mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
335 lines
10 KiB
Text
335 lines
10 KiB
Text
|
= Apache HTTP Server
|
|||
|
|
|||
|
'''
|
|||
|
|
|||
|
[NOTE]
|
|||
|
======
|
|||
|
|
|||
|
This page was automatically converted from https://fedoraproject.org/wiki/Apache_HTTP_Server
|
|||
|
|
|||
|
It is probably
|
|||
|
|
|||
|
* Badly formatted
|
|||
|
* Missing graphics and tables that do not covert well from mediawiki
|
|||
|
* Out-of-date
|
|||
|
* In need of other love
|
|||
|
|
|||
|
Please fix it, remove this notice, and then add to `_topic_map.yml`
|
|||
|
|
|||
|
Pull requests accepted at https://pagure.io/fedora-docs/fedora-howto
|
|||
|
|
|||
|
Once that is live, go to the original wiki page and add an `{{old}}`
|
|||
|
tag, followed by a note like
|
|||
|
|
|||
|
....
|
|||
|
{{admon/note|This page has a new home!|
|
|||
|
This wiki page is no longer maintained. Please find the up-to-date
|
|||
|
version at: https://docs.fedoraproject.org/whatever-the-url
|
|||
|
}}
|
|||
|
....
|
|||
|
|
|||
|
======
|
|||
|
|
|||
|
'''
|
|||
|
|
|||
|
|
|||
|
The Apache HTTP Server is one of the most commonly-used web servers.
|
|||
|
This page acts as a quick start guide to deploying and configuring
|
|||
|
Apache on Fedora. For (many) more details, please see
|
|||
|
https://httpd.apache.org/docs/current/[upstream's extensive
|
|||
|
documentation].
|
|||
|
|
|||
|
[[installation]]
|
|||
|
Installation
|
|||
|
~~~~~~~~~~~~
|
|||
|
|
|||
|
`$ su` +
|
|||
|
`# dnf install httpd`
|
|||
|
|
|||
|
To have the server start at each boot:
|
|||
|
|
|||
|
`# systemctl enable httpd.service`
|
|||
|
|
|||
|
To start the server now:
|
|||
|
|
|||
|
`# systemctl start httpd.service`
|
|||
|
|
|||
|
At this point, you should be able to browse to http://localhost on the
|
|||
|
server and access the Apache test page. You will most likely not be able
|
|||
|
to access the server from any other host, yet: we will change this
|
|||
|
link:#firewall-configuration[later].
|
|||
|
|
|||
|
[[tlsssl-support]]
|
|||
|
TLS/SSL support
|
|||
|
~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
If you want TLS/SSL support, you can also install , which is based on
|
|||
|
https://www.openssl.org[OpenSSL]. Alternatives are (uses
|
|||
|
https://www.gnutls.org/[GnuTLS]) and (uses
|
|||
|
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]).
|
|||
|
|
|||
|
[[using-mod_ssl]]
|
|||
|
Using mod_ssl
|
|||
|
^^^^^^^^^^^^^
|
|||
|
|
|||
|
Install mod_ssl package and it will be automatically enabled
|
|||
|
|
|||
|
`# dnf install mod_ssl`
|
|||
|
|
|||
|
[[install-an-existing-certificate]]
|
|||
|
Install an existing certificate
|
|||
|
+++++++++++++++++++++++++++++++
|
|||
|
|
|||
|
If you already have a certificate generated on another computer, move
|
|||
|
the certificate and the key file to the correct folder, and ensure their
|
|||
|
SELinux contexts, ownership, and permissions are correct:
|
|||
|
|
|||
|
`# mv key_file.key /etc/pki/tls/private/myhost.com.key` +
|
|||
|
`# restorecon /etc/pki/tls/private/myhost.com.key` +
|
|||
|
`# chown root.root /etc/pki/tls/private/myhost.com.key` +
|
|||
|
`# chmod 0600 /etc/pki/tls/private/myhost.com.key` +
|
|||
|
`#` +
|
|||
|
`# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt` +
|
|||
|
`# restorecon /etc/pki/tls/certs/myhost.com.crt` +
|
|||
|
`# chown root.root /etc/pki/tls/certs/myhost.com.crt` +
|
|||
|
`# chmod 0600 /etc/pki/tls/certs/myhost.com.crt`
|
|||
|
|
|||
|
After this link:#mod_ssl-configuration[ set it up]
|
|||
|
|
|||
|
[[generate-a-new-certificate]]
|
|||
|
Generate a new certificate
|
|||
|
++++++++++++++++++++++++++
|
|||
|
|
|||
|
How to https://fedoraproject.org/wiki/Https#openssl[generate a new
|
|||
|
certificate]
|
|||
|
|
|||
|
[[mod_ssl-configuration]]
|
|||
|
mod_ssl configuration
|
|||
|
+++++++++++++++++++++
|
|||
|
|
|||
|
The default TLS/SSL configuration is contained in the file (if you are
|
|||
|
using ). If you examine that file, you will see the directives that
|
|||
|
specify where the TLS/SSL certificate and key are located:
|
|||
|
|
|||
|
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
|
|||
|
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`
|
|||
|
|
|||
|
If you look carefully, you will see that these directives are actually
|
|||
|
enclosed in a block defining a
|
|||
|
https://httpd.apache.org/docs/current/vhosts/[virtual host]:
|
|||
|
|
|||
|
+
|
|||
|
`...` +
|
|||
|
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
|
|||
|
`...` +
|
|||
|
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key` +
|
|||
|
`...` +
|
|||
|
|
|||
|
If we wanted to define a different location for these files, we could
|
|||
|
edit the lines in directly, but it would be better to create a new file
|
|||
|
:
|
|||
|
|
|||
|
+
|
|||
|
`SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt` +
|
|||
|
`SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key` +
|
|||
|
|
|||
|
This file will override those two settings for the _default_:443 virtual
|
|||
|
host; all other settings from will be kept.
