Apache HTTPd Installation on Ubuntu Linux
Apache HTTPd is one of the most widely used web servers.
Here I describe its installation and configuration on Ubuntu Linux.
Installation
aptitude install apache2
Configuration
First we stop the Apache server
service apache2 stop
Now we create the work directory under /srv and put the log files there:
mkdir -p /srv/httpd/logs
mkdir -p /srv/httpd/vhosts
rm -rf /var/log/apache2/
ln -s /srv/httpd/logs/ /var/log/apache2
a2enmod rewrite
Now we create the certificate directories (if SSL (HTTPS) is not needed, this step can be skipped!)
mkdir /etc/apache2/ssl.crt
mkdir /etc/apache2/ssl.key
mkdir /etc/apache2/ssl.csr
/etc/apache2/conf.d/security
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
#ServerTokens OS
#ServerTokens Full
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature Off
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
#TraceEnable On
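The following check is an added example, not part of the original page: it reads a config file and reports whether ServerTokens, ServerSignature and TraceEnable are effectively set to the values used above, ignoring commented-out alternatives such as "#TraceEnable On". The function names are hypothetical, and the script assumes only the given file matters (Include files and per-vhost overrides are not followed).

```shell
#!/bin/sh
# Added example: audit the hardening directives from /etc/apache2/conf.d/security.
# Assumption: only the given file is read; Include files and vhost overrides are not followed.

# Print the effective value (lowercased) of a directive: the last uncommented
# occurrence in the file. Directive names are case-insensitive. A commented line
# such as "#TraceEnable On" has '#' in its first field, so it never matches.
effective_value() {
    awk -v want="$2" '
        tolower($1) == tolower(want) { val = tolower($2) }
        END { print val }
    ' "$1"
}

# check_directive FILE DIRECTIVE EXPECTED(lowercase): report, return 1 on mismatch.
check_directive() {
    got=$(effective_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK   $2 = $got"
    else
        echo "FAIL $2 = ${got:-<unset>} (expected $3)"
        return 1
    fi
}

# Return 0 only if all three settings match the values used on this page.
audit_security_conf() {
    rc=0
    check_directive "$1" ServerTokens prod || rc=1
    check_directive "$1" ServerSignature off || rc=1
    check_directive "$1" TraceEnable off || rc=1
    return "$rc"
}

# Constructed sample: the active and commented-out lines of the page's file.
write_sample() {
    printf '%s\n' '#ServerTokens Full' 'ServerTokens Prod' \
        '#ServerSignature Off' 'ServerSignature Off' \
        'TraceEnable Off' '#TraceEnable On' > "$1"
}

# Audit the file given as first argument, or the constructed sample if none.
conf=${1:-}
if [ -z "$conf" ]; then
    conf=$(mktemp)
    write_sample "$conf"
fi
audit_security_conf "$conf"
```

Run it with the path of the security file as its only argument; the exit status is non-zero if any of the three directives is missing or set to a weaker value.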
/etc/apache2/vhostdefaults.conf
# Disables all request methods except POST and GET
<Location />
    <LimitExcept POST GET>
        Deny from All
    </LimitExcept>
</Location>
Setting up the default vHosts
vHost for the server name, with an empty index.html for security reasons
mkdir -p /srv/httpd/vhosts/$(/bin/hostname -f)/htdocs
touch /srv/httpd/vhosts/$(/bin/hostname -f)/htdocs/index.html
/etc/apache2/sites-available/servername.domain.tld
# default vhost
<VirtualHost *:80>
    ServerName FQDN-HOSTNAME
    ServerAlias OWNIPADDRESSE
    ErrorLog /var/log/apache2/FQDN-HOSTNAME-error.log
    CustomLog /var/log/apache2/FQDN-HOSTNAME-access.log combined
    Include vhostdefaults.conf
    DocumentRoot /srv/httpd/vhosts/FQDN-HOSTNAME/htdocs
    <Directory /srv/httpd/vhosts/FQDN-HOSTNAME/htdocs>
        Order Deny,Allow
        Allow from all
        AllowOverride None
        Options -Indexes +FollowSymLinks -Includes -MultiViews
    </Directory>
</VirtualHost>
Localhost vHost
/etc/apache2/sites-available/localhost
# localhost
<VirtualHost *:80>
    ServerName localhost
    ServerAlias 127.0.0.1
    ErrorLog /var/log/apache2/main-error.log
    CustomLog /var/log/apache2/main-access.log combined
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 localhost
        Allow from OWNIPADDRESSE
    </Location>
</VirtualHost>
Now enable them:
a2ensite $(/bin/hostname -f)
a2ensite localhost
mv /etc/apache2/sites-enabled/$(/bin/hostname -f) /etc/apache2/sites-enabled/000-$(/bin/hostname -f)
a2dissite default
Hardening
The Apache hardening is covered in the following documentation: