WebServer. Webserver. http http $: # - ;1< = '# 6 > 4? $, " 6789:

Transcription

1 WebServer Webserver - %,* +)(' & ' &!"$% webserver /% " %1 23 TCP/IP./) %% '0&$./) $: - ;1< = ' 6 > 4? $, " 1 " %& 6 -A = ' http %& http $%./% )('7 %B* + & D '&)(' $ 5 /CB %- % % 5$& '$ H'<G%%FE)$% ':B * + $ & D 5KJ/$, $ :I % & > 4? M$L5KG$%@L & 5 %6 > 4? 6789: //:http6 C7N5BL 'E7GB 5B %GJ'%45J$P 6 789" %& http./)-o %GJ/ % %

2 N5"L& &F%&$./)-/F%, )789M$6 + Q NST R: telnet J!V K% %5/CB& '& GB* + http remote 6 + %45J'% S$N-: U D& '&)(' ; W) ' 6 + GI> D% &$ & 5 % ' 6789,1 6789&/ http./) I % NG/1 BY P, & X-% & ' % %' ".B &$ -" > 4? 5 %3&$ - GGGNginx:Litespeed :Apache LightHttpd % B, * +X- '[1)% 5 Z '" %wget 5% -I %- P NZ 1H 9

3 wget J %L%,"-Z tar -xvf httpd tar.gz 5% B & 6 ;).K\ Z [Gconfigure ^%'.(']Z make make install * + 6 E7SB Nginx * +X- GB, ' SSH% Z J/1<"Q :E< Z service httpd stop J/" % nginx Z wget %'_ % %,"-Z tar -zxf nginx tar.gz %Bnginx R"% Z

4 cd nginx ^J/% - 5%]J/-Q * + Z./configure without-select_module without-poll_module withouthttp_charset_module without-http_gzip_module withouthttp_ssi_module without-http_userid_module withouthttp_access_module without-http_auth_basic_module withouthttp_autoindex_module without-http_geo_module withouthttp_map_module without-http_referer_module withouthttp_rewrite_module without-http_fastcgi_module withouthttp_memcached_module without-http_limit_zone_module withouthttp_limit_req_module without-http_empty_gif_module withouthttp_browser_module without-http_upstream_ip_hash_module withoutmail_pop3_module without-mail_imap_module withoutmail_smtp_module without-pcre with-openssl=/usr/lib/openssl withipv6 make make install J/% -6 5%( (0* + wget tar -xvfz lsws std-i386-linux.tar.gz cd lsws /install.sh % * + -/E `) N& * +.K2)$N5CR H'6? NQ %GJ'.('(0 3) %\ php(0. MysqlGGG5" '-$1a N %Load PHP 7'B87$ * EQ % `B'c5<52 b =$`-)O %d (0 D(0 -.

5 (052

6 GBC/etc/httpd NB % % conf.d conf & 5'%%BN %' % % runlogs modulessymbolic link %7 symbolic link- = `N%I %GI %&< J$linkN%&< 'Symbolic /usr/lib/httpd/modules& 5'% symbolic link: modules." % % magichttpd.conf&$."%confb %[ % -&$."conf.d B %[ G% % man command&$ '@-' =$."Nmanual.conf NGGG$X- e$$ -5http://ip/manual%- B' G'%45 I %N-

7 ` % \' %5$ html" '$."N!I K /var/www/manuali % % 3."N6 5> phpp U.so JF 52 :/N<) php Sphp.conf.%6 E"DJ5:.7N 87/Load '% 9."N& 5'%D % -]GJ' P 5;% &$& 5'% ^%B GBJ;)DirectoryIndex index.phpc'& =$."N6 5>

8 G$ perl&$."(/&3-3perl.conf."n6 5>

9

10 :tomcat1ang/load mod_proxy_ajp.so."proxy_ajp.conf G/? 6 % %AJP/1.3 backend server proxyinge."n6 5> -7pythonG/Load python1a."npython.conf G."N6 5>

11

12 G$ B* + P % %> T )README GG'<R=."NJ/%2, '."N6 5> G cache server&- &! Dsquidsquid.conf."N6 5> G'<3."N SSL-C5, & J;)23ssl.conf."N6 5> cat /etc/httpd/conf.d/ssl.conf less GGG'<3."N LX =&$fj;)23welcome.conf

13 I %&=f & '$,."N65>L1H 9 G%% /var/www/error/noindex.html."n6 5> G%, 5- $."Nwebalizer.conf N& % %.")$X!L'G L!RDwenalizer GGG5B%%- > 4? N:%%."N6 5> % % /etc/httpd/confb %$." Httpd.conf, magic D' 'g + P &$'Jh87&D.B %'magic."."n B%% gif" /7D %58H:/ G % D'23"? GGG$ Y P,)."N 5S)!

14 N& J%'<5, 'GG N& /."'Httpd.conf GJ$%." '- nano&f, D /etc/httpd/conf/httpd.conf." nano /etc/httpd/conf/httpd.conf nanof, -% > T ) '%45ctrl + w&$'%-%&\53& `, 4 EnterY( ctrl + x '%%6f)&-c& & /." %&!$O %]$subcomponents$% % )789ServerTokens.H GB 1<"Q %45i? -&LE323G^/X "B%% &$."'G BN)0 ServerRoot /etc/httpd ^GGG:6 ;):$1a]`B' %logconf :J5$$, 1K %%'- ) % B> 4? N8HTimeout 120 G$time outn %45 % % % %D-5, ConnectionDLKeepAlive Off GConnectionN5B%F-X 4jKeepAliveO %G$ )$-3connection$ '&%<)N5, MaxKeepAliveRequests 100 G%- request ' k& ;5H'KKeepAliveTimeout 15 CoreJF 52.? %`5$* +& default 9 $1a-l< <IfModule 1a.c>.. </IfModule> prefork1a.h`5$, % & /." %F$1a prefork1a

15 -Q& $ %<)StartServers % 2Fm 9 5'$%<).KMinSpareServers % %Fm 9 5'$%<)H'KMaxSpareServers '1C '$MaxClient%<)N5, ServerLimit B 5B%5Client$'$%<)N5, MaxClients ^] $n & %%<)N5, MaxRequestsPerChild L % /R)X%-n D:5 %@2 5'R ^ Dn ]G' `5$$k$ thread7\-^$ ]$n multi-threaded D& Multi-Processing1a&3worker1a multi-process -Q& $ %<)StartServers simultaneous client connection%<)n5, MaxClient & %Fm& '^$k]$st &$L '%<)N5'MinSpareThreads G, Fm& '^$k]$st &$L '%<)N5, MaxSpareThreads G, & % $ %^$k]$st &$L ' o%<)threadsperchild G/.7 $& %%<)N5, MaxRequestsPerChild

16 ^n ] DX%-prefork'Nworkerprefork1aN p"o % Listen :80 Listen 80 ` =worker$h $ % k& 6 Dynamic Shared Object (DSO) `5, suphp`j 0 suphp DSOI % phpj5 G%'Load'$.so&DGGG%."N-@P N&? > T ) cern_meta asis1a WC)@P LoadModule cern_meta_module modules/mod_cern_meta.so LoadModule asis_module modules/mod_asis.so HTTP headers &K."1 X4jmod_asis Mod_cern_meta : Emulate the CERN HTTPD Meta file semantics. Meta files are HTTP headers that can be output in addition to the normal range of headers for each file accessed. They appear rather like the Apache.asis files, and are able to provide a crude way of influencing the Expires: header, as well as providing other curiosities. There are many ways to manage meta information, this one was chosen because there is already a large number of CERN users who can exploit this moduleg CERN httpd metafile semantics?8 `5$1<"Q1< 9 :p"1a%5cr Include conf.d/*.conf@p %& /&$.")'<N ^Include conf.d/*.conf]5 N Include conf.d/*.conf ^'Load]`'3P etc/httpd/conf.d[i % ExtendedStatus On@P ExtendedStatus On J5^J %J$'-5CR]:J$% ON NL LB'<W1 %5GJ'$, <T User apache J/$, -f J server status The default is Off L^ '] -N<)@P

