From 10024bc24de0a3997abf7e30dc05c6305ca4dac6 Mon Sep 17 00:00:00 2001
From: pmulay
Date: Fri, 15 Dec 2017 10:08:29 +0530
Subject: [PATCH] Modularized Apache HTTP Server adoc file

---
 en-US/modules/con_apache-http-server.adoc | 12 ++
 .../proc_configuring-apache-httpd.adoc | 141 ++++++++++++++++++
 en-US/modules/proc_installing-httpd.adoc | 34 +++++
 en-US/modules/proc_installing-webapps.adoc | 24 +++
 en-US/modules/proc_securing-apache-httpd.adoc | 119 +++++++++++++++
 en-US/modules/ref_apache-http-server.adoc | 8 +
 6 files changed, 338 insertions(+)
 create mode 100644 en-US/modules/con_apache-http-server.adoc
 create mode 100644 en-US/modules/proc_configuring-apache-httpd.adoc
 create mode 100644 en-US/modules/proc_installing-httpd.adoc
 create mode 100644 en-US/modules/proc_installing-webapps.adoc
 create mode 100644 en-US/modules/proc_securing-apache-httpd.adoc
 create mode 100644 en-US/modules/ref_apache-http-server.adoc

diff --git a/en-US/modules/con_apache-http-server.adoc b/en-US/modules/con_apache-http-server.adoc
new file mode 100644
index 0000000..28de856
--- /dev/null
+++ b/en-US/modules/con_apache-http-server.adoc
@@ -0,0 +1,12 @@
+= Apache HTTP Server
+[id='apache-http-server']
+
+The Apache HTTP Server is one of the most commonly-used web servers. This page acts as a quick start guide to deploying and configuring Apache on Fedora.
+
+For more details, refer to https://httpd.apache.org/docs/current/[upstream's extensive documentation].
+
+include::{md}/proc_installing-httpd.adoc[leveloffset=+1]
+include::{md}/proc_securing-apache-httpd.adoc[leveloffset=+1]
+include::{md}/proc_installing-webapps.adoc[leveloffset=+1]
+include::{md}/proc_configuring-apache-httpd.adoc[leveloffset=+1]
+include::{md}/ref_apache-http-server.adoc[leveloffset=+1]
diff --git a/en-US/modules/proc_configuring-apache-httpd.adoc b/en-US/modules/proc_configuring-apache-httpd.adoc
new file mode 100644
index 0000000..d7ad82d
--- /dev/null
+++ b/en-US/modules/proc_configuring-apache-httpd.adoc
@@ -0,0 +1,141 @@
+= Configuring Apache HTTPD
+[id='configuring-apache-httpd']
+
+`/etc/httpd/conf/httpd.conf` is the main Apache configuration file. Custom confirguration files are specified under `/etc/httpd/conf.d/*.conf`. If the same settings are specified in both `/etc/httpd/conf/httpd.conf` and a `.conf` file in `/etc/httpd/conf.d/`, the setting from the `/etc/httpd/conf.d/` file will be used.
+
+Files in `/etc/httpd/conf.d/` are read in alphabetical order: a setting from `/etc/httpd/conf.d/z-foo.conf` will be used over a setting from `/etc/httpd/conf.d/foo.conf`. Similarly, a setting from `/etc/httpd/conf.d/99-foo.conf`, will be used over a setting from `/etc/httpd/conf.d/00-foo.conf`.
+
+As a best practice, do not modify `/etc/httpd/conf/httpd.conf` or any of the `/etc/httpd/conf.d` files shipped by Fedora packages directly. If you make any local changes to these files, then any changes to them in newer package versions will not be directly applied. Instead, a `.rpmnew` file will be created, and you will have to merge the changes manually.
+
+It is recommended to create a new file in `/etc/httpd/conf.d` which will take precedence over the file you wish to modify, and edit the required settings. For instance, to change a setting specified in `/etc/httpd/conf.d/foo.conf` you could create the file `/etc/httpd/conf.d/z-foo-local.conf`, and place your setting in that file.
+
+[NOTE]
+====
+After making any changes to your server configuration, execute the following command:
+----
+# apachectl reload
+----
+
+Certain changes may require Apache to be fully restarted. To fully restart Apache, execute the following command:
+----
+# systemctl restart httpd.service
+----
+====
+
+== Enabling access to web applications
+[id='enabling-access-to-web-applications']
+
+By default Fedora-packaged web applications are usually configured such that, access is allowed only from the localhost.
