Oracle Linux/Apache httpd
Latest revision as of 09:10, 9 October 2018
Installing Apache HTTPD from source
Recently, CVEs have been discovered in the latest versions of httpd available from the repos, which presents a problem for administrators since they cannot easily upgrade to a patched version. In such cases, manually compiling httpd from source is sometimes the only temporary solution until the repositories are updated or the fixes are backported.
Reference: https://blacksaildivision.com/how-to-install-apache-httpd-on-centos
Remove if already installed
If you already have httpd installed, remove it.
~$ sudo yum remove httpd -y
Install dependencies, download and unpack source
Install the EPEL repo, then grab some needed packages.
~$ sudo yum install epel-release -y
~$ sudo yum install autoconf expat-devel libtool libnghttp2-devel pcre-devel -y
Next we need to download Apache httpd and two of Apache's runtime libraries, APR and APR-util.
~$ curl -L https://github.com/apache/httpd/archive/2.4.35.tar.gz -o /tmp/apache/2.4.35.tar.gz --create-dirs
~$ curl -L https://github.com/apache/apr/archive/1.6.5.tar.gz -o /tmp/apache/1.6.5.tar.gz --create-dirs
~$ curl -L https://github.com/apache/apr-util/archive/1.6.1.tar.gz -o /tmp/apache/1.6.1.tar.gz --create-dirs
Untar them (from within /tmp/apache):
~$ tar -zxvf 2.4.35.tar.gz -C /tmp/apache/
~$ tar -zxvf 1.6.5.tar.gz -C /tmp/apache/
~$ tar -zxvf 1.6.1.tar.gz -C /tmp/apache/
Move the APR libraries into place. Make sure the new directory names do not have a version number.
~$ cp -r /tmp/apache/apr-1.6.5 /tmp/apache/httpd-2.4.35/srclib/apr
~$ cp -r /tmp/apache/apr-util-1.6.1 /tmp/apache/httpd-2.4.35/srclib/apr-util
Compile time
It's easiest just to work from within the source directory.
~$ cd /tmp/apache/httpd-2.4.35
Now let's generate the configure script, configure, and compile with SSL support (mod_ssl). Note that --with-ssl=/usr/local/openssl points at an OpenSSL installed under that prefix; adjust it if your OpenSSL lives elsewhere.
~$ ./buildconf
~$ ./configure --enable-ssl --enable-so --enable-http2 --with-mpm=event --with-included-apr --with-ssl=/usr/local/openssl --prefix=/usr/local/apache2
~$ make
~$ sudo make install
Add to /usr/bin
So that we can execute httpd, we need to add a symlink in /usr/bin:
~$ sudo ln -s /usr/local/apache2/bin/httpd /usr/bin/httpd
Verify version
~$ httpd -v
Server version: Apache/2.4.35 (Unix)
Server built:   Oct  8 2018 15:11:53
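The version check above is the moment to confirm two things: that the httpd found on PATH is the build under /usr/local/apache2 (and not a leftover package binary), and that it reports at least the version you compiled to get the fix. The following script, an added example that is not part of the original page, does both; the "httpd -v" text is a constructed sample so it runs without httpd installed, and the commented-out live call resolves the /usr/bin symlink created in the previous step.

```shell
#!/bin/sh
# Added example, not from the original page: confirm that the httpd on PATH is the
# source build under /usr/local/apache2 and that it is at least the patched version.
# SAMPLE_OUTPUT is a constructed copy of what "httpd -v" prints after the build above.

SAMPLE_OUTPUT='Server version: Apache/2.4.35 (Unix)
Server built:   Oct  8 2018 15:11:53'

# parse_httpd_version: reads "httpd -v" output on stdin, prints the dotted version.
parse_httpd_version() {
    sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1
}

# version_ge A B: returns 0 when dotted version A is at least B (missing fields count as 0).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s.0.0\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s.0.0\n' "$2" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# is_local_build PATH: returns 0 when the resolved httpd binary is the one installed
# under the --prefix used during ./configure above.
is_local_build() {
    case "$1" in
        /usr/local/apache2/bin/httpd) return 0 ;;
        *) return 1 ;;
    esac
}

# httpd_build_ok MIN_VERSION VERSION_OUTPUT RESOLVED_PATH: combines the checks and
# prints the reason for the verdict; returns 1 on any failure.
httpd_build_ok() {
    ver=$(printf '%s\n' "$2" | parse_httpd_version)
    if [ -z "$ver" ]; then
        echo "could not parse a version from httpd -v output"; return 1
    fi
    if ! version_ge "$ver" "$1"; then
        echo "httpd $ver is older than the required $1"; return 1
    fi
    if ! is_local_build "$3"; then
        echo "httpd resolves to $3, not the source build"; return 1
    fi
    echo "httpd $ver at $3 is the patched source build"
}

# Live use on the server (uncomment): follow the /usr/bin symlink to the real binary.
# httpd_build_ok 2.4.35 "$(httpd -v)" "$(readlink -f "$(command -v httpd)")"

# Demonstration on the constructed sample: one good path, one leftover package path.
httpd_build_ok 2.4.35 "$SAMPLE_OUTPUT" /usr/local/apache2/bin/httpd
httpd_build_ok 2.4.35 "$SAMPLE_OUTPUT" /usr/sbin/httpd || true
```

Run it after the yum removal and the symlink step; if the second check fires on a real box, the old binary is still shadowing the new one somewhere on PATH.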
Add init.d script
Pulled from this github source.
~$ sudo vim /etc/init.d/httpd
#!/bin/bash
#
# Startup script for the Apache Web Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
#              HTML files and CGI.
# processname: httpd
# pidfile: /usr/local/apache2/logs/httpd.pid
# config: /usr/local/apache2/conf/httpd.conf

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /etc/sysconfig/httpd ]; then
        . /etc/sysconfig/httpd
fi

# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""

# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/usr/local/apache2/bin/apachectl
httpd=/usr/local/apache2/bin/httpd
# The pid file lives under ServerRoot (see the pidfile comment above), not under the
# binary path, so it must not be built from $httpd.
pid=/usr/local/apache2/logs/httpd.pid
prog=httpd
RETVAL=0

# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure.  So we just do it the way init scripts
# are expected to behave here.
start() {
        echo -n $"Starting $prog: "
        daemon $httpd $OPTIONS
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && touch /var/lock/subsys/httpd
        return $RETVAL
}
stop() {
        echo -n $"Stopping $prog: "
        killproc $httpd
        RETVAL=$?
        echo
        [ $RETVAL = 0 ] && rm -f /var/lock/subsys/httpd $pid
}
reload() {
        echo -n $"Reloading $prog: "
        killproc $httpd -HUP
        RETVAL=$?
        echo
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  status)
        status $httpd
        RETVAL=$?
        ;;
  restart)
        stop
        start
        ;;
  condrestart)
        if [ -f $pid ] ; then
                stop
                start
        fi
        ;;
  reload)
        reload
        ;;
  graceful|help|configtest|fullstatus)
        $apachectl "$@"
        RETVAL=$?
        ;;
  *)
        echo $"Usage: $prog {start|stop|restart|condrestart|reload|status"
        echo $"|fullstatus|graceful|help|configtest}"
        exit 1
esac

exit $RETVAL
Add to startup and check iptables
~$ sudo chkconfig --level 345 httpd on
So in my case, the default state for the INPUT chain was ACCEPT, but because a REJECT existed at the end of the chain, iptables blocked port 80 access. I opted to remove it since I was running httpd from a local VM on VirtualBox, but you'll have to figure out what works best for you and your environment.
~$ sudo iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
~$ sudo iptables -L -n -v
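The author deleted the catch-all REJECT. A narrower alternative, added here as an example and not part of the original page, is to locate that REJECT rule's position in the INPUT chain and insert an ACCEPT for the web ports just above it, so everything else stays blocked. The chain listing below is a constructed sample in the stock CentOS/Oracle Linux 6 layout as printed by "iptables -L INPUT -n -v --line-numbers"; the script prints the iptables command rather than running it, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the original page: open the web ports above the chain's
# catch-all REJECT instead of deleting it. SAMPLE_CHAIN is a constructed listing in
# the format of "iptables -L INPUT -n -v --line-numbers".

SAMPLE_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   840 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4        2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5        7   420 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# reject_rule_index: reads a numbered chain listing on stdin and prints the rule
# number of the first REJECT; prints nothing when the chain has none.
# Only lines whose first field is a rule number count, so the "Chain INPUT (policy ...)"
# header is ignored even when the policy itself is REJECT.
reject_rule_index() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "REJECT" { print $1; exit }'
}

# port_allowed PORT LISTING: returns 0 when an ACCEPT for tcp dpt:PORT already sits
# before the REJECT, 1 otherwise.
port_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 !~ /^[0-9]+$/ { next }
        $4 == "REJECT" { exit }
        $4 == "ACCEPT" && $5 == "tcp" && $0 ~ ("dpt:" p "($| )") { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# allow_port_cmd PORT LISTING: prints the iptables command that opens PORT above the
# REJECT rule, or appends it when there is no REJECT to get ahead of.
allow_port_cmd() {
    idx=$(printf '%s\n' "$2" | reject_rule_index)
    if [ -n "$idx" ]; then
        echo "iptables -I INPUT $idx -p tcp --dport $1 -m state --state NEW -j ACCEPT"
    else
        echo "iptables -A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT"
    fi
}

# Demonstration on the constructed chain. On a live box, replace SAMPLE_CHAIN with
# "$(sudo iptables -L INPUT -n -v --line-numbers)" and run the printed commands with sudo.
echo "catch-all REJECT is rule $(printf '%s\n' "$SAMPLE_CHAIN" | reject_rule_index)"
for p in 80 443; do
    if port_allowed "$p" "$SAMPLE_CHAIN"; then
        echo "port $p already allowed"
    else
        echo "run: $(allow_port_cmd "$p" "$SAMPLE_CHAIN")"
    fi
done
```

Inserting at the REJECT's own index pushes the REJECT down by one, so the new ACCEPT is evaluated first while SSH and the RELATED,ESTABLISHED rule keep their places; remember to save the rule set (service iptables save) or it is lost at reboot.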
Add groups and users
Apache needs certain groups and users to operate correctly. You can opt to rename these, but you'll need to keep this in mind when working with your Apache config.
~$ sudo groupadd www
~$ sudo useradd httpd -g www --no-create-home --shell /sbin/nologin
Basic httpd.conf configuration
Your needs will dictate how you configure your httpd.conf file; however, the following is a good starting point.
~$ sudo vim /usr/local/apache2/conf/httpd.conf
...
# Make sure that ServerRoot is set to the same value as --prefix during ./configure
ServerRoot /usr/local/apache2

# Set ServerName to prevent a warning on Apache start
ServerName localhost

# Default port set to 80 - HTTP protocol
Listen 80

# Set user and group
User httpd
Group www

# Configure the entry file for your application. If you plan to use PHP, make sure it is listed first
DirectoryIndex index.php index.html

# Hide the Apache version from the Server header and from error pages
ServerTokens prod
ServerSignature off

# Disable ETag to prevent disclosing sensitive values like the inode number
FileETag none
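The hardening lines in that starting point (ServerTokens, ServerSignature, FileETag, and an unprivileged User/Group) are the ones most often lost when a config is copied around later. The script below, an added example and not part of the original page, audits an httpd.conf for them. Directive names and these particular values are case-insensitive in Apache, so it compares lower-cased, and it ignores commented-out lines; the two configs it checks are constructed samples written to temp files.

```shell
#!/bin/sh
# Added example, not from the original page: audit an httpd.conf for the hardening
# directives used in the starting-point config above. WEAK_CONF and HARDENED_CONF are
# constructed samples; point audit_httpd_conf at /usr/local/apache2/conf/httpd.conf for real use.

WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ServerRoot /usr/local/apache2
Listen 80
User root
Group root
ServerTokens Full
ServerSignature On
EOF

HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
ServerRoot /usr/local/apache2
ServerName localhost
Listen 80
User httpd
Group www
# ServerTokens Full   <- commented out, must not count
ServerTokens prod
ServerSignature off
FileETag none
EOF

# directive_value FILE NAME: prints the argument of the last active NAME directive,
# lower-cased; prints nothing when the directive is absent or only commented out.
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}' | tr 'A-Z' 'a-z'
}

# expect_directive FILE NAME WANT WHY: prints a finding and bumps $findings when NAME is not WANT.
expect_directive() {
    v=$(directive_value "$1" "$2")
    if [ "$v" != "$3" ]; then
        echo "$2 is '${v:-unset}' (want $3): $4"
        findings=$((findings + 1))
    fi
}

# audit_httpd_conf FILE: prints one finding per line; the return value is the finding count.
audit_httpd_conf() {
    findings=0
    expect_directive "$1" ServerTokens prod "full version string leaks in the Server header"
    expect_directive "$1" ServerSignature off "version string appears on error pages"
    expect_directive "$1" FileETag none "ETag can reveal file metadata"
    for d in User Group; do
        v=$(directive_value "$1" "$d")
        case "$v" in
            ""|root)
                echo "$d is '${v:-unset}': worker processes must not run as root"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# count_findings FILE: prints the number of findings (safe to call under set -e).
count_findings() {
    n=0
    audit_httpd_conf "$1" >/dev/null || n=$?
    echo "$n"
}

echo "== weak config =="
audit_httpd_conf "$WEAK_CONF" || echo "$? finding(s)"
echo "== hardened config =="
audit_httpd_conf "$HARDENED_CONF" && echo "clean"
```

The last-active-wins rule in directive_value matches how httpd itself resolves a directive repeated in the main server context, so a stray "ServerTokens Full" appended at the bottom of the file is reported even if the hardened value appears earlier.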
Load Modules
There are a lot of modules that come with Apache httpd, too many to list here or to explain individually. However, below is where to enable/disable them, with a quick description of the most common ones.
~$ sudo vim /usr/local/apache2/conf/httpd.conf
To enable/disable a module, simply uncomment or comment the appropriate LoadModule line.
Modules:
# These modules must be enabled if you want Apache to start
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule dir_module modules/mod_dir.so

# If you are using PHP with PHP-FPM (which I highly suggest), enable the proxy modules
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so

# Enable pretty links and mod_rewrite, which is heavily used by frameworks and CMSes
LoadModule rewrite_module modules/mod_rewrite.so

# Useful for WordPress sites - enables Require for setting up access to given resources.
LoadModule access_compat_module modules/mod_access_compat.so

# One more useful thing for WordPress and Let's Encrypt - enables Alias. If you are using composer and wpackagist it's a must; otherwise, if you don't plan to use aliases, leave it disabled
LoadModule alias_module modules/mod_alias.so

# Enable gzip compression for static files
LoadModule deflate_module modules/mod_deflate.so
LoadModule filter_module modules/mod_filter.so

# Enable the Expires header for caching assets on the browser side
LoadModule expires_module modules/mod_expires.so

# Enable SSL and HTTP/2
LoadModule http2_module modules/mod_http2.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

# Enable the status module for monitoring Apache. If you don't plan to use it, leave it commented out
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule status_module modules/mod_status.so
Multi-Processing Modules
Enable the multi-processing module configuration.
~$ sudo vim /usr/local/apache2/conf/httpd.conf
...
Include conf/extra/httpd-mpm.conf    ##<<<< Uncomment
Edit the enabled file and adjust as needed. Since we specified the event MPM (--with-mpm=event) at configure time, you would probably want to start with the mpm_event_module block. I won't give you any suggestions or in-depth info as this pertains to Apache performance tweaking.
~$ sudo vim /usr/local/apache2/conf/extra/httpd-mpm.conf
...
<IfModule mpm_event_module>
    StartServers             3
    MinSpareThreads         75
    MaxSpareThreads        250
    ThreadsPerChild         25
    MaxRequestWorkers      400
    MaxConnectionsPerChild   0
</IfModule>
Setup Virtual Hosts
This is just a quick example of how to set up a basic virtual host with SSL.
A simple setup is to include all configuration files within a certain directory. Add the following to the end of your httpd.conf file.
~$ sudo vim /usr/local/apache2/conf/httpd.conf
...
#
# Include all configuration files within the specified directory
Include /usr/local/apache2/conf.d/*.conf
#
# Setup Apache to listen on 443 if mod_ssl is enabled.
<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>
Create the folder structure and permissions.
~$ sudo mkdir /var/www
~$ sudo chmod 755 /var/www
~$ sudo chown root:root /var/www
~$ sudo mkdir -p /var/www/website.com/htdocs
~$ sudo mkdir -p /var/www/website.com/logs
~$ sudo chown root:root /var/www/website.com/
~$ sudo chown admin:www /var/www/website.com/htdocs/
~$ sudo chown admin:www /var/www/website.com/logs/
~$ sudo chmod 755 /var/www/website.com/
~$ sudo chmod 2775 /var/www/website.com/htdocs/
~$ sudo chmod 2775 /var/www/website.com/logs/
Create the SSL key and certificate.
~$ sudo openssl genrsa -out /etc/pki/tls/private/website.com.key 4096
~$ sudo openssl req -new -x509 -key /etc/pki/tls/private/website.com.key -out /etc/pki/tls/certs/website.com.crt
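Two things from the folder-permission step and the key-generation step above are worth re-checking after the fact: that nothing under the site directory is world-writable and that htdocs and logs kept the setgid bit (the "2" in 2775, which makes new files inherit the www group), and that the private key is not readable by group or other, which is what a default umask leaves behind after "openssl genrsa". The script below, an added example that is not part of the original page, performs both audits; the sample tree and key are constructed in temp files so it runs without root, and the commented-out lines show the live paths from the page.

```shell
#!/bin/sh
# Added example, not from the original page: audit the web tree permissions and the
# TLS private key mode from the steps above. The tree and key below are constructed
# samples; the temp files are left in place so they can be inspected afterwards.

SAMPLE_ROOT=$(mktemp -d)                          # stands in for /var/www/website.com
mkdir -p "$SAMPLE_ROOT/htdocs/uploads" "$SAMPLE_ROOT/logs"
chmod 755  "$SAMPLE_ROOT"
chmod 2775 "$SAMPLE_ROOT/htdocs" "$SAMPLE_ROOT/logs"
chmod 777  "$SAMPLE_ROOT/htdocs/uploads"          # deliberately wrong: world-writable, no setgid
printf 'placeholder\n' > "$SAMPLE_ROOT/htdocs/index.html"
chmod 644  "$SAMPLE_ROOT/htdocs/index.html"
SAMPLE_KEY=$(mktemp)                              # stands in for website.com.key
chmod 644  "$SAMPLE_KEY"                          # what genrsa leaves with a 022 umask

# audit_webroot SITE_DIR: prints one finding per line; prints nothing when clean.
audit_webroot() {
    site=$1
    # Anything writable by "other" lets any local account alter served content or logs.
    find "$site" -perm -0002 | while IFS= read -r path; do
        echo "world-writable: $path"
    done
    # Without setgid, new files no longer inherit the www group that 2775 was meant to give them.
    # Only htdocs and logs are expected to carry it; the site directory itself is plain 755.
    for sub in htdocs logs; do
        find "$site/$sub" -type d ! -perm -2000 | while IFS= read -r path; do
            echo "no setgid bit: $path"
        done
    done
}

# audit_private_key KEY_FILE: prints a finding when group or other have any permission.
audit_private_key() {
    # characters 5-10 of "ls -l" output are the group and other permission bits, e.g. "r--r--"
    bits=$(ls -ld "$1" | cut -c5-10)
    case "$bits" in
        ------) ;;
        *) echo "private key $1 is accessible to group/other (bits $bits); chmod 600 it" ;;
    esac
}

echo "== web tree =="
audit_webroot "$SAMPLE_ROOT"
echo "== TLS key =="
audit_private_key "$SAMPLE_KEY"

# Live use on the server (uncomment):
# audit_webroot /var/www/website.com
# audit_private_key /etc/pki/tls/private/website.com.key
```

The key check only looks at the mode bits; the certificate in /etc/pki/tls/certs is public and may stay world-readable, which is why the script does not audit it.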
Then moving on to the conf file(s).
~$ sudo vim /usr/local/apache2/conf.d/httpd-vhost-website.com.conf
...
<VirtualHost *:443>

    ServerName website.com
    ServerAlias www.website.com

    # Redirect www to non-www
    # RedirectMatch permanent "^www\.(.*)$" "https://website.com/"

    # Directory settings
    DocumentRoot /var/www/website.com/htdocs
    <Directory /var/www/website.com/htdocs>
        AllowOverride All
        Require all granted
        Options +FollowSymLinks -Indexes -Includes
    </Directory>

    # Logging
    ErrorLog "/var/www/website.com/logs/httpd-error.log"
    CustomLog "/var/www/website.com/logs/httpd-access.log" common

    # SSL configuration
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/website.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/website.com.key"

</VirtualHost>
Because I'm lazy, I opted to reuse the default test page.
~$ sudo ln -s /usr/local/apache2/htdocs/index.html /var/www/website.com/htdocs/index.html
Restart Apache
With all the changes we made, you will want to restart Apache and verify that it starts.
~$ sudo service httpd restart