Apache static site
Learning objectives
- Basic Apache configuration and security settings
- Configure a Web site for each system user
- Configure a "virtual directory" using the alias mechanism
- Configure Host Access Control and User Access Control
- Configure IP and Port based virtual hosts
- Configure name-based virtual hosting
- Configure SSL/TLS based virtual hosting
- Configure URL/URI redirection
Task 1: Basic configuration and security settings
Requirements
- Set the server name and administrator email
- Enable the HTTP KeepAlive function
- Disable the /etc/httpd/conf.d/welcome.conf configuration file
- Avoid server information leakage and control the response headers the server sends to the client
- Stop the server from displaying information in the footer of generated pages
- Install and configure the mod_evasive module to mitigate DoS attacks
Steps
- Install Apache 2.4
- Set the server name and administrator email (modify according to your actual situation)
  - Assume the server is named www.olabs.lan
- Enable the HTTP KeepAlive function
- Avoid exposing system information through the test page
  - Disable the /etc/httpd/conf.d/welcome.conf configuration
  - Generate a default site home page file with the content <H1>It Works!</H1>
- To avoid leaking server information, create /etc/httpd/conf.d/security.conf
  - Control the response headers the server sends to the client so that the Server: header shows only "Apache"
  - Stop the server from displaying information in the footer of generated pages
- Install and configure the mod_evasive module to mitigate DoS attacks
  - Install mod_evasive from the EPEL repository
  - Configure /etc/httpd/conf.d/mod_evasive.conf
- Configure the firewall to allow access to the http service
- Check the configuration file syntax for correctness
- Configure httpd to start at boot and start it immediately
- Test with a client that supports the HTTP protocol
  - This machine: curl --head http://localhost
  - This machine: curl -vsI http://localhost | egrep '^(>|<)'
  - This machine: elinks http://localhost
  - This machine: elinks http://192.168.56.71
  - This machine: elinks http://www.olabs.lan
  - Windows: http://IPorFQDN
- View Apache's default error log and access log files
- Use the ab command to stress test: ab -n 10000 -c 100 http://localhost/
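The settings the task asks for, written out as an added example (not the lab's own files); the administrator address and the mod_evasive thresholds are assumptions to adjust for your environment:

```apache
# /etc/httpd/conf/httpd.conf: the three settings from the task
# (the administrator address is an assumption; use your own)
ServerName www.olabs.lan:80
ServerAdmin webmaster@olabs.lan
KeepAlive On

# /etc/httpd/conf.d/security.conf
# Server: header becomes just "Apache" (no version, OS or module list)
ServerTokens Prod
# No version footer on server-generated pages (error pages, index listings)
ServerSignature Off
# TRACE echoes request headers back to the client; nothing here needs it
TraceEnable Off
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

# /etc/httpd/conf.d/mod_evasive.conf (thresholds are lab assumptions)
# The IfModule name follows the 2.4 build of mod_evasive as packaged in EPEL
<IfModule mod_evasive24.c>
    DOSHashTableSize    3097
    # more than 10 requests for the same URI within 1 second ...
    DOSPageCount        10
    DOSPageInterval     1
    # ... or more than 100 requests to the site within 1 second ...
    DOSSiteCount        100
    DOSSiteInterval     1
    # ... blocks the client IP with 403 responses for 60 seconds
    DOSBlockingPeriod   60
    # must exist and be writable by the apache user
    DOSLogDir           /var/log/httpd/mod_evasive
</IfModule>
```

After `apachectl configtest` and a restart, `curl -sI http://localhost | grep -i '^server:'` should print only `Server: Apache`, and the ab stress test should report a large "Non-2xx responses" count once mod_evasive starts blocking.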
Task 2: Configure a Web site for each system user
Requirements
- Configure a Web site for each system user, using the tony user as the test example
Steps
- Modify the /etc/httpd/conf.d/userdir.conf file
  - Specify public_html as the document root of each system user's Web site
- Check the syntax for correctness and restart Apache
- Prepare the Web site for the tony user
# useradd tony
# mkdir -m 700 ~tony/public_html
# echo "Test for tony." > ~tony/public_html/index.html
# chown -R tony:tony ~tony/public_html
# ls -ld ~tony ~tony/public_html
# setfacl -m u:apache:x ~tony
# setfacl -m u:apache:x ~tony/public_html
- Browsing test on the client
  - http://IPorFQDN/~tony
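A userdir.conf that meets the task, as an added example rather than the file shipped with the lab; the Directory options are the restrictive choices a defender would make for content that users, not the administrator, control:

```apache
# /etc/httpd/conf.d/userdir.conf
<IfModule mod_userdir.c>
    # root's home is never published, even if it had a public_html
    UserDir disabled root
    # http://host/~user/ maps to /home/user/public_html
    UserDir public_html
</IfModule>

<Directory "/home/*/public_html">
    # users cannot loosen server settings from a .htaccess file
    AllowOverride None
    # no CGI and no exec in SSI; symlinks are followed only when the link
    # and its target have the same owner, so a user cannot expose files
    # they do not own by linking to them
    Options SymLinksIfOwnerMatch IncludesNoExec
    # read-only methods are enough for a static home page
    Require method GET POST OPTIONS
</Directory>
```

The two setfacl commands above give the apache user just search (x) permission on ~tony and ~tony/public_html, so the 700 directories stay unreadable to everyone else while the web server can still traverse them to the 644 index.html.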
Task 3: Host access control, alias mechanism and directory listing
Requirements
- Assume the IP of the Apache host is 192.168.56.71
- Allow only the local loopback network or 192.168.56.0/24 to access the alias /yum
- Enable directory listing for the file system directory mapped by the alias /yum
Steps
- Create the /etc/httpd/conf.d/pxe.conf file
  - Map the alias /yum to the file system directory /var/ftp/yum
  - Set access control on the /var/ftp/yum directory
    - Enable directory listing
      - Use Apache's default directory listing option configuration in CentOS (conf.d/autoindex.conf)
    - Allow only the local loopback network or 192.168.56.0/24 to access
- Check the syntax for correctness and restart Apache
- Browsing test on the client
  - Local: http://localhost/yum
  - Remote: http://192.168.56.71/yum
  - Remote: http://www.olabs.lan/yum
Hints
- Test from a host outside 192.168.56.0/24, for example in the c6-v1 container
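A pxe.conf that implements the three requirements, added here as an example (not the lab's own file):

```apache
# /etc/httpd/conf.d/pxe.conf
Alias /yum "/var/ftp/yum"

# /var/ftp/yum lies outside DocumentRoot, and the 2.4 default config ends with
# "Require all denied" for "/", so access has to be granted here explicitly
<Directory "/var/ftp/yum">
    # Indexes turns on the mod_autoindex listing; its appearance (IndexOptions,
    # icons, IndexIgnore for dot files) comes from conf.d/autoindex.conf
    Options Indexes FollowSymLinks
    AllowOverride None
    # Several Require lines directly inside a Directory are OR-ed (implicit
    # RequireAny): IPv4/IPv6 loopback or the lab subnet; everyone else gets 403
    Require ip 127.0.0.0/8
    Require ip ::1
    Require ip 192.168.56.0/24
</Directory>
```

From the c6-v1 container the listing should answer 403, while the three local and remote URLs in the test list return the index page.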
Task 4: Host access control vs. user access control
Requirements
- Assume the IP of the Apache host is 192.168.56.71
- Configure http://127.0.0.1/server-status so that it can only be accessed directly on localhost
- Configure HTTP basic authentication for access to http://192.168.56.71/server-status from outside localhost
- Configure HTTP digest user authentication for access to http://192.168.56.71/sec/ only from the 192.168.56.0/24 network
Steps
- Set basic-authentication user access control for the mod_status module
  - Create the /etc/httpd/conf.d/server-status.conf file
    - Configure the Location container /server-status to set access control
      - Enable the mod_status module to generate server status information
      - Directly accessible from 127.0.0.1
      - Access using user authentication from networks other than 127.0.0.1
        - Use HTTP basic authentication
        - The jason user can access with the password JaP455
  - Use the htpasswd command to create the basic authentication password file /etc/httpd/.bpasswd
- Create the /var/www/html/sec directory and set digest-authentication user access control for it
  - Create the /etc/httpd/conf.d/sec-digest.conf file
    - Configure access control in the Directory container for /var/www/html/sec
      - User-authenticated access is only available from the 192.168.56.0/24 network
        - Use HTTP digest authentication
        - The jason user can access with the password JaP455
  - Use the htdigest command to create the digest authentication password file /etc/httpd/.dpasswd
- Check the syntax for correctness and restart Apache
- Browsing test on the client
  - Local: apachectl fullstatus
  - Local: elinks http://127.0.0.1/server-status
  - Local: elinks http://127.0.0.1/sec/
  - Local: elinks http://192.168.56.71/sec/
  - Remote: http://IPorFQDN/server-status
  - Remote: http://IPorFQDN/sec/
Hints
- Test from a host outside 192.168.56.0/24, for example in the c6-v1 container
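The two configuration files for this task, as an added example (not the lab's own files); the difference between RequireAny and RequireAll is the whole point of "host access control vs. user access control":

```apache
# /etc/httpd/conf.d/server-status.conf
<IfModule mod_status.c>
    # per-worker detail for apachectl fullstatus
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        AuthType Basic
        AuthName "Server Status"
        # created with:  htpasswd -c /etc/httpd/.bpasswd jason
        AuthUserFile /etc/httpd/.bpasswd
        # host check OR user check: a loopback client needs no credentials,
        # any other client must send a valid Basic Authorization header
        <RequireAny>
            Require ip 127.0.0.1
            Require valid-user
        </RequireAny>
    </Location>
</IfModule>

# /etc/httpd/conf.d/sec-digest.conf
<Directory "/var/www/html/sec">
    AuthType Digest
    # the realm must match the one given to htdigest exactly:
    #   htdigest -c /etc/httpd/.dpasswd "Secure Area" jason
    AuthName "Secure Area"
    AuthDigestProvider file
    AuthUserFile /etc/httpd/.dpasswd
    # host check AND user check: from outside 192.168.56.0/24 the
    # credentials are never evaluated, the client simply gets 403
    <RequireAll>
        Require ip 192.168.56.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Basic authentication only base64-encodes the password, so on a real network /server-status should be served over the TLS host set up in Task 7; Digest never sends the password itself, which is why the task uses it for the directory reachable from the whole subnet.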
Task 5: Virtual hosts based on IP and port
Requirements
- Assume the IP of the Apache host is 192.168.56.71
- Configure a port-based virtual host http://192.168.56.71:8888
- Configure an IP-based virtual host http://192.168.56.111
Preparation
- Prepare the virtual site directories and index.html files
# mkdir -p /srv/www/192.168.56.{111_80,71_8888}/{htdocs,logs}
# for i in 192.168.56.{111_80,71_8888}; do echo "$i" > /srv/www/$i/htdocs/index.html; done
# tree /srv/www
/srv/www/
├── 192.168.56.111_80
│   ├── htdocs
│   │   └── index.html
│   └── logs
└── 192.168.56.71_8888
    ├── htdocs
    │   └── index.html
    └── logs
- Create a directory for virtual host configuration files and include it from the main Apache configuration file
# mkdir /etc/httpd/vhosts.d
# echo 'IncludeOptional vhosts.d/*.conf' >> /etc/httpd/conf/httpd.conf
Steps
- Configure the port-based virtual host
  - Create /etc/httpd/vhosts.d/192.168.56.71_8888.conf
    - Configure the document root of the virtual host as /srv/www/192.168.56.71_8888/htdocs
- Configure the IP-based virtual host
  - Bind the second IP address 192.168.56.111/24 to the host-only network card of this machine
  - Create /etc/httpd/vhosts.d/192.168.56.111.conf
    - Configure the document root of the virtual host as /srv/www/192.168.56.111_80/htdocs
- Check the syntax for correctness and restart Apache
- Configure the firewall to allow access to port 8888
- Configure domain name resolution (bind or /etc/hosts)
  - Resolve h111.olabs.lan to the address 192.168.56.111
- Browsing test on the client
elinks http://192.168.56.71:8888
elinks http://www.olabs.lan:8888
elinks http://192.168.56.111
elinks http://h111.olabs.lan
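The two vhost files for this task, added as an example (not the lab's own files); the interface name in the comment is a placeholder:

```apache
# /etc/httpd/vhosts.d/192.168.56.71_8888.conf
# Apache binds only the ports it is told to listen on; 8888 is not in
# httpd.conf.  On SELinux-enforcing CentOS the port must also be labelled:
#   semanage port -a -t http_port_t -p tcp 8888
Listen 8888
<VirtualHost 192.168.56.71:8888>
    ServerName www.olabs.lan:8888
    DocumentRoot "/srv/www/192.168.56.71_8888/htdocs"
    ErrorLog  "/srv/www/192.168.56.71_8888/logs/error_log"
    CustomLog "/srv/www/192.168.56.71_8888/logs/access_log" combined
</VirtualHost>

# /etc/httpd/vhosts.d/192.168.56.111.conf
# The address must exist before httpd starts, e.g. (non-persistent):
#   ip addr add 192.168.56.111/24 dev <host-only-interface>
<VirtualHost 192.168.56.111:80>
    ServerName h111.olabs.lan
    DocumentRoot "/srv/www/192.168.56.111_80/htdocs"
    ErrorLog  "/srv/www/192.168.56.111_80/logs/error_log"
    CustomLog "/srv/www/192.168.56.111_80/logs/access_log" combined
</VirtualHost>

# The 2.4 default config denies everything under "/", so the new trees
# need an explicit grant; only htdocs is granted, never the logs directory
<Directory "/srv/www/*/htdocs">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

`apachectl -S` lists every address:port Apache will answer on together with the vhost chosen for it, which is the quickest way to confirm the IP-based host did not silently fall back to the main server.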
Task 6: Domain-based virtual hosting
Requirements
- Create virtual hosts for www.olabs.net and wiki.olabs.net managed by root
- Create virtual hosts for www.olabs.org and wiki.olabs.org managed by olabsorg
Preparation
- Prepare the virtual site directories and index.html files for the root user
# mkdir -p /srv/www/olabs.net/{www,wiki}/{htdocs,logs,conf}
# echo "www.olabs.net" > /srv/www/olabs.net/www/htdocs/index.html
# echo "wiki.olabs.net" > /srv/www/olabs.net/wiki/htdocs/index.html
- Prepare the virtual site directories and index.html files for the olabsorg user
# useradd -d /srv/www/olabs.org olabsorg
# su - olabsorg -c "mkdir -p ~olabsorg/{www,wiki}/{htdocs,logs,conf}"
# su - olabsorg
$ echo "www.olabs.org" > www/htdocs/index.html
$ echo "wiki.olabs.org" > wiki/htdocs/index.html
$ exit
- Show the /srv/www directory structure
# tree /srv/www
/srv/www
├── olabs.net
│   ├── wiki
│   │   ├── conf
│   │   ├── htdocs
│   │   │   └── index.html
│   │   └── logs
│   └── www
│       ├── conf
│       ├── htdocs
│       │   └── index.html
│       └── logs
└── olabs.org
    ├── wiki
    │   ├── conf
    │   ├── htdocs
    │   │   └── index.html
    │   └── logs
    └── www
        ├── conf
        ├── htdocs
        │   └── index.html
        └── logs
- Create a directory for virtual host configuration files and include it from the main Apache configuration file
grep 'vhosts.d' /etc/httpd/conf/httpd.conf &> /dev/null \
|| echo 'IncludeOptional vhosts.d/*.conf' >> /etc/httpd/conf/httpd.conf
Steps
- Create /etc/httpd/vhosts.d/olabs.org.conf
  - Configure the virtual host for www.olabs.org
    - Document root: /srv/www/olabs.org/www/htdocs
    - Error log: /srv/www/olabs.org/www/logs/error_log
    - Access log: /srv/www/olabs.org/www/logs/access_log
  - Configure the virtual host for wiki.olabs.org
    - Document root: /srv/www/olabs.org/wiki/htdocs
    - Error log: /srv/www/olabs.org/wiki/logs/error_log
    - Access log: /srv/www/olabs.org/wiki/logs/access_log
- Create /etc/httpd/vhosts.d/olabs.net.conf
  - Configure the virtual host for www.olabs.net
    - Document root: /srv/www/olabs.net/www/htdocs
    - Error log: /srv/www/olabs.net/www/logs/error_log
    - Access log: /srv/www/olabs.net/www/logs/access_log
  - Configure the virtual host for wiki.olabs.net
    - Document root: /srv/www/olabs.net/wiki/htdocs
    - Error log: /srv/www/olabs.net/wiki/logs/error_log
    - Access log: /srv/www/olabs.net/wiki/logs/access_log
- Create /etc/httpd/vhosts.d/olabs.lan.conf
  - Configure the default virtual host for the main server, domain name www.olabs.lan, as <VirtualHost _default_:80>
- Configure log rotation for all virtual hosts
if [ ! -e /etc/logrotate.d/httpd_vhosts ]; then
    cp /etc/logrotate.d/httpd{,_vhosts}
    sed -i 's#/var/log/httpd#/srv/www/*/*/logs#' /etc/logrotate.d/httpd_vhosts
fi
- Configure domain name resolution (bind or /etc/hosts)
  - Resolve {www,wiki}.olabs.{org,net} to the local address 192.168.56.71
- Check the syntax for correctness and restart Apache
- Check the Apache name-based virtual host configuration
- Browsing test on the client
elinks http://www.olabs.net
elinks http://wiki.olabs.net
elinks http://www.olabs.org
elinks http://wiki.olabs.org
elinks http://www.olabs.lan
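The olabs.org pair plus the default host, as an added example (not the lab's files); olabs.net.conf is identical with the .net paths:

```apache
# /etc/httpd/vhosts.d/olabs.lan.conf
# Name-based dispatch picks the vhost whose ServerName/ServerAlias matches the
# Host: header.  A request that matches none goes to the FIRST *:80 vhost
# loaded; IncludeOptional reads vhosts.d/*.conf alphabetically, so olabs.lan
# sorts before olabs.net/olabs.org and stays the catch-all.
<VirtualHost _default_:80>
    ServerName www.olabs.lan
    DocumentRoot "/var/www/html"
</VirtualHost>

# /etc/httpd/vhosts.d/olabs.org.conf
<VirtualHost *:80>
    ServerName www.olabs.org
    DocumentRoot "/srv/www/olabs.org/www/htdocs"
    ErrorLog  "/srv/www/olabs.org/www/logs/error_log"
    CustomLog "/srv/www/olabs.org/www/logs/access_log" combined
</VirtualHost>

<VirtualHost *:80>
    ServerName wiki.olabs.org
    DocumentRoot "/srv/www/olabs.org/wiki/htdocs"
    ErrorLog  "/srv/www/olabs.org/wiki/logs/error_log"
    CustomLog "/srv/www/olabs.org/wiki/logs/access_log" combined
</VirtualHost>

# grant only the htdocs trees; conf and logs stay unreachable over HTTP
<Directory "/srv/www/olabs.org/*/htdocs">
    Options None
    AllowOverride None
    Require all granted
</Directory>
```

One caveat from Apache's own security tips: httpd opens log files as root, so the logs directories created above by olabsorg should be chowned back to root (with the user keeping read access) before this goes beyond a lab, because a user who can write where root creates files can abuse that. `apachectl -S` shows the resulting vhost table and marks the default host.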
Task 7: SSL/TLS based virtual hosting
Requirements
- Configure HTTPS access to www.olabs.lan
- Configure HTTPS access to wiki.olabs.net
Steps
- Install mod_ssl
- Configure SSL/TLS for the default virtual host
  - Revise /etc/httpd/conf.d/ssl.conf
    - Use the certificate and private key files myservers.{crt,key} created in Chapter 8, Task 10
- Configure SSL/TLS for the wiki.olabs.net virtual host
  - Revise /etc/httpd/vhosts.d/olabs.net.conf
    - Create the wiki.olabs.net:443 virtual host
    - Use the certificate and private key files myservers.{crt,key} created in Chapter 8, Task 10
- Check the syntax for correctness and restart Apache
- Check the Apache name-based virtual host configuration
- Configure the firewall to allow access to the https service
- Browsing test on the client
https://www.olabs.lan
https://wiki.olabs.net
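The TLS hosts for this task, added as an example (not the lab's files); the location of myservers.{crt,key} and the ssl_ log names are assumptions:

```apache
# /etc/httpd/conf.d/ssl.conf: the directives changed in the default TLS host
<VirtualHost _default_:443>
    ServerName www.olabs.lan:443
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myservers.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myservers.key
    # TLS 1.2 and newer only; SSLv3/TLS 1.0/1.1 are switched off by name
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
</VirtualHost>

# appended to /etc/httpd/vhosts.d/olabs.net.conf
# Name-based TLS hosts rely on SNI: the client names the host inside the TLS
# handshake, and a client that cannot is served the FIRST :443 vhost and its
# certificate.  myservers.crt must therefore list wiki.olabs.net as a
# Subject Alternative Name or browsers will reject it for this host.
<VirtualHost *:443>
    ServerName wiki.olabs.net
    DocumentRoot "/srv/www/olabs.net/wiki/htdocs"
    ErrorLog  "/srv/www/olabs.net/wiki/logs/ssl_error_log"
    CustomLog "/srv/www/olabs.net/wiki/logs/ssl_access_log" combined
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myservers.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myservers.key
    <IfModule mod_headers.c>
        # browsers that have seen this header stay on HTTPS for a year,
        # which complements the http -> https redirect of Task 8
        Header always set Strict-Transport-Security "max-age=31536000"
    </IfModule>
</VirtualHost>
```

`openssl s_client -connect 192.168.56.71:443 -servername wiki.olabs.net` shows which certificate and protocol the server actually negotiates for that name.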
Task 8: Redirection
Requirements
- Permanently redirect http://olabs.org to http://www.olabs.org
- Permanently redirect http://dl.olabs.org to http://www.olabs.org/download
- Permanently redirect http://wiki.olabs.net to https://wiki.olabs.net
- Permanently redirect http://help.olabs.net to https://wiki.olabs.net
Steps
- Permanently redirect http://olabs.org to http://www.olabs.org
  - Revise /etc/httpd/vhosts.d/olabs.org.conf
    - Create a virtual host for the domain name olabs.org
      - Permanently redirect to http://www.olabs.org
- Permanently redirect http://dl.olabs.org to http://www.olabs.org/download
  - mkdir /srv/www/olabs.org/www/htdocs/download
  - Revise /etc/httpd/vhosts.d/olabs.org.conf
    - Create a virtual host for the domain name dl.olabs.org
      - Permanently redirect to http://www.olabs.org/download
- Permanently redirect http://wiki.olabs.net to https://wiki.olabs.net
  - Revise /etc/httpd/vhosts.d/olabs.net.conf
    - Modify the virtual host for the domain name wiki.olabs.net:80
      - Permanently redirect to https://wiki.olabs.net
- Permanently redirect http://help.olabs.net to https://wiki.olabs.net
  - Revise /etc/httpd/vhosts.d/olabs.net.conf
    - Create a virtual host for the domain name help.olabs.net
      - Permanently redirect to https://wiki.olabs.net
- Reload the Apache configuration
- Check the Apache name-based virtual host configuration
- Check the syntax for correctness and restart Apache
- Configure domain name resolution (bind or /etc/hosts) and test
  - Resolve {,dl.}olabs.org and {help,wiki}.olabs.net to the local address 192.168.56.71
- Browsing test on the client
curl -I http://olabs.org
curl -IL http://olabs.org
curl -I http://dl.olabs.org
curl -IL http://dl.olabs.org
curl -I http://wiki.olabs.net
curl -IL http://wiki.olabs.net
curl -I http://help.olabs.net
curl -IL http://help.olabs.net
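The four redirect hosts written out with mod_alias, as an added example (not the lab's files):

```apache
# added to /etc/httpd/vhosts.d/olabs.org.conf
# "Redirect permanent" answers 301 and appends whatever followed the matched
# prefix, so /foo on olabs.org becomes http://www.olabs.org/foo
<VirtualHost *:80>
    ServerName olabs.org
    Redirect permanent "/" "http://www.olabs.org/"
</VirtualHost>

<VirtualHost *:80>
    ServerName dl.olabs.org
    # trailing slash on the target keeps /x -> /download/x, not /downloadx
    Redirect permanent "/" "http://www.olabs.org/download/"
</VirtualHost>

# in /etc/httpd/vhosts.d/olabs.net.conf
# wiki.olabs.net:80 no longer serves content: DocumentRoot and logs move to
# the :443 host from Task 7, and the plain-HTTP host only redirects
<VirtualHost *:80>
    ServerName wiki.olabs.net
    Redirect permanent "/" "https://wiki.olabs.net/"
</VirtualHost>

<VirtualHost *:80>
    ServerName help.olabs.net
    Redirect permanent "/" "https://wiki.olabs.net/"
</VirtualHost>
```

Because browsers cache 301 responses, test with `curl -I` first (expect `HTTP/1.1 301 Moved Permanently` and the `Location:` header) and only switch from `temp` to `permanent` once the target is final.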
Task 9*: Limit the maximum number of connections and the rate per IP
Requirements
- Limit bandwidth to 500 KB/s for access to http://www.olabs.org/download
- Limit the maximum number of connections per IP to 5 for access to http://www.olabs.org/download
Steps
- Rate limiting
  - Revise /etc/httpd/vhosts.d/olabs.org.conf
    - Limit bandwidth to 500 KB/s for /download of www.olabs.org
- Limit the number of connections per IP
  - Install mod_limitipconn
  - Revise /etc/httpd/conf.modules.d/10-limitipconn.conf
    - Add MaxConnPerIP 0 inside the IfModule container, meaning the default is unlimited
  - Revise /etc/httpd/vhosts.d/olabs.org.conf
    - Limit the maximum number of connections per IP to 5 for /download of www.olabs.org
- Check the Apache name-based virtual host configuration
- Browsing test on the client
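Both limits for /download, as an added example (not the lab's files); the module path in the LoadModule line is an assumption for the packaged build:

```apache
# /etc/httpd/conf.modules.d/10-limitipconn.conf
LoadModule limitipconn_module modules/mod_limitipconn.so
<IfModule mod_limitipconn.c>
    # server-wide default: no per-IP limit, tightened per Location below
    MaxConnPerIP 0
</IfModule>
# mod_limitipconn counts connections from the scoreboard and needs
# ExtendedStatus On (already set in server-status.conf from Task 4)

# inside <VirtualHost *:80> for www.olabs.org in vhosts.d/olabs.org.conf
<Location "/download">
    # mod_ratelimit ships with httpd 2.4 (check: httpd -M | grep ratelimit);
    # the rate-limit variable is in KB/s per response
    SetOutputFilter RATE_LIMIT
    SetEnv rate-limit 500
    <IfModule mod_limitipconn.c>
        # the sixth simultaneous request from one client IP receives 503
        MaxConnPerIP 5
    </IfModule>
</Location>
```

Neither limit is a substitute for mod_evasive from Task 1: RATE_LIMIT slows each response but does not refuse connections, and MaxConnPerIP counts only connections that are inside this Location at the same moment.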
Task 10*: Apache on CentOS 6 and Debian 9
Requirements
- Configure Apache 2.2 on CentOS 6
  - Complete