Apache2 Configuration
The first time I tried Apache, I didn't really care about security or configuration tuning, because it runs fine right off the bat: just drop your website in /www and you're live. Since my site is exposed now, I've decided to compile some of my configurations to avoid mistakes in the future if I ever try to run it again. I was mainly confused by Virtual Hosts, but it didn't take long to figure them out, because the Apache documentation is amazing. Let's start with installation: either use apt-get, or download it from here if you want new or beta releases.
Installation
As on any other Ubuntu environment, use apt-get to download and install Apache2.
- su
- apt-get update
- apt-get install apache2 apache2-doc apache2-utils
Otherwise:
- cd ~
- wget http://apache.mirror.vu.lt/apache//httpd/httpd-2.2.23.tar.gz
- tar -xvzf httpd-2.2.23.tar.gz
- cd httpd-2.2.23
- ./configure
- make && make install
Initial Configuration
Edit the ports you want your server to listen on, and don't forget to back up your config files first:
- cd /etc/apache2
- cp ports.conf ports.conf.default
- nano ports.conf
Comment out the whole SSL section if you don't use it and leave the rest intact. If you're hosting only one website, you can drop all its files into the /var/www directory and you are set.
If the machine's root directory is exposed through the website, disable browsing it. Edit apache2.conf if you're running Debian/Ubuntu, otherwise httpd.conf:
- nano /etc/apache2/apache2.conf
And add:
- <Directory />
- Order Deny,Allow
- Deny from all
- </Directory>
Adding Virtual Hosts
If you own a few websites or domains you should probably use Virtual Hosts, a way of hosting several websites for several domains on one machine. To add this functionality, you need to create files that represent your websites in the /etc/apache2/sites-available directory. Adding .htaccess files all over your site is bad practice (if you have root access), so you will add the browsing rules in these files as well.
- nano /etc/apache2/sites-available/www.example.com
Obviously change example.com to your own domain name. Depending on what language your website is written in, you may add or remove index file types under DirectoryIndex. Everything in this file must remain between the VirtualHost tags.
- <VirtualHost *:80>
- ServerAdmin postmaster@example.com
- ServerName www.example.com
- DirectoryIndex index.htm index.html index.php
- DocumentRoot /var/www/www.example.com/htdocs/
- </VirtualHost>
Now that the general options are set, insert these lines: -Indexes stops people from browsing your directories, -MultiViews disables automatic extension matching, and the rest are pretty much default settings.
- <Directory "/var/www/www.example.com/htdocs">
- Options -Indexes +FollowSymLinks -MultiViews
- AllowOverride None
- Order allow,deny
- Allow from all
- </Directory>
To secure your cgi-bin directory insert:
- ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
- <Directory "/usr/lib/cgi-bin">
- AllowOverride None
- Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
- Order allow,deny
- Allow from all
- </Directory>
This way you don't need to place CGI scripts inside the website's root, which avoids revealing their source code.
If you want to change error pages, like 404 Not Found, add these lines:
- ErrorDocument 403 /errorpages/403.html
- ErrorDocument 404 /errorpages/404.html
- ErrorDocument 500 /errorpages/500.html
And put the error pages in the /var/www/www.example.com/htdocs/errorpages directory. Lastly, insert these to enable logging:
- ErrorLog /var/www/www.example.com/logs/error.log
- CustomLog /var/www/www.example.com/logs/access.log combined
If you have separate users managing different websites, then change the permissions:
- chmod 644 www.example.com
- chown user:group www.example.com
Now that everything is set, you need to enable your virtual host:
- a2ensite www.example.com
And disable the default one:
- a2dissite default
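As an added check (my own script, not from this post), the snippet below parses a sites-available file written in the style above and flags the three things worth reviewing before running a2ensite: an Options line that mixes +/- with bare values (Apache 2.2 refuses to start on that), directory listing (Indexes) left on, and AllowOverride honouring .htaccess files. The sample file is constructed and deliberately contains the first and third mistakes.

```python
import re

# Constructed sample of a sites-available file in the style of the post,
# deliberately containing two of the mistakes the checker looks for.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com/htdocs/
    <Directory "/var/www/www.example.com/htdocs">
        Options -Indexes FollowSymLinks -MultiViews
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    </Directory>
</VirtualHost>
"""

DIR_OPEN = re.compile(r'^<Directory\s+"?([^">\s]+)"?\s*>$', re.I)

def check_vhost(text):
    """Return (directory, problem) findings for an Apache 2.2 style vhost file."""
    findings, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = DIR_OPEN.match(line)
        if opened:
            current = opened.group(1)
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        if current is None:
            continue                      # only <Directory> bodies are checked
        key, *args = line.split()
        if key.lower() == "options":
            signed = [a for a in args if a[0] in "+-"]
            if signed and len(signed) != len(args):
                findings.append((current, "Options mixes +/- and bare values; Apache refuses to start"))
            if any(a.lstrip("+") == "Indexes" for a in args if not a.startswith("-")):
                findings.append((current, "directory listing (Indexes) is enabled"))
        elif key.lower() == "allowoverride" and args != ["None"]:
            findings.append((current, "AllowOverride is not None, so .htaccess files are honoured"))
    return findings
```

Run it over /etc/apache2/sites-available/www.example.com before enabling the site; an empty list means none of the three problems was found.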
301 Permanent Redirect
If you want to permanently redirect one domain to another, create a new file:
- nano /etc/apache2/sites-available/www.old-site.com
And append:
- <VirtualHost *:80>
- ServerAdmin postmaster@new-site.com
- ServerName www.old-site.com
- RedirectPermanent / http://www.new-site.com/
- </VirtualHost>
When redirecting the whole site (domain), pay attention to the '/' between RedirectPermanent and the new site's URL. If you want to redirect just a part of the old site, add a .htaccess file to that directory with one of the following lines inside it:
- RedirectPermanent /catalog http://www.new-site.com/catalog/
- RedirectPermanent /catalog/file.ext1 http://www.ignas.net/another_catalog/file2.ext2
And don't forget to:
- a2ensite www.old-site.com
Stop Hotlinking
Hotlinking is when one site steals bandwidth from another by linking directly to its images, videos or any other files. This can be stopped by allowing access to these files only from trusted domains. Open up apache2.conf (or httpd.conf if running something other than Debian/Ubuntu):
- su
- cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.default
- nano /etc/apache2/apache2.conf
Add:
- SetEnvIf Referer example\.com localref
- <FilesMatch \.(jpg|jpeg|png|gif)$>
- Order deny,allow
- Deny from all
- Allow from env=localref
- </FilesMatch>
Add more file types under FilesMatch as desired. To test whether it works, visit altlab.com.
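The combined access.log enabled earlier is the place to see whether the hotlinking rule above is doing anything. As an added example (my own code, not from the post), this script parses combined-format log lines and lists image requests whose Referer points at some other site: a 200 means bandwidth was actually served to that site, a 403 means the FilesMatch rule blocked it. The log lines are constructed samples, and requests with no Referer are skipped since those are direct visits, not hotlinks.

```python
import re
from urllib.parse import urlparse

# Combined log format, as written by the CustomLog line earlier in the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$')
ASSET_RE = re.compile(r'\.(jpg|jpeg|png|gif)$', re.I)   # same types as the FilesMatch rule

# Constructed sample access.log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "http://forum.other-site.net/thread/42" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:02 +0000] "GET /images/banner.jpg HTTP/1.1" 403 289 "http://forum.other-site.net/thread/42" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2012:13:57:10 +0000] "GET /images/logo.png HTTP/1.1" 200 2326 "-" "curl/7.22.0"
192.0.2.9 - - [10/Oct/2012:13:57:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "http://other.example.org/" "curl/7.22.0"
"""

def parse_combined(line):
    """Split one combined-format line into fields, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer):
    """Hostname from the Referer field, or None for '-' / empty."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname

def find_hotlinks(lines, own_domain):
    """Return (ip, path, referer_host, status) for image requests referred by
    another site. 200 = served (bandwidth leaked), 403 = blocked by the rule."""
    own = own_domain.lower()
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None or not ASSET_RE.search(rec["path"]):
            continue
        host = referer_host(rec["referer"])
        if host is None or host == own or host.endswith("." + own):
            continue                       # direct visit or our own pages
        hits.append((rec["ip"], rec["path"], host, int(rec["status"])))
    return hits
```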
Server-status
If you want to track current connections to your server, you can use a little Apache module called 'mod_status'. To enable it, add the following lines to the virtual host configuration file or to apache2.conf/httpd.conf:
- <Location /server-status>
- SetHandler server-status
- Order Deny,Allow
- Deny from all
- Allow from 192.168.1.0/24
- </Location>
I also included 'Allow from 192.168.1.0/24' to allow access only from the LAN subnet; you can add this to any <Directory> configuration and use any other IP address, subnet or domain:
- Allow from 192.168.1.0/24
- Allow from 192.168.2.244
- Allow from .example.com
Now just navigate to example.com/server-status and you're set.