17 Group apache &-$:B run '5:$default 9 %N %- 3) $JNJ51KGGG$, p"&$ : J$%f) Main' server configuration%@p All of these directives may appear inside <VirtualHost> containersq in which case these default settings will be overridden for the virtual host being definedg VirtualHost-& VirtualHost :80 ServerName resellers.ghorbani.us ServerAlias DocumentRoot /home/ghorbani/public_html/resellers ServerAdmin [email protected] UseCanonicalName On Options -ExecCGI -Includes RemoveHandler cgi-script.cgi.pl.plx.ppl.perl CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us combined CustomLog /usr/local/apache/domlogs/resellers.ghorbani.us-bytes_log G"%{%s}t %I.\n%{%s}t %O User ghorbani Needed for Cpanel::ApacheConf IfModule mod_suphp.c suphp_usergroup ghorbani ghorbani IfModule[ IfModule!mod_disable_suexec.c SuexecUserGroup ghorbani ghorbani IfModule[ [ScriptAlias /cgi-bin/ /home/ghorbani/public_html/resellers/cgi-bin To customize this VirtualHost use an include file at the following location Include "/usr/local/apache/conf/userdata/std/2/ghorbani/resellers.ghorbani.us/*.conf

18 VirtualHost[ '%, %\ & /." %J$VirtualHostDJ/%\ '^ -]$$ $& 6 /$1a J5 )$ 5%N GJ'1<"Q[1<" & resellers.ghorbani.us 'Cp"% %' 9$ServerName G% %% :806 I % B % 'N&$.")DocumentRoot GF /home/ghorbani/public_html/resellers &=f ')> 4? %' 'N Y 5P.NServerAdmin./, 5=> 4? N B.+ 5 '%, %%@0 G% rf %[email protected] %. % G%Bc\' %5" 'N&$% '$, CustomLog GBC1<" '& J$suphp1a VirtualHost ServerName site1.domain.com DocumentRoot /var/httpd/www/site1 ServerPath /site1 VirtualHost[ VirtualHost ServerName site2.domain.com DocumentRoot /var/httpd/www/site2 ServerPath /site2 VirtualHost[ J$%@I %&D %J5FN) $% & /." % -%"'.@P ServerAdmin: Your address, where problems with the server should be ed. This address appears on some server-generated pages, such as error documents. e.g. [email protected] ServerAdmin root@localhost

19 GGG$X!LB.N./, L$- 6? % ServerName@P DNS L'%:$ ) 5 5$M$BL J/%2,N GGG/ 'B %/%\%$& &C5< name GGGF &3 UseCanonicalName&$$ $, % I %& % 5B: * + -] N-'%45C5<N%D-I %&N&\ $P L1K:' ^FD' ServerName gives the name and port that the server uses to identify itself. This can often be determined automatically, but we recommend you specify it explicitly to prevent problems during startup. If this is not set to valid DNS name for your host, server-generated redirections will not work. See also the UseCanonicalName directive. If your host doesn't have a registered DNS name, enter its IP address here. You will have to access it by its address anyway, and this will make redirections work in a sensible way. ServerName 1/'-%45@P UseCanonicalName: Determines how Apache constructs self-referencing URLs and the SERVER_NAME and SERVER_PORT variables. When set "Off", Apache will use the Hostname and Port supplied by the client. When set "On", Apache will use the value of the ServerName directive. UseCanonicalName Off On UseCanonicalName5ServerName7 N%-%456? % G' DocumentRoot@P %@23%&$."%% & & 5'%I % var/www/html[

20 DocumentRoot: The directory out of which you will serve your documents. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations. DocumentRoot "/var/www/html" & 5'%B 5B%5%$B' 'J;)5 5B[B 5B%5% $ Each directory to which Apache has access can be configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories). First, we configure the "default" to be a very restrictive set of features. <Directory /> Options FollowSymLinks AllowOverride None </Directory> 5% 5%'M$^root][& 5'%C'& =$:p" % G'^\ 53]X%L % Directory "/var/www/html@p G'f) BDocumentRoot 3) N This should be changed to whatever you set DocumentRoot to. <Directory "/var/www/html"> Options Indexes FollowSymLinks@P Possible values for the Options directive are "None", "All", or any combination of: Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews Note that "MultiViews" must be named *explicitly* --- "Options All" doesn't give it to you. The Options directive is both complicated and important. Please see

21 for more information. Options Indexes FollowSymLinks W)$symbolic link%'1c%&< Options Indexes FollowSymLinks G AllowOverride@P All", J$%G%F htaccessg %$.7 5%J$ -3J5 Options FileInfo GB 5&E'6E'-C')$"None AuthConfig Limit AllowOverride controls what directives may be placed in.htaccess files. It can be "All", "None", or any combination of the keywords: Options FileInfo AuthConfig Limit AllowOverride None G%, 17htaccessG." %p"j;) E7 5%M$ Controls who can get stuff from this server. Order allow,deny Allow from all </Directory> UserDir@P I % 'F& 5'%5`" %& user %6? % GB ~userid/public_html 'B 5B%3) B 5%&-\ & % userid B 5%-\ & % J$userid/public_html GB W" '&$.") UserDir: The name of the directory that is appended onto a user's home directory if a ~user request is received. The path to the end user account 'public_html' directory must be accessible to the webserver userid. This usually means that ~userid must have permissions of 711, ~userid/public_html must have permissions of 755, and documents contained therein must be world-readable.

22 Otherwise, the client will only receive a "403 Forbidden" message. See also: <IfModule mod_userdir.c> UserDir is disabled by default since it can confirm the presence of a username on the system (depending on home directory permissions). UserDir disable To enable requests to /~user/ to serve the user's public_html directory, remove the "UserDir disable" line above, and uncomment the following line instead: UserDir public_html </IfModule> UserDir&$& 5' % 5%15'@P $D %1H& :5$ '&$& 5' % $5%15' %B B W""L X )E" Control access to UserDir directories. The following is an example for a site where these directories are restricted to read-only. <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS> Order deny,allow Deny from all </LimitExcept> </Directory>

23 DirectoryIndex& 5'%D6? N'$:- ~userid/public_html/linuxtalk & 5'% D N8H Default 9 %B%%@@2 > 4? :C ' % DirectoryIndex: sets the file that Apache will serve if a directory is requested. The index.html.var file (a type-map) is used to deliver content- negotiated documents. The MultiViews Option can be used for the same purpose, but it is much slower. DirectoryIndex index.html index.html.var AccessFileName@P G%,%45$& 5'%& 23.htaccess AccessFileName: The name of the file to look for in each directory for additional configuration directives. See also the AllowOverride directive. AccessFileName.htaccess `%, %8'W).htpasswd^$U=]htaccess G&$." The following lines prevent.htaccess and.htpasswd files from being viewed by Web clients. <Files ~ "^\.ht"> Order allow,deny Deny from all </Files> 46>T) order allow,deny allow from deny from all deny from peyman.com $ -3%%&< Allow from all $ -3%&< Deny from all B 5B%5%&W" ^B S]B 5B5%Peyman.comN%

24 IndexOptions option [Option] Description Width=[ns ] $IndexOption./BN 2&L > $OptionN52- :B s LG%BY P,5' '* K tt)519'$-3 FancyIndexing IconHeight GB$tT )N)09-5-F $6 789&-* )>)& &5, 15'-3 ' /N<) HTML&$DE/BA 719 mime1a 5%]6 789^"]S.? %:J rfm5b '$."$) /etc/mime.types."&5> -, P G/N<) ^ /Y P, mime.types."i %-% % TypesConfig describes where the mime.types file (or equivalent) is to be found. TypesConfig /etc/mime.types

25 DefaultType is the default MIME type the server will use for a document if it cannot otherwise determine one, such as from filename extensions. If your server contains mostly text or HTML documents, "text/plain" is a good value. If most of your content is binary, such as applications or images, you may want to use "application/octet-stream" instead to keep browsers from trying to display binary files as though they are text. DefaultType text/plain The mod_mime_magic module allows the server to use various hints from the contents of the file itself to determine its type. The MIMEMagicFile directive tells the module where the hint definitions are located. <IfModule mod_mime_magic.c> MIMEMagicFile /usr/share/magic.mime MIMEMagicFile conf/magic </IfModule> HostnameLookups@P B OffLGC C5<DNS N%D5$&% B on NL Q N5, '9P 'GC I %& 5 ' G/1<" HostnameLookups: Log the names of clients or just their IP addresses e.g., (on) or (off). The default is off because it'd be overall better for the net if people had to knowingly turn this feature on, since enabling it means that each client request will result in AT LEAST one lookup request to the nameserver. HostnameLookups Off EnableMMAP@P G% %451K %memory-mapping'3$15' memory-mapping52 :%, &$ '% 0 u 7 6$L -GGB 1<"Q