This is defined by the file `/etc/httpd/conf.d/webapp.conf` which contains the following settings: +---- + + + # Apache 2.4 + Require local + + + # Apache 2.2 + Order Deny,Allow + Deny from all + Allow from 127.0.0.1 + Allow from ::1 + + +---- + +Before allowing general access to the webapp, ensure to do the following: + +* [*] Webapp has been configured correctly +* [*] Administration interface and other sensitive areas are not accessible without appropriate authentication +* [*] Database configuration is secure, if the application uses a database + +To broaden access to the application, create a file `/etc/httpd/conf.d/z-webapp-allow.conf`. To allow access to all systems on a typical local network, add the following lines into the file: + +---- + + + # Apache 2.4 + Require local + Require ip 192.168.1 + + + # Apache 2.2 + Order Deny,Allow + Deny from all + Allow from 127.0.0.1 + Allow from ::1 + Allow from 192.168.1 + + +---- + +Once the application is correctly configured, add the following configuration to allow access from any host: + +---- + + + # Apache 2.4 + Require all granted + + + # Apache 2.2 + Order Deny,Allow + Allow from all + + +---- + +== Opening firewall ports +[id='opening-firewall-ports'] + +IMPORTANT: This exposes your computer to the Internet and potential attackers. Secure your system and your Apache installation properly before exposing your server to the Internet. + +Apache uses port 80 for plain http connections and port 443 for TLS/SSL connections by default. 
To make this service available from other computers or the Internet, allow Apache through the firewall using any one the following commands:
+
+To allow Apache through the firewall at each boot:
+
+* For plain HTTP connections:
++
+----
+# firewall-cmd --permanent --add-service=http
+----
+
+* For TLS/SSL connections:
++
+----
+# firewall-cmd --permanent --add-service=https
+----
+
+To allow Apache through the firewall instantly:
+
+* For plain HTTP connections:
++
+----
+# firewall-cmd --add-service=http
+----
+
+* For TLS/SSL connections:
++
+----
+# firewall-cmd --add-service=https
+----
+
+NOTE: If your server is running in a network with a NAT router, you will also need to configure your router to forward the HTTP and HTTPS ports to your server, if you wish to allow access from outside your local network.
+
+== Disabling Test Page
+[id='disabling-test-page']
+
+To disable the test page, comment out all the lines in the file `/etc/httpd/conf.d/welcome.conf` using `pass:[#]` as follows:
+
+----
+#
+# Options -Indexes
+# ErrorDocument 403 /.noindex.html
+#
+
+#
+# AllowOverride None
+# Require all granted
+#
+
+# Alias /.noindex.html /usr/share/httpd/noindex/index.html
+----
diff --git a/en-US/modules/proc_installing-httpd.adoc b/en-US/modules/proc_installing-httpd.adoc
new file mode 100644
index 0000000..5d03400
--- /dev/null
+++ b/en-US/modules/proc_installing-httpd.adoc
@@ -0,0 +1,34 @@
+= Installing HTTPD
+[id='installing-httpd']
+
+This procedure describes the steps to install Apache *HTTPD* on Fedora.
+
+.Procedure
+
+. Login as root user.
++
+----
+$ su
+----
+
+. Install *HTTPD* packages.
++
+----
+$ dnf install httpd -y
+----
+
+. Start the *HTTPD* service.
++
+----
+$ systemctl start httpd.service
+----
+
+[NOTE]
+====
+To enable auto start of *HTTPD* service at boot, execute the following command:
+----
+$ systemctl enable httpd.service
+----
+====
+
+Navigate to http://localhost to access the Apache test page. You may not be able to access the server from any other host. To access the server from other hosts, refer to link:proc_opening-firewall-ports[Opening firewall ports].
diff --git a/en-US/modules/proc_installing-webapps.adoc b/en-US/modules/proc_installing-webapps.adoc
new file mode 100644
index 0000000..793d384
--- /dev/null
+++ b/en-US/modules/proc_installing-webapps.adoc
@@ -0,0 +1,24 @@
+= Installing webapps
+[id='installing-webapps']
+
+You probably want to run something on your web server. Many of the most popular web applications are packaged for Fedora. Using the packaged versions of web applications is recommended. These packages will be configured following the distribution's best practices which help to ensure the security of the installation.
+
+For instance, by installing static files to locations the web server does not have the ability to write to, and doing access control with configuration files rather than `.htaccess` files, which are slightly more vulnerable to attack.
+
+Packaged web applications will also be configured to work with SELinux, which provides significant security benefits.
+
+You will also receive updates through the usual Fedora update process, making it easier to keep your installation up to date.
+
+They will also often have the default configuration tweaked according to Fedora's conventions, meaning you have to do less work to get the application up and running.
+
+Most web applications are simply packaged according to their name. For instance, you can install Wordpress by executing the following command:
+
+----
+# dnf install wordpress
+----
+
+Packaged web applications will usually provide Fedora-specific instructions in a documentation file. For instance, Wordpress provides the files `/usr/share/doc/wordpress/README.fedora` and `/usr/share/doc/wordpress/README.fedora-multiuser`.
+
+Packaged web applications usually restrict access by default so you can access them only from the server host itself, to ensure you can run all initial configuration safely and things like administration interfaces are not left accessible to the public. For information on how to broaden access, see link:enabling-access-to-web-applications[Enabling access to web applications].
