Apache

From Network Security Wiki


Intro

Source: vogella.com

  • Apache remained the most widely used web server software, estimated to serve 46% of all active websites and 43% of the top million websites.
  • The name was widely believed to be a pun on 'A Patchy Server' (since it was a set of software patches).
  • When Apache is running, its process name is sometimes httpd, which is short for "HTTP daemon."

Basics

  • List the available modules of the Apache HTTP server
apache2 -l
  • Main configuration file for the Apache Http server
/etc/apache2/apache2.conf
  • The error log of Apache is located in the
/var/log/apache2/error.log
grep MaxClients /var/log/apache2/error.log

Multi-Processing-Module

Apache HTTP can run in different modes. MPM modes determine how the web requests of users are answered.

  • The selected mode is compiled into the server and can be checked with:
sudo apachectl -V | grep -i mpm


  • Configuration for the event mpm is stored in below file:

Configure only the module which your server is using. 

/etc/apache2/mods-available/mpm_event.conf

htaccess

  • One major application of this file is to redirect an URL to other URL’s.
  • You should avoid using .htaccess files completely if you have access to httpd main server config file.
  • Using .htaccess files slows down your Apache http server.
        This section needs verification and rework.
  • The following .htacess file reroutes http://vogella.com to http://www.vogella.com.
  • It also redirect access to a certain webpage (/articles/SpringFramework/article.html) to another webpage via a 301 redirect.
  • The 301 redirect will tell search engines that this side has moved and is the recommended way to move webpages.
RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.vogella\.de$
RewriteRule ^(.*)$ http://www.vogella.com/$1 [L,R=301]
redirect 301 /articles/SpringFramework/article.html http://www.vogella.com/tutorials/SpringDependencyInjection/article.html

Using modules

Apache Http supports the usage of modules. To enable modules use the a2enmod command 

a2enmod rewrite

Other modules Supporting php and wordpress 

sudo apt-get install libapache2-mod-fcgid
sudo apt-get install php5-cgi

Afterwards activate the corresponding modules: 

sudo a2enmod fastcgi
sudo a2enmod proxy
# required for wordpress blog
sudo a2enmod rewrite

Gzip compression

  • To optimize the download time of your webpages you can turn on gzip compression.
  • This requires the Apache module "mod_deflate":
a2enmod deflate
/etc/init.d/apache2 restart
  • The compression can be activated in the default configuration file for this module located in /etc/apache2/mods-available/deflate.conf or via the ".htaccess" file.
# compress all text & html:
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript

VirtualHost Examples

Source: apache.org

  • Running several name-based web sites on a single IP address
# Ensure that Apache listens on port 80
Listen 80
<VirtualHost *:80>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/www/example2"
    ServerName www.example.org

    # Other directives here
</VirtualHost>
  • Name-based hosts on more than one IP address

The server has two IP addresses. On one (172.20.30.40), we will serve the "main" server, server.example.com and on the other (172.20.30.50), we will serve two or more virtual hosts. 

Listen 80

# This is the "main" server running on 172.20.30.40
ServerName server.example.com
DocumentRoot "/www/mainserver"

<VirtualHost 172.20.30.50>
    DocumentRoot "/www/example1"
    ServerName www.example.com

    # Other directives here ...
</VirtualHost>

<VirtualHost 172.20.30.50>
    DocumentRoot "/www/example2"
    ServerName www.example.org

    # Other directives here ...
</VirtualHost>
  • Serving the same content on different IP addresses (such as an internal and external address)
<VirtualHost 192.168.1.1 172.20.30.40>
    DocumentRoot "/www/server1"
    ServerName server.example.com
    ServerAlias server
</VirtualHost>
  • Running different sites on different ports
Listen 80
Listen 8080

<VirtualHost 172.20.30.40:80>
    ServerName www.example.com
    DocumentRoot "/www/domain-80"
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
    ServerName www.example.com
    DocumentRoot "/www/domain-8080"
</VirtualHost>

<VirtualHost 172.20.30.40:80>
    ServerName www.example.org
    DocumentRoot "/www/otherdomain-80"
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
    ServerName www.example.org
    DocumentRoot "/www/otherdomain-8080"
</VirtualHost>
  • IP-based virtual hosting

The server has two IP addresses (172.20.30.40 and 172.20.30.50) which resolve to the names www.example.com and www.example.org respectively. 

Listen 80

<VirtualHost 172.20.30.40>
    DocumentRoot "/www/example1"
    ServerName www.example.com
</VirtualHost>

<VirtualHost 172.20.30.50>
    DocumentRoot "/www/example2"
    ServerName www.example.org
</VirtualHost>
  • Mixed port-based and ip-based virtual hosts

The server machine has two IP addresses (172.20.30.40 and 172.20.30.50) which resolve to the names www.example.com and www.example.org respectively. In each case, we want to run hosts on ports 80 and 8080. 