26 5 memory-mapping : multiprocessor&$ J5 - l< & G$%@$' performance N/')? %GGG."D%'m%')' G'crash J$ - NFSBmount&$."%'1<"Q& <Directory "/path-to-nfs-files"> EnableMMAP Off </Directory> EnableMMAP: Control whether memory-mapping is used to deliver files (assuming that the underlying OS supports it). The default is on; turn this off if you serve from NFS-mounted filesystems. On some systems, turning it off (regardless of filesystem) can improve performance; for details, please see EnableMMAP off EnableSendfile@P EnableSendfile: Control whether the sendfile kernel support is used to deliver files (assuming that the OS supports itg^ The default is on; turn this off if you serve from NFS-mounted filesystems. Please see EnableSendfile off ErrorLog@P <VirtualHost> 5%^$% ]&$v 0=&$f& /DN<) ErrorLog: The location of the error log file. If you do not specify an ErrorLog directive within a <VirtualHost> container, error messages relating to that virtual host will be logged here. If you *do* define an error logfile for a <VirtualHost> container, that host's errors will be logged there and not here. ErrorLog logs/error_log LogLevel@P Z error_log. B% &$f$t=%<)15' debug, info, notice, warn, error, crit,n/%n' Z

27 Child cannot alert, emerg. B 6>T) emerg 1H & G%,_ %45. Q :a getpwuid: couldn't determine user name open lock file, exiting alert 1H & G-0 & from uid crit socketl Failed to get a socket, exiting child1h& G> WB error Premature end of script headers1& G%FC ' warn child process H& G %3) -5J2%-'Eh did not exit, sending another SIGHUP notice httpd: 1H & GB 5B% - N/ ' R< &$% GGGcaught SIGBUS, attempting to dump core in info server seems busy, (you may need to increase 1H& G GG^StartServers, or Min/MaxSpareServers debug G%, %45%-1/B23 LogLevel: Control the number of messages logged to the error_log. Possible values include: debug, info, notice, warn, error, crit, alert, emerg. LogLevel warn BcF'$% " WC)'F%@P % The following directives define some format nicknames for use with a CustomLog directive (see below).

28 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent "combinedio" includes actual counts of actual bytes received (%I) and sent (%O); this requires the mod_logio module to be loaded. LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- Agent}i\" %I %O" combinedio The location and format of the access logfile (Common Logfile Format). If you do not define any access logfiles within a <VirtualHost> container, they will be logged here. Contrariwise, if you *do* define per-<virtualhost> access logfiles, transactions will be logged therein and *not* in this file. CustomLog logs/access_log common If you would like to have separate agent and referer logfiles, uncomment the following directives. CustomLog logs/referer_log referer CustomLog logs/agent_log agent For a single logfile with access, agent, and referer information (Combined Logfile Format), use the following directive: CustomLog logs/access_log combined l@p Optionally add a line containing the server version and virtual host name to server-generated pages (internal error documents, FTP directory

29 listings, mod_status and mod_info output etc., but not CGI generated documents or custom error documents). Set to " " to also include a mailto: link to the ServerAdmin. Set to one of: On Off ServerSignature On %%@:B 1<" NL:B B* + & '$1a) G%, Alias@P > 4? %J5 & 5'%D N/'R `J$%, % GGGJ/%45Alias- 'N& B% %N & /." %' Aliases: Add here as many aliases as you need (with no limit). The format is Alias fakename realname Note that if you include a trailing / on fakename then the server will require it to be present in the URL. So "/icons" isn't aliased in this example, only "/icons/". If the fakename is slash-terminated, then the realname must also be slash terminated, and if the fakename omits the trailing slash, the realname must also omit itg We include the /icons/ alias for FancyIndexed directory listings. If you do not use FancyIndexing, you may comment this outg Alias /icons/ "/var/www/icons [ Directory "/var/www/icons Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all Directory[

30 &D %' icons& 5'% Default 9 :p"% % G% %@ & GG% % % :J/ %\ /var/www/b %'& 5'%$< ` D BN %& 5'%$%\ --` 3O %k GJ'"T & /." %alias % /var/www/b %Peyman& 5/%J %+:1H 9 cd /var/www mkdir peyman cd peyman nano index.html salam ctrl + x > Y : 1H 9 :J$ J %%&!$ J/c( ` ' `%, X "4=Ralias%'"T nano /etc/httpd/conf/httpd.conf J$ -%iconsscriptalias@p % Alias /peyman/ "/var/www/peyman/" <Directory "/var/www/peyman"> Options Indexes MultiViews AllowOverride None Order allow,deny Allow from all </Directory> `5$%L %& 5/%N$, %N1K:'&-c J20 %[''% WebDAV1a6;)@P

31 w R) &$O-)& HTTP^6 "T ]$T &DWebDAV1a 1H.hN) DR WebDAV module configuration section. <IfModule mod_dav_fs.c> Location of the WebDAV lock database. DAVLockDB /var/lib/dav/lockdb </IfModule> G%- /BB& `N27 &$(/& 5'%15' '$documents!3(alias) <5&$$& ScriptAlias 3 W)'$ \<J& %$&$& 5/% G/1client& &documents%b %'O$, J/%\' $& 5'%J54L,:N& 1H `J$ N % ^ Peyman& 5'%], &-%N &$(/:)% 9 ScriptAlias /cgi-sys /usr/local/cpanel/cgi-sys[ ScriptAlias /mailman /usr/local/cpanel/3rdparty/mailman/cgi-bin[ JB %' B % N' "/var/www/cgi-bin" should be changed to whatever your ScriptAliased CGI directory exists, if you have that configured. <Directory "/var/www/cgi-bin"> AllowOverride None Options None Order allow,deny Allow from all </Directory> ReDirect-3 Redirect allows you to tell clients about documents which used to exist in your server's namespace, but do not anymore. This allows you to tell

32 clients where to look for the relocated documentg Example Redirect permanent /foo `'V rk :p" %'1<"& GB%%15 /foob /15' /%\ '$& N IndexOptions: Controls the appearance of server-generated directory listings. IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable P,) `"D& %:J/%E% & '$.") /etc/httpd/confi % %magic." /S3 ' G5"& %;%."N-:, R& 5/% %'$." '&$/ e6>t) J$ f)j5 & / AddIcon* directives tell the server which icon to show for different files or filename extensions. These are only displayed for FancyIndexed directories. AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip AddIconByType (TXT,/icons/text.gif) text/* AddIconByType (IMG,/icons/image2.gif) image/* AddIconByType (SND,/icons/sound2.gif) audio/* AddIconByType (VID,/icons/movie.gif) video/* %, %%@icons/binary.gif/.bin" E"8H AddIcon /icons/binary.gif.bin.exe AddIcon /icons/binhex.gif.hqx AddIcon /icons/tar.gif.tar AddIcon /icons/world2.gif.wrl.wrl.gz.vrml.vrm.iv AddIcon /icons/compressed.gif.z.z.tgz.gz.zip AddIcon /icons/a.gif.ps.ai.eps AddIcon /icons/layout.gif.html.shtml.htm.pdf

33 AddIcon /icons/text.gif.txt AddIcon /icons/c.gif.c AddIcon /icons/p.gif.pl.py AddIcon /icons/f.gif.for AddIcon /icons/dvi.gif.dvi AddIcon /icons/uuencoded.gif.uu AddIcon /icons/script.gif.conf.sh.shar.csh.ksh.tcl AddIcon /icons/tex.gif.tex AddIcon /icons/bomb.gif core AddIcon /icons/back.gif.. AddIcon /icons/hand.right.gif README AddIcon /icons/folder.gif ^^DIRECTORY^^ AddIcon /icons/blank.gif ^^BLANKICON^^ DefaultIcon is which icon to show for files which do not have an icon explicitly set. DefaultIcon /icons/unknown.gif AddDescription allows you to place a short description after a file in server-generated indexes. These are only displayed for FancyIndexed directories. Format: AddDescription "description" filename AddDescription "GZIP compressed document".gz AddDescription "tar archive".tar AddDescription "GZIP compressed tar archive".tgz IndexIgnore@P F $& 5'% %C'$."J& %, IndexIgnore GBR IndexIgnore is a set of filenames which directory indexing should ignore and not include in the listing. Shell-style wildcarding is permitted. IndexIgnore.??* *~ * HEADER* README* RCS CVS *,v *,t -@P