|
|||
|
|
|||
|
[[settings-for-individual-virtual-hosts]]
|
|||
|
Settings for individual virtual hosts
|
|||
|
|
|||
|
If you want a specific virtual host to use SSL/TLS with a different
|
|||
|
certificate from the default, open that virtual host's configuration
|
|||
|
file, usually , and insert these lines between and :
|
|||
|
|
|||
|
`SSLEngine on` +
|
|||
|
`SSLCertificateFile /etc/pki/tls/certs/hostname.crt` +
|
|||
|
`SSLCertificateKeyFile /etc/pki/tls/private/hostname.key`
|
|||
|
|
|||
|
[[installing-webapps]]
|
|||
|
Installing webapps
|
|||
|
~~~~~~~~~~~~~~~~~~
|
|||
|
|
|||
|
You probably want to run something on your web server. Many of the most
|
|||
|
popular 'web applications' are packaged for Fedora. Using the packaged
|
|||
|
versions of web applications is usually recommended: they will be
|
|||
|
configured following the distribution's best practices which help to
|
|||
|
ensure the security of the installation, for instance by installing
|
|||
|
static files to locations the web server does not have the ability to
|
|||
|
write to, and doing access control with configuration files rather than
|
|||
|
files, which are slightly more vulnerable to attack.
|
|||
|
|
|||
|
Packaged web applications will also be configured to work with SELinux,
|
|||
|
which provides significant security benefits.
|
|||
|
|
|||
|
You will also receive updates through the usual Fedora update process,
|
|||
|
making it easier to keep your installation up to date.
|
|||
|
|
|||
|
They will also often have the default configuration tweaked according to
|
|||
|
Fedora's conventions, meaning you have to do less work to get the
|
|||
|
application up and running.
|
|||
|
|
|||
|
Most web applications are simply packaged according to their name. For
|
|||
|
example, you can install Wordpress with:
|
|||
|
|
|||
|
`# dnf install wordpress`
|
|||
|
|
|||
|
Packaged web applications will usually provide Fedora-specific
|
|||
|
instructions in a documentation file - for instance, Wordpress provides
|
|||
|
the files and . It is always a good idea to read these files!
|
|||
|
|
|||
|
Packaged web applications usually restrict access by default so you can
|
|||
|
access them only from the server host itself, to ensure you can run all
|
|||
|
initial configuration safely and things like administration interfaces
|
|||
|
are not left accessible to the public. For information on how to broaden
|
|||
|
access, see link:#webapp-access-control[below].
|
|||
|
|
|||
|
Web applications commonly require the use of a database server. This
|
|||
|
wiki contains information on installing and configuring PostgreSQL and
|
|||
|
MariaDB on Fedora.
|
|||
|
|
|||
|
[[configuration]]
|
|||
|
Configuration
|
|||
|
~~~~~~~~~~~~~
|
|||
|
|
|||
|
is the main Apache configuration file. It _includes_ : if the same
|
|||
|
setting is specified in both and a file in , the setting from the file
|
|||
|
will win. Files in are read in alphabetical order: a setting from will
|
|||
|
win over a setting from , which will win over a setting from , which
|
|||
|
will win over a setting from .
|
|||
|
|
|||
|
It is usually best practice never to modify or any of the files shipped
|
|||
|
by Fedora packages directly. If you make any local changes to these
|
|||
|
files, then any changes to them in newer package versions will not be
|
|||
|
directly applied: instead a file will be created and you will have to
|
|||
|
merge the changes manually. It is usually better instead to create a new
|
|||
|
file in which will take precedence over the file you wish to 'modify',
|
|||
|
and make your settings there. For instance, to change a setting
|
|||
|
specified in you could create the file and place your setting in that
|
|||
|
file. We will see an example of this next.
