move apache to own doc

This commit is contained in:
tengel 2024-03-20 11:40:22 -05:00
parent 780dbcf843
commit 6a9377bcdd
3 changed files with 152 additions and 150 deletions

View file

@ -5,6 +5,7 @@ memoirs, musings and reminiscences - long form writings stored in the code repo,
## Index ## Index
- [Active Directory with Winbind](md/active_directory_with_winbind.md) - [Active Directory with Winbind](md/active_directory_with_winbind.md)
- [Apache Setup](md/apache_setup.md)
- [Arch UEFI Installation](md/arch_uefi_installation.md) - [Arch UEFI Installation](md/arch_uefi_installation.md)
- [CIFS Client Setup](md/cifs_client_setup.md) - [CIFS Client Setup](md/cifs_client_setup.md)
- [Compose Key Sequences](md/compose_key_sequences.md) - [Compose Key Sequences](md/compose_key_sequences.md)

150
md/apache_setup.md Normal file
View file

@ -0,0 +1,150 @@
# Apache Setup
## Contents
- [Apache Installation](#apache-installation)
- [Apache iptables Ports](#apache-iptables-ports)
- [Apache Default Template](#apache-default-template)
- [Apache 80 Template](#apache-80-template)
- [Apache 443 Template](#apache-443-template)
## Apache Installation
The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.
```
apt-get update
apt-get install apache2
a2enmod ssl
a2enmod reqtimeout
a2enmod rewrite
a2enmod headers
a2enmod expires
```
## Apache iptables Ports
Ensure the ports for 80 and 443 are added to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, typically near where the SSH port has been opened:
```
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```
Restart the daemon: `systemctl restart netfilter-persistent`
## Apache Default Template
This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to `/etc/apache2/sites-available/00_main.conf` (or use a symlink):
```
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerName localhost
ServerTokens OS
TraceEnable off
<IfModule prefork.c>
StartServers 3
MinSpareServers 2
MaxSpareServers 4
ServerLimit 9
MaxClients 9
MaxRequestsPerChild 2000
</IfModule>
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
<Directory "/path/to/www">
AllowOverride None
Require all granted
</Directory>
# Port 80
Include /path/to/port_80.conf
# Port 443
Include /path/to/port_443.conf
```
Disable the Debian default website and enable the new one created above:
```
a2dissite 000-default
a2ensite 00_main
```
...or just manually change symlinks in `/etc/apache2/sites-enabled/` as desired.
## Apache 80 Template
Included above as `/path/to/port_80.conf`
```
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
## Apache 443 Template
Included above as `/path/to/port_443.conf`
```
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCertificateFile /path/to/sslkeys/2020-example.crt
SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem
Header always set Strict-Transport-Security "max-age=15768000"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
Note the above 443 template does not enable HSTS on all subdomains by design, add as required.
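Review bot: the `*:80` vhost in the new file serves the same `DocumentRoot` in the clear and never sends a client to 443, so the HSTS header set on the 443 vhost is only learned by clients that already started on https; with `mod_rewrite` enabled but unused, a single `Redirect permanent / https://example.com/` in the `*:80` block (and moving `DocumentRoot`/`<Directory>` out of it) closes that gap. Smaller points in the 443 template: `SSLHonorCipherOrder on` appears twice (before and after `SSLCipherSuite`), drop one; `SSLCACertificateFile` is mod_ssl's directive for verifying client certificates, so if `2020-ssl-issuer-CA.pem` is meant as the issuer chain presented to browsers it belongs in `SSLCertificateChainFile` or appended to the `SSLCertificateFile` bundle (2.4.8+), and `openssl s_client -connect example.com:443 -showcerts` confirms what is actually sent; the `SetEnvIf User-Agent ".*MSIE.*" ... downgrade-1.0 force-response-1.0` block is the legacy IE workaround and can go. In the main template, `ServerTokens OS` still advertises the platform (`ServerTokens Prod` is the tighter choice), and `MaxClients`/`MaxRequestsPerChild` are the pre-2.4 spellings of `MaxRequestWorkers`/`MaxConnectionsPerChild` (accepted as aliases, but the new names avoid a deprecation surprise later).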

View file

@ -7,11 +7,6 @@
- [Disable root Login](#disable-root-login) - [Disable root Login](#disable-root-login)
- [Server Hardening](#server-hardening) - [Server Hardening](#server-hardening)
- [fail2ban Setup](#fail2ban-setup) - [fail2ban Setup](#fail2ban-setup)
- [Apache Webserver](#apache-webserver)
- [Apache iptables Ports](#apache-iptables-ports)
- [Apache Default Template](#apache-default-template)
- [Apache 80 Template](#apache-80-template)
- [Apache 443 Template](#apache-443-template)
## Server Installation ## Server Installation
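Review bot: removing the five Apache entries from this contents list leaves nothing in the server-setup document pointing at the new `md/apache_setup.md`, so a reader following this doc no longer learns that the webserver is an optional follow-on step; keep one line here (or a short "see also" link at the end) referencing the new Apache Setup document.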
@ -198,7 +193,7 @@ apt-get install fail2ban sqlite3
cat << 'EOF' > /etc/fail2ban/jail.local cat << 'EOF' > /etc/fail2ban/jail.local
[DEFAULT] [DEFAULT]
ignoreip = 127.0.0.1/8 ignoreip = 127.0.0.1/8
bantime = 600 bantime = 3600
maxretry = 3 maxretry = 3
backend = auto backend = auto
destemail = root@localhost destemail = root@localhost
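Review bot: `bantime = 600` to `bantime = 3600` is a behaviour change to the fail2ban defaults that has nothing to do with the commit's stated purpose (moving the Apache doc); split it into its own commit, or at least mention it in the commit message, so the change is findable later. The value itself is reasonable alongside `maxretry = 3`.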
@ -228,147 +223,3 @@ chown root:root /etc/cron.weekly/f2b-cleanup
chmod 0755 /etc/cron.weekly/f2b-cleanup chmod 0755 /etc/cron.weekly/f2b-cleanup
``` ```
## Apache Webserver
Optional: adding a webserver might be desired, the method of obtain the SSL certificate is not covered here.
### Apache Installation
The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.
```
apt-get update
apt-get install apache2
a2enmod ssl
a2enmod reqtimeout
a2enmod rewrite
a2enmod headers
a2enmod expires
```
### Apache iptables Ports
Ensure the ports for 80 and 443 are added to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, typically near where the SSH port has been opened:
```
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```
Restart the daemon: `systemctl restart netfilter-persistent`
### Apache Default Template
This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to `/etc/apache2/sites-available/00_main.conf` (or use a symlink):
```
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerName localhost
ServerTokens OS
TraceEnable off
<IfModule prefork.c>
StartServers 3
MinSpareServers 2
MaxSpareServers 4
ServerLimit 9
MaxClients 9
MaxRequestsPerChild 2000
</IfModule>
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
<Directory "/path/to/www">
AllowOverride None
Require all granted
</Directory>
# Port 80
Include /path/to/port_80.conf
# Port 443
Include /path/to/port_443.conf
```
Disable the Debian default website and enable the new one created above:
```
a2dissite 000-default
a2ensite 00_main
```
...or just manually change symlinks in `/etc/apache2/sites-enabled/` as desired.
### Apache 80 Template
Included above as `/path/to/port_80.conf`
```
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
### Apache 443 Template
Included above as `/path/to/port_443.conf`
```
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCertificateFile /path/to/sslkeys/2020-example.crt
SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem
Header always set Strict-Transport-Security "max-age=15768000"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
Note the above 443 template does not enable HSTS on all subdomains by design, add as required.
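Review bot: the lead sentence of the removed section, "Optional: adding a webserver might be desired, the method of obtain the SSL certificate is not covered here.", is not carried over into `md/apache_setup.md`, which opens directly on the installation steps; keep the caveat that certificate acquisition is out of scope in the new document (and fix "the method of obtain" to "the method of obtaining" while moving it), otherwise `/path/to/sslkeys/2020-example.crt` appears in the 443 template with no hint of where it comes from.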