34 GGG'C5, J$F% --2:J-'$J5 DefaultLanguage and AddLanguage allows you to specify the language of a document. You can then use content negotiation to give a browser a file in a language the user can understand. Specify a default language. This means that all data going out without a specific language tag (see below) will be marked with this one. You probably do NOT want to set this unless you are sure it is correct for all cases. * It is generally better to not mark a page as * being a certain language than marking it with the wrong * language! DefaultLanguage nl Note 1: The suffix does not have to be the same as the language keyword --- those with documents in Polish (whose net-standard language code is pl) may wish to use "AddLanguage pl.po" to avoid the ambiguity with the common suffix for perl scripts. Note 2: The example entries below illustrate that in some cases the two character 'Language' abbreviation is not identical to the two character 'Country' code for its country, E.g. 'Danmark/dk' versus 'Danish/da'. Note 3: In the case of 'ltz' we violate the RFC by using a three char specifier. There is 'work in progress' to fix this and get the reference data for rfc1766 cleaned up. Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de) Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja) Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn) Norwegian (no) - Polish (pl) - Portugese (pt) Brazilian Portuguese (pt-br) - Russian (ru) - Swedish (sv) Simplified Chinese (zh-cn) - Spanish (es) - Traditional Chinese (zh-tw)

35 AddLanguage ca.ca AddLanguage cs.cz.cs AddLanguage da.dk AddLanguage de.de AddLanguage el.el AddLanguage en.en AddLanguage eo.eo AddLanguage es.es AddLanguage et.et AddLanguage fr.fr AddLanguage he.he AddLanguage hr.hr AddLanguage it.it AddLanguage ja.ja AddLanguage ko.ko AddLanguage ltz.ltz AddLanguage nl.nl AddLanguage nn.nn AddLanguage no.no AddLanguage pl.po AddLanguage pt.pt AddLanguage pt-br.pt-br AddLanguage ru.ru AddLanguage sv.sv AddLanguage zh-cn.zh-cn AddLanguage zh-tw.zh-tw LanguagePriority allows you to give precedence to some languages in case of a tie during content negotiation. Just list the languages in decreasing order of preference. We have more or less alphabetized them here. You probably want to change this. LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-br ru sv zh-cn zh-tw ForceLanguagePriority allows you to serve a result page rather than

36 MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback) [in case no accepted languages matched the available variants] ForceLanguagePriority Prefer Fallback Specify a default charset for all content served; this enables interpretation of all content as UTF-8 by default. To use the default browser choice (ISO ), or to allow the META tags in HTML content to override this choice, comment out this directive: AddDefaultCharset UTF-8GGGX 5S'J$N & x7b''j$f%&$@p :B%%tT )$@P N) BP 3B AddType allows you to add to or override the MIME configuration file mime.types for specific file types. AddType application/x-tar.tgz AddEncoding allows you to have certain browsers uncompress information on the fly. Note: Not all browsers support this. Despite the name similarity, the following Add* directives have nothing to do with the FancyIndexing customization directives above. AddEncoding x-compress.z AddEncoding x-gzip.gz.tgz If the AddEncoding directives above are commented-out, then you probably should define those extensions to indicate media types: AddType application/x-compress.z AddType application/x-gzip.gz.tgz AddHandler allows you to map certain file extensions to "handlers":

37 actions unrelated to filetype. These can be either built into the server or added with the Action directive (see below) To use CGI scripts outside of ScriptAliased directories: (You will also need to add "ExecCGI" to the "Options" directive.) AddHandler cgi-script.cgi For files that include their own HTTP headers: AddHandler send-as-is asis For type maps (negotiated resources): (This is enabled by default to allow the Apache "It Worked" page to be distributed in multiple languages.) AddHandler type-map var Filters allow you to process content before it is sent to the client. To parse.shtml files for server-side includes (SSI): (You will also need to add "Includes" to the "Options" directive.) AddType text/html.shtml AddOutputFilter INCLUDES.shtml Action lets you define media types that will execute a script whenever a matching file is called. This eliminates the need for repeated URL pathnames for oft-used CGI file processors. Format: Action media/type /cgi-script/location Format: Action handler-name /cgi-script/location Customizable error responses come in three flavors: 1) plain text 2) local redirects 3) external redirects

38 Some examples: ErrorDocument 500 "The server made a boo boo." ErrorDocument 404 /missing.html ErrorDocument 404 "/cgi-bin/missing_handler.pl" ErrorDocument Putting this all together, we can internationalize error responses. We use Alias to redirect any /error/http_<error>.html.var response to our collection of by-error message multi-language collections. We use includes to substitute the appropriate text. You can modify the messages' appearance without changing any of the default HTTP_<error>.html.var files by adding the line: Alias /error/include/ "/your/include/path/" which allows you to create your own set of files by starting with the /var/www/error/include/ files and copying them to /your/include/path/, even on a per-virtualhost basis. Alias /error/ "/var/www/error/" <IfModule mod_negotiation.c> <IfModule mod_include.c> <Directory "/var/www/error"> AllowOverride None Options IncludesNoExec AddOutputFilter Includes html AddHandler type-map var Order allow,deny Allow from all LanguagePriority en es de fr ForceLanguagePriority Prefer Fallback </Directory>

39 ErrorDocument 400 /error/http_bad_request.html.var ErrorDocument 401 /error/http_unauthorized.html.var ErrorDocument 403 /error/http_forbidden.html.var ErrorDocument 404 /error/http_not_found.html.var ErrorDocument 405 /error/http_method_not_allowed.html.var ErrorDocument 408 /error/http_request_time_out.html.var ErrorDocument 410 /error/http_gone.html.var ErrorDocument 411 /error/http_length_required.html.var ErrorDocument 412 /error/http_precondition_failed.html.var ErrorDocument 413 /error/http_request_entity_too_large.html.var ErrorDocument 414 /error/http_request_uri_too_large.html.var ErrorDocument 415 /error/http_unsupported_media_type.html.var ErrorDocument 500 /error/http_internal_server_error.html.var ErrorDocument 501 /error/http_not_implemented.html.var ErrorDocument 502 /error/http_bad_gateway.html.var ErrorDocument 503 /error/http_service_unavailable.html.var ErrorDocument 506 /error/http_variant_also_varies.html.var </IfModule> </IfModule> The following directives modify normal HTTP response behavior to handle known problems with browser implementations. BrowserMatch "Mozilla/2" nokeepalive BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response- 1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 The following directive disables redirects on non-get requests for a directory that does not include the trailing slash. This fixes a

40 problem with Microsoft WebFolders which does not appropriately handle redirects for folders with DAV methods. Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully BrowserMatch "^gnome-vfs/1.0" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully Allow server status reports generated by mod_status, with the URL of Change the ".example.com" to match your domain to enable. <Location /server-status> SetHandler server-status Order deny,allow Deny from all Allow from.example.com </Location> Allow remote server configuration reports, with the URL of (requires that mod_info.c be loaded). Change the ".example.com" to match your domain to enable. <Location /server-info> SetHandler server-info Order deny,allow Deny from all Allow from.example.com </Location> Proxy Server directives. Uncomment the following lines to

41 enable the proxy server: <IfModule mod_proxy.c> ProxyRequests On <Proxy *> Order deny,allow Deny from all Allow from.example.com </Proxy> Enable/disable the handling of HTTP/1.1 "Via:" headers. ("Full" adds the server version; "Block" removes all outgoing Via: headers) Set to one of: Off On Full Block ProxyVia On To enable a cache of proxied content, uncomment the following lines. See for more details. <IfModule mod_disk_cache.c> CacheEnable disk / CacheRoot "/var/cache/mod_proxy" </IfModule> </IfModule> End of proxy directives. Section 3: Virtual Hosts VirtualHost: If you want to maintain multiple domains/hostnames on your machine you can setup VirtualHost containers for them. Most configurations use only name-based virtual hosts so the server doesn't need to worry about

42 IP addresses. This is indicated by the asterisks in the directives below. Please see the documentation at <URL: for further details before you try to setup virtual hosts. You may use the command line option '-S' to verify your virtual host configuration. Use name-based virtual hosting. NameVirtualHost *:80 NOTE: NameVirtualHost cannot be used without a port specifier (e.g. :80) if mod_ssl is being used, due to the nature of the SSL protocol. VirtualHost example: Almost any Apache directive may go into a VirtualHost container. The first VirtualHost section is used for requests without a known server name. '&-=X!L1 & :w E5P&$.N<) <VirtualHost *:80> ServerAdmin [email protected] DocumentRoot /www/docs/dummy-host.example.com ServerName dummy-host.example.com ErrorLog logs/dummy-host.example.com-error_log CustomLog logs/dummy-host.example.com-access_log common </VirtualHost> Include /etc/httpd/conf.d/nagios.conf Include /etc/httpd/conf.d/apcupsd.conf ^@]% % -I % % log

