Apache HTTP server, installing

Originally by frontalot from linkstationwiki.org

LAMP (or L.A.M.P.) refers to a set of free software programs commonly used together to run dynamic Web sites or servers:
 * Linux, the operating system;
 * Apache, the Web server;
 * MySQL, the database management system (or database server);
 * PHP, Perl, Python, and/or Primate (mod mono), scripting/programming languages.

This section is for Freelink/Debian boxes.

Apache
Install Apache and its related packages. Use the command:

apt-get install apache apache-common

To install Apache 2, use:

apt-get install apache2

MySQL
If you want MySQL, use the command:

apt-get install mysql-server

Copy over the base small server configuration (for systems with <= 64MB of RAM):

cp /usr/share/doc/mysql-server/examples/my-small.cnf /etc/mysql/my.cnf

Perl and Python
If you want Perl support, install the following packages:

apt-get install libapache-mod-perl libapache-ssi-perl

If you want Python support, install the following packages:

apt-get install python libapache-mod-python

PHP 5
This is the current version of PHP. If you want PHP5 support, install the following packages:

apt-get install php5 php5-mysql

Next, configure PHP5. Assuming you are using Apache2, use:

cp /usr/share/doc/php5-common/examples/php.ini-recommended /etc/php5/apache2/php.ini

If you are using Apache 1.3, replace apache2 in that path with apache.

Next edit /etc/php5/apache2/php.ini and enable zlib compression and configure some security settings:

zlib.output_compression = On
disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system

PHP 4
You can also install PHP4:

apt-get install php4 php4-mysql

Next, configure PHP4. Assuming you are using Apache 1.3, use:

cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini

If you are using Apache 2, replace apache in that path with apache2.

Next edit /etc/php4/apache/php.ini and enable zlib compression and configure some security settings:

zlib.output_compression = On
disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system

NOTE: If you're installing Swisscenter, you will need to remove fopen and popen from the disable_functions list, as Swisscenter needs them to function correctly.
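The two php.ini edits above (the same for PHP 5 and PHP 4) and the Swisscenter exception can be applied and checked with a small script. This is an added example, not code from the original article or from the Debian PHP packages; set_ini_directive, harden_php_ini and active_value are hypothetical helper names, and the php.ini excerpt is constructed for the demonstration rather than copied from php.ini-recommended.

```python
import re

# Functions the article tells you to disable (taken from its disable_functions
# line); adjust the list for your own applications.
DISABLED_FUNCTIONS = ["ini_set", "exec", "fopen", "popen", "passthru",
                      "readfile", "file", "system"]


def set_ini_directive(text, key, value):
    """Set 'key = value' in php.ini text (hypothetical helper).

    The first existing line for the key, active or commented out with ';',
    is rewritten in place; later duplicates are commented out so that the
    effective value is unambiguous (PHP honours the last active line).
    If the key is absent, the directive is appended under [PHP].
    """
    line_re = re.compile(r"^[ \t]*;?[ \t]*" + re.escape(key) + r"[ \t]*=.*$",
                         re.MULTILINE)
    new_line = f"{key} = {value}"
    seen = 0

    def replace(match):
        nonlocal seen
        seen += 1
        if seen == 1:
            return new_line
        return "; " + match.group(0).lstrip("; \t")   # neutralise a duplicate

    text = line_re.sub(replace, text)
    if seen == 0:
        section = re.search(r"^\[PHP\][ \t]*$", text, re.MULTILINE)
        if section:
            text = text[:section.end()] + "\n" + new_line + text[section.end():]
        else:
            text = text.rstrip("\n") + "\n" + new_line + "\n"
    return text


def harden_php_ini(text, needed_by_apps=()):
    """Apply the article's two settings to php.ini text.

    Functions named in needed_by_apps stay enabled: the article notes that
    Swisscenter needs fopen and popen, so pass ("fopen", "popen") for it.
    """
    keep = set(needed_by_apps)
    disabled = [f for f in DISABLED_FUNCTIONS if f not in keep]
    text = set_ini_directive(text, "zlib.output_compression", "On")
    text = set_ini_directive(text, "disable_functions", ", ".join(disabled))
    return text


def active_value(text, key):
    """Effective value of key (the last uncommented line), or None if unset."""
    value = None
    for line in text.splitlines():
        m = re.match(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*?)[ \t]*$", line)
        if m:
            value = m.group(1)
    return value


# Constructed excerpt in the style of php.ini-recommended; not the real file.
SAMPLE_INI = """\
[PHP]
engine = On
;zlib.output_compression = Off
disable_functions =
"""

if __name__ == "__main__":
    hardened = harden_php_ini(SAMPLE_INI)
    print(hardened)
    print("disable_functions ->", active_value(hardened, "disable_functions"))
    swiss = harden_php_ini(SAMPLE_INI, needed_by_apps=("fopen", "popen"))
    print("for Swisscenter   ->", active_value(swiss, "disable_functions"))
```

Run it against a copy of the real php.ini before touching the live file; active_value reports what PHP will actually use, which is the thing to confirm after any hand edit as well.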

Apache 1.3 Modules
You should install the following packages too:

apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security


 * Mod_security allows you to set custom security rules for Apache (highly recommended).
 * Mod_choke is a rate limiter for Apache.
 * Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half.

If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command:

pico /etc/apache/modules.conf

Mod_gzip must be the last module listed (which is actually the first module loaded, because Apache loads modules.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are:

LoadModule security_module /usr/lib/apache/1.3/mod_security.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
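The ordering rule above is easy to get wrong after a later apt-get pulls in another module, so here is a check for it. This is an added example, not part of the original article or of the Debian apache packages; check_module_order, reorder_modules and load_order are hypothetical helpers, the two modules.conf samples are constructed (the mod_log_config and libphp5 lines are there only as filler), and "towards the end" for mod_choke is interpreted as the second half of the list.

```python
import re

# One LoadModule line: "LoadModule <name> <path>"
LOAD_RE = re.compile(r"^[ \t]*LoadModule[ \t]+(\S+)[ \t]+(\S+)")


def load_order(text):
    """Module names in the order their LoadModule lines appear."""
    names = []
    for line in text.splitlines():
        m = LOAD_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def check_module_order(text):
    """Problems with the order the article requires, as a list of strings.

    security_module first, gzip_module last; the article's "towards the end"
    for choke_module is interpreted here as the second half of the list.
    """
    mods = load_order(text)
    problems = [f"{name} is not loaded"
                for name in ("security_module", "choke_module", "gzip_module")
                if name not in mods]
    if problems:
        return problems
    if mods[0] != "security_module":
        problems.append("security_module must be the first LoadModule line")
    if mods[-1] != "gzip_module":
        problems.append("gzip_module must be the last LoadModule line")
    if mods.index("choke_module") < len(mods) // 2:
        problems.append("choke_module should be towards the end of the list")
    return problems


def reorder_modules(text):
    """Rewrite the LoadModule lines into the required order.

    Comments and other directives stay where they are; only the LoadModule
    lines are permuted: security_module, the rest in their existing order,
    then choke_module and gzip_module.
    """
    lines = text.splitlines()
    loads = [l for l in lines if LOAD_RE.match(l)]
    pinned = {"security_module": None, "choke_module": None, "gzip_module": None}
    rest = []
    for l in loads:
        name = LOAD_RE.match(l).group(1)
        if name in pinned:
            pinned[name] = l
        else:
            rest.append(l)
    ordered = [pinned["security_module"], *rest,
               pinned["choke_module"], pinned["gzip_module"]]
    ordered = iter(l for l in ordered if l is not None)
    out = [next(ordered) if LOAD_RE.match(l) else l for l in lines]
    return "\n".join(out) + "\n"


# Constructed samples in the style of /etc/apache/modules.conf.
GOOD_CONF = """\
LoadModule security_module /usr/lib/apache/1.3/mod_security.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule php5_module /usr/lib/apache/1.3/libphp5.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
"""

BAD_CONF = """\
# gzip first and security last: the opposite of what is required
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so
LoadModule config_log_module /usr/lib/apache/1.3/mod_log_config.so
LoadModule security_module /usr/lib/apache/1.3/mod_security.so
"""

if __name__ == "__main__":
    print("good:", check_module_order(GOOD_CONF) or "ok")
    print("bad: ", check_module_order(BAD_CONF))
    print(reorder_modules(BAD_CONF))
```

To use it on the real file, read /etc/apache/modules.conf, run check_module_order on the contents, and only write the output of reorder_modules back after looking at the diff; then restart Apache as described under Post-install.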

mod_gzip, mod_choke, mod_security
Now let's edit /etc/apache/httpd.conf and configure the modules. A good base mod_gzip configuration:

# Turn mod_gzip on
mod_gzip_on yes
# Allow mod_gzip to eliminate the HTTP header and join the chunks into one (compressible) packet
mod_gzip_dechunk yes
# Count HTTP header size as part of total output size
mod_gzip_add_header_count yes
# Send a Vary HTTP header
mod_gzip_send_vary yes
# Require at least HTTP 1.0 protocol
mod_gzip_min_http 1000
# Compress both GET and POST methods
mod_gzip_handle_methods GET POST
mod_gzip_keep_workfiles No
mod_gzip_temp_dir /tmp
# Minimum file size required for gzip to compress (in bytes)
mod_gzip_minimum_file_size 1000
# Maximum file size required for gzip to compress (in bytes)
mod_gzip_maximum_file_size 500000
# Types to compress
mod_gzip_item_include file \.htm$
mod_gzip_item_include file \.html$
mod_gzip_item_include file \.pl$
mod_gzip_item_include file \.cgi$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^httpd/unix-directory$
mod_gzip_item_include handler proxy-server
mod_gzip_item_include handler ^cgi-script$
# Types to exclude (PHP uses internal zlib compression)
mod_gzip_item_exclude mime ^application/x-httpd-php
mod_gzip_item_exclude file \.php$
mod_gzip_item_exclude file \.phps$
mod_gzip_item_exclude file \.phtml$
mod_gzip_item_exclude file "\.css$"
mod_gzip_item_exclude file "\.js$"
mod_gzip_item_exclude mime ^image/

A sample mod_choke configuration:

# Turn mod_choke on
Choke On
# Set the choke rate
ChokeRate 10k
ChokeRateEnv CHOKE_RATE
# Allow full rate for this many bytes
ChokeBurst 10k
ChokeBurstEnv CHOKE_BURST
ChokeSummary Off
# Set the maximum connections
GlobalMaxConnectionsPerIP 2
GlobalMaxConnectionsPerUser 2

And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works:

# Engine configuration: scan dynamic content, POST bodies and URL encoding
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
# End engine configuration

# Prevent OS-specific keywords (remote execution)
SecFilter /etc/passwd
SecFilter /bin/sh
SecFilterSelective ARGS_NAMES 777
SecFilterSelective ARGS "bin/"
# Prevent operating system command execution
SecFilter /bin/ls
# Prevent path traversal
SecFilter "\.\./"
# Prevent XSS attacks (HTML/JavaScript injection)
SecFilter "<(.|\n)+>"
# Forbid uncommon encoding types
SecFilterSelective "HTTP_Content-Type" "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
# Filter to prevent SQL injection attacks
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*select.+from[^<]*" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*delete.+from[^<]*" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*insert.+from[^<]*" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*update.+from[^<]*" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*drop.+from[^<]*" "deny,status:406"
# End filter
# Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
# Forbid chunked transfer encoding requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# Require HTTP_USER_AGENT and HTTP_HOST headers in every request
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
# Normalize cookie names and values
SecFilterNormalizeCookies On
# Prevent XSS attack via PHP
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
# Prevent fatal error information leak
SecFilterSelective OUTPUT "Fatal error:"
# Filter meta characters (helps prevent SQL attacks and information leaks)
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.{6,}" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.+['\"%][^<]*" "deny,log,status:406"
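To see what this rule set does to ordinary traffic before loosening it, here is a small model that replays a handful of the rules above against constructed requests. It is an added example, not part of the original article and not mod_security itself: make_request, matched_rules and decide are hypothetical helpers, the header and cookie handling is a simplification of mod_security 1.x variables (SecFilter without a variable is modelled as a search over the URI, argument names and values, and the body), and every sample request, hostname and session id is constructed.

```python
import re


def make_request(uri, args=None, headers=None, cookies=None, body=""):
    """Constructed request model. Header names are stored the way the rules
    refer to them (HTTP_CONTENT_TYPE, HTTP_USER_AGENT, ...)."""
    return {
        "uri": uri,
        "args": dict(args or {}),
        "headers": {"HTTP_" + k.upper().replace("-", "_"): v
                    for k, v in (headers or {}).items()},
        "cookies": dict(cookies or {}),
        "body": body,
    }


# A subset of the article's rules as (label, variable, regex, negated).
# A pattern written "!..." in mod_security fires when the value does NOT match.
# "ANY" stands for a plain SecFilter; the real engine's matching options
# (normalisation, case handling) are not reproduced here.
RULES = [
    ("os keyword",           "ANY",                       r"/etc/passwd",  False),
    ("os keyword",           "ANY",                       r"/bin/sh",      False),
    ("path traversal",       "ANY",                       r"\.\./",        False),
    ("html injection",       "ANY",                       r"<(.|\n)+>",    False),
    ("uncommon encoding",    "HTTP_CONTENT_TYPE",
     r"(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)",    True),
    ("file upload",          "HTTP_CONTENT_TYPE",         r"multipart/form-data", False),
    ("chunked request",      "HTTP_TRANSFER_ENCODING",    r"^$",           True),
    ("missing UA/Host",      "HTTP_USER_AGENT|HTTP_HOST", r"^$",           False),
    ("bad PHPSESSID cookie", "COOKIE_PHPSESSID",          r"^[0-9a-z]*$",  True),
]


def _values(req, variable):
    """Strings a rule variable selects from the request (missing -> "")."""
    if variable == "ANY":
        values = [req["uri"], req["body"]]
        for name, value in req["args"].items():
            values += [name, value]
        return values
    if variable.startswith("COOKIE_"):
        return [req["cookies"].get(variable[len("COOKIE_"):], "")]
    return [req["headers"].get(name, "") for name in variable.split("|")]


def matched_rules(req):
    """Labels of the rules that would fire, in rule order."""
    hits = []
    for label, variable, pattern, negated in RULES:
        regex = re.compile(pattern)
        if any(bool(regex.search(v)) != negated for v in _values(req, variable)):
            hits.append(label)
    return hits


def decide(req):
    """(status, hits): SecFilterDefaultAction "deny,log,status:406" on any hit."""
    hits = matched_rules(req)
    return (406 if hits else 200, hits)


BROWSER = {"Host": "linkstation.local", "User-Agent": "Mozilla/5.0"}

# Constructed sample requests: one benign, four that the rules reject.
SAMPLES = {
    "plain page view": make_request("/index.php", args={"page": "home"},
                                    headers=BROWSER, cookies={"PHPSESSID": "3f9a1c"}),
    "probe without User-Agent": make_request("/", headers={"Host": "linkstation.local"}),
    "traversal in a query argument": make_request("/view.php", args={"file": "../../etc/passwd"},
                                                  headers=BROWSER),
    "multipart form (file upload)": make_request("/upload.php", headers={
        **BROWSER, "Content-Type": "multipart/form-data; boundary=xyz"}),
    "session id with upper-case characters": make_request("/", headers=BROWSER,
                                                           cookies={"PHPSESSID": "AbC123"}),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        status, hits = decide(req)
        print(f"{status} {name}: {', '.join(hits) or 'no rule fired'}")
```

Two things the run makes visible: the "uncommon encoding" rule lets multipart/form-data through, but the "forbid file upload" rule right after it still rejects every such request, so upload forms will fail until that line is removed; and the User-Agent/Host rule rejects any client that omits those headers, which includes some monitoring scripts. When a script breaks, /var/log/audit_log shows which rule fired, which is the place to look before loosening anything.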

Standard configuration
NOTE: You can also use Webmin to configure Apache.

Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing /etc/apache/httpd.conf and /etc/apache/modules.conf. Alternatively, Apache can be configured using Webmin (see Articles/DebianWebmin). If you installed Perl support, then you must add ExecCGI to the relevant section for your scripts to run. I also recommend the following entries for increased security:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerTokens Prod

Post-install
Restart the Apache server to apply your changes. Use the command:

apachectl restart

Last, let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security:

cd /usr/share/mod-security/tests
./run-test.pl localhost:yourportnumber *.test

Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd.

Because I did something wrong: How to uninstall MySQL

apt-get remove --purge mysql*
rm /etc/init.d/mysql*