Difference between revisions of "Apache HTTP server, installing"
From NAS-Central Buffalo - The Linkstation Wiki
m (→Apache 1.3 Modules: Formatting) |
|||
| (9 intermediate revisions by 5 users not shown) | |||
| Line 1: | Line 1: | ||
| + | {{Template:Articles|Debian|Mediaserver}}<small><font color=red>''Originally by frontalot from linkstationwiki.org''</font></small> | ||
| − | + | '''[[w:LAMP (software bundle)|LAMP]]''' (or '''L.A.M.P.''') refers to a set of [[w:free software|free software]] programs commonly used together to run dynamic [[w:Web site|Web site]]s or [[w:Server (computing)|server]]s: | |
| + | *[[w:Linux|'''L'''inux]], the [[w:operating system|operating system]]; | ||
| + | *[[w:Apache HTTP Server|'''A'''pache]], the [[w:Web server|Web server]]; | ||
| + | *[[w:MySQL|'''M'''ySQL]], the [[w:DBMS|database management system]] (or database server); | ||
| + | *[[w:PHP|'''P'''HP]], [[w:Perl|'''P'''erl]], [[w:Python programming language|'''P'''ython]], and/or [[w:Mono (software)|'''P'''rimate]] (mod mono), [[w:scripting language|scripting/programming language]]s. | ||
| − | + | This section is for '''Freelink/Debian''' boxes. | |
| + | |||
| + | == Installing Packages == | ||
| + | === Apache === | ||
| + | |||
| + | Install Apache and its related packages. Use the command: | ||
<font color=red>apt-get install apache apache-common </font> | <font color=red>apt-get install apache apache-common </font> | ||
| − | 2 | + | To install Apache 2, use: |
| + | <font color=red>apt-get install apache2</font> | ||
| + | |||
| + | === MySQL === | ||
| + | If you want MySQL Use the command: | ||
| + | |||
| + | <font color=red>apt-get install mysql-server</font> | ||
| + | |||
| + | Copy over the base small sever configuration (for systems with <= 64MB of RAM): | ||
| + | |||
| + | <font color=red>cp /usr/share/doc/mysql-server/examples/my-small.cnf /etc/mysql/my.cnf </font> | ||
| + | |||
| + | === Perl === | ||
| + | |||
| + | If you want Perl support, install the following packages: | ||
<font color=red>apt-get install libapache-mod-perl libapache-ssi-perl </font> | <font color=red>apt-get install libapache-mod-perl libapache-ssi-perl </font> | ||
| + | If you want Python support, install the following packages: | ||
| + | <font color=red>apt-get install python libapache-mod-python </font> | ||
| − | + | === PHP === | |
| − | + | ==== PHP 5 ==== | |
| − | + | This is the current version of PHP. If you want PHP5 support, install the following packages: | |
| + | |||
| + | <font color=red>apt-get install php5 php5-mysql</font> | ||
| + | |||
| + | Next, configure PHP5. Assuming you are using Apache2, use: | ||
| + | |||
| + | <font color=red>cp /usr/share/doc/php5-common/examples/php.ini-recommended /etc/php5/apache'''2'''/php.ini</font> | ||
| + | |||
| + | If you are using Apache 1.3, replace | ||
| + | apache2 | ||
| + | |||
| + | with | ||
| + | apache | ||
| + | |||
| + | Next edit <font color=red>/etc/php5/apache2/php.ini</font> and enable zlib compression and configure some security settings: | ||
| + | |||
| + | <font color=red>zlib.output_compression = On</font> | ||
| + | <font color=red>disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system</font> | ||
| + | |||
| + | ==== PHP 4 ==== | ||
| + | |||
| + | You can also install PHP4: | ||
| + | |||
| + | <font color=red>apt-get install php4 php4-mysql</font> | ||
| + | |||
| + | Next, configure PHP4. Assuming you are using Apache 1.3, use: | ||
<font color=red>cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini</font> | <font color=red>cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini</font> | ||
| − | + | If you are using Apache 2, replace | |
| + | apache | ||
| + | |||
| + | with | ||
| + | apache2 | ||
| + | |||
| + | Next edit <font color=red>/etc/php4/apache/php.ini</font> and enable zlib compression and configure some security settings: | ||
<font color=red>zlib.output_compression = On</font> | <font color=red>zlib.output_compression = On</font> | ||
<font color=red>disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system</font> | <font color=red>disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system</font> | ||
| − | + | NOTE: If you're installing Swisscenter, you will need to remove the fopen and popen functions as swisscenter needs them to function correctly. | |
| + | |||
| + | == Apache 1.3 Modules == | ||
| + | |||
| + | You should install the following packages too: | ||
<font color=red>apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security</font> | <font color=red>apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security</font> | ||
| − | + | * Mod_security allows you to set custom security rules for Apache (highly recommended). | |
| + | * Mod_choke is a rate limiter for Apache. | ||
| + | * Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half. | ||
| − | + | If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command: | |
