Install & Configure Apache

Installation

If not included as part of the initial Linux installation, install the Apache webserver & its dependencies. If you plan on running phpMyAdmin and/or ReadingRecord via SSL/TLS (https), you'll also need the mod_ssl package & its dependencies.

Post-Install

Once Apache is installed & running, you should be able to open a web browser and see the Apache 2 test page.

Configuration

  • Edit the Apache config file '/etc/httpd/conf.d/php.conf', adding the following lines at the end:
    • # Run script to set include_path
      php_value auto_prepend_file "/var/www/ReadingRecord/config/prepend.php"
  • Restart Apache.

Security Considerations

The following are optional, but recommended, steps to help improve the security of your ReadingRecord server.

Disable HTTP TRACE & TRACK

A minor (IMO) issue, but if your library is subject to regular security audits you may get dinged for it.

  • Create the file '/etc/httpd/conf.d/http.conf':
    • # http configuration
      <VirtualHost *:80>
      
      # Deny HTTP TRACE & TRACK methods.
      # See http://www.kb.cert.org/vuls/id/867593
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
      RewriteRule .* - [F]
      </VirtualHost>
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'telnet localhost 80'.
    • Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
      • If the output includes 'HTTP/1.1 200 OK', TRACE is still enabled.
      • If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
    • Repeat the same test using 'TRACK / HTTP/1.0'.
    • Actual output will look something like this:
    • [root@demo ~]# telnet localhost 80
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      TRACE / HTTP/1.0
      
      HTTP/1.1 403 Forbidden
      Date: Thu, 04 Apr 2013 17:25:51 GMT
      Server: Apache/2.2.3 (CentOS)
      Accept-Ranges: bytes
      Content-Length: 5043
      Connection: close
      
      [remainder of output snipped...]
    • [root@demo ~]# telnet localhost 80
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      TRACK / HTTP/1.0
      
      HTTP/1.1 403 Forbidden
      Date: Thu, 04 Apr 2013 17:25:51 GMT
      Server: Apache/2.2.3 (CentOS)
      Accept-Ranges: bytes
      Content-Length: 5043
      Connection: close
      
      [remainder of output snipped...]

Use SSL/TLS (https) to protect data in transit

  • If not already doing so, consider using SSL/TLS (https) access for both phpMyAdmin and ReadingRecord to protect data in transit.
    • Inexpensive single server & wildcard (domain) SSL certificates are available from RapidSSL; the entire process can be completed via the Internet & an automated phone call.
    • If hosting just your own site, a single server certificate should suffice.
    • If hosting multiple sites using the same DNS domain, a wildcard certificate will be necessary.

Redirect all traffic to https

If using SSL/TLS, redirect all http traffic to https.

  • If you have disabled HTTP TRACE & TRACK (above), edit the config file again so it looks like this:
    • # http configuration
      <VirtualHost *:80>
      
      # Deny HTTP TRACE & TRACK methods.
      # See http://www.kb.cert.org/vuls/id/867593
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
      RewriteRule .* - [F]
      
      # Redirect all traffic to https
      RewriteEngine On
      RewriteCond %{HTTPS} !on
      RewriteRule .? https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
      
      </VirtualHost>
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'telnet localhost 80'.
    • Once connected, type 'GET / HTTP/1.0' & press enter twice.
      • If the output includes 'HTTP/1.1 302 Found', redirection is properly configured.
    • Actual output will look something like this:
    • [root@demo conf.d]# telnet localhost 80
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      GET / HTTP/1.0
      
      HTTP/1.1 302 Found
      Date: Thu, 04 Apr 2013 17:40:03 GMT
      Server: Apache/2.2.3 (CentOS)
      Location: https://demo.readingrecord.org/
      Content-Length: 302
      Connection: close
      Content-Type: text/html; charset=iso-8859-1
      
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>302 Found</title>
      </head><body>
      <h1>Found</h1>
      <p>The document has moved <a href="https://demo.readingrecord.org/">here</a>.</p>
      <hr>
      <address>Apache/2.2.3 (CentOS) Server at demo.readingrecord.org Port 80</address>
      </body></html>
      Connection closed by foreign host.

Disable HTTPS TRACE & TRACK

Unfortunately disabling these for HTTP does not also disable them for HTTPS.

  • Edit the config file '/etc/httpd/conf.d/ssl.conf', adding the following just after the '<VirtualHost _default_:443>' line:
    • # Deny HTTP TRACE & TRACK methods.
      # See http://www.kb.cert.org/vuls/id/867593
      RewriteEngine on
      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
      RewriteRule .* - [F]
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'openssl s_client -connect localhost:443'.
      • Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
        • If the output includes 'HTTP/1.1 200 OK', TRACE is still enabled.
        • If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
      • Repeat the same test using 'TRACK / HTTP/1.0'.
      • Actual output will look something like this:
      • [root@demo ~]# openssl s_client -connect localhost:443
        
        [SSL/TLS handshake output snipped...]
        
        TRACE / HTTP/1.0
        
        HTTP/1.1 403 Forbidden
        Date: Thu, 04 Apr 2013 17:47:14 GMT
        Server: Apache/2.2.3 (CentOS)
        Accept-Ranges: bytes
        Content-Length: 5043
        Connection: close
        
        [remainder of output snipped...]
      • [root@demo ~]# openssl s_client -connect localhost:443
        
        [SSL/TLS handshake output snipped...]
        
        TRACK / HTTP/1.0
        
        HTTP/1.1 403 Forbidden
        Date: Thu, 04 Apr 2013 17:47:14 GMT
        Server: Apache/2.2.3 (CentOS)
        Accept-Ranges: bytes
        Content-Length: 5043
        Connection: close
        
        [remainder of output snipped...]
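The three manual checks above (TRACE/TRACK on port 80, the http-to-https redirect, and TRACE/TRACK on port 443) can be run in one go with the script below. It is an added example, not part of the ReadingRecord docs: it sends the same raw HTTP/1.0 requests the telnet and s_client steps do and passes only on the responses the page describes (403 Forbidden for TRACE/TRACK, a 3xx with an https:// Location for GET). Hostname and ports are assumptions; certificate verification is switched off because the check is about server behaviour, not the certificate.

```python
import socket
import ssl

def send_raw(host, port, request, use_tls=False, timeout=5.0):
    """Send one raw HTTP/1.0 request, as the telnet / s_client steps do, and return the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False   # we are checking server behaviour here, not the certificate
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while (data := sock.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

def parse_status(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw HTTP response."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    pairs = (line.split(":", 1) for line in lines[1:] if ":" in line)
    return int(parts[1]), {name.strip().lower(): value.strip() for name, value in pairs}

def method_blocked(raw):
    """TRACE/TRACK check: passes only when the server answered 403 Forbidden."""
    return parse_status(raw)[0] == 403

def redirects_to_https(raw):
    """Redirect check: a 3xx answer whose Location header points at an https:// URL."""
    code, headers = parse_status(raw)
    return 300 <= code < 400 and headers.get("location", "").startswith("https://")

def audit(host, http_port=80, https_port=443):
    """Run every check from this page against a live server; each value should be True."""
    results = {}
    for method in ("TRACE", "TRACK"):
        req = "%s / HTTP/1.0\r\nHost: %s\r\n\r\n" % (method, host)
        results["http_%s_blocked" % method] = method_blocked(send_raw(host, http_port, req))
        results["https_%s_blocked" % method] = method_blocked(
            send_raw(host, https_port, req, use_tls=True))
    get = "GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
    results["http_redirects_to_https"] = redirects_to_https(send_raw(host, http_port, get))
    return results
```

Run `audit("localhost")` on the server itself after restarting Apache; any False value points at the section whose config is missing.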

docs/install_configure_apache.txt (5607 views) · Last modified: 2013/04/04 17:17 by esisler