|
|||
|
|
|||
|
After making any changes to your server configuration, you should run:
|
|||
|
|
|||
|
`# apachectl reload`
|
|||
|
|
|||
|
to apply the changes. Certain changes may require Apache to be fully
|
|||
|
restarted:
|
|||
|
|
|||
|
`# systemctl restart httpd.service`
|
|||
|
|
|||
|
[[enabling-access-to-web-applications]]
|
|||
|
Enabling access to web applications
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
Fedora-packaged web applications are usually configured such that, by
|
|||
|
default, access is allowed only from localhost. Typically you will find
|
|||
|
that there is a file with the following (among other settings):
|
|||
|
|
|||
|
+
|
|||
|
` ` +
|
|||
|
` # Apache 2.4` +
|
|||
|
` Require local` +
|
|||
|
` ` +
|
|||
|
` ` +
|
|||
|
` # Apache 2.2` +
|
|||
|
` Order Deny,Allow` +
|
|||
|
` Deny from all` +
|
|||
|
` Allow from 127.0.0.1` +
|
|||
|
` Allow from ::1` +
|
|||
|
` ` +
|
|||
|
|
|||
|
Before allowing general access to the webapp, ensure you have configured
|
|||
|
it correctly and the administration interface and other sensitive areas
|
|||
|
are not accessible without appropriate authentication. Also remember to
|
|||
|
ensure your database configuration is secure, if the application uses a
|
|||
|
database. To broaden access to the application, you can create a file .
|
|||
|
To allow access to all systems on a typical local network, you could
|
|||
|
write:
|
|||
|
|
|||
|
+
|
|||
|
` ` +
|
|||
|
` # Apache 2.4` +
|
|||
|
` Require local` +
|
|||
|
` Require ip 192.168.1` +
|
|||
|
` ` +
|
|||
|
` ` +
|
|||
|
` # Apache 2.2` +
|
|||
|
` Order Deny,Allow` +
|
|||
|
` Deny from all` +
|
|||
|
` Allow from 127.0.0.1` +
|
|||
|
` Allow from ::1` +
|
|||
|
` Allow from 192.168.1` +
|
|||
|
` ` +
|
|||
|
|
|||
|
Once you are sure the application is correctly configured, this
|
|||
|
configuration will allow access from any host:
|
|||
|
|
|||
|
+
|
|||
|
` ` +
|
|||
|
` # Apache 2.4` +
|
|||
|
` Require all granted` +
|
|||
|
` ` +
|
|||
|
` ` +
|
|||
|
` # Apache 2.2` +
|
|||
|
` Order Deny,Allow` +
|
|||
|
` Allow from all` +
|
|||
|
` ` +
|
|||
|
|
|||
|
[[opening-firewall-ports]]
|
|||
|
Opening firewall ports
|
|||
|
^^^^^^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
Apache uses port 80 for plain http connections and port 443 for TLS/SSL
|
|||
|
connections by default. To make this service available from other
|
|||
|
computers or the Internet your have to allow Apache through the firewall
|
|||
|
like this:
|
|||
|
|
|||
|
To open the firewall at each boot:
|
|||
|
|
|||
|
For plain HTTP connections:
|
|||
|
|
|||
|
`# firewall-cmd --permanent --add-service=http`
|
|||
|
|
|||
|
For TLS/SSL connections:
|
|||
|
|
|||
|
`# firewall-cmd --permanent --add-service=https`
|
|||
|
|
|||
|
To open the firewall right now:
|
|||
|
|
|||
|
For plain HTTP connections:
|
|||
|
|
|||
|
`# firewall-cmd --add-service=http`
|
|||
|
|
|||
|
For TLS/SSL connections:
|
|||
|
|
|||
|
`# firewall-cmd --add-service=https`
|
|||
|
|
|||
|
Remember that if your server is running behind a NAT router, you will
|
|||
|
also need to configure your router to forward the HTTP and HTTPS ports
|
|||
|
to your server if you wish to allow access from outside your local
|
|||
|
network.
|
|||
|
|
|||
|
[[disable-test-page]]
|
|||
|
Disable test page
|
|||
|
^^^^^^^^^^^^^^^^^
|
|||
|
|
|||
|
To disable the test page comment out all the lines in the file
|
|||
|
|
|||
|
[[references]]
|
|||
|
References
|
|||
|
~~~~~~~~~~
|
|||
|
|
|||
|
* https://httpd.apache.org/docs/current/[Apache documentation]
|
|||
|
* https://httpd.apache.org/docs/current/getting-started.html[Apache
|
|||
|
"Getting Started"]
|
|||
|
* https://httpd.apache.org/docs/current/ssl/[Apache TLS/SSL
|
|||
|
documentation]
|
|||
|
* https://httpd.apache.org/docs/current/misc/security_tips.html[Apache
|
|||
|
security tips]
|
|||
|
* OwnCloud
|
|||
|
'''
|
|||
|
|
|||
|
See a typo, something missing or out of date, or anything else which can be
|
|||
|
improved? Edit this document at https://pagure.io/fedora-docs/fedora-howto.
|