43 ls /usr/local/httpd[ [ mkdir /usr/local/apache cd /usr/local/apache mkdir bin conf logs chown 0. bin conf logs chgrp 0. bin conf logs 5% ServerRoot&$& 5'%-\ t=n<) L."/Rf) Change Group OwnershipL/Rf) $& 5'% 5%-\ f) chmod 755. bin conf logs mkdir /usr/local/apache cd /usr/local/apache logs confbin&$& 5'% mkdir bin conf logs chown 0. bin conf logs L."/Rf) Change Group OwnershipL/Rf) chgrp 0. bin conf logs chmod 755. bin conf logs B y8?. 6 W)W"usr/local[qusr[q[ cp httpd /usr/local/apache/bin chown 0 /usr/local/apache/bin/httpd chgrp 0 /usr/local/apache/bin/httpd chmod 511 /usr/local/apache/bin/httpd <Directory /> AllowOverride None </Directory> System Settings-;"> $% htaccessg % -%

44 R< 9 &$."-;"K This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server's configuration: '\ 53^6 ][B %5'M$ <Directory /> Order Deny,Allow Deny from all </Directory> This will forbid default access to filesystem locations. Add appropriate Directory blocks to allow access only in those areas you wish. For example, B 5B%5%public_html $ <Directory /usr/users/*/public_html> Order Deny,Allow Allow from all </Directory> <Directory /usr/local/httpd> Order Deny,Allow Allow from all </Directory> F%5%/E7 %'NX $6? NQ %:'.? K9B &$MN* + -5 G &$1a ' SX F.C- I K6 789%'4P G & B* + ServerSignature Off ServerTokens Prod %B3^apache]%$L& 't= % '.? K9G User apache Group apache GBCI 5%. web root!3 &F%&$B %BNz=.4 [Directory Order Deny,Allow Deny from all

45 Options None AllowOverride None Directory[ Directory /web Order Allow,Deny Allow from all Directory[ G- '- &$BR$, E G Options Indexes - '- $B{ )-%45 V 9-$B%E G Options Includes Options ExecCGI Options FollowSymLinks Options None '1<"Q /&3E G G$%k %.C&$DR $-3G -1<"Q L6 5!LG 1%<!LN Options -ExecCGI -FollowSymLinks Indexes '1<"Q htaccessg&2e"-c5, G AllowOverride None :'17!R5%t= %f) p"."j)-6? % AccessFileName.httpdoverride Files ~ "^\.ht Order allow,deny Deny from all Satisfy All Files[ E31H 9 GB S$&, -Q.ht '$." { )E"/ 'N''* + % & mod_security1ag /J$"B & 5, <3http:// 5, 6789&

46 , 1<"Q-&$1aG mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex^ 5B &\ 53 grep LoadModule." %httpd.confu=nn51<"q GB, ' %> &$B 5%t=''.? K9G B 6 L 6 /R>)-&$I % chown -R root:root /usr/local/apache chmod -R o-rwx /usr/local/apache G' P 5 % ;5& B)-6 & /'&%7G Timeout 45 F F-5L! %&E3G LimitRequestBody imitrequestfields,limitrequestfieldsize,limitrequestline%g 'J;)I %6 8K-&LE323%&$ %%<)C '%> mod_dav1a&36? % XML5!G LimitXMLRequestBody !$&3%'%> G 5 % F & L6 ;)!$X-%/ 1H& % % %> 6? %:% %3 5 %D& '2-J!L B%=%N% %-;"K!LMaxClients:%!R6 =F@$' MaxSpareServers, MaxRequestsPerChild % 6 / * 5% P 5rRG%3 %%5'F%, % Apache 2 ThreadsPerChild, ServerLimit, MaxSpareThreads %> &$% '& -%456? %& 5%%'%> G Order Deny,Allow Deny from all Allow from /16 %N<B G/CBg %>

47 Or by IP Order Deny,Allow Deny from all Allow from G )5!LNt>? J;) 6>T)."63 }C9 '! * P 5rRG'"T '? % MaxKeepAliveRequests 100 KeepAliveTimeout P 5N %% $ GB%% A 4, 6? 1 % ChrootW> % &3G SecChrootDir /chroot/apache /J$" BI C> R!W> D % &3/Chroot G/C5, 5 R!W> N-mod_security1a''c -0 IPD6 0+)%'%> FF rpm ivh 5%* + wget tar xzvf mod_limitipconn-0.04.tar.gz cd mod_limitipconn-0.04 make make install & /." %6 ;)& ExtendedStatus On Only needed if the module is compiled as a DSO LoadModule limitipconn_module lib/apache/mod_limitipconn.so AddModule mod_limitipconn.c <IfModule mod_limitipconn.c> <Location /somewhere> MaxConnPerIP 3

48 exempting images from the connection limit is often a good idea if your web page has lots of inline images, since these pages often generate a flurry of concurrent image requests NoIPLimit image/* </Location> <Location /mp3> MaxConnPerIP 1 In this case, all MIME types other than audio/mpeg and video* are exempt from the limit check OnlyIPLimit audio/mpeg video </Location> </IfModule> 6 > T )I % &$1aR mod_actions This module provides for executing CGI scripts based on media type or request method. mod_alias Provides for mapping different parts of the host filesystem in the document tree and for URL redirection mod_asis Sends files that contain their own HTTP headers mod_auth_basic Basic authentication mod_auth_digest User authentication using MD5 Digest Authentication. mod_authn_alias Provides the ability to create extended authentication providers based on actual providers mod_authn_anon Allows "anonymous" user access to authenticated areas mod_authn_dbd User authentication using an SQL database mod_authn_dbm User authentication using DBM files mod_authn_default Authentication fallback module mod_authn_file

49 User authentication using text files mod_authnz_ldap Allows an LDAP directory to be used to store the database for HTTP Basic authentication. mod_authz_dbm Group authorization using DBM files mod_authz_default Authorization fallback module mod_authz_groupfile Group authorization using plaintext files mod_authz_host Group authorizations based on host (name or IP address) mod_authz_owner Authorization based on file ownership mod_authz_user User Authorization mod_autoindex Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command mod_cache Content cache keyed to URIs. mod_cern_meta CERN httpd metafile semantics mod_cgi Execution of CGI scripts mod_cgid Execution of CGI scripts using an external CGI daemon mod_charset_lite Specify character set translation or recoding mod_dav Distributed Authoring and Versioning (WebDAV) functionality mod_dav_fs filesystem provider for mod_dav mod_dav_lock generic locking module for mod_dav mod_dbd Manages SQL database connections mod_deflate Compress content before it is delivered to the client mod_dir

50 Provides for "trailing slash" redirects and serving directory index files mod_disk_cache Content cache storage manager keyed to URIs mod_dumpio Dumps all I/O to error log as desired. mod_echo A simple echo server to illustrate protocol modules mod_env Modifies the environment which is passed to CGI scripts and SSI pages mod_example Illustrates the Apache module API mod_expires Generation of Expires and Cache-Control HTTP headers according to user-specified criteria mod_ext_filter Pass the response body through an external program before delivery to the client mod_file_cache Caches a static list of files in memory mod_filter Context-sensitive smart filter configuration module mod_headers Customization of HTTP request and response headers mod_ident RFC 1413 ident lookups mod_imagemap Server-side imagemap processing mod_include Server-parsed html documents (Server Side Includes) mod_info Provides a comprehensive overview of the server configuration mod_isapi ISAPI Extensions within Apache for Windows mod_ldap LDAP connection pooling and result caching services for use by other LDAP modules mod_log_config Logging of the requests made to the server mod_log_forensic Forensic Logging of the requests made to the server

51 mod_logio Logging of input and output bytes per request mod_mem_cache Content cache keyed to URIs mod_mime Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding) mod_mime_magic Determines the MIME type of a file by looking at a few bytes of its contents mod_negotiation Provides for content negotiation mod_nw_ssl Enable SSL encryption for NetWare mod_proxy HTTP/1.1 proxy/gateway server mod_proxy_ajp AJP support module for mod_proxy mod_proxy_balancer mod_proxy extension for load balancing mod_proxy_connect mod_proxy extension for CONNECT request handling mod_proxy_ftp FTP support module for mod_proxy mod_proxy_http HTTP support module for mod_proxy mod_proxy_scgi SCGI gateway module for mod_proxy mod_reqtimeout Set timeout and minimum data rate for receiving requests mod_rewrite Provides a rule-based rewriting engine to rewrite requested URLs on the fly mod_setenvif Allows the setting of environment variables based on characteristics of the request mod_so Loading of executable code and modules into the server at start-up or restart time

