mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-24 21:35:17 +00:00
334 lines
10 KiB
Text
334 lines
10 KiB
Text
= Apache HTTP Server
|
||
|
||
'''
|
||
|
||
[IMPORTANT]
|
||
======
|
||
|
||
This page was automatically converted from https://fedoraproject.org/wiki/Apache_HTTP_Server
|
||
|
||
It is probably
|
||
|
||
* Badly formatted
|
||
* Missing graphics and tables that do not convert well from mediawiki
|
||
* Out-of-date
|
||
* In need of other love
|
||
|
||
Please fix it, remove this notice, and then add to `_topic_map.yml`
|
||
|
||
Pull requests accepted at https://pagure.io/fedora-docs/quick-docs
|
||
|
||
Once that is live, go to the original wiki page and add an `{{old}}`
|
||
tag, followed by a note like
|
||
|
||
....
|
||
{{admon/note|This page has a new home!|
|
||
This wiki page is no longer maintained. Please find the up-to-date
|
||
version at: https://docs.fedoraproject.org/whatever-the-url
|
||
}}
|
||
....
|
||
|
||
======
|
||
|
||
'''
|
||
|
||
|
||
The Apache HTTP Server is one of the most commonly-used web servers.
|
||
This page acts as a quick start guide to deploying and configuring
|
||
Apache on Fedora. For (many) more details, please see
|
||
https://httpd.apache.org/docs/current/[upstream's extensive
|
||
documentation].
|
||
|
||
[[installation]]
|
||
Installation
|
||
~~~~~~~~~~~~
|
||
|
||
`$ su` +
|
||
`# dnf install httpd`
|
||
|
||
To have the server start at each boot:
|
||
|
||
`# systemctl enable httpd.service`
|
||
|
||
To start the server now:
|
||
|
||
`# systemctl start httpd.service`
|
||
|
||
At this point, you should be able to browse to http://localhost on the
|
||
server and access the Apache test page. You will most likely not be able
|
||
to access the server from any other host, yet: we will change this
|
||
link:#firewall-configuration[later].
|
||
|
||
[[tlsssl-support]]
|
||
TLS/SSL support
|
||
~~~~~~~~~~~~~~~
|
||
|
||
If you want TLS/SSL support, you can also install , which is based on
|
||
https://www.openssl.org[OpenSSL]. Alternatives are (uses
|
||
https://www.gnutls.org/[GnuTLS]) and (uses
|
||
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS[NSS]).
|
||
|
||
[[using-mod_ssl]]
|
||
Using mod_ssl
|
||
^^^^^^^^^^^^^
|
||
|
||
Install mod_ssl package and it will be automatically enabled
|
||
|
||
`# dnf install mod_ssl`
|
||
|
||
[[install-an-existing-certificate]]
|
||
Install an existing certificate
|
||
+++++++++++++++++++++++++++++++
|
||
|
||
If you already have a certificate generated on another computer, move
|
||
the certificate and the key file to the correct folder, and ensure their
|
||
SELinux contexts, ownership, and permissions are correct:
|
||
|
||
`# mv key_file.key /etc/pki/tls/private/myhost.com.key` +
|
||
`# restorecon /etc/pki/tls/private/myhost.com.key` +
|
||
`# chown root.root /etc/pki/tls/private/myhost.com.key` +
|
||
`# chmod 0600 /etc/pki/tls/private/myhost.com.key` +
|
||
`#` +
|
||
`# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt` +
|
||
`# restorecon /etc/pki/tls/certs/myhost.com.crt` +
|
||
`# chown root.root /etc/pki/tls/certs/myhost.com.crt` +
|
||
`# chmod 0600 /etc/pki/tls/certs/myhost.com.crt`
|
||
|
||
After this link:#mod_ssl-configuration[ set it up]
|
||
|
||
[[generate-a-new-certificate]]
|
||
Generate a new certificate
|
||
++++++++++++++++++++++++++
|
||
|
||
How to https://fedoraproject.org/wiki/Https#openssl[generate a new
|
||
certificate]
|
||
|
||
[[mod_ssl-configuration]]
|
||
mod_ssl configuration
|
||
+++++++++++++++++++++
|
||
|
||
The default TLS/SSL configuration is contained in the file (if you are
|
||
using ). If you examine that file, you will see the directives that
|
||
specify where the TLS/SSL certificate and key are located:
|
||
|
||
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
|
||
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key`
|
||
|
||
If you look carefully, you will see that these directives are actually
|
||
enclosed in a block defining a
|
||
https://httpd.apache.org/docs/current/vhosts/[virtual host]:
|
||
|
||
+
|
||
`...` +
|
||
`SSLCertificateFile /etc/pki/tls/certs/localhost.crt` +
|
||
`...` +
|
||
`SSLCertificateKeyFile /etc/pki/tls/private/localhost.key` +
|
||
`...` +
|
||
|
||
If we wanted to define a different location for these files, we could
|
||
edit the lines in directly, but it would be better to create a new file
|
||
:
|
||
|
||
+
|
||
`SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt` +
|
||
`SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key` +
|
||
|
||
This file will override those two settings for the _default_:443 virtual
|
||
host; all other settings from will be kept.
