Apache HTTP server, installing

From NAS-Central Buffalo - The Linkstation Wiki
Originally by frontalot from linkstationwiki.org

1. Install Apache and its related packages. Use the command:

apt-get install apache apache-common 

2. If you want Perl support, install the following packages:

apt-get install libapache-mod-perl libapache-ssi-perl  

3. If you want PHP support, install the following packages:

apt-get install libapache-mod-php4 php4 php4-common 

4. Then configure PHP:

cp /usr/share/doc/php4-common/examples/php.ini-recommended /etc/php4/apache/php.ini

5. Next edit /etc/php4/apache/php.ini and enable zlib compression and configure some security settings:

zlib.output_compression = On
disable_functions = ini_set, exec, fopen, popen, passthru, readfile, file, system

6. You should install the following packages too:

apt-get install libapache-mod-choke libapache-mod-gzip libapache-mod-security

7. Mod_security allows you to set custom security rules for Apache (highly recommended). Mod_choke is a rate limiter for Apache. Mod_gzip allows on-the-fly compression of web content, potentially cutting bandwidth needs in half.

8. If you installed mod_gzip, mod_choke, and mod_security, ensure the modules are ordered correctly. Use the command:

pico /etc/apache/modules.conf

9. Mod_gzip must be the last module listed (which is actually the first module loaded, because Apache loads modules.conf in reverse order) and mod_security must be the first module listed. Mod_choke should be towards the end of the list. The lines you should see are:

LoadModule security_module /usr/lib/apache/1.3/mod_security.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so      
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so        
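An added check for the ordering rule in step 9 (example code written for this page, not part of the wiki or of Debian's Apache packaging): it parses the LoadModule lines of a modules.conf and reports any violation. The `module_order_problems` function and the sample file contents are constructed here, and "towards the end" is interpreted as the second half of the list.

```python
import re

# Check for the ordering rule in step 9, written for this page: Apache 1.3 loads
# the modules listed in modules.conf in reverse order, so mod_security must be the
# first LoadModule line and mod_gzip the last. "Towards the end" for mod_choke is
# interpreted here (an assumption) as the second half of the list.
LOADMODULE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.MULTILINE)

def module_order_problems(conf_text):
    """Return a list of problems with the LoadModule order; empty means it is fine."""
    modules = [m.group(1) for m in LOADMODULE.finditer(conf_text)]
    problems = []
    for name in ("security_module", "choke_module", "gzip_module"):
        if name not in modules:
            problems.append(f"{name} is not loaded")
    if "security_module" in modules and modules[0] != "security_module":
        problems.append("security_module must be the first LoadModule line")
    if "gzip_module" in modules and modules[-1] != "gzip_module":
        problems.append("gzip_module must be the last LoadModule line")
    if "choke_module" in modules and modules.index("choke_module") < len(modules) // 2:
        problems.append("choke_module should be towards the end of the list")
    return problems

# Constructed sample modules.conf contents (not copied from a real system).
GOOD = """\
LoadModule security_module /usr/lib/apache/1.3/mod_security.so
LoadModule rewrite_module /usr/lib/apache/1.3/mod_rewrite.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
"""
BAD = """\
LoadModule gzip_module /usr/lib/apache/1.3/mod_gzip.so
LoadModule choke_module /usr/lib/apache/1.3/mod_choke.so
LoadModule security_module /usr/lib/apache/1.3/mod_security.so
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, module_order_problems(text) or "order is fine")
```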

10. Now let's edit /etc/apache/httpd.conf and configure the modules. A good base mod_gzip configuration:

<IfModule mod_gzip.c>
#Turn mod_gzip on
mod_gzip_on yes
#Allow mod_gzip to eliminate the HTTP header and join the chunks into one (compressible) packet
mod_gzip_dechunk yes
#Count HTTP header size as part of total output size
mod_gzip_add_header_count yes
#Send a Vary HTTP header
mod_gzip_send_vary yes
#Require at least HTTP 1.0 protocol
mod_gzip_min_http 1000
#Compress both GET and POST methods
mod_gzip_handle_methods GET POST
#Do not keep temporary work files
mod_gzip_keep_workfiles No
mod_gzip_temp_dir /tmp
#Minimum file size gzip will compress (in bytes)
mod_gzip_minimum_file_size 1000
#Maximum file size gzip will compress (in bytes)
mod_gzip_maximum_file_size 500000
#Types to compress
mod_gzip_item_include file \.htm$
mod_gzip_item_include file \.html$
mod_gzip_item_include file \.pl$
mod_gzip_item_include file \.cgi$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^httpd/unix-directory$
mod_gzip_item_include handler proxy-server
mod_gzip_item_include handler ^cgi-script$
#Types to exclude (PHP uses internal zlib compression)
mod_gzip_item_exclude mime ^application/x-httpd-php
mod_gzip_item_exclude file \.php$
mod_gzip_item_exclude file \.phps$
mod_gzip_item_exclude file \.phtml$
mod_gzip_item_exclude file "\.css$"
mod_gzip_item_exclude file "\.js$"
mod_gzip_item_exclude mime ^image/
</IfModule>

11. A sample mod_choke configuration:

<IfModule mod_choke.c>
#Turn mod_choke on
Choke         On
#Set the choke rate
ChokeRate     10k
ChokeRateEnv  CHOKE_RATE
#Allow full rate for this many bytes
ChokeBurst    10k
ChokeSummary  Off
#Set the maximum connections
GlobalMaxConnectionsPerIP   2
GlobalMaxConnectionsPerUser 2
</IfModule>

12. And a good mod_security configuration. Note that this configuration is fairly restrictive and may prevent you from running some scripts. If you're having any problems running certain scripts, try loosening the mod_security rules and see if your script works:

<IfModule mod_security.c>
#Start engine configuration - Scan dynamic content, POST method, and URL encoding
SecFilterEngine DynamicOnly
SecFilterCheckURLEncoding On
SecFilterForceByteRange 1 255
SecAuditEngine RelevantOnly
SecAuditLog /var/log/audit_log
SecFilterDebugLog /var/log/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:406"
#End engine configuration
#Prevent OS specific keywords - Prevent remote execution
SecFilter /etc/passwd
SecFilter /bin/sh
SecFilterSelective ARGS_NAMES 777
#Prevent operating system command execution
SecFilterSelective ARGS "bin/"
SecFilter /bin/ls
#Prevent path traversal
SecFilter "\.\./"
#Prevent XSS attacks (HTML/Javascript injection)
SecFilter "<(.|\n)+>"
#Forbid uncommon encoding types
SecFilterSelective "HTTP_Content-Type" "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)"
#Start filter to prevent SQL injection attacks
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*select.+from[^<]*</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*delete.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*insert.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*update.+from[^<]*</\s*id\s*>" "deny,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.*drop.+from[^<]*</\s*id\s*>" "deny,status:406"
#End filter
#Forbid file upload
SecFilterSelective "HTTP_CONTENT_TYPE" multipart/form-data
#Forbid chunked transfer encoding requests
SecFilterSelective HTTP_Transfer-Encoding "!^$"
#Require HTTP_USER_AGENT and HTTP_HOST headers in every request
SecFilterSelective "HTTP_USER_AGENT|HTTP_HOST" "^$"
#Normalize cookie names and values before filtering
SecFilterNormalizeCookies On
#Prevent XSS attack via PHP session id
SecFilterSelective ARG_PHPSESSID "!^[0-9a-z]*$"
SecFilterSelective COOKIE_PHPSESSID "!^[0-9a-z]*$"
#Prevent PHP fatal error messages from leaking information
SecFilterSelective OUTPUT "Fatal error:"
#Filter meta characters (helps prevent SQL attacks and information leaks)
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>" chain
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.{6,}</\s*id\s*>" "deny,log,status:406"
SecFilterSelective POST_PAYLOAD "<\s*id[^>]*>.+['\"%][^<]*</\s*id\s*>" "deny,log,status:406"
</IfModule>
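To see which inputs the rules above actually stop, and where they are restrictive enough to break ordinary scripts (as step 12 warns), here is an added Python emulation of a subset of them. It is written for this page, not mod_security's own engine: the request model, the `check_request` function and the sample requests are all constructed here, and mod_security's URL decoding and normalisation are not emulated, so it only shows the raw regex behaviour.

```python
import re

# Simplified emulation of a subset of the page's mod_security 1.x rules, written
# for this page (not mod_security itself). A rule is (location, pattern, negate);
# the first rule that fires denies with 406, as SecFilterDefaultAction does above.
RULES = [
    ("ARGS", r"/etc/passwd", False),           # SecFilter /etc/passwd
    ("ARGS", r"bin/", False),                  # SecFilterSelective ARGS "bin/"
    ("ARGS", r"\.\./", False),                 # path traversal
    ("ARGS", r"<(.|\n)+>", False),             # XSS filter: any tag-like text
    ("CONTENT_TYPE", r"(^$|^application/x-www-form-urlencoded$|^multipart/form-data;)", True),
    ("CONTENT_TYPE", r"multipart/form-data", False),   # forbid file upload
    ("TRANSFER_ENCODING", r"^$", True),        # forbid chunked requests
    ("USER_AGENT", r"^$", False),              # require User-Agent header
    ("HOST", r"^$", False),                    # require Host header
    ("ARG_PHPSESSID", r"^[0-9a-z]*$", True),   # session id must be [0-9a-z]
]

def _values(req, location):
    args = req.get("args", {})                 # constructed request model
    if location == "ARGS":
        return list(args.values())
    if location == "ARG_PHPSESSID":
        return [args["PHPSESSID"]] if "PHPSESSID" in args else []
    return [req.get(location, "")]

def check_request(req):
    """Return (status, reason): (200, 'allowed') or (406, rule that fired)."""
    for location, pattern, negate in RULES:
        for value in _values(req, location):
            matched = re.search(pattern, value) is not None
            if matched != negate:              # '!' rules fire on non-match
                return 406, f"{location} {'!' if negate else ''}{pattern}"
    return 200, "allowed"

# Constructed sample requests: a normal one, then one per rule worth checking.
BASE = {"args": {"page": "news"}, "CONTENT_TYPE": "", "TRANSFER_ENCODING": "",
        "USER_AGENT": "Mozilla/5.0", "HOST": "linkstation"}
SAMPLES = {
    "normal":     BASE,
    "traversal":  {**BASE, "args": {"page": "../../etc/passwd"}},
    "html_post":  {**BASE, "args": {"comment": "<b>hello</b>"}},  # false positive
    "no_ua":      {**BASE, "USER_AGENT": ""},
    "upload":     {**BASE, "CONTENT_TYPE": "multipart/form-data; boundary=x"},
    "bad_sessid": {**BASE, "args": {"PHPSESSID": "abc-123"}},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:11s} -> {check_request(req)}")
```

The html_post case shows the cost of the `<(.|\n)+>` filter: any form field containing a tag, including harmless markup in a comment form, is denied.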

13. Configure all other Apache settings such as port number, number of servers, and so on. Apache can be configured manually by editing /etc/apache/httpd.conf and /etc/apache/modules.conf. Alternatively, Apache can be configured using Webmin (see Articles/DebianWebmin). If you installed Perl support, then you must add ExecCGI to the <Directory /var/www/> section for your scripts to run. I also recommend the following entries for increased security:

RewriteEngine On
#Assumption added by the editor: the page as extracted has no RewriteCond before this
#rule, and on its own "RewriteRule .* - [F]" forbids every request. The condition
#below, which refuses TRACE/TRACK requests, is the usual companion for this rule.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerTokens Prod

14. Restart the Apache server to apply your changes. Use the command:

apachectl restart 

15. Finally, let's test your security settings. Every test should report failed, indicating a basic (but not invulnerable) level of security:

cd /usr/share/mod-security/tests
./run-test.pl localhost:yourportnumber *.test 

16. Some people may prefer to use a lighter (but less-featured), more appliance-friendly web server such as thttpd or lighttpd.