52 mod_speling Attempts to correct mistaken URLs that users might have entered by ignoring capitalization and by allowing up to one misspelling mod_ssl Strong cryptography using the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols mod_status Provides information on server activity and performance mod_substitute Perform search and replace operations on response bodies mod_suexec Allows CGI scripts to run as a specified user and Group mod_unique_id Provides an environment variable with a unique identifier for each request mod_userdir User-specific directories mod_usertrack Clickstream logging of user activity on a site mod_version Version dependent configuration mod_vhost_alias Provides for dynamically configured mass virtual hosting -% -%45%'%> RLimitMEM bytes max [bytes max] RLimitNPROC number max [number max] RLimitCPU seconds max [seconds max] mod_rewrite* + G/redirect^C5<C5<]F%& 5'% & 5'%D'N1aN ' G%,> dos / ddos6 8K-&LE3&! D'.R%N$ B SSH % - J/ * + - 5% %C* + 6? % nano &% '%F,- yum install nano J/- %F, 6 ;)."3-

53 nano /etc/httpd/conf/httpd.conf Ctrl+w )\53& ]J/\53 -%."N %4- LoadModule rewrite_module modules/mod_rewrite.so )%BZ1<")]`J/m :% N1 %L AllowOverride none J$4)- AllowOverride All :J/&- ~%\ 1K: ) '5- service httpd restart J'1<"' -D& NF $% % -%'-.htaccess." Options +FollowSymLinks RewriteEngine On. ) ' 5, mod_proxy Links : > Modules : yum install httpd-devel yum install libxml2-devel Configuration:

54 cp proxy_html.conf /etc/httpd/conf/ vim /etc/httpd/conf/httpd.conf LoadFile /usr/lib/libxml2.so LoadModule proxy_html_module modules/mod_proxy_html.so Include conf/proxy_html.conf ( Also Check : LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_connect_module modules/mod_proxy_connect.so ) Vhost : Example : <VirtualHost :80> ServerAdmin "[email protected]" ServerName upframr.com ServerAlias MIMEMagicFile /dev/null CustomLog logs/upframr.com_access_log "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" ErrorLog logs/upframr.com_error_log DocumentRoot "/home/admin2/public_html" <Directory "/home/admin2/public_html"> Options +Indexes +FollowSymLinks Order allow,deny Allow from all AllowOverride All AddHandler mod_python.py PythonHandler mod_python.publisher PythonDebug On </Directory> Alias /mod_perl "/home/admin2/public_html/mod_perl" <Directory "/home/admin2/public_html/mod_perl"> SetHandler perl-script PerlResponseHandler ModPerl::Registry PerlOptions +ParseHeaders Options +ExecCGI </Directory> <Location /perl-status> SetHandler perl-script PerlResponseHandler Apache::Status Order deny,allow Deny from all Allow from upframr.com </Location> ScriptAlias /cgi-bin "/home/admin2/public_html/cgi-bin"

55 Alias /usage /var/www/stats/upframr.com <Directory /var/www/stats/upframr.com> Order allow,deny Allow from all </Directory> <Location /usage> Order allow,deny Allow from all </Location> </VirtualHost> %'N&$ Overview Technical Reference: Apache 2.0 DMZ Secure Server Install This document is a guide to installing and hardening an Apache 2.0 web server to common security standards. It will guide you through practical measures to harden your Apache server, by way of example. Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack. Therefore, it s vital that you follow this guide to ensure that: 1) The opportunity to compromise the web server is limited 2) Should the web server be compromised, the damage potential to the rest of the network, data, and systems is limited. 1. Prepare the host operating system 1.1 Install and secure the host operating system. Follow the hardening guidelines in the The Center for Internet Security. Hardening the host O/S ensures that, should someone compromise the security of your web server, the amount of damage that they could inflict will be minimized. 1.2 Create the directories to hold the Apache files

56 It s important to separate the binaries /bin, docs (/htdocs), and logs (/logs) into separate partitions on the system. You can choose whatever root you want, but this example will use /opt/apache2 as the root directory for the Apache web server. 1.3 Create the host groups for administering and running the server. Create a distinct group for all the users who will have permission to change the configuration, start, and stop the web server. For example, if you want to call the group webadmin, create it like this: groupadd webadmin Create a distinct group for the web server user no one will actually log into this group, but it will only be used to hold the userid which will run the web server. For example, if you want to call that group webserv, create it like this: groupadd webserv Take note that you should not create a web developer group on this host. Since this is a hardened production host you must not provide web developers login accounts on this system. Instead, developers should deploy documents and code to the server using your code/content deployment system, such as Kintana s Apps*Integrity. 1.4 Create an unprivileged host user id to run the server. Never run the web server as root; if the web server is ever compromised, the attacker will have complete control over the system. Instead, the best way to reduce your exposure to attack when running a web server is to create a for the server application. The userid is often used for this purpose, but a userid and group that are unique to the web server is a more secure solution.! "

57 $% & '( ) *+, "- useradd -d /opt/apache2/htdocs -g webserv -c "Web Server" webserv 1.5 Lock down the web server account It s important that no one can successfully execute a password guessing attack against this account, so in this step, we ll restrict this account so that no one can log into it Issue this command to lock the password for the web server account: passwd l webserv Password changed. grep webserv /etc/shadow a :!: at the beginning of the line indicates that the password is locked Issue this command to remove the shell for this account: usermod s /bin/false webserv To be sure the account is locked, issue the command:

58 grep webserv /etc/passwd /bin/false at the end of the line indicates that the shell is set to a nonexistent shell Test the web server account to be sure you can t login. Issue this command to try to log in: > login webserv 2. Download and verify Apache source code By default, web servers return information about the product and version they are running in the Server variable of the HTTP header. This information can be very useful to hackers, enabling them to target attacks to that specific server. To prevent that information from being returned from the web server, this step shows you how to modify that header and build your own copy of the web server. Because web servers often host sensitive information, or allow users to log in with plain-text passwords, it s important to encrypt the HTTP traffic. Therefore, this section will show you how to configure mod_ssl on your web server. Note: Don t build the web server on your production, hardened host. Build it on a staging or development server (with identical O/S), and then copy it to your production host. These steps will guide you through downloading Apache source code, validating it, compiling it, and installing it. We don t recommend use of pre-compiled or DSO versions. DSO versions may allow a hacker to introduce new features without having to recompile the code. If you intend to add other module to your Apache web server installation, repeat the validation steps below for each module you add.

59 2.1 Download the latest version of Apache 2.0 Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security patches. You can download it from the Apache site. From here, download four files: 1) The Apache source code itself, called something like httpd tar.gz. 2) The PGP keys for the Apache signers: a file named KEYS 3) The PGP key for this source distribution, called something like httpd tar.gz.asc 4) The MD5 checksum for this source distribution, called something like httpd tar.gz.md5 wget wget wget wget Verify PGP signature for the Apache source To ensure that you have an authentic version from the Apache Group, and that it s not been tampered with (remember, there are many mirrors from which you can download the Apache source), you should check the PGP signature. If you don t have PGP installed on this server, you can validate these files on another machine. a) If you don t already have them in your PGP keyring, import the public keys from the Apache Group into your keyring:

60 ~> pgp ka KEYS b) Check the PGP signature: ~> pgp httpd_ tar.gz if the signature is correct, you should get something similar to this: -- CUT -- File 'httpd tar.gz.asc' has signature, but with no text. Text is assumed to be in file 'httpd tar.gz'. Good signature from user "Justin R. Erenkrantz Signature made 2003/03/31 07:49 GMT WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Justin R. Erenkrantz <[email protected]>". The fact that it says, Good Signature from is what we re looking for here. The WARNING statement indicates that we ve not verified this signature with a 3 rd party, which is ok here.

