11_Apache Web Server by Murad Isa

Apache2 Web Server : /etc/apache2

murado — 2015-08-16 16:17:05 UTC

cd /etc/apache2

ls -la

Apache Web Server

murado — 2015-08-16 17:02:48 UTC

Install:
apt install apache2 apache2-utils -y

Apache Ubuntu Default Page :
/var/www/html/index.html

2. Apache2 Web Server : configuration file

murado — 2015-08-16 17:04:15 UTC

https://www.digitalocean.com/community/tutorials/how-to-configure-the-apache-web-server-on-an-ubuntu-or-debian-vps

Apache HTTP Server,

murado — 2015-08-18 14:53:57 UTC

https://httpd.apache.org/
world's most widely used web server software. open community of developers
Apache Software Foundation.
Apache License
free
open-source software.
As of June 2013, Apache was estimated to serve 54.2% of all active websites

https

murado — 2015-08-22 07:53:28 UTC

Install Apache2:
apt update; apt install apache2

Activate the SSL Module:
a2enmod ssl

cd /etc/apache2/

mkdir /etc/apache2/ssl

##create cert & key :

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

openssl: OpenSSL to create and manage certificates, keys, signing requests, etc.
req: This specifies a subcommand for X.509 certificate signing request (CSR) management. X.509 is a public key infrastructure standard that SSL adheres to for its key and certificate managment.
-x509: make a self-signed certificate file instead of generating a certificate request.
-nodes: do not wish to secure our key file with a passphrase. Having a password protected key file would get in the way of Apache starting automatically as we would have to enter the password every time the service restarts.
-days 365: the certificate we are creating will be valid for one year.
-newkey rsa:2048: create the certificate request and a new private key at the same time. This is necessary since we didn't create a private key in advance. The rsa:2048 tells OpenSSL to generate an RSA key that is 2048 bits long.
-keyout: output file for the private key
-out: output file for the certificate (crt)

The questions portion looks something like this:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company
Organizational Unit Name (eg, section) []:Department of Kittens
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:your_email@domain.com

The key and certificate will be created and placed in your /etc/apache2/ssl directory.

nano /etc/apache2/sites-available/default-ssl.conf

ServerAdmin admin@example.com
ServerName your_domain.com
ServerAlias www.your_domain.com
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Enable site:
a2ensite default-ssl.conf

Restart Apache2:
systemctl restart apache2

https://server_domain_name_or_IP

Disable Directory Listing (indexes)

murado — 2015-08-22 07:53:39 UTC

Enable Directory Listing:

Options Indexes FollowSymLinks

AllowOverride None

Require all granted

Disable Directory Listing:

Options -Indexes +FollowSymLinks

AllowOverride None

Require all granted

systemctl restart apache2

apache2 command

murado — 2015-08-22 07:53:47 UTC

systemctl stop apache2

systemctl start apache2

systemctl restart apache2

apachectl configtest

a2enmod ssl

a2dismod ssl

a2ensite default_ssl

s2dissite default_ssl

htaccess

murado — 2015-08-22 07:54:00 UTC

apt update ; apt install apache2 apache2-utils -y

#Create the Password File
htpasswd -c /etc/apache2/.htpasswd username
htpasswd /etc/apache2/.htpasswd another_user

> cat /etc/apache2/.htpasswd
username:$apr1$lzxsIfXG$tmCvCfb49vpPFwKGVsuYz.
another_user:$apr1$p1E9MeAf$kiAhneUwr.MhAE2kKGYHK.

#Configure Apache Password Authentication

edit the Apache configuration and add our password protection to the virtual host file. This will generally give better performance because it avoids the expense of reading distributed configuration files. (recommended)

If you do not have the ability to modify the virtual host file (or if you are already using .htaccess files for other purposes), you can restrict access using an
.htaccess file. Apache uses .htaccess` files in order to allow certain configuration items to be set within a file in a content directory.

The disadvantage is that Apache has to re-read these files on every request that involves the directory, which can impact performance.

#Configuring Access Control within the Virtual Host Definition (recommended)

"virtual host" file that you wish to add a restriction to. For our example, we'll be using the 000-default.conf file that holds the default virtual host

> pico /etc/apache2/sites-enabled/000-default.conf

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

> systemctl restart apache2

## CARA 2: Configuring Access Control with .htaccess Files (not recommended)

nano /etc/apache2/apache2.conf

Options Indexes FollowSymLinks
AllowOverride All
Require all granted

Next, we need to add an .htaccess file to the directory we wish to restrict.

nano /var/www/html/.htaccess

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user

systemctl restart apache2

##Confirm the Password Authentication.

To confirm that your content is protected, try to access your restricted content in a web browser. You should be presented with a username and password prompt.

cakephp1.mbi.org

murado — 2019-08-10 06:34:08 UTC

ServerName cakephp1.mbi.org
DocumentRoot "/var/www/cakephp1.mbi.org/webroot"
Redirect permanent / https://cakephp1.mbi.org

ServerAdmin webmaster@mbi.org
ServerName cakephp1.mbi.org
DocumentRoot "/var/www/cakephp1.mbi.org/webroot"

Options +FollowSymlinks
Allowoverride All
# Required All granted

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars

Configure ModSecurity on Apache

murado — 2019-08-11 06:24:59 UTC

apt  install  libapache2-mod-security2

mod_evasive

murado — 2019-08-11 06:28:23 UTC

mod_evasive is a module for Apache that provides evasive action in the event of an HTTP Distributed Denial of Service (DDoS/DoS) attack or brute force attack.

It is also designed to be a detection and network management tool, and can be easily configured to talk to ipchains, firewalls, routers, and more. mod_evasive presently reports abuse via email and syslog facilities.

Apache mod_status

murado — 2019-08-11 06:38:02 UTC

/server-status

Apache2Buddy

murado — 2019-08-11 06:39:18 UTC

hide Apache Version and OS Identity from Errors

murado — 2019-08-11 06:41:26 UTC

Run Apache as separate User and Group

murado — 2019-08-11 06:42:24 UTC

Apache is run as user www-data and group www-data.
chown -R www-data:www-data /var/www/html