|
||
|
||
[[settings-for-individual-virtual-hosts]]
|
||
Settings for individual virtual hosts
|
||
|
||
If you want a specific virtual host to use SSL/TLS with a different
|
||
certificate from the default, open that virtual host's configuration
|
||
file, usually , and insert these lines between and :
|
||
|
||
`SSLEngine on` +
|
||
`SSLCertificateFile /etc/pki/tls/certs/hostname.crt` +
|
||
`SSLCertificateKeyFile /etc/pki/tls/private/hostname.key`
|
||
|
||
[[installing-webapps]]
|
||
Installing webapps
|
||
~~~~~~~~~~~~~~~~~~
|
||
|
||
You probably want to run something on your web server. Many of the most
|
||
popular 'web applications' are packaged for Fedora. Using the packaged
|
||
versions of web applications is usually recommended: they will be
|
||
configured following the distribution's best practices which help to
|
||
ensure the security of the installation, for instance by installing
|
||
static files to locations the web server does not have the ability to
|
||
write to, and doing access control with configuration files rather than
|
||
files, which are slightly more vulnerable to attack.
|
||
|
||
Packaged web applications will also be configured to work with SELinux,
|
||
which provides significant security benefits.
|
||
|
||
You will also receive updates through the usual Fedora update process,
|
||
making it easier to keep your installation up to date.
|
||
|
||
They will also often have the default configuration tweaked according to
|
||
Fedora's conventions, meaning you have to do less work to get the
|
||
application up and running.
|
||
|
||
Most web applications are simply packaged according to their name. For
|
||
example, you can install Wordpress with:
|
||
|
||
`# dnf install wordpress`
|
||
|
||
Packaged web applications will usually provide Fedora-specific
|
||
instructions in a documentation file - for instance, Wordpress provides
|
||
the files and . It is always a good idea to read these files!
|
||
|
||
Packaged web applications usually restrict access by default so you can
|
||
access them only from the server host itself, to ensure you can run all
|
||
initial configuration safely and things like administration interfaces
|
||
are not left accessible to the public. For information on how to broaden
|
||
access, see link:#webapp-access-control[below].
|
||
|
||
Web applications commonly require the use of a database server. This
|
||
wiki contains information on installing and configuring PostgreSQL and
|
||
MariaDB on Fedora.
|
||
|
||
[[configuration]]
|
||
Configuration
|
||
~~~~~~~~~~~~~
|
||
|
||
is the main Apache configuration file. It _includes_ : if the same
|
||
setting is specified in both and a file in , the setting from the file
|
||
will win. Files in are read in alphabetical order: a setting from will
|
||
win over a setting from , which will win over a setting from , which
|
||
will win over a setting from .
|
||
|
||
It is usually best practice never to modify or any of the files shipped
|
||
by Fedora packages directly. If you make any local changes to these
|
||
files, then any changes to them in newer package versions will not be
|
||
directly applied: instead a file will be created and you will have to
|
||
merge the changes manually. It is usually better instead to create a new
|
||
file in which will take precedence over the file you wish to 'modify',
|
||
and make your settings there. For instance, to change a setting
|
||
specified in you could create the file and place your setting in that
|
||
file. We will see an example of this next.
