tengel/papyri
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
papyri/md/apache_setup.md
tengel 6a9377bcdd move apache to own doc
2024-03-20 11:40:22 -05:00

150 lines
3.8 KiB
Markdown
Raw Permalink Blame History

# Apache Setup
## Contents
- [Apache Installation](#apache-installation)
- [Apache iptables Ports](#apache-iptables-ports)
- [Apache Default Template](#apache-default-template)
- [Apache 80 Template](#apache-80-template)
- [Apache 443 Template](#apache-443-template)
## Apache Installation
The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.
```
apt-get update
apt-get install apache2
a2enmod ssl
a2enmod reqtimeout
a2enmod rewrite
a2enmod headers
a2enmod expires
```
## Apache iptables Ports
Ensure the ports for 80 and 443 are added to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, typically near where the SSH port has been opened:
```
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```
Restart the daemon: `systemctl restart netfilter-persistent`
## Apache Default Template
This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to `/etc/apache2/sites-available/00_main.conf` (or use a symlink):
```
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerName localhost
ServerTokens OS
TraceEnable off
<IfModule prefork.c>
StartServers 3
MinSpareServers 2
MaxSpareServers 4
ServerLimit 9
MaxClients 9
MaxRequestsPerChild 2000
</IfModule>
<IfModule mod_reqtimeout.c>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
<Directory "/path/to/www">
AllowOverride None
Require all granted
</Directory>
# Port 80
Include /path/to/port_80.conf
# Port 443
Include /path/to/port_443.conf
```
Disable the Debian default website and enable the new one created above:
```
a2dissite 000-default
a2ensite 00_main
```
...or just manually change symlinks in `/etc/apache2/sites-enabled/` as desired.
## Apache 80 Template
Included above as `/path/to/port_80.conf`
```
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
## Apache 443 Template
Included above as `/path/to/port_443.conf`
```
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com
ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined
SSLEngine on
SSLHonorCipherOrder on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCertificateFile /path/to/sslkeys/2020-example.crt
SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem
Header always set Strict-Transport-Security "max-age=15768000"
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
```
Note the above 443 template does not enable HSTS on all subdomains by design, add as required.
Reference in a new issue View git blame Copy permalink