[[Install & Configure Apache]]
 
Trace: » Install & Configure Apache
Table of Contents

Install & Configure Apache

Installation

If not included as part of the initial Linux installation, install Apache webserver & dependencies. If you plan on running phpMyadmin and/or ReadingRecord via SSL/TLS (https), you'll also need the mod_ssl package & dependencies.

Post-Install

Once Apache is installed & running, you should be able to open a web browser and see the Apache 2 test page:

Configuration

  • Edit the Apache config file '/etc/httpd/conf.d/php.conf', adding the following lines the end:
    • # Run script to set include_path
php_value auto_prepend_file "/var/www/ReadingRecord/config/prepend.php"
  • Restart Apache.

Security Considerations

The following are optional, but recommended, steps to help improve the security of your ReadingRecord server.

Disable HTTP TRACE & TRACK

A minor (IMO) issue, but if your library is subject to regular security audits you may get dinged for it.

  • Create the file '/etc/httpd/conf.d/http.conf':
    • # http configuration
<VirtualHost *:80>

# Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</VirtualHost>
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'telnet localhost 80'.
    • Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
      • If the output includes 'HTTP/1.1 OK', TRACE is still enabled.
      • If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
    • Repeat the same test using 'TRACK / HTTP/1.0'.
    • Actual output will look something like this:
    • [root@demo ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:25:51 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close

[remainder of output snipped...]
    • [root@demo ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACK / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:25:51 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close

[remainder of output snipped...]

Use SSL/TLS (https) to protect data in transit

  • If not already doing so, consider using SSL/TLS (https) access for both phpMyAdmin and ReadingRecord to protect data in transit.
    • Inexpensive single server & wildcard (domain) SSL certificates are available from RapidSSL, the entire process can be accomplished via the Internet & an automated phone call.
    • If hosting just your own site, a single server certificate should suffice.
    • If hosting multiple sites using the same DNS domain, a wildcard certificate will be necessary.

Redirect all traffic to https

If using SSL/TLS, redirect all http traffic to https.

  • If you have disabled HTTP TRACE & TRACK (above), edit the config file again so it looks like this:
    • # http configuration
<VirtualHost *:80>

# Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Redirect all traffic to https
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule .? https://%{SERVER_NAME}%{REQUEST_URI} [R,L]

</VirtualHost>
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'telnet localhost 80'.
    • Once connected, type 'GET / HTTP/1.0' & press enter twice.
      • If the output includes 'HTTP/1.1 302 Found', redirection is properly configured.
    • Actual output will look something like this:
    • [root@demo conf.d]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 04 Apr 2013 17:40:03 GMT
Server: Apache/2.2.3 (CentOS)
Location: https://demo.readingrecord.org/
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://demo.readingrecord.org/">here</a>.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at demo.readingrecord.org Port 80</address>
</body></html>
Connection closed by foreign host.

Disable HTTPS TRACE & TRACK

Unfortunately disabling these for HTTP does not also disable them for HTTPS.

  • Edit the config file '/etc/httpd/conf.d/ssl.conf', adding the following just after the '<VirtualHost _default_:443>' line:
    • # Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
  • Restart Apache. To verify, do the following:
    • From a shell prompt, type 'openssl s_client -connect localhost:443'.
      • Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
        • If the output includes 'HTTP/1.1 OK', TRACE is still enabled.
        • If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
      • Repeat the same test using 'TRACK / HTTP/1.0'.
      • Actual output will look something like this:
      • [root@demo ~]# openssl s_client -connect localhost:443

[SSL/TLS handshake output snipped...]

TRACE / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:47:14 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close

[remainder of output snipped...]
      • [root@demo ~]# openssl s_client -connect localhost:443

[SSL/TLS handshake output snipped...]

TRACK / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:47:14 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close

[remainder of output snipped...]

Navigation

Previous: Install & Configure Linux | Next: Install & Configure MySQL

 
docs/install_configure_apache.txt (5397 views) · Last modified: 2013/04/04 17:17 by esisler