Ubuntu/apache2
(→Hardening) |
(→Hardening) |
||
Line 115: | Line 115: | ||
<Directory /var/www/mysite.com/> | <Directory /var/www/mysite.com/> | ||
ServerSignature Off | ServerSignature Off | ||
+ | </Directory></nowiki> | ||
+ | |||
+ | ====Prevent directive inheritance==== | ||
+ | Primarily used to prevent inheritance of directives defined in .htaccess, this can prevent unwanted directives from being loaded on the site. | ||
+ | <nowiki>i.e. | ||
+ | <Directory /var/www/mysite.com/> | ||
+ | AllowOverride None | ||
</Directory></nowiki> | </Directory></nowiki> |
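Review bot: the description added under "Prevent directive inheritance" says the setting prevents inheritance of directives defined in .htaccess, but the example uses AllowOverride None, which makes Apache ignore .htaccess files under that directory altogether. Suggest saying so directly, so readers know that any rules they already keep in .htaccess stop applying. Also, in the added line "<nowiki>i.e." the "i.e." sits inside the nowiki block and will render as part of the config; move it outside the block.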
Revision as of 22:50, 20 January 2016
Basic Info
- apache2 is the most popular web hosting application on the market today
start|stop|restart apache2
sudo /etc/init.d/apache2 start|stop|restart
OR
sudo service apache2 start|stop|restart
apache2 enable site
a2ensite [site config file name] i.e. a2ensite default-ssl
apache2 disable site
a2dissite [site config file name] i.e. a2dissite default-ssl
apache2 enable module
a2enmod [module] i.e. a2enmod ssl
apache2 disable module
a2dismod [module] i.e. a2dismod ssl
disable indexing
~$ sudo a2dismod autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  service apache2 restart
mod_rewrite
Very powerful, very confusing tool.
http://httpd.apache.org/docs/2.0/misc/rewriteguide.html
http://httpd.apache.org/docs/2.0/mod/mod_rewrite.html
http://httpd.apache.org/docs/current/rewrite/remapping.html
enabling
Was not enabled by default for my Ubuntu 14.04 VM.
sudo a2enmod rewrite
redirect
Request: redirect all traffic from a domain, including any subpage, to the landing/index page of another domain
Condition: mod_rewrite is enabled. Virtual hosts are used.
Resolution:
<VirtualHost *:80>
    RewriteEngine on
    # Send every request except /index.html to the new domain's landing page;
    # the trailing ? drops the original query string.
    RewriteCond %{REQUEST_URI} !^/index.html$
    RewriteRule .* http://newdomain.com/? [R=302,L]
    ServerName olddomain1.com
    ServerAlias olddomain2.com
    # mod_alias redirect for requests the rewrite rule above does not match
    Redirect permanent / http://newdomain.com/
</VirtualHost>
<VirtualHost *:80>
    ServerName newdomain.com
    ServerAdmin [email protected]
    DocumentRoot /var/www/newdomain.com
    TransferLog /var/log/apache2/newdomain.com-access_log
    ErrorLog /var/log/apache2/newdomaincom-error_log
</VirtualHost>
mod_authz_host
Great tool for restricting access to a virtual site, easy to read and understand. Add options to the <Directory> settings in the site conf file.
i.e.
<Directory /var/www/mysite.com/>
    Order Deny,Allow
    Deny from all
    Allow from 10.1.1.50
</Directory>
listen on non-standard port
On Ubuntu 14.04, this is done by adding a Listen line for the extra port to /etc/apache2/ports.conf:
~$ sudo vi /etc/apache2/ports.conf
Listen 80
Listen 8080
Troubleshooting
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
- Ubuntu 14.04
~$ echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/fqdn.conf
~$ sudo a2enconf fqdn
SSL Error: Invalid method in request \x16\x03\x01
I only started having SSL issues after moving to CloudFlare as a proxy so that they would provide me with a free SSL cert. I found that this issue appeared to be due to the fact my Virtual Host site conf was set up as such:
(snippet)
<VirtualHost https://wiki.r00tedvw.com:443>
    Servername https://wiki.r00tedvw.com
I changed it to this:
<VirtualHost *:443>
    Servername https://wiki.r00tedvw.com
Apparently, it is redundant and will cause issues if you list the hostname in the VirtualHost. In this instance, I only have (1) site live on the server, so this may not be the correct solution for a multi-tenant setup.
Hardening
Hardening is a must.
Disable options through virtual site conf
All of the following can be added to a virtual site conf file to harden it by disabling options that have been commonly used as attack vectors:
- Directory browsing
- Server side Includes
- CGI execution
- Symbolic links
i.e.
<Directory /var/www/mysite.com/>
    Options -Indexes -Includes -ExecCGI -FollowSymLinks
</Directory>
Disable SSLv2/3
Add the following to your apache virtual site config. I added mine right below the other SSL Entries specifying the engine, cert file and key file.
#Disable SSLv3
SSLProtocol All -SSLv2 -SSLv3
Hide Apache Version Number
i.e.
<Directory /var/www/mysite.com/>
    ServerSignature Off
</Directory>
Prevent directive inheritance
Primarily used to prevent inheritance of directives defined in .htaccess: with AllowOverride None, Apache ignores .htaccess files under the directory, which prevents unwanted directives from being loaded on the site.
i.e.
<Directory /var/www/mysite.com/>
    AllowOverride None
</Directory>
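A quick way to check a site conf against the Hardening items above, as an added example that is not part of the original page. The function names and the sample config are constructed for illustration, and the check looks for each directive anywhere in the file rather than per <Directory> block.

```shell
#!/bin/sh
# Added example: report which hardening directives from this section are
# absent from a site conf. Names and sample config are constructed.

# has_directive FILE REGEX: true if an uncommented line starts with REGEX.
has_directive() {
    grep -Ev '^[[:space:]]*#' "$1" | grep -Eiq "^[[:space:]]*$2"
}

# Prints one "MISSING: ..." line per absent setting, nothing if all are set.
audit_site_conf() {
    conf=$1
    for opt in Indexes Includes ExecCGI FollowSymLinks; do
        has_directive "$conf" "Options[[:space:]].*-$opt([[:space:]]|\$)" \
            || echo "MISSING: Options -$opt"
    done
    has_directive "$conf" 'ServerSignature[[:space:]]+Off' \
        || echo "MISSING: ServerSignature Off"
    has_directive "$conf" 'AllowOverride[[:space:]]+None' \
        || echo "MISSING: AllowOverride None"
    # SSLProtocol is only checked where the file enables SSL.
    if has_directive "$conf" 'SSLEngine[[:space:]]+on'; then
        for proto in SSLv2 SSLv3; do
            has_directive "$conf" "SSLProtocol[[:space:]].*-$proto([[:space:]]|\$)" \
                || echo "MISSING: SSLProtocol -$proto"
        done
    fi
}

# Constructed sample: SSLProtocol sits on a comment line, so it is inactive,
# and -FollowSymLinks was left out of Options.
sample_weak() {
cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    #Disable SSLv3 SSLProtocol All -SSLv2 -SSLv3
    <Directory /var/www/mysite.com/>
        Options -Indexes -Includes -ExecCGI
        ServerSignature Off
        AllowOverride None
    </Directory>
</VirtualHost>
EOF
}

tmp=$(mktemp) && sample_weak > "$tmp"
audit_site_conf "$tmp"
rm -f "$tmp"
```

Commented-out lines are skipped on purpose, so a directive that was pasted onto the same line as its comment is reported as missing.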