61 2.3 Verify the MD5 checksum for the Apache source. MD5 is a way to validate the integrity of the file itself, much more reliable than checksum and similar methods. Normally, mismatches in the MD5 checksum from the Apache source are the result of download errors or file corruption. If you don t have MD5 on your system, you can download it from here. Compare the results of these two commands visually inspect them to ensure they match (if they don t, download it again): ~> pwd /usr/local/build ~> cat httpd tar.gz.md5 MD5 (httpd tar.gz) = 1f33e9a2e2de06da190230fa72738d75 ~> md5 apache_ tar.gz MD5 (httpd tar.gz) = 1f33e9a2e2de06da190230fa72738d75

62 2.4 Extract the zipped Apache source file. ~> /pwd /usr/local/build ~> tar xvfz httpd tar.gz This will create a new directory under your current one, named httpd Create SSL certificates! " $ % & '' $$' '' '() "$ * $ * + ' % ', 3.1 Create a key and certificate request for your web server Using OpenSSL, the following command will create a 1024-bit private key named, private.key and generate a certificate signing request (CSR). You need to have the CSR signed by a Certificate Authority (CA) who can validate your identity. When prompted to input information, note the answers in bold print below. (Answer the prompts with the information relevant for your server, of course). Note: If you provide a challenge password, you will be unable to start the web server unattended. We don t recommend providing a challenge password, just leave it blank. ~> pwd

63 /usr/local/build ~> openssl req -nodes -newkey rsa:1024 -keyout /usr/local/build/server.key -out /usr/local/build/server.crt Using configuration from /usr/share/ssl/openssl.cnf Generating a 1024 bit RSA private key writing new private key to 'server.key' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:NC Locality Name (eg, city) []:RTP Organization Name (eg, company):xianco Systems, Inc. Organizational Unit Name (eg, section) []:InfoSec Common Name (eg, YOUR name) []:xianshield.xianco.com Address []:[email protected] Please enter the following 'extra' attributes

64 to be sent with your certificate request A challenge password []: <blank> An optional company name []: <blank> Most importantly, make sure your Common Name above matches the DNS name of your server. The locale information is less important, but we think it s best to use the locality of the server itself Submit CSR for validation/signing by a CA. -,./''.%$ 0$''1 $ $$ $.%$ * ' $ * '.%* $ 23 '45", $ $.%''26.%$5 Send your request for a certificate to the CA. Include your name, your web server (Apache, in this case) your OS, and of course, the.csr (certificate signing request).

65 3.3 Rename your certificate files The names aren t important, they just have to match what s in conf/ssl.conf. You will receive 2 files from the PKI team. The first file will be your server certificate (and will probably be named <server name>.cer), the 2 nd file is the certificate chain. Here, we ll rename them to fit what s specified in conf/ssl.conf. mv XianCo CA (01-03).cer ca.crt mv xianshield.cer server.crt 3.4 Copy certificates to your server.

66 Since you received these certs via , and they re now sitting on your laptop, we need to copy both server.crt and ca.crt to the server. We ll copy them up to /usr/local/build. We ll move them both to the appropriate locations under conf/ssl.conf later. scp *.crt xianshield:/usr/local/build/. 4. Configure and build the Apache Server In this section, we ll configure Apache with SSL and mod_ldap support. As of Apache V2, these are both included modules, and don t require a separate download. In order to customize Apache to the extent necessary, we need to download the source for the latest version of Apache. Once that s complete, we ll configure and test it. 4.1 Alter the Apache version We want to remove/modify the default HTTP response header parameter for the Server: token to hide the identity of our web server. (You d be surprised how many vulnerability scanners are looking for specific versions of Apache.) To do this, we must open a header file (httpd.h) prior to compiling the server. To do this, edit the ap_release.h file located in ${ApacheSrcDir}/include ~> pwd /usr/local/build/httpd /include ~> vi ap_release.h

67 define AP_SERVER_BASEVENDOR "Apache Software Foundation" Change this define AP_SERVER_BASEPRODUCT "Apache" and this These are the lines you want to change; change these to remove references to Apache. We ll hide the actual version using the ServerTokens directive in the httpd.conf file. Example: define SERVER_BASEVENDOR "Network Services" define SERVER_BASEPRODUCT "Networks, Inc." 4.2 Configure Apache software for compilation There are a few standard modules that should be disabled when you set up the Apache web server. Modules to disable Generally, the following modules make it easier to configure/support your web server but also give too much information to attackers. We recommend that you disable the following default modules for your production server: info: gives out too much information about your web server to potential attackers. status: gives out server stats via web pages autoindex: provides directory listings when no index.html file is present imap: provides server-side mapping of index files include: provides server-side includes (.shtml files) userdir: translates URLs to user-specific directories auth: you won t need it you ll set up authentication against LDAP via mod_ldap

68 Modules to enable Here are two modules that will provide strong authentication and encryption for your web server. If you have any protected content on your web server, it s important that you only allow your users to access it over SSL, otherwise your user passwords will be sent in clear text, subject to snooping. ssl: Encrypts the traffic from the browser to the web server an important means of protecting login passwords and sensitive data. auth_ldap: Allows you to validate passwords against ldap.xianco.com or other LDAP. A word about LDAP authentication It s important that you don t set up your own userid/password store, since it propagates passwords into insecure locations. Instead, you should modify your configuration to defer authentication to a central store, such as a centrally maintained LDAP. To authenticate against an LDAP store, you need to compile Apache with support. In order to use mod_ldap, you ll need LDAP libraries installed on your system. You can use OpenLDAP or Netscape Directory SDK for the LDAP client libraries. Configuration commands Here s how to configure Apache with these options: ~> pwd /usr/local/build/httpd ~> sudo./configure -prefix=/opt/apache2 \ --enable-so \ --enable-ssl \ --with-ldap \ --enable-ldap \ --enable-auth-ldap \ --disable-info \

69 --disable-status \ --disable-autoindex \ --disable-imap \ --disable-include \ --disable-userdir \ --disable-auth checking for chosen layout... Apache checking for working mkdir -p... yes checking build system type... sparc64-unknown-linux-gnu checking host system type... sparc64-unknown-linux-gnu checking target system type... sparc64-unknown-linux-gnu Configuring Apache Portable Runtime library Compile the Apache server

70 Now that the software is validated and configured, it s time to compile it. Since you won t have a compiler on your production host, we ll compile and install it on a separate server, then tar/compress it and scp it to your production host. You ll need to run make using sudo so that Apache knows it can use ports < ~> pwd /usr/local/build/httpd ~> sudo make ===> src make[1]: Entering directory `/usr/local/build/httpd ' make[2]: Entering directory `/usr/local/build/httpd /src' ===> src/regex sh./mkh -p regcomp.c >regcomp.ih 4.4 Install the Apache server If you have followed our instructions for securing the host, you will have to unpack the distribution and compile it on a separate host. To make your server more secure, use a separate disk partition for your web content. Create a unique mount point for this directory -- htdocs is a good name to use, but make it somewhere outside the ServerRoot directory. You'll need to update /etc/vfstab to mount this partition as part of your server's startup process..! ' ( (!( ( + ( / 0+ 1" ~> pwd

71 /usr/local/build/httpd ~> sudo make install ===> [mktree: Creating Apache installation tree]./src/helpers/mkdir.sh /opt/apache2/bin./src/helpers/mkdir.sh /opt/apache2/libexec./src/helpers/mkdir.sh /opt/apache2/man/man1./src/helpers/mkdir.sh /opt/apache2/man/man8./src/helpers/mkdir.sh /opt/apache2/conf.. 5. Install SSL certificates Now that the server is installed, we need to copy certificate key, server certificate, and CA chain to Apache s configuration directory. 5.1 Set up the Apache certificate directories ~> pwd /opt/apache2/conf ~> sudo mkdir ssl.crt ssl.key 5.2 Copy the certificate and key to the SSL configuration directory ~> sudo cp /usr/local/build/server.crt./ssl.crt/. ~> sudo cp /usr/local/build/server.key./ssl.key/.

72 6. Configure the Apache server Configure the file permissions and runtime settings of the Apache server. It s important that you place your htdocs, cgi-bin, and logs directories on separately mounted filesystems. 6.1 Configure httpd.conf Set the following in your httpd.conf file. You can also download an example httpd.conf with these settings here. Directive and setting ServerSignature Off ServerTokens Prod Listen 80 (remove) User webserv (or whatever you created in step 2 above) Group webserv (or whatever you created in step 2 above) ErrorDocument 404 errors/404.html ErrorDocument 500 errors/500.html etc. ServerAdmin <hostname>[email protected] UserDir disabled root Description/rationale Prevents server from giving version info on error pages. Prevents server from giving version info in HTTP headers Remove the Listen directive we ll set this directive only in ssl.conf, so that it will only be available over https. Ensure that the child processes run as unprivileged user Ensure that the child processes run as unprivileged group To further obfuscate the web server and version, this will redirect to a page that you should create, rather than using the default Apache pages. Use a mail alias never use a person s address here. Remove the UserDir line, since we disabled this module. If you do enable user directories, you ll need this line to protect root s files.