Listen 172.20.30.40:80
Listen 172.20.30.40:8080
Listen 172.20.30.50:80
Listen 172.20.30.50:8080

<VirtualHost 172.20.30.40:80>
    DocumentRoot "/www/example1-80"
    ServerName www.example.com
</VirtualHost>

<VirtualHost 172.20.30.40:8080>
    DocumentRoot "/www/example1-8080"
    ServerName www.example.com
</VirtualHost>

<VirtualHost 172.20.30.50:80>
    DocumentRoot "/www/example2-80"
    ServerName www.example.org
</VirtualHost>

<VirtualHost 172.20.30.50:8080>
    DocumentRoot "/www/example2-8080"
    ServerName www.example.org
</VirtualHost>
  • Mixed name-based and IP-based vhosts
Listen 80
<VirtualHost 172.20.30.40>
    DocumentRoot "/www/example1"
    ServerName www.example.com
</VirtualHost>

<VirtualHost 172.20.30.40>
    DocumentRoot "/www/example2"
    ServerName www.example.org
</VirtualHost>

<VirtualHost 172.20.30.40>
    DocumentRoot "/www/example3"
    ServerName www.example.net
</VirtualHost>

# IP-based
<VirtualHost 172.20.30.50>
    DocumentRoot "/www/example4"
    ServerName www.example.edu
</VirtualHost>

<VirtualHost 172.20.30.60>
    DocumentRoot "/www/example5"
    ServerName www.example.gov
</VirtualHost>
  • You enable or disable virtual hosts with the following command.

Enable the vhost 

sudo a2ensite vogella.conf

Disable the vhost 

sudo a2dissite www.vogella.com

After enabling sites you have to reload Apache: 

sudo service apache2 reload

Custom Logging

Enabled different logs for multiple virtual hosts 

<VirtualHost *:80>
  ServerName www.foo.com
  DocumentRoot /var/www/www.foo.com/htdocs

  CustomLog /var/log/apache/www.foo.com-access.log combined
  ErrorLog /var/log/apache/www.foo.com-error.log
</VirtualHost>

<VirtualHost *:80>
  ServerName mail.foo.com
  DocumentRoot /var/www/mail.foo.com/htdocs

  CustomLog /var/log/apache/mail.foo.com-access.log combined
  ErrorLog /var/log/apache/mail.foo.com-error.log
</VirtualHost>

Using with Flask

Source: codementor.io

  • Works with python 3.6
  • Install Apache
sudo apt update
sudo apt install apache2
  • Install mod_wsgi
sudo apt-get install libapache2-mod-wsgi-py3 python-dev
  • Install flask
sudo pip3 install flask
  • Create files
mkdir -p ~/ExampleFlask/ExampleFlask
cd ~/ExampleFlask/ExampleFlask
touch __init__.py              # (Empty file)

nano my_flask_app.py

from flask import Flask
app = Flask(__name__)
@app.route("/")
def hello():
    return "Hello world!"
if __name__ == "__main__":
    app.run()

nano my_flask_app.wsgi
  • The name of above wsgi file should be same as the flask application
  • Add a shebang line to specify which interpreter to use
#! /usr/bin/python3

import logging
import sys

logging.basicConfig(stream=sys.stderr)
sys.path.insert(0, '/home/username/ExampleFlask/')

from my_flask_app import app as application
application.secret_key = 'anything you wish'



sudo nano /etc/apache2/sites-available/ExampleFlask.conf

 
<VirtualHost *:80>
     # Add machine's IP address (use ifconfig command)
     ServerName 192.168.1.103
     # Give an alias to to start your website url with
     WSGIScriptAlias /testFlask /home/username/ExampleFlask/my_flask_app.wsgi
     <Directory /home/username/ExampleFlask/ExampleFlask/>
     		# set permissions as per apache2.conf file
            Options FollowSymLinks
            AllowOverride None
            Require all granted
     </Directory>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     LogLevel warn
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

sudo a2ensite /etc/apache2/sites-available/ExampleFlask.conf
sudo service apache2 restart

Secure Apache2 Server

Source: tecmint.com

  • Hide Apache Version and OS Identity from Errors
sudo nano /etc/apache2/apache2.conf

ServerSignature Off
ServerTokens Prod
  • Disable Directory Listing
sudo nano /etc/apache2/apache2.conf

<Directory /var/www/html>
    Options -Indexes
</Directory>
  • Run Apache as separate User and Group

Create Apache User and Group 

groupadd www-data
useradd -d /var/www/html/ -g www-data -s /bin/nologin www-data

Search for keyword “User” and “Group” and specify the username and groupname to use: 

sudo nano /etc/apache2/apache2.conf 
User www-data 
Group www-data

Troubleshooting

  • Debug virtual host configuration
apachectl -S
  • If Apache is not listening to custom port mentioned by Listen directive in conf file from sites-enabled:
sudo nano /etc/apache2/ports.conf
Listen 8080


References





{{#widget:DISQUS |id=networkm |uniqid=Apache |url=https://aman.awiki.org/wiki/Apache }}

Retrieved from "https://aman.awiki.org/wiki/Apache?oldid=4330"