Apache HTTP server, installing
From NAS-Central Buffalo - The Linkstation Wiki
(Difference between revisions)
(Corrected php.ini settings for use with swisscenter) |
m |
||
| Line 1: | Line 1: | ||
| - | {{Template:Articles}}< | + | {{Template:Articles|Debian|Mediaserver}}<small><font color=red>''Originally by frontalot from linkstationwiki.org''</font></small> |
| + | '''[[w:LAMP (software bundle)|LAMP]]''' (or '''L.A.M.P.''') refers to a set of [[w:free software|free software]] programs commonly used together to run dynamic [[w:Web site|Web site]]s or [[w:Server (computing)|server]]s: | ||
| + | *[[w:Linux|'''L'''inux]], the [[w:operating system|operating system]]; | ||
| + | *[[w:Apache HTTP Server|'''A'''pache]], the [[w:Web server|Web server]]; | ||
| + | *[[w:MySQL|'''M'''ySQL]], the [[w:DBMS|database management system]] (or database server); | ||
| + | *[[w:PHP|'''P'''HP]], [[w:Perl|'''P'''erl]], [[w:Python programming language|'''P'''ython]], and/or [[w:Mono (software)|'''P'''rimate]] (mod mono), [[w:scripting language|scripting/programming language]]s. | ||
| + | |||
1. Install Apache and it's related packages. Use the command: | 1. Install Apache and it's related packages. Use the command: | ||
| Line 5: | Line 11: | ||
<font color=red>apt-get install apache apache-common </font> | <font color=red>apt-get install apache apache-common </font> | ||
| - | 2. If you want | + | 2. If you want MySQL Use the command: |
| + | |||
| + | <font color=red>apt-get install mysql-server php4-mysql libapache-mod-auth-mysql</font> | ||
| + | |||
| + | Copy over the base small sever configuration (for systems with <= 64MB of RAM): | ||
| + | |||
| + | <font color=red>cp /usr/share/doc/mysql-server/examples/my-small.cnf /etc/mysql/my.cnf </font> | ||
| + | 3. If you want Perl support, install the following packages: | ||
<font color=red>apt-get install libapache-mod-perl libapache-ssi-perl </font> | <font color=red>apt-get install libapache-mod-perl libapache-ssi-perl </font> | ||
| - | + | 4. If you want PHP support, install the following packages: | |
<font color=red>apt-get install libapache-mod-php4 php4 php4-common </font> | <font color=red>apt-get install libapache-mod-php4 php4 php4-common </font> | ||
| - | + | 5. Then configure PHP: | |
<font color=red>cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini</font> | <font color=red>cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini</font> | ||
| - | + | 6. Next edit <font color=red>/etc/php4/apache/php.ini</font> and enable zlib compression and configure some security settings: | |
<font color=red>zlib.output_compression = On</font> | <font color=red>zlib.output_compression = On</font> | ||
| Line 24: | Line 37: | ||
NOTE: If you're installing Swisscenter, you will need to remove the fopen and popen functions as swisscenter needs them to function correctly. | NOTE: If you're installing Swisscenter, you will need to remove the fopen and popen functions as swisscenter needs them to function correctly. | ||
| - | + | 7. You should install the following packages too: | |
<font color=red>apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security</font> | <font color=red>apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security</font> | ||
| - | + | 8. Mod_security allows you to set custom security rules for Apache (highly recommended). Mod_choke is a rate limiter for Apache. Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half. | |
| - | + | 9. If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command: | |
<font color=red>pico /etc/apache/modules.conf</font> | <font color=red>pico /etc/apache/modules.conf</font> | ||
| - | + | 10. Mod_gzip must be the last module listed (which is actually the first module loaded because Apache loads module.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are: | |
<font color=red>LoadModule security_module /usr/lib/apache/1.3/mod_security.so</font> | <font color=red>LoadModule security_module /usr/lib/apache/1.3/mod_security.so</font> | ||
| Line 40: | Line 53: | ||
<font color=red>LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so </font> | <font color=red>LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so </font> | ||
| - | + | 11. Now let's edit <font color=red>/etc/apache/httpd.conf</font> and configure the modules. A good base mod_gzip configuration: | |
<font color=red> | <font color=red> | ||
| Line 81: | Line 94: | ||
</IfModule> | </IfModule> | ||
</font> | </font> | ||
| - | + | 12. A sample mod_choke configuration: | |
<font color=red> | <font color=red> | ||
| Line 100: | Line 113: | ||
</font> | </font> | ||
| - | + | 13. And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works: | |
<font color=red> | <font color=red> | ||
| Line 155: | Line 168: | ||
</font> | </font> | ||
| - | + | 14. Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing <font color=red>/etc/apache/httpd.conf</font> and /etc/apache/modules.conf. Alternately, Apache can be configured using Webmin (see [[Articles/DebianWebmin]]). If you installed perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security: | |
<font color=red> | <font color=red> | ||
| Line 164: | Line 177: | ||
</font> | </font> | ||
| - | + | 15. Restart the Apache server to apply your changes. Use the command: | |
<font color=red>apachectl restart </font> | <font color=red>apachectl restart </font> | ||
| - | + | 16. Last let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security: | |
<font color=red>cd /usr/share/mod-security/tests</font> | <font color=red>cd /usr/share/mod-security/tests</font> | ||
<font color=red>./run-test.pl localhost:yourportnumber *.test </font> | <font color=red>./run-test.pl localhost:yourportnumber *.test </font> | ||
| - | + | 17. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd. | |
| - | + | ||
| - | + | ||
Revision as of 20:16, 7 September 2006
Originally by frontalot from linkstationwiki.org LAMP (or L.A.M.P.) refers to a set of free software programs commonly used together to run dynamic Web sites or servers:
- Linux, the operating system;
- Apache, the Web server;
- MySQL, the database management system (or database server);
- PHP, Perl, Python, and/or Primate (mod mono), scripting/programming languages.