<font color=red>pico /etc/apache/modules.conf</font> | <font color=red>pico /etc/apache/modules.conf</font> | ||
| − | + | Mod_gzip must be the last module listed (which is actually the first module loaded because Apache loads module.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are: | |
<font color=red>LoadModule security_module /usr/lib/apache/1.3/mod_security.so</font> | <font color=red>LoadModule security_module /usr/lib/apache/1.3/mod_security.so</font> | ||
| Line 39: | Line 102: | ||
<font color=red>LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so </font> | <font color=red>LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so </font> | ||
| − | + | == Configuring Apache == | |
| + | |||
| + | === Apache 1.3 === | ||
| + | ==== mod_gzip, mod_choke, mod_security ==== | ||
| + | Now let's edit <font color=red>/etc/apache/httpd.conf</font> and configure the modules. A good base mod_gzip configuration: | ||
<font color=red> | <font color=red> | ||
| Line 80: | Line 147: | ||
</IfModule> | </IfModule> | ||
</font> | </font> | ||
| − | + | ||
| + | A sample mod_choke configuration: | ||
<font color=red> | <font color=red> | ||
| Line 99: | Line 167: | ||
</font> | </font> | ||
| − | + | And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works: | |
<font color=red> | <font color=red> | ||
| Line 154: | Line 222: | ||
</font> | </font> | ||
| − | + | ==== Standard configuration ==== | |
| + | |||
| + | NOTE: You can also use Webmin to configure Apache. | ||
| + | |||
| + | Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing <font color=red>/etc/apache/httpd.conf</font> and /etc/apache/modules.conf. Alternately, Apache can be configured using Webmin (see [[Articles/DebianWebmin]]). If you installed perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security: | ||
<font color=red> | <font color=red> | ||
| Line 163: | Line 235: | ||
</font> | </font> | ||
| − | + | === Post-install === | |
| + | |||
| + | Restart the Apache server to apply your changes. Use the command: | ||
<font color=red>apachectl restart </font> | <font color=red>apachectl restart </font> | ||
| − | + | Last let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security: | |
<font color=red>cd /usr/share/mod-security/tests</font> | <font color=red>cd /usr/share/mod-security/tests</font> | ||
<font color=red>./run-test.pl localhost:yourportnumber *.test </font> | <font color=red>./run-test.pl localhost:yourportnumber *.test </font> | ||
| − | + | Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd. | |
| + | |||
| + | '''Because I did something wrong: How to uninstall mysql''' | ||
| − | + | <font color=red>apt-get remove --purge mysql* | |
| + | rm /etc/init.d/mysql* | ||
| + | </font> | ||
Latest revision as of 05:20, 21 December 2007
Originally by frontalot from linkstationwiki.org
LAMP (or L.A.M.P.) refers to a set of free software programs commonly used together to run dynamic Web sites or servers:
- Linux, the operating system;
- Apache, the Web server;
- MySQL, the database management system (or database server);
- PHP, Perl, Python, and/or Primate (mod mono), scripting/programming languages.
This section is for Freelink/Debian boxes.
Contents
Installing Packages
Apache
Install Apache and its related packages. Use the command:
apt-get install apache apache-common
To install Apache 2, use:
apt-get install apache2
MySQL
If you want MySQL Use the command:
apt-get install mysql-server
Copy over the base small sever configuration (for systems with <= 64MB of RAM):
cp /usr/share/doc/mysql-server/examples/my-small.cnf /etc/mysql/my.cnf
Perl
If you want Perl support, install the following packages:
apt-get install libapache-mod-perl libapache-ssi-perl
If you want Python support, install the following packages:
apt-get install python libapache-mod-python
PHP
PHP 5
This is the current version of PHP. If you want PHP5 support, install the following packages:
apt-get install php5 php5-mysql
Next, configure PHP5. Assuming you are using Apache2, use:
cp /usr/share/doc/php5-common/examples/php.ini-recommended /etc/php5/apache2/php.ini
If you are using Apache 1.3, replace
apache2
with
apache
Next edit /etc/php5/apache2/php.ini and enable zlib compression and configure some security settings:
zlib.output_compression = On disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system
PHP 4
You can also install PHP4:
apt-get install php4 php4-mysql
Next, configure PHP4. Assuming you are using Apache 1.3, use:
cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini
If you are using Apache 2, replace
apache
with
apache2
Next edit /etc/php4/apache/php.ini and enable zlib compression and configure some security settings:
zlib.output_compression = On disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system
NOTE: If you're installing Swisscenter, you will need to remove the fopen and popen functions as swisscenter needs them to function correctly.
