====== Install & Configure Apache ======

===== Installation =====

If not included as part of the initial Linux installation, install the Apache web server & its dependencies. If you plan on running phpMyAdmin and/or ReadingRecord via SSL/TLS (https), you'll also need the mod_ssl package & its dependencies.

===== Post-Install =====

Once Apache is installed & running, you should be able to open a web browser, browse to the server, and see the Apache 2 test page:

{{:docs:apache_test_page.png|}}

===== Configuration =====

  * Edit the Apache config file '/etc/httpd/conf.d/php.conf', adding the following lines to the end:

<code apache>
# Run script to set include_path
php_value auto_prepend_file "/var/www/ReadingRecord/config/prepend.php"
</code>

  * Restart Apache.

===== Security Considerations =====

The following are optional, but recommended, steps to help improve the security of your ReadingRecord server.

=== Disable HTTP TRACE & TRACK ===

A minor (IMO) issue, but if your library is subject to regular security audits you may get dinged for it. TRACE echoes the request, including any cookies and authentication headers, back to the client, which is what the cross-site tracing problem described in the CERT note referenced below exploits. Apache 2.0.55 and later also provide the 'TraceEnable off' directive, which turns TRACE off for the whole server (http and https vhosts alike) in one line; the mod_rewrite rule below is still worth having because it also refuses TRACK, a method Apache does not implement but which audit scanners probe for.

  * Create the file '/etc/httpd/conf.d/http.conf':

<code apache>
# http configuration
# Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</code>

  * Restart Apache.

To verify, do the following (this exercises only the port-80 vhost; the https vhost is checked separately below):

  * From a shell prompt, type 'telnet localhost 80'.
  * Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
  * If the output includes 'HTTP/1.1 200 OK', TRACE is still enabled.
  * If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
  * Repeat the same test using 'TRACK / HTTP/1.0'.
  * Actual output will look something like this:

<code>
[root@demo ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACE / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:25:51 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
[remainder of output snipped...]
</code>

<code>
[root@demo ~]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
TRACK / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:25:51 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
[remainder of output snipped...]
</code>

=== Use SSL/TLS (https) to protect data in transit ===

  * If not already doing so, consider using SSL/TLS (https) access for both phpMyAdmin and ReadingRecord to protect data in transit; without it, logins and session cookies for both applications cross the network in clear text.
  * Inexpensive single server & wildcard (domain) SSL certificates are available from [[http://www.rapidssl.com|RapidSSL]]; the entire process can be accomplished via the Internet & an automated phone call.
  * If hosting just your own site, a single server certificate should suffice.
  * If hosting multiple sites using the same DNS domain, a wildcard certificate (or one certificate listing every hostname as a Subject Alternative Name) will be necessary.

=== Redirect all traffic to https ===

If using SSL/TLS, redirect all http traffic to https, so that a user who types a plain http:// URL or follows an old bookmark never submits a login over the unencrypted port.

  * If you have disabled HTTP TRACE & TRACK (above), edit the config file '/etc/httpd/conf.d/http.conf' again so it looks like this. Keep the TRACE/TRACK rule first: the [F] flag stops rewriting with a 403, so a TRACE request is refused outright instead of being redirected to the https site.

<code apache>
# http configuration
# Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Redirect all traffic to https
RewriteCond %{HTTPS} !on
RewriteRule .? https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</code>

  * The [R] flag issues a 302 (temporary) redirect by default. Once the https site is known to be stable, [R=301,L] tells browsers to remember the redirect; expect 'HTTP/1.1 301 Moved Permanently' in the verification below if you do that. The redirect target is built from %{SERVER_NAME}, so the hostname it produces must be one the certificate covers, or users will see a certificate warning after the redirect.
  * Restart Apache.

To verify, do the following:

  * From a shell prompt, type 'telnet localhost 80'.
  * Once connected, type 'GET / HTTP/1.0' & press enter twice.
  * If the output includes 'HTTP/1.1 302 Found' and a 'Location:' header pointing at the https URL, redirection is properly configured.
  * Actual output will look something like this (the redirect page body is shown as rendered text, HTML tags stripped):

<code>
[root@demo conf.d]# telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.1 302 Found
Date: Thu, 04 Apr 2013 17:40:03 GMT
Server: Apache/2.2.3 (CentOS)
Location: https://demo.readingrecord.org/
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1

302 Found
Found
The document has moved here.
Apache/2.2.3 (CentOS) Server at demo.readingrecord.org Port 80
Connection closed by foreign host.
</code>
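The telnet checks above (TRACE/TRACK over http, then the http-to-https redirect) and the openssl s_client check in the next section are all the same exercise: send one raw HTTP/1.0 request and read the status line. The script below is an added example, not part of ReadingRecord or of this page's original instructions, that automates all three so the audit can be re-run after every Apache change. It goes slightly beyond the page's pass condition: any non-200 answer to TRACE/TRACK counts as denied, so a server protected by 'TraceEnable off' (405) or one that simply does not implement TRACK (501) also passes. The hostname, ports, the Host header it sends, and the sample responses it parses offline are assumptions; the samples are constructed to match the output shown on this page, not real captures.

```python
#!/usr/bin/env python3
"""Audit TRACE/TRACK handling and the http -> https redirect on an Apache host.

Added example for this page; it is not ReadingRecord code. Certificate
validation is deliberately relaxed because the page's own test runs against
localhost with whatever certificate happens to be installed: this script audits
method handling and redirects, not the certificate.
"""
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample responses modelled on the telnet output in this page (not real captures).
SAMPLE_TRACE_DENIED = (
    "HTTP/1.1 403 Forbidden\r\nDate: Thu, 04 Apr 2013 17:25:51 GMT\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\nContent-Length: 5043\r\nConnection: close\r\n\r\n"
    "<html>forbidden page body</html>"
)
# A server that still serves TRACE echoes the request back as message/http.
SAMPLE_TRACE_ENABLED = (
    "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\nConnection: close\r\n\r\n"
    "TRACE / HTTP/1.0\r\nHost: demo.readingrecord.org\r\n\r\n"
)
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\r\nLocation: https://demo.readingrecord.org/\r\n"
    "Content-Length: 302\r\nConnection: close\r\n\r\n<html>302 Found</html>"
)
SAMPLE_NO_REDIRECT = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>test page</html>"


def raw_request(host, port, method, path="/", use_tls=False, timeout=5):
    """Send a minimal HTTP/1.0 request, as the telnet / s_client tests do, and return the raw response text."""
    req = f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False          # see module docstring: we are auditing methods, not the cert
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(req)
        chunks = []
        while True:                          # HTTP/1.0: the server closes the connection when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


def parse_response(raw):
    """Split a raw HTTP response into (status_code, {lowercased-header-name: value})."""
    head = raw.replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def method_is_denied(raw):
    """TRACE/TRACK check. 200 means the method is served; the page's rewrite rule gives 403,
    TraceEnable off gives 405, and an unimplemented method gives 501: all of those are fine."""
    status, _ = parse_response(raw)
    return status != 200


def redirects_to_https(raw, expected_host=None):
    """Redirect check: a 301/302 whose Location is an https URL (optionally for the expected host)."""
    status, headers = parse_response(raw)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302) or target.scheme != "https":
        return False
    if expected_host and (target.hostname or "").lower() != expected_host.lower():
        return False
    return True


def audit(host, http_port=80, https_port=443):
    """Run every check from this page against a live server; returns {check name: passed}."""
    results = {}
    for use_tls, port in ((False, http_port), (True, https_port)):
        scheme = "https" if use_tls else "http"
        for method in ("TRACE", "TRACK"):
            resp = raw_request(host, port, method, use_tls=use_tls)
            results[f"{scheme} {method} denied"] = method_is_denied(resp)
    results["http -> https redirect"] = redirects_to_https(raw_request(host, http_port, "GET"), host)
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python3 check_methods.py demo.readingrecord.org
        for check, ok in audit(sys.argv[1]).items():
            print(f"{'PASS' if ok else 'FAIL'}  {check}")
    else:                                    # offline: exercise the parser on the constructed samples
        print("TRACE denied sample  :", method_is_denied(SAMPLE_TRACE_DENIED))
        print("TRACE enabled sample :", method_is_denied(SAMPLE_TRACE_ENABLED))
        print("redirect sample      :", redirects_to_https(SAMPLE_REDIRECT, "demo.readingrecord.org"))
```

Run it with the server's hostname to audit a live install; with no argument it only exercises the parser on the built-in samples. A PASS for 'http TRACE denied' alongside a FAIL for 'https TRACE denied' is exactly the gap the next section addresses: the rewrite rule in http.conf does not carry over to the SSL virtual host.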
=== Disable HTTPS TRACE & TRACK ===

Unfortunately disabling these for HTTP does not also disable them for HTTPS: mod_rewrite rules in the main server configuration are not inherited by the SSL VirtualHost container in ssl.conf (unless that container sets 'RewriteOptions Inherit'), so the rule has to be repeated inside it.

  * Edit the config file '/etc/httpd/conf.d/ssl.conf', adding the following just after the '' line:

<code apache>
# Deny HTTP TRACE & TRACK methods.
# See http://www.kb.cert.org/vuls/id/867593
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</code>

  * Restart Apache.

To verify, do the following:

  * From a shell prompt, type 'openssl s_client -connect localhost:443'.
  * Once connected, type 'TRACE / HTTP/1.0' & press enter twice.
  * If the output includes 'HTTP/1.1 200 OK', TRACE is still enabled.
  * If the output includes 'HTTP/1.1 403 Forbidden', TRACE is disabled.
  * Repeat the same test using 'TRACK / HTTP/1.0'.
  * Actual output will look something like this:

<code>
[root@demo ~]# openssl s_client -connect localhost:443
[SSL/TLS handshake output snipped...]
TRACE / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:47:14 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
[remainder of output snipped...]
</code>

<code>
[root@demo ~]# openssl s_client -connect localhost:443
[SSL/TLS handshake output snipped...]
TRACK / HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Thu, 04 Apr 2013 17:47:14 GMT
Server: Apache/2.2.3 (CentOS)
Accept-Ranges: bytes
Content-Length: 5043
Connection: close
[remainder of output snipped...]
</code>

===== Navigation =====

Previous: [[docs:install_configure_linux|]] | Next: [[docs:install_configure_mysql|]]