Apache

From vwiki
Revision as of 10:26, 9 February 2012 by Sstrutt (talk | contribs) (→‎Configuration: Added "Create Secure Website")
File path           What's there
/var/www            Default web root
/var/log/apache     Logs
/etc/apache2        Config files
/etc/php5/apache2   PHP config file

Configuration

Host Multiple Sites

There are various methods that can be used to enable you to host multiple websites on the same server. This is but one, and allows you to host different domains on the same server.

You'll need a publicly accessible server running Apache, and the ability to create DNS entries for the domains you want to host. In this example we're creating two websites, called web1 and web2, on a server with IP address 123.10.10.2

Before you configure the webserver, you need to set up DNS correctly. For this example this could be done in one of two ways...

  • A records only
    • web1.domain.com -- A record --> 123.10.10.2
    • web2.domain.com -- A record --> 123.10.10.2
  • A and CNAME records
    • web.domain.com -- A record --> 123.10.10.2
    • web1.domain.com -- CNAME record --> web.domain.com
    • web2.domain.com -- CNAME record --> web.domain.com

...how you choose to do it is up to you, and depends on what changes you might expect to make down the line. If you have a small set-up it's probably easiest to go with purely A records, but where you have a larger number of websites and web hosts, it can be easier to manage with all your web hosts having A records and all websites having CNAME records pointing to the host that they're running from.

Either way, you should be able to ping the addresses of either website and get the correct IP address back.

Next you should check that your web server is working correctly. If it's a new install, you should be able to browse to the server's IP address and get a basic "It works!" page back. This site, or any site that's using the root of your web server, will need to be (re)moved.

Now to create the web-sites...

  1. If you have an existing site that's served from the root of your webserver, this needs to be removed first. So to remove the default site that's installed with Apache...
    1. Disable the web-site by removing the link to its config from sites-enabled
      • rm /etc/apache2/sites-enabled/000-default
      • service apache2 restart (you may get a warning about no VirtualHosts)
    2. Test by browsing to your web-server's IP address, no webpage should be returned
  2. Now create the required folders...
    1. Create sub-folders for your web-sites, eg
      • mkdir /var/www/web1.domain.com
      • mkdir /var/www/web2.domain.com
    2. Create sub-folders for your web-sites' logs, eg
      • mkdir /var/log/apache2/web1.domain.com
      • mkdir /var/log/apache2/web2.domain.com
  3. Now create the required configs...
    1. Create a config for web1, using the example file contents below
      • vi /etc/apache2/sites-available/web1.domain.com
    2. Create a config for web2, using the example file contents below, but edit so that web1 becomes web2
      • vi /etc/apache2/sites-available/web2.domain.com
  4. Now create some test content, and enable...
    1. Copy the default index.html to your new web-site folders, and edit so that they identify the web-site they're in
      • cp /var/www/index.html /var/www/web1.domain.com/ and edit
      • cp /var/www/index.html /var/www/web2.domain.com/ and edit
    2. Enable the websites
      • cd /etc/apache2/sites-enabled
      • ln -s ../sites-available/web1.domain.com web1.domain.com
      • ln -s ../sites-available/web2.domain.com web2.domain.com
    3. Restart the Apache service to apply
      • service apache2 restart
  5. Test - you should now have two separately accessible websites..!
<VirtualHost *:80>
       ServerAdmin info@domain.com
       ServerName  web1.domain.com

       # Indexes + Directory Root.
       DirectoryIndex index.php
       DocumentRoot /var/www/web1.domain.com/

       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>

       # Logfiles
       ErrorLog  /var/log/apache2/web1.domain.com/error.log
       CustomLog /var/log/apache2/web1.domain.com/access.log combined

</VirtualHost>
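Steps 2 to 4 above, written as one shell function so that every new site is created the same way. This is an added example, not from the wiki page; it assumes the Debian paths in the table at the top and Apache 2.2 (the Order/Allow syntax the page's own configs use). The SITE argument is the site's FQDN; the three optional root arguments exist only so the function can be exercised against a scratch directory. Beyond the page's config it rejects anything that is not a plain hostname and adds an explicit deny on / so only the DocumentRoot tree is served.

```shell
# Added example (not the wiki page's own script).
# Usage: add_vhost SITE [APACHE_ETC] [WWW_ROOT] [LOG_ROOT]
add_vhost() {
    site=$1
    etc=${2:-/etc/apache2}; www=${3:-/var/www}; logs=${4:-/var/log/apache2}

    # The argument ends up in paths and in the config file, so only accept a
    # plain hostname (letters, digits, dots, hyphens; no leading dot or hyphen).
    case $site in
        ''|.*|-*|*[!A-Za-z0-9.-]*) echo "add_vhost: bad hostname '$site'" >&2; return 1 ;;
    esac

    mkdir -p "$www/$site" "$logs/$site" "$etc/sites-available" "$etc/sites-enabled"

    # Same shape as the example config above, plus an explicit deny on /
    # so a misconfiguration elsewhere cannot expose the rest of the filesystem.
    cat > "$etc/sites-available/$site" <<EOF
<VirtualHost *:80>
    ServerAdmin webmaster@$site
    ServerName  $site
    DirectoryIndex index.html index.php
    DocumentRoot $www/$site/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Directory $www/$site/>
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog  $logs/$site/error.log
    CustomLog $logs/$site/access.log combined
</VirtualHost>
EOF

    # Placeholder page that names the site, so the browser test can tell them apart.
    [ -e "$www/$site/index.html" ] || printf '<html><body><h1>%s</h1></body></html>\n' "$site" > "$www/$site/index.html"

    # Enable the site (symlink into sites-enabled) and syntax-check before restarting.
    rm -f "$etc/sites-enabled/$site"
    ln -s "../sites-available/$site" "$etc/sites-enabled/$site"
    if [ "$etc" = /etc/apache2 ] && command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl configtest
    fi
}
```

After `add_vhost web1.domain.com` and `add_vhost web2.domain.com` on the real server, `service apache2 restart` applies both.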

Create Secure Website

Certificates

In order to run a secure website you need certificates. Whilst a full explanation of the purpose and usage of certificates is beyond the scope of this page, I'll attempt to summarise...

What kind of certificate you require depends on what you are going to use the site for. Generally speaking, a website that's going to be accessed by the general public or non IT-literate users will need to be signed by one of the big certificate authorities (aka well-known root CAs) which are already trusted by web browsers; but if it's an internal or test site, or it's only going to be accessed by people who know and trust you, a self-signed certificate will be fine. It boils down to how much trust a user needs to have in your website, and what level of monetary insurance there should be if the security mechanism breaks down.

A self-signed certificate will present an alert to the user, asking them if they really trust the website they're accessing. They can either decide that they do trust you or close the page. If they do trust you, and trust that they've hit your genuine website, they can permanently accept your self-signed certificate as valid and trustworthy. Note that if they (for some reason) go to a bogus website masquerading as you before they've accepted your certificate as valid, they can be tricked into trusting somebody else instead.

A commercially signed certificate will normally automatically provide validation that the website is valid and trustworthy, but will also normally cost money. Cheaper certificates (or sometimes free ones, if you're a person rather than a company) require only limited validation that you are who you say you are, and carry minimal insurance for any loss due to a security breach. More expensive certificates can be more flexible (they can cover an entire domain rather than just a single host), provide greater insurance, and should provide greater assurance to your users (they'll also require much more stringent validation to confirm that you (or your company) actually exist, that you own your domain, etc).

If you expect to be handling any money/card transactions or other highly sensitive data, then securing your website can be hard work and expensive, both in terms of the certificate(s) you need to purchase and the other measures you need to take to ensure your site is actually secure. There is good reason why many online businesses use 3rd-party websites for their transactions. Unless you have dedicated staff that can continually apply preventative measures (be it OS patching, reacting to PHP vulnerabilities, or whatever) and that can promptly detect and react to potential security breaches, do not take on the responsibility yourself. If your site gets breached, and your clients/customers become exposed, it's your fault.

Create Self-Signed Certificate

This is basically an adapted version of what has been documented previously by Van Emery, which is well worth checking out.

  1. Create private (self generated) Certificate Authority (CA) key and certificate for you/your organisation
    • These will be used as the basis for any future certs/keys for web servers you need - keep them safe!
    1. Create folder for them, and move into the folder
      • EG mkdir /root/certs
      • EG chmod 0770 /root/certs
      • EG cd /root/certs
    2. Create CA key (you'll need to provide a passphrase/password for your key)
      • EG openssl genrsa -des3 -out self-ca.key 2048
    3. Create CA X.509 certificate (you'll need to provide details about you; if your website is public, these details will be viewable)
      • EG openssl req -new -x509 -days 3650 -key self-ca.key -out self-ca.crt
    4. Check certificate
      • EG openssl x509 -in self-ca.crt -text -noout
  2. Create a private key and certificate for your website
    1. Generate the private key for the server (you'll need to provide a passphrase/password for your key)
      • This is specific to your server (not the website)
      • EG openssl genrsa -des3 -out my-server.key 1024
    2. Create a Certificate Signing Request (CSR) for the website
      • EG openssl req -new -key my-server.key -out web-my-server.csr
      • The Common Name must match the FQDN of your website
    3. Create certificate for the website
      • EG openssl x509 -req -in web-my-server.csr -out web-my-server.crt -sha1 -CA self-ca.crt -CAkey self-ca.key -CAcreateserial -days 3650
    4. Check certificate
      • EG openssl x509 -in web-my-server.crt -text -noout
    5. Protect keys and copy to Apache directory
      • EG chmod 0400 *.key
      • EG mkdir /etc/apache2/ssl
      • EG cp web-my-server.crt /etc/apache2/ssl/
      • EG cp my-server.key /etc/apache2/ssl/
      • EG cp self-ca.crt /etc/apache2/ssl/
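The CA and website certificate steps above run non-interactively, so they can be repeated for each new site. This is an added example, not the wiki page's or Van Emery's script; it assumes openssl on PATH, and DIR, FQDN and the CA_PASS environment variable are its own parameters. It deviates from the steps above in three places: the server key is left unencrypted (so Apache can restart unattended; it is still made mode 0400), the key is 2048-bit and signed with SHA-256 rather than 1024-bit/SHA-1, and a subjectAltName is added because browsers match the hostname against that rather than the Common Name. The final step turns "check certificate" into a pass/fail test.

```shell
# Added example (not the wiki page's own script).
# Usage: CA_PASS=... make_site_cert DIR FQDN   (passphrase read from the environment,
# not the command line, so it does not show up in the process list)
make_site_cert() (
    dir=$1; fqdn=$2
    : "${CA_PASS:?set CA_PASS to the CA key passphrase}"
    export CA_PASS
    mkdir -p "$dir" && chmod 0700 "$dir" && cd "$dir" || exit 1

    # Explicit CA profile, so the root really is marked CA:TRUE whatever the
    # host's default openssl.cnf says. Subject is a constructed placeholder.
    cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example Org
CN = Example Org private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Private CA: passphrase-protected key and 10-year self-signed certificate.
    openssl genrsa -des3 -passout env:CA_PASS -out self-ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config ca.cnf -key self-ca.key \
        -passin env:CA_PASS -out self-ca.crt

    # 2. Server key, CSR whose CN is the site FQDN, then sign it with the CA,
    #    adding the subjectAltName browsers check.
    openssl genrsa -out my-server.key 2048 2>/dev/null
    openssl req -new -config ca.cnf -subj "/CN=$fqdn" -key my-server.key \
        -out web-my-server.csr
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > san.ext
    openssl x509 -req -in web-my-server.csr -CA self-ca.crt -CAkey self-ca.key \
        -passin env:CA_PASS -CAcreateserial -days 3650 -sha256 \
        -extfile san.ext -out web-my-server.crt 2>/dev/null
    chmod 0400 self-ca.key my-server.key

    # 3. Check: the chain must verify against the CA and the certificate must
    #    actually carry the requested name. Non-zero exit means something went wrong.
    openssl verify -CAfile self-ca.crt web-my-server.crt >/dev/null &&
        openssl x509 -in web-my-server.crt -noout -text | grep -q "DNS:$fqdn"
)
```

The resulting web-my-server.crt, my-server.key and self-ca.crt are the files the steps above copy into /etc/apache2/ssl.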

Setup Secured Website

  1. Create sub-folders for your web-sites, eg
    • EG mkdir /var/www/www.domain.com
  2. Create sub-folders for your web-sites' logs, eg
    • EG mkdir /var/log/apache2/www.domain.com
  3. Enable mod_ssl
    • cd /etc/apache2/mods-enabled
    • ln -s ../mods-available/ssl.conf ssl.conf
    • ln -s ../mods-available/ssl.load ssl.load
  4. Create config file for site (see below for content)
    • EG vi /etc/apache2/sites-available/ssl-site
  5. Enable site
    • cd /etc/apache2/sites-enabled
    • ln -s ../sites-available/ssl-site ssl-site
  6. Restart Apache to apply
    • service apache2 restart
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
       ServerName www.domain.com
       ServerAdmin info@domain.com

       DocumentRoot /var/www/www.domain.com
       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>
       <Directory /var/www/www.domain.com>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               allow from all
       </Directory>

       ErrorLog  "|/usr/sbin/rotatelogs /var/log/apache2/www.domain.com/error-%Y-%m-%d.log 86400"
       CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/www.domain.com/access-%Y-%m-%d.log 86400" combined

       #   SSL Engine Switch:
       #   Enable/Disable SSL for this virtual host.
       SSLEngine on
       #   Server Certificate:
       SSLCertificateFile /etc/apache2/ssl/web-my-server.crt

       #   Server Private Key:
       SSLCertificateKeyFile /etc/apache2/ssl/my-server.key

       #   Server Certificate Chain:
       SSLCertificateChainFile /etc/apache2/ssl/self-ca.crt

       #   Certificate Authority (CA):
       SSLCACertificateFile /etc/apache2/ssl/self-ca.crt

</VirtualHost>
</IfModule>

Log Rotation

There are two ways to ensure your logs get rotated...

  • logrotate - The standard, cross-application log rotation solution. It's very reliable and easy to configure, but requires that Apache is restarted every time your log is rotated so that it follows the log switch around.
  • rotatelogs pipe - Has more overhead as logs are piped to a child process to handle, but doesn't require Apache restarts.

rotatelog

Edit your existing config file to redirect logging through the child rotatelogs process. This will probably be found in either your site config (EG in /etc/apache2/sites-enabled) or your Apache service config (EG in /etc/apache2/ )

ErrorLog  "|/usr/sbin/rotatelogs /var/log/apache2/error-%Y-%m-%d.log 86400"
CustomLog "|/usr/sbin/rotatelogs /var/log/apache2/access-%Y-%m-%d.log 86400" combined

Check that the path for rotatelogs is correct (search using find / -iname rotatelogs )

Restart Apache, perform a test page load on your site (that would generate log entries), and check that a log file has been generated as per your config

User/pass restrictions

  1. Create a user/pass entry in a file for a username
    • htpasswd -c /usr/local/apache2/conf/htusers username
  2. Add the relevant bits to the /etc/apache2/httpd.conf file, eg
<Directory />
       AuthType Basic
       AuthName "Restricted Access"
       AuthUserFile /usr/local/apache2/conf/htusers
       Require valid-user
</Directory>
  3. Restart the apache service
    • service apache2 restart

Troubleshooting

NameVirtualHost *:80 has no VirtualHosts

On restarting Apache you get presented with the following warning

[Thu Jan 12 10:58:20 2012] [warn] NameVirtualHost *:80 has no VirtualHosts

This is generally caused by duplicate NameVirtualHost entries in your config.

Perform the following in the /etc/apache2 folder to identify where the entries are, and delete the unwanted duplicates..

grep NameVir * -R