Apache 1.3 Modules
You should install the following packages too:
apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security
- Mod_security allows you to set custom security rules for Apache (highly recommended).
- Mod_choke is a rate limiter for Apache.
- Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half.
If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command:
pico /etc/apache/modules.conf
Mod_gzip must be the last module listed (which is actually the first module loaded because Apache loads module.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are:
LoadModule security_module /usr/lib/apache/1.3/mod_security.so LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
Configuring Apache
Apache 1.3
mod_gzip, mod_choke, mod_security
Now let's edit /etc/apache/httpd.conf and configure the modules. A good base mod_gzip configuration:
<IfModule mod_gzip.c> #Turn mod_gzip on@ mod_gzip_on yes@ #Allow mod_gzip to eliminate the HTTP header and join the chunks to one (compressable) packet mod_gzip_dechunk yes #Count HTTP header size as part of total output size mod_gzip_add_header_count yes #Send a vary HTTP header mod_gzip_send_vary yes #Require at least HTTP 1.0 protocol mod_gzip_min_http 1000 #Compress both GET and POST methods mod_gzip_handle_methods GET POST mod_gzip_keep_workfiles No mod_gzip_temp_dir /tmp #Minimum file size required for gzip to compress (in bytes) mod_gzip_minimum_file_size 1000 #Maximum file size required for gzip to compress (in bytes) mod_gzip_maximum_file_size 500000 #Types to compress mod_gzip_item_include file \.htm$ mod_gzip_item_include file \.html$ mod_gzip_item_include file \.pl$ mod_gzip_item_include file \.cgi$ mod_gzip_item_include mime ^text/.* mod_gzip_item_include mime ^httpd/unix-directory$ mod_gzip_item_include handler proxy-server mod_gzip_item_include handler ^cgi-script$ #Types to exclude (PHP uses internal zlib compression) mod_gzip_item_exclude mime ^application/x-httpd-php mod_gzip_item_exclude file \.php$ mod_gzip_item_exclude file \.phps$ mod_gzip_item_exclude file \.phtml$ mod_gzip_item_exclude file "\.css$" mod_gzip_item_exclude file "\.js$" mod_gzip_item_exclude mime ^image/ </IfModule>
A sample mod_choke configuration:
<IfModule mod_choke.c> #Turn mod_choke on Choke On #Set the choke rate ChokeRate 10k ChokeRateEnv CHOKE_RATE #Allow full rate for this many bytes ChokeBurst 10k ChokeBurstEnv CHOKE_BURST ChokeSummary Off #Set the maximum connections GlobalMaxConnectionsPerIP 2 GlobalMaxConnectionsPerUser 2 </IfModule>
And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works:
<IfModule mod_security.c>
#Start engine configuration - Scan dynamic content, POST method, and URL encoding
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
#End engine configuration
#Prevent OS specific keywords - Prevent remote execution
SecFilter /etc/passwd
SecFilter /bin/sh
SecFilterSelective ARGS_NAMES 777
#Prevent operating system command execution
SecFilterSelective ARGS "bin/"
SecFilter /bin/ls
#Prevent path traversal
SecFilter "\.\./"
#Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
#Forbid uncommon encoding types
SecFilterSelective "HTTP_Content-Type" "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
#Start filter to prevent SQL injection attacks
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*select.+from[^<]*</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*delete.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*insert.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*update.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*drop.+from[^<]*</\s*id\s*>" "deny,status:406"
#End filter
#Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
#Forbid chunked transfer encoding requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Require HTTP_USER_AGENT and HTTP_POST headers in every request
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#Enable normalize cookie names and values
SecFilterNormalizeCookies On
#Prevent XSS attack via PHP
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
#Prevent fatal information leak
SecFilterSelective OUTPUT "Fatal error:"
#Filter meta characters (helps prevent SQL attacks and information leaks)
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.{6,}</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.+['\"%][^<]*</\s*id\s*>" "deny,log,status:406"
</IfModule>
Standard configuration
NOTE: You can also use Webmin to configure Apache.
Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing /etc/apache/httpd.conf and /etc/apache/modules.conf. Alternately, Apache can be configured using Webmin (see Articles/DebianWebmin). If you installed perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerTokens - Prod
Post-install
Restart the Apache server to apply your changes. Use the command:
apachectl restart
Last let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security:
cd /usr/share/mod-security/tests ./run-test.pl localhost:yourportnumber *.test
Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd.
Because I did something wrong: How to uninstall mysql
apt-get remove --purge mysql* rm /etc/init.d/mysql*
