Apache Web Server
How to Install, Configure (Server, Virtual Hosts, etc.), Secure, and manage Logs for Apache 2 on Ubuntu.
Install
The simplest task is installing Apache 2 on Ubuntu. This process has not changed significantly in several versions.
sudo apt install apache2
After this finishes, all required packages are installed and we can test it by going to the default page on our server with a browser. Usually you should see something like this:
Configuration
The first thing you might notice is the location of the resources (web pages) that the server will look in: /var/www/html
The second thing you should know about Linux systems in general is that they almost always include documentation, AND THAT DOCUMENTATION IS SPECIFIC TO THE PLATFORM YOU ARE ON! In this case you will notice that the documentation for this installation references /usr/share/doc/apache2/README.Debian.gz. This tells us that the documentation for this installation (which builds on the Debian distribution) is gzipped, and where that file lives.
How would you look at that file without unzipping it? less /usr/share/doc/apache2/README.Debian.gz will show you the page just as if it was a man page.
Demo/View Configuration:
- Show the man page; it has a list of files and their locations. Look at each one and point out the important parts.
/etc/apache2/apache2.conf
Notice the reference to official documentation from Apache http://httpd.apache.org/docs/2.4
- Notice that this configuration varies significantly from the upstream's suggested way to configure the server. This doesn't mean that the server is configured differently or that the official docs are not relevant, but rather that the layout of the files and where we put configuration information is different.
- We get a hint that Apache was at one time configured by a single .conf file. (httpd.conf or apache2.conf) and that the separation of information into different files is for our benefit.
- ports.conf is very short and we can divert there for a moment; it exists to define the ports on which to listen.
Notice the <IfModule ###>...</...>. These check for a module and if it is loaded, then we define the listening port for that module.
The conf-enabled/ directory links to files in conf-available/. Apache2 loads a configuration file from conf-available only if conf-enabled contains a link to it. This is how we switch configurations on and off without deleting them.
Similarly, mods-available contains a list of installed modules and their configurations. Look at the ssl.conf file. This is the setup of the module, not the setup of SSL for a website (of which we can host many with Apache), so don't get these confused. We rarely edit files here.
Similarly, sites-available contains the available web sites and their configurations. Let's look at what is enabled and then at the associated configuration file.
The 000-default.conf (why did they name it 000?) contains a directive for a virtual host: <VirtualHost *:80>. Review this; here we could change the port of this virtual host...
What is a virtual host? See: http://httpd.apache.org/docs/2.4/vhosts/
Tools worth noting that relate to enabling sites, modules, and configurations are a2enconf, a2enmod, and a2ensite and their counterparts a2disconf, a2dismod, and a2dissite. Each of these sets (or deletes) the appropriate links in the *-enabled directory. If you want to enable a module or configuration for only a single site and not globally, you can link to the file from inside the VirtualHost configuration of a specific site.
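To make the *-available / *-enabled indirection concrete, here is an added example (written for these notes, not the a2ensite script shipped with Debian) that reproduces what a2ensite and a2dissite do: create or remove a symlink in sites-enabled pointing at a file in sites-available. It works in a scratch directory under the assumed variable APACHE_ROOT so it runs without Apache installed; the two site configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example: the sites-available/sites-enabled symlink scheme that
# a2ensite/a2dissite manage, replayed in a scratch tree.
# APACHE_ROOT is an assumption for the demo (defaults to a temp dir),
# so nothing under /etc/apache2 is touched.
APACHE_ROOT="${APACHE_ROOT:-$(mktemp -d)}"

# Lay out a minimal tree with two constructed site configs.
setup_tree() {
    mkdir -p "$APACHE_ROOT/sites-available" "$APACHE_ROOT/sites-enabled"
    printf '<VirtualHost *:80>\n  ServerName default.example\n</VirtualHost>\n' \
        > "$APACHE_ROOT/sites-available/000-default.conf"
    printf '<VirtualHost *:80>\n  ServerName intranet.example\n</VirtualHost>\n' \
        > "$APACHE_ROOT/sites-available/intranet.conf"
}

# Enable a site: add a relative symlink in sites-enabled, as a2ensite does.
# Refuses names that have no file in sites-available, so only configs that
# were deliberately placed there can ever be switched on.
enable_site() {
    [ -f "$APACHE_ROOT/sites-available/$1.conf" ] || return 1
    ln -sf "../sites-available/$1.conf" "$APACHE_ROOT/sites-enabled/$1.conf"
}

# Disable a site: remove only the link; the config stays in sites-available.
disable_site() {
    rm -f "$APACHE_ROOT/sites-enabled/$1.conf"
}

# List what Apache would actually load (one site name per line).
enabled_sites() {
    for f in "$APACHE_ROOT"/sites-enabled/*.conf; do
        if [ -e "$f" ]; then basename "$f" .conf; fi
    done
    return 0
}

# Stand-alone demo on the scratch tree.
setup_tree
enable_site 000-default
enable_site intranet
disable_site intranet
echo "enabled sites: $(enabled_sites | tr '\n' ' ')"
```

Because the links are relative, the tree can be copied or inspected elsewhere and the links still resolve, which is also why `ls -l sites-enabled/` is the quickest way to see which site configs are live on a real server.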
As we move down through the rest of apache2.conf, we see many comments and only a few real configuration directives. Many of these are set from the envvars file, such as PidFile, set to /var/run/apache2/apache2.pid.
- Others are more interesting:
Timeout 300 (or 5 minutes; that's a long time! What does Timeout actually do?)
KeepAlive On (what does this do?) See: https://httpd.apache.org/docs/2.4/mod/core.html#KeepAlive
Notice the Include ports.conf and other includes.
<Directory /> Yeah, I know it looks like a closing tag in HTML, but it is the directory configuration information for the / directory. Take a look at https://httpd.apache.org/docs/2.4/mod/core.html#Directory, because this is an important topic.
AllowOverride see: https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
Options see: https://httpd.apache.org/docs/2.4/mod/core.html#options
<FilesMatch "^\.ht">Require all denied</FilesMatch> keeps users from viewing .htaccess or .htpasswd files (we'll talk more about these later).
Security
We consider three aspects of security here:
- Hardening the server
- Encrypting communication via SSL
- Authentication/Authorization options in Apache2
Hardening Apache2
Correctly configuring Apache goes a long way to securing it. To that end, we are going to look at the documentation related to hardening the Apache server on Ubuntu/Debian (https://wiki.debian.org/Apache/Hardening). Give special attention to the security configuration contained in conf-available/security.conf, identified on that page as conf.d/security for Debian (for a full description of ServerTokens, see: https://httpd.apache.org/docs/2.4/mod/core.html#servertokens).
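The following is an added example for these notes, not part of the Debian hardening page: a small shell audit of the three directives that security.conf controls (ServerTokens, ServerSignature, TraceEnable). It writes two constructed config files, one with the permissive settings and one with the hardened values, and reports each directive that still leaks server details or allows TRACE. The file paths come from mktemp and the directive names and values are the real Apache ones.

```shell
#!/bin/sh
# Added example: audit a security.conf-style file for the hardening
# directives. The two sample files are constructed for the demo.
weak_conf="$(mktemp)"
hardened_conf="$(mktemp)"

cat > "$weak_conf" <<'EOF'
# Constructed sample: permissive values that advertise version/OS and allow TRACE
ServerTokens Full
ServerSignature On
TraceEnable On
EOF

cat > "$hardened_conf" <<'EOF'
# Constructed sample: the hardened values
ServerTokens Prod
ServerSignature Off
TraceEnable Off
EOF

# Print the value of a directive ($2) in config file ($1), last one wins,
# matching case-insensitively like Apache does. Empty if not set.
directive_value() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{print $2}'
}

# Check the three directives. Prints one finding per weak setting and
# returns the number of findings (0 means the file passes).
audit_security_conf() {
    findings=0
    tokens=$(directive_value "$1" ServerTokens)
    case "$tokens" in
        [Pp]rod) ;;
        *) echo "ServerTokens is '${tokens:-unset (Apache defaults to Full)}'; set it to Prod"
           findings=$((findings + 1)) ;;
    esac
    sig=$(directive_value "$1" ServerSignature)
    case "$sig" in
        [Oo]ff) ;;
        *) echo "ServerSignature is '${sig:-unset}'; set it to Off"
           findings=$((findings + 1)) ;;
    esac
    trace=$(directive_value "$1" TraceEnable)
    case "$trace" in
        [Oo]ff) ;;
        *) echo "TraceEnable is '${trace:-unset (Apache defaults to On)}'; set it to Off"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Stand-alone demo: the weak file yields three findings, the hardened none.
echo "--- weak sample ---";     audit_security_conf "$weak_conf" || echo "findings: $?"
echo "--- hardened sample ---"; audit_security_conf "$hardened_conf" && echo "passes"
```

On a real system you would point it at /etc/apache2/conf-available/security.conf and remember that the file only takes effect once conf-enabled/security.conf links to it; after changing it, `apachectl configtest` and a reload are needed before the response headers change.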
Encrypting Communication
Configure Apache with an SSL certificate and change settings to require https and disable http. See: https://websiteforstudents.com/how-to-setup-self-signed-ssl-certificates-on-ubuntu-20-04-18-04/
DEMO: Take a look at pinky.scotnpatti.com a.k.a. dra.cs.southern.edu (this machine).
Authentication and Authorization Options for Apache2
See: https://httpd.apache.org/docs/2.4/howto/auth.html
Logs
When something goes wrong, looking in the logs is essential. Where are they? Well, if you are not familiar with BASH scripts this may be a bit confusing. The first log location is something like ${APACHE_LOG_DIR}/error.log. But where is APACHE_LOG_DIR set? In envvars, of course! Looking in that file, we see right away that this is set near the top:
export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
And $SUFFIX is defined near the top.
if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
    SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
else
    SUFFIX=
fi
Now, ## deletes the longest match of the pattern following the ## from the front of the original string. So this literally tries to remove "/etc/apache2-" from the front of the config directory, which by default is "/etc/apache2". For the default it will be unsuccessful and there will be no suffix. So we can safely assume that $SUFFIX="", that APACHE_LOG_DIR="/var/log/apache2", and that the error log is /var/log/apache2/error.log. Of course it didn't take the computer as long to figure that out as it did us. Now let's take a look at these logs.
Make sure to demo tail -f /var/log/apache2/...
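The SUFFIX logic above, replayed as an added example (these functions are written for the notes, not copied from envvars) so the default directory and a second instance's directory can be compared side by side. The directory names passed in are constructed inputs.

```shell
#!/bin/sh
# Added example: the envvars SUFFIX computation as a function, plus the
# log directory and error log that follow from it.

# Return the suffix Apache derives from a config directory: empty for
# /etc/apache2, "-NAME" for /etc/apache2-NAME.
apache_suffix() {
    confdir="$1"
    # ${var##pattern} strips the longest match of pattern from the front.
    # If nothing was stripped, this is the default directory: no suffix.
    if [ "${confdir##/etc/apache2-}" != "${confdir}" ]; then
        printf '%s' "-${confdir##/etc/apache2-}"
    else
        :
    fi
}

# The log directory envvars builds from that suffix.
apache_log_dir() {
    printf '%s' "/var/log/apache2$(apache_suffix "$1")"
}

# The error log path that apache2.conf's ${APACHE_LOG_DIR}/error.log resolves to.
apache_error_log() {
    printf '%s' "$(apache_log_dir "$1")/error.log"
}

# Stand-alone demo with constructed config directories.
for d in /etc/apache2 /etc/apache2-staging; do
    echo "$d -> $(apache_error_log "$d")"
done
```

This is why a second Apache instance started with APACHE_CONFDIR=/etc/apache2-staging logs to /var/log/apache2-staging/ rather than mixing its entries into the default instance's files; when tailing a log, check which instance's directory you are in.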
Summary
We looked at the following topics:
We found that Installing Apache2 on Ubuntu 20.04 is quite easy.
Apache2 Configuration resides completely in text files. The main config file is /etc/apache2/apache2.conf. You can find all the other files as they are imported from here. General configuration, module and site configuration files are turned on and off through a level of indirection provided by the *-enabled directories, allowing multiple configurations to be retained but not enabled.
We looked at both hardening Apache2 Security and installing an SSL certificate. I highly recommend Let's Encrypt as a resource for this on your internet-facing websites. Then we looked at the options Apache2 provides for Authentication and Authorization.
Log files were located through the config and envvars files. We used tail to follow the changes being made to the log file.