1. Install Apache and it's related packages. Use the command:
apt-get install apache apache-common
2. If you want MySQL Use the command:
apt-get install mysql-server php4-mysql libapache-mod-auth-mysql
Copy over the base small sever configuration (for systems with <= 64MB of RAM):
cp /usr/share/doc/mysql-server/examples/my-small.cnf /etc/mysql/my.cnf
3. If you want Perl support, install the following packages:
apt-get install libapache-mod-perl libapache-ssi-perl
4. If you want PHP support, install the following packages:
apt-get install libapache-mod-php4 php4 php4-common
5. Then configure PHP:
cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini
6. Next edit /etc/php4/apache/php.ini and enable zlib compression and configure some security settings:
zlib.output_compression = On disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system
NOTE: If you're installing Swisscenter, you will need to remove the fopen and popen functions as swisscenter needs them to function correctly.
7. You should install the following packages too:
apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security
8. Mod_security allows you to set custom security rules for Apache (highly recommended). Mod_choke is a rate limiter for Apache. Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half.
9. If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command:
pico /etc/apache/modules.conf
10. Mod_gzip must be the last module listed (which is actually the first module loaded because Apache loads module.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are:
LoadModule security_module /usr/lib/apache/1.3/mod_security.so LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
11. Now let's edit /etc/apache/httpd.conf and configure the modules. A good base mod_gzip configuration:
<IfModule mod_gzip.c> #Turn mod_gzip on@ mod_gzip_on yes@ #Allow mod_gzip to eliminate the HTTP header and join the chunks to one (compressable) packet mod_gzip_dechunk yes #Count HTTP header size as part of total output size mod_gzip_add_header_count yes #Send a vary HTTP header mod_gzip_send_vary yes #Require at least HTTP 1.0 protocol mod_gzip_min_http 1000 #Compress both GET and POST methods mod_gzip_handle_methods GET POST mod_gzip_keep_workfiles No mod_gzip_temp_dir /tmp #Minimum file size required for gzip to compress (in bytes) mod_gzip_minimum_file_size 1000 #Maximum file size required for gzip to compress (in bytes) mod_gzip_maximum_file_size 500000 #Types to compress mod_gzip_item_include file \.htm$ mod_gzip_item_include file \.html$ mod_gzip_item_include file \.pl$ mod_gzip_item_include file \.cgi$ mod_gzip_item_include mime ^text/.* mod_gzip_item_include mime ^httpd/unix-directory$ mod_gzip_item_include handler proxy-server mod_gzip_item_include handler ^cgi-script$ #Types to exclude (PHP uses internal zlib compression) mod_gzip_item_exclude mime ^application/x-httpd-php mod_gzip_item_exclude file \.php$ mod_gzip_item_exclude file \.phps$ mod_gzip_item_exclude file \.phtml$ mod_gzip_item_exclude file "\.css$" mod_gzip_item_exclude file "\.js$" mod_gzip_item_exclude mime ^image/ </IfModule>
12. A sample mod_choke configuration:
<IfModule mod_choke.c> #Turn mod_choke on Choke On #Set the choke rate ChokeRate 10k ChokeRateEnv CHOKE_RATE #Allow full rate for this many bytes ChokeBurst 10k ChokeBurstEnv CHOKE_BURST ChokeSummary Off #Set the maximum connections GlobalMaxConnectionsPerIP 2 GlobalMaxConnectionsPerUser 2 </IfModule>
13. And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works:
<IfModule mod_security.c>
#Start engine configuration - Scan dynamic content, POST method, and URL encoding
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
#End engine configuration
#Prevent OS specific keywords - Prevent remote execution
SecFilter /etc/passwd
SecFilter /bin/sh
SecFilterSelective ARGS_NAMES 777
#Prevent operating system command execution
SecFilterSelective ARGS "bin/"
SecFilter /bin/ls
#Prevent path traversal
SecFilter "\.\./"
#Prevent XSS atacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
#Forbid uncommon encoding types
SecFilterSelective "HTTP_Content-Type" "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
#Start filter to prevent SQL injection attacks
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*select.+from[^<]*</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*delete.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*insert.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*update.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*drop.+from[^<]*</\s*id\s*>" "deny,status:406"
#End filter
#Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
#Forbid chunked transfer encoding requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Require HTTP_USER_AGENT and HTTP_POST headers in every request
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#Enable normalize cookie names and values
SecFilterNormalizeCookies On
#Prevent XSS attack via PHP
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
#Prevent fatal information leak
SecFilterSelective OUTPUT "Fatal error:"
#Filter meta characters (helps prevent SQL attacks and information leaks)
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.{6,}</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.+['\"%][^<]*</\s*id\s*>" "deny,log,status:406"
</IfModule>
14. Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing /etc/apache/httpd.conf and /etc/apache/modules.conf. Alternately, Apache can be configured using Webmin (see Articles/DebianWebmin). If you installed perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerTokens - Prod
15. Restart the Apache server to apply your changes. Use the command:
apachectl restart
16. Last let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security:
cd /usr/share/mod-security/tests ./run-test.pl localhost:yourportnumber *.test
17. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd.