73 <Directory /> Order Deny, Allow Deny access to the root file system. deny from all </Directory> <Directory /opt/apache2/htdocs"> <LimitExcept GET POST> deny from all </LimitExcept> Options -FollowSymLinks -Includes -Indexes -MultiViews AllowOverride None Order allow,deny Allow from all </Directory> LimitExcept prevents TRACE from allowing attackers to find a path through cache or proxy servers. The - before any directive disables that option. FollowSymLinks allows a user to navigate outside the doc tree, and Indexes will reveal the contents of any directory in your doc tree. Includes allows.shtml pages, which use server-side includes (potentially allowing access to the host). If you really need SSI, use IncludesNoExec instead. AllowOverride None will prevent developers from overriding these specifications in other parts of the doc tree.

74 AddIcon (remove) IndexOptions (remove) AddDescription (remove) Remove all references to these directives, since we disabled the fancy indexing module. ReadmeName (remove) HeaderName (remove) IndexIgnore (remove) Alias /manual (remove) Don t provide any accessible references to the Apache manual, it gives attackers too much info about your server. You should familiarize yourself with the following parameters. Unless you are running a highvolume web site, you can safely leave the settings at their default values. If you are running a high-volume web site, you ll want to adjust these directives upward to better withstand denial-ofservice attacks. StartServers MinSpareServers MaxSpareServers Timeout Keepalive MaxKeepAliveRequests KeepAliveTimeout MaxClients MaxRequestsPerChild 6.2 Configure ssl.conf

75 Set the following in your ssl.conf file. You can also download an example ssl.conf with these settings here. Directive and setting SSLCertificateChainFile /opt/apache2/conf/ssl.crt/ca.crt Description/rationale (Find this line and uncomment it). This points to the Certificate Authority file for your chained certificate. 6.3 Remove default Apache files " *.7"2 * % 5$ * '' '$ * 6$,' 8$ $ * $'$ ~> sudo rm fr /opt/apache2/htdocs/* ~> sudo rm fr /opt/apache2/cgi-bin/* ~> sudo rm fr /opt/apache2/icons To test that your web server is running, you can now place this file in your htdocs directory it s just a simple index.html file. Make sure you set the permissions to world-readable. 6.4 Set directory and file permissions for the server To protect the directories on your server, it s important that you protect the directories themselves. bin is where the executable portion of the Apache web server is. It should be readable/executable only by members of the webadmin group, but only writable by root.

76 ~> sudo chown R root:webadmin /opt/apache2/bin ~> sudo chmod R 770 /opt/apache2/bin conf is where your web server configuration files are and needs to be read/writable only by the webadmin group. ~> sudo chown R root:webadmin /opt/apache2/conf ~> sudo chmod R 770 /opt/apache2/conf logs is where your access and error logs will go. It should be readable only by the webadmin group. ~> sudo chown R root:webadmin /opt/apache2/logs ~> sudo chmod R 755 /opt/apache2/logs htdocs is where your HTML files are and needs to be world readable, but writable only by root (you should copy content in from a staging server). ~> sudo chown R root /opt/apache2/htdocs ~> sudo chmod R 775 /opt/apache2/htdocs cgi-bin is where your executable scripts are and needs to be world read/executable, but writable only by root (you should copy content in from a staging server). ~> sudo chown R root /opt/apache2/cgi-bin ~> sudo chmod R 775 /opt/apache2/cgi-bin

77 7. Make final configuration and start server Lastly, we need to modify the startup configuration for Apache and restart the server. 7.1 Modify Apache startup script so that it will notify you when it s restarted. % $ * $ Open /opt/apache/bin/apachectl and add something like this to the file: tail /opt/apache2/logs/error_log /bin/mail -s 'Apache web server has restarted' <hostname>[email protected] 7.2 Test your configuration by starting the server sudo /opt/apache2/bin/apachectl startssl 7.3 Keep your web server patched. $ % ' Apache web server: OpenSSL:

78 OpenLDAP: 8. Configure authentication against an LDAP directory. In this final section, we ll configure the Apache httpd.conf file so that resources are authenticated against an LDAP server. This step really can t be run until you ve installed the web server. Once you ve got your web server installed, just add the LDAP authentication directives to any directory (or httpd.conf file) where you want password protection with CEC credentials. Here s an example of protecting a directory named Internal <Location "/internal"> AuthName CEC AuthType Basic AuthLDAPURL ldap://ldap.xianco.com:389/ou=employees,ou=people,o=xianco.com?uid?sub? (objectclass=xiancoperson) require valid-user </Location> httpd%/e7>!/bin/bash Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software

79 distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. httpd Startup script for the Apache Web Server chkconfig: description: The Apache HTTP Server is an efficient and extensible \ server implementing the current HTTP standards. processname: httpd pidfile: /var/log/httpd/httpd.pid config: /etc/sysconfig/httpd BEGIN INIT INFO Provides: httpd Required-Start: $local_fs $remote_fs $network $named Required-Stop: $local_fs $remote_fs $network Should-Start: distcache Short-Description: start and stop Apache HTTP Server Description: The Apache HTTP Server is an extensible server implementing the current HTTP standards. END INIT INFO Source function library.. /etc/rc.d/init.d/functions if [ -f /etc/sysconfig/httpd ]; then. /etc/sysconfig/httpd fi Start httpd in the C locale by default. HTTPD_LANG=${HTTPD_LANG-"C"} This will prevent initlog from swallowing up a pass-phrase prompt if mod_ssl needs a pass-phrase from the user. INITLOG_ARGS=""

80 Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server with the thread-based "worker" MPM; BE WARNED that some modules may not work correctly with a thread-based MPM; notably PHP will refuse to start. httpd=${httpd-/usr/sbin/httpd} prog=httpd pidfile=${pidfile-/var/log/httpd/httpd.pid} lockfile=${lockfile-/var/lock/subsys/httpd} RETVAL=0 check for 1.3 configuration check13 () { CONFFILE=/etc/httpd/conf/httpd.conf GONE="(ServerType BindAddress Port AddModule ClearModuleList " GONE="${GONE}AgentLog RefererLog RefererIgnore FancyIndexi ng " GONE="${GONE}AccessConfig ResourceConfig)" if grep -Eiq "^[[:space:]]*($gone)" $CONFFILE; then echo echo 1>&2 " Apache 1.3 configuration directives found" echo 1>&2 " please failure "Apache 1.3 config directives test" echo exit 1 fi } The semantics of these two functions differ from the way apachectl does things -- attempting to start while running is a failure, and shutdown when not running is also a failure. So we just do it the way init scripts are expected to behave here. start() { echo -n $"Starting $prog: " check13 exit 1 LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS RETVAL=$? echo

81 [ $RETVAL = 0 ] && touch ${lockfile} return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc -p ${pidfile} $httpd RETVAL=$? echo [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile} } reload() { echo -n $"Reloading $prog: " check13 exit 1 killproc -p ${pidfile} $httpd -HUP RETVAL=$? echo } See how we were called. case "$1" in start) start ;; stop) stop ;; status) if! test -f ${pidfile}; then echo $prog is stopped RETVAL=3 else status -p {$pidfile} $httpd RETVAL=$? fi ;; restart) stop start ;; condrestart)

82 if test -f ${pidfile} && status -p ${pidfile} $httpd >&/dev/null; then stop start fi ;; reload) reload ;; configtest) LANG=$HTTPD_LANG $httpd $OPTIONS -t RETVAL=$? ;; graceful) echo -n $"Gracefully restarting $prog: " LANG=$HTTPD_LANG $httpd $OPTIONS -k RETVAL=$? echo ;; *) echo $"Usage: $prog {start stop restart condrestart reload status graceful help configtest}" exit 1 esac exit $RETVAL $ '% N + :B %'m % RN ' &$.15'W)$5 N H' G% %%3@ /." % $5 G &% '<, V rk cpanel,directadmin&) 5 '1a* + %N 5C 5:R % GB 5"L %45% '^ EF - 5CR ]%% N$ ^- -5'5K] BJ;)5BN/-N 5' %RN G$%X!L 6 $C5BN J, '% %&%-&$C5BY.R% N UC)

83 GGGB$5E'RN 2F