+
+Web applications commonly require the use of a database server. This wiki contains information on installing and configuring https://fedoraproject.org/wiki/PostgreSQL[PostgreSQL] and https://fedoraproject.org/wiki/MariaDB[MariaDB] on Fedora.
diff --git a/en-US/modules/proc_securing-apache-httpd.adoc b/en-US/modules/proc_securing-apache-httpd.adoc
new file mode 100644
index 0000000..09e0eac
--- /dev/null
+++ b/en-US/modules/proc_securing-apache-httpd.adoc
@@ -0,0 +1,119 @@
+= Securing Apache HTTPD
+[id='securing-apache-httpd']
+
+To enable TLS/SSL support, download and install one of the following packages:
+
+* https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl], based on https://www.openssl.org[OpenSSL]
+* https://apps.fedoraproject.org/packages/mod_gnutls[mod_gnutls], based on https://www.gnutls.org/[GnuTLS]
+* https://apps.fedoraproject.org/packages/mod_nss[mod_nss], based on https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]
+
+== Using mod_ssl
+[id='using-mod-ssl']
+
+=== Installing mod_ssl
+[id='installing-mod-ssl']
+
+The https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package will be automatically enabled post installation. Install the https://apps.fedoraproject.org/packages/mod_ssl[mod_ssl] package using the following command:
+
+----
+$ dnf install mod_ssl -y
+----
+
+=== Generating a new certificate
+[id='generating-new-certificate']
+
+
+To generate a new certificate, refer to https://fedoraproject.org/wiki/Https#openssl[Create a certificate using OpenSSL].
+// The topic ID can be used here instead of the absolute link. Have used absolute link as the destination content in question is in a topic that may not be a part of this activity.
+
+=== Installing an existing certificate
+[id='installing-existing-certificate']
+
+If you already have a certificate generated on another computer, do the following:
+
+. Move the certificate and the key file to the correct folder
++
+----
+# mv key_file.key /etc/pki/tls/private/myhost.com.key
+
+# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
+----
+
+. Ensure that the following parameters are correct:
++
+.. SELinux contexts
++
+----
+# restorecon /etc/pki/tls/private/myhost.com.key
+
+# restorecon /etc/pki/tls/certs/myhost.com.crt
+----
+
+.. Ownership
++
+----
+# chown root.root /etc/pki/tls/private/myhost.com.key
+
+# chown root.root /etc/pki/tls/certs/myhost.com.crt
+----
+
+.. Permissions
++
+----
+# chmod 0600 /etc/pki/tls/private/myhost.com.key
+
+# chmod 0600 /etc/pki/tls/certs/myhost.com.crt
+----
+
+After installing the existing certificate, setup the certificate using link:mod-ssl-configuration[mod_ssl configuration]
+
+=== mod_ssl configuration
+[id='mod-ssl-configuration']
+
+The default TLS/SSL configuration is contained in the file `/etc/httpd/conf.d/ssl.conf`. In the `ssl.conf` file, following are the directives that specify where the TLS/SSL certificate and key are located:
+
+----
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+----
+
+These directives are enclosed in a block defining a https://httpd.apache.org/docs/current/vhosts/[virtual host]:
+
+----
+
+...
+SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+...
+SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+...
+
+----
+
+To define a different location for these files, do the following:
+
+. Create a copy of the `/etc/httpd/conf.d/ssl.conf` file and renew the file to `z-ssl-local.conf`.
++
+. Edit the following lines in the `z-ssl-local.conf` file:
+
+----
+
+SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
+SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
+
+----
+
+This file will override the two settings for the `pass:[_default_]:443` virtual host; all other settings from `ssl.conf` will be retained.
+
+=== Settings for individual virtual hosts
+[id='settings-individual-virtual-hosts']
+
+To use SSL/TLS for a specific virtual host with a different certificate as default, do the following:
+
+. Open that virtual host's configuration file `/etc/httpd/conf.d/hostname.conf`
++
+. Insert these lines between `` and ``:
+----
+SSLEngine on
+SSLCertificateFile /etc/pki/tls/certs/hostname.crt
+SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
+----
diff --git a/en-US/modules/ref_apache-http-server.adoc b/en-US/modules/ref_apache-http-server.adoc
new file mode 100644
index 0000000..961ca1d
--- /dev/null
+++ b/en-US/modules/ref_apache-http-server.adoc
@@ -0,0 +1,8 @@
+= References
+[id='ref_apache-http-server']
+
+* https://httpd.apache.org/docs/current/[Apache Documentation]
+* https://httpd.apache.org/docs/current/getting-started.html[Apache "Getting Started"]
+* https://httpd.apache.org/docs/current/ssl/[Apache TLS/SSL documentation]
+* https://httpd.apache.org/docs/current/misc/security_tips.html[Apache security tips]
+* https://fedoraproject.org/wiki/OwnCloud[OwnCloud]