tengel/papyri
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
papyri/md/apache_setup.md
tengel 6a9377bcdd move apache to own doc
2024-03-20 11:40:22 -05:00

3.8 KiB
Raw Permalink Blame History

Apache Setup

Contents

Apache Installation

The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.

apt-get update
apt-get install apache2
a2enmod ssl
a2enmod reqtimeout
a2enmod rewrite
a2enmod headers
a2enmod expires

Apache iptables Ports

Ensure the ports for 80 and 443 are added to /etc/iptables/rules.v4 and /etc/iptables/rules.v6, typically near where the SSH port has been opened:

-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Restart the daemon: systemctl restart netfilter-persistent

Apache Default Template

This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to /etc/apache2/sites-available/00_main.conf (or use a symlink):

Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerName localhost
ServerTokens OS
TraceEnable off

<IfModule prefork.c>
  StartServers       3
  MinSpareServers    2
  MaxSpareServers    4
  ServerLimit        9
  MaxClients         9
  MaxRequestsPerChild  2000
</IfModule>

<IfModule mod_reqtimeout.c>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

<Directory "/path/to/www">
  AllowOverride None
  Require all granted
</Directory>

# Port 80
Include /path/to/port_80.conf

# Port 443
Include /path/to/port_443.conf

Disable the Debian default website and enable the new one created above:

a2dissite 000-default
a2ensite 00_main

...or just manually change symlinks in /etc/apache2/sites-enabled/ as desired.

Apache 80 Template

Included above as /path/to/port_80.conf

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin root@example.com
  ErrorLog /var/log/apache2/example-error.log
  CustomLog /var/log/apache2/example-access.log combined

  DocumentRoot /path/to/www/html
  <Directory /path/to/www/html>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Apache 443 Template

Included above as /path/to/port_443.conf

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin root@example.com
  ErrorLog /var/log/apache2/example-error.log
  CustomLog /var/log/apache2/example-access.log combined

  SSLEngine on
  SSLHonorCipherOrder on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  SSLHonorCipherOrder on
  SSLCompression off
  SSLSessionTickets off

  SSLCertificateFile /path/to/sslkeys/2020-example.crt
  SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
  SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem

  Header always set Strict-Transport-Security "max-age=15768000"

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>

  SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

  DocumentRoot /path/to/www/html
  <Directory /path/to/www/html>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Note the above 443 template does not enable HSTS on all subdomains by design, add as required.