/www/mysite.com/>
                ServerSignature Off
</Directory>

Prevent directive inheritance

Primarily used to prevent inheritance of directives defined in .htaccess, this can prevent unwanted directives from being loaded on the site.

i.e.
<Directory /var/www/mysite.com/>
                AllowOverride None
</Directory>

Limit Body request size

Primarily useful for limiting upload request sizes, but you can also use it where uploads are not offered, to help mitigate some DoS attacks.
Really not sure how to calculate what size to put if you're not allowing uploading, so I tried setting the size to the largest file size served to clients and it seems to load everything in the site fine.

i.e.
<Directory /var/www/mysite.com/>
                LimitRequestBody 1021933
</Directory>
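The directives in this Hardening section can be checked mechanically. The following POSIX shell script is an added example, not code from this wiki or from the Apache project: it greps one or more config files for the Options, ServerSignature, AllowOverride, SSLProtocol and LimitRequestBody settings described above, plus ServerTokens, which is not on this page but matters because ServerSignature Off only removes the footer on server-generated pages, while the Server: response header is controlled by ServerTokens, a server-config-only directive that Ubuntu keeps in /etc/apache2/conf-enabled/security.conf. The function names, the sample configs and the file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the wiki): text-level audit of Apache site configs
# for the hardening directives discussed above.
# Usage: audit_apache_conf SITE.conf [GLOBAL.conf ...]
#   e.g. audit_apache_conf /etc/apache2/sites-enabled/mysite.conf \
#                          /etc/apache2/conf-enabled/security.conf
# Prints one FINDING line per weak/missing directive; exit status = number of
# findings. It greps the files you pass, it does not evaluate the merged config.

findings=0
body=""

report() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

# Case-insensitive extended-regex match against the comment-stripped config.
has_directive() {
    printf '%s\n' "$body" | grep -Eiq -e "$1"
}

audit_apache_conf() {
    [ $# -gt 0 ] || { echo "usage: audit_apache_conf FILE..." >&2; return 2; }
    findings=0
    # Strip "#" comments so a commented-out directive does not count as present.
    body=$(cat "$@" | sed 's/#.*$//')

    # 1. Options: Indexes, Includes, ExecCGI, FollowSymLinks must be disabled,
    #    either via "Options None" or an explicit "-Name" for each.
    if ! has_directive '^[[:space:]]*Options[[:space:]]+None([[:space:]]|$)'; then
        for opt in Indexes Includes ExecCGI FollowSymLinks; do
            has_directive '^[[:space:]]*Options[[:space:]].*-'"$opt"'([[:space:]]|$)' \
                || report "Options: $opt is not explicitly disabled"
        done
    fi

    # 2. Version disclosure: footer (ServerSignature) and Server: header
    #    (ServerTokens, server config only, so pass security.conf as well).
    has_directive '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)' \
        || report "ServerSignature is not Off"
    has_directive '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)' \
        || report "ServerTokens is not Prod (Server header discloses the version)"

    # 3. .htaccess overrides: every AllowOverride line should be None.
    if has_directive '^[[:space:]]*AllowOverride[[:space:]]'; then
        printf '%s\n' "$body" | grep -Ei '^[[:space:]]*AllowOverride[[:space:]]' \
            | grep -Eivq '^[[:space:]]*AllowOverride[[:space:]]+None[[:space:]]*$' \
            && report "AllowOverride enables .htaccess directives"
    else
        report "AllowOverride is not set explicitly"
    fi

    # 4. Protocol versions, only where SSLEngine is on: "All" or an explicit
    #    SSLv3 without a matching "-SSLv3" leaves SSLv3 enabled.
    if has_directive '^[[:space:]]*SSLEngine[[:space:]]+on([[:space:]]|$)'; then
        if ! has_directive '^[[:space:]]*SSLProtocol[[:space:]]'; then
            report "SSLProtocol is not set"
        elif has_directive '^[[:space:]]*SSLProtocol[[:space:]].*(All|[[:space:]][+]?SSLv3)([[:space:]]|$)' \
             && ! has_directive '^[[:space:]]*SSLProtocol[[:space:]].*-SSLv3([[:space:]]|$)'; then
            report "SSLProtocol leaves SSLv3 enabled"
        fi
    fi

    # 5. Request body cap: LimitRequestBody 0 (the default) means unlimited.
    has_directive '^[[:space:]]*LimitRequestBody[[:space:]]+[1-9][0-9]*([[:space:]]|$)' \
        || report "LimitRequestBody is not set (default is unlimited)"

    echo "findings: $findings"
    return $findings
}

# Constructed sample configs so the script runs stand-alone (not real files).
write_sample_confs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
<VirtualHost *:443>
        ServerName mysite.com
        SSLEngine on
        SSLProtocol All
        <Directory /var/www/mysite.com/>
                Options Indexes FollowSymLinks
                AllowOverride All
                # ServerSignature Off
        </Directory>
</VirtualHost>
EOF
    # The values Ubuntu ships in security.conf by default.
    printf 'ServerTokens OS\nServerSignature On\n' > "$dir/security-default.conf"
    cat > "$dir/hardened.conf" <<'EOF'
<VirtualHost *:443>
        ServerName mysite.com
        SSLEngine on
        #Disable SSLv3
        SSLProtocol All -SSLv2 -SSLv3
        <Directory /var/www/mysite.com/>
                Options None
                AllowOverride None
                ServerSignature Off
                LimitRequestBody 1021933
        </Directory>
</VirtualHost>
EOF
    printf 'ServerTokens Prod\nServerSignature Off\n' > "$dir/security-hardened.conf"
}

demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
echo "== weak.conf =="
audit_apache_conf "$demo_dir/weak.conf" "$demo_dir/security-default.conf" || :
echo "== hardened.conf =="
audit_apache_conf "$demo_dir/hardened.conf" "$demo_dir/security-hardened.conf" || :
rm -rf "$demo_dir"
```

Run as-is to see the two constructed samples audited (9 findings for the weak one, 0 for the hardened one); on a real host, call audit_apache_conf with the site conf from sites-enabled and security.conf, then confirm the result with apache2ctl configtest and a reload. Because it is a textual check it can miss directives Apache merges in from other files; apache2ctl -S shows the effective virtual host layout.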