|
||
|
||
After making any changes to your server configuration, you should run:
|
||
|
||
`# apachectl reload`
|
||
|
||
to apply the changes. Certain changes may require Apache to be fully
|
||
restarted:
|
||
|
||
`# systemctl restart httpd.service`
|
||
|
||
[[enabling-access-to-web-applications]]
|
||
Enabling access to web applications
|
||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Fedora-packaged web applications are usually configured such that, by
|
||
default, access is allowed only from localhost. Typically you will find
|
||
that there is a file with the following (among other settings):
|
||
|
||
+
|
||
` ` +
|
||
` # Apache 2.4` +
|
||
` Require local` +
|
||
` ` +
|
||
` ` +
|
||
` # Apache 2.2` +
|
||
` Order Deny,Allow` +
|
||
` Deny from all` +
|
||
` Allow from 127.0.0.1` +
|
||
` Allow from ::1` +
|
||
` ` +
|
||
|
||
Before allowing general access to the webapp, ensure you have configured
|
||
it correctly and the administration interface and other sensitive areas
|
||
are not accessible without appropriate authentication. Also remember to
|
||
ensure your database configuration is secure, if the application uses a
|
||
database. To broaden access to the application, you can create a file .
|
||
To allow access to all systems on a typical local network, you could
|
||
write:
|
||
|
||
+
|
||
` ` +
|
||
` # Apache 2.4` +
|
||
` Require local` +
|
||
` Require ip 192.168.1` +
|
||
` ` +
|
||
` ` +
|
||
` # Apache 2.2` +
|
||
` Order Deny,Allow` +
|
||
` Deny from all` +
|
||
` Allow from 127.0.0.1` +
|
||
` Allow from ::1` +
|
||
` Allow from 192.168.1` +
|
||
` ` +
|
||
|
||
Once you are sure the application is correctly configured, this
|
||
configuration will allow access from any host:
|
||
|
||
+
|
||
` ` +
|
||
` # Apache 2.4` +
|
||
` Require all granted` +
|
||
` ` +
|
||
` ` +
|
||
` # Apache 2.2` +
|
||
` Order Deny,Allow` +
|
||
` Allow from all` +
|
||
` ` +
|
||
|
||
[[opening-firewall-ports]]
|
||
Opening firewall ports
|
||
^^^^^^^^^^^^^^^^^^^^^^
|
||
|
||
Apache uses port 80 for plain http connections and port 443 for TLS/SSL
|
||
connections by default. To make this service available from other
|
||
computers or the Internet your have to allow Apache through the firewall
|
||
like this:
|
||
|
||
To open the firewall at each boot:
|
||
|
||
For plain HTTP connections:
|
||
|
||
`# firewall-cmd --permanent --add-service=http`
|
||
|
||
For TLS/SSL connections:
|
||
|
||
`# firewall-cmd --permanent --add-service=https`
|
||
|
||
To open the firewall right now:
|
||
|
||
For plain HTTP connections:
|
||
|
||
`# firewall-cmd --add-service=http`
|
||
|
||
For TLS/SSL connections:
|
||
|
||
`# firewall-cmd --add-service=https`
|
||
|
||
Remember that if your server is running behind a NAT router, you will
|
||
also need to configure your router to forward the HTTP and HTTPS ports
|
||
to your server if you wish to allow access from outside your local
|
||
network.
|
||
|
||
[[disable-test-page]]
|
||
Disable test page
|
||
^^^^^^^^^^^^^^^^^
|
||
|
||
To disable the test page comment out all the lines in the file
|
||
|
||
[[references]]
|
||
References
|
||
~~~~~~~~~~
|
||
|
||
* https://httpd.apache.org/docs/current/[Apache documentation]
|
||
* https://httpd.apache.org/docs/current/getting-started.html[Apache
|
||
"Getting Started"]
|
||
* https://httpd.apache.org/docs/current/ssl/[Apache TLS/SSL
|
||
documentation]
|
||
* https://httpd.apache.org/docs/current/misc/security_tips.html[Apache
|
||
security tips]
|
||
* OwnCloud
|
||
'''
|
||
|
||
See a typo, something missing or out of date, or anything else which can be
|
||
improved? Edit this document at https://pagure.io/fedora-docs/quick-docs.
|