Apache Web Server

From Free Knowledge Base- The DUCK Project: information for everyone
Revision as of 18:37, 27 February 2019 by Admin (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search
   _______________________________________________________________
  /                                                               \
 |                A P A C H E   W E B   S E R V E R                |
  \                                                               /
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

   www.apache.org - The Apache Software Foundation - provides some
   of the best documentation in the software community.  There's no
   need to explain everything here.  This document is only a quick
   reference to some specific aspects of the Apache web server.


The .htaccess File and the <Directory> section .o.o.

Any .htaccess configuration may also be placed in the <Directory> section of the Apache server configuration file. It is recommended using <Directory> rather than .htaccess.

Password Protect directories:

Configure for password file, create a password file, and optional creation of a group file.

   AuthName "Message that appears in password prompt box"
   AuthType Basic
   AuthUserFile /filesystem/path/to/.webauth 
   require valid-user

Make sure that .webauth (or whatever you call the file) is user 'nobody'. Leading dot + proper Apache conf hides .webauth if present in a web shared directory. Place code in <Directory> or .htaccess

To create the password file, use Apache's htpasswd utility.

   htpasswd -c .webauth username
   htpasswd .webauth username2

Second line addes another user (no -c create flag). A group file is optional and is text. Group name on first line, semicolon, then a members list:

   mygroup: lazygirl, ractive, jim

!!!!! .htaccess troubleshooting / common problems !!!!!

  • check to ensure AllowOverride AuthConfig is set for the file system path to the protected directory. .htaccess MAY NOT BE ENABLED on a virtual domain basis, so check the Directory path. note: dir.conf

 

Server Version Identification

For security, privacy, or paranoia you may want to hide the version of Apache you are using from visitors to your server.

  • Locate in httpd.h the version number and change it.
 #define SERVER_BASEREVISION "9.9.99"

(This will disguise the version that appears in error messages with some versions of Apache web server)

  • Edit httpd.conf and add the following line:
 ServerTokens ProductOnly

(Limits the output identifiecation to only 'Apache' rather than the name, version, and operating system)

  • Edit httpd.conf and add or modify the following:
 ServerSignature Off 

(Apache reports absolutely no name or version data to clients)

 

Directory Browsing on a directory

Forbidden
You don't have permission to access /logo/ on this server.

If you would like to enable Directory Browsing for a specific directory you can do one of two things :

1. Add to your .htaccess file this line : Options Indexes

2. Add in your httpd.conf these lines :

<Directory /usr/your/directory/here>
   Options Indexes
</Directory>

 

Access Control by IP Address using the Apache Rewrite Engine

You need to enable the rewrite engine, mod_rewrite. You can do this within a virtual host. RewriteEngine on

In this example the banned IP addresses are stored in a text file called bannedips.txt. When said IP user visits the site, he/she is redirected to an alternative page.

   RewriteEngine on
   Rewritemap ipmap txt:/etc/apache/conf/bannedips.txt
   RewriteCond ${ipmap:%{REMOTE_ADDR}} ^b$ [NC]
   RewriteCond %{request_uri} !^/getlost.html$ [NC]
   RewriteRule .* /getlost.html [R,L]

There's a condition to prevent looping by exemption of the getlost.html page where upon the redirect destination message is. The format of the text file is IP address followed by the letter 'B', which could be anything, and must match the RewriteCond rule ^b$

   X.X.X.X b

The apache mod_rewrite module is very powerful allowing for complex URL manipulation. The apache.org web site has many details and examples.

Here is another way to ban an IP or range:

   RewriteCond %{REMOTE_ADDR} "^63\.148\.99\.2(2[4-9]|[3-4][0-9]|5[0-5])$"
   RewriteRule .* - [F,L]

The above example bans Cyveillance, a copyright bot used by the RIAA.

 

Using mod_ssl in Apache2 - configuration

Put the following in your ssl.conf file:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/var/run/ssl_mutex
</IfDefine>

Put the following in the virtual_host.conf file:

NameVirtualHost 192.168.0.2 
<IfDefine SSL>
<VirtualHost 192.168.0.2:443>
DocumentRoot "/home/httpd/secure-html-directory"
ServerName secure.yourcompany.com:443
ServerAdmin webmaster@yourcompany.com
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/certs/test.cert.cert
SSLCertificateKeyFile /etc/httpd/conf/certs/test.cert.key
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/home/httpd/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>                                  
</IfDefine>

 

Creating Self Signed "Test" SSL Certificates

Step one - create the key and request:

 openssl req -new > new.cert.csr

Step two - remove the passphrase from the key (optional):

 openssl rsa -in privkey.pem -out new.cert.key

Step three - convert request into signed cert:

  openssl x509 -in new.cert.csr -out new.cert.cert -req -signkey new.cert.key -days 365

The Apache-SSL directives that you need to use the resulting cert are:

 SSLCertificateFile /path/to/certs/new.cert.cert
 SSLCertificateKeyFile /path/to/certs/new.cert.key

When prompted for "Common Name (eg, YOUR name) []:" enter the website url to the secure address, example: secure.domain.com

source: http://www.apache-ssl.org/

Wed Aug 25 17:54:18 CDT 2004

Some Updated Information for Apache2

httpd.conf is now apache2.conf

Looking at the Apache2.conf File. The main configuration details for your Apache server are held in the "/etc/apache2/apache2.conf" file.

  1. apache2.conf: the main Apache2 configuration file. Contains settings that are global to Apache2.
  2. httpd.conf: historically the main Apache2 configuration file, named after the httpd daemon. Now the file does not exist. In older versions of Ubuntu the file might be present, but empty, as all configuration options have been moved to the below referenced directories.
  3. conf-available: this directory contains available configuration files. All files that were previously in /etc/apache2/conf.d should be moved to /etc/apache2/conf-available.
  4. conf-enabled: holds symlinks to the files in /etc/apache2/conf-available. When a configuration file is symlinked, it will be enabled the next time apache2 is restarted.
  5. envvars: file where Apache2 environment variables are set.
  6. mods-available: this directory contains configuration files to both load modules and configure them. Not all modules will have specific configuration files, however.
  7. mods-enabled: holds symlinks to the files in /etc/apache2/mods-available. When a module configuration file is symlinked it will be enabled the next time apache2 is restarted.
  8. ports.conf: houses the directives that determine which TCP ports Apache2 is listening on.
  9. sites-available: this directory has configuration files for Apache2 Virtual Hosts. Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations.
  10. sites-enabled: like mods-enabled, sites-enabled contains symlinks to the /etc/apache2/sites-available directory. Similarly when a configuration file in sites-available is symlinked, the site configured by it will be active once Apache2 is restarted.
  11. magic: instructions for determining MIME type based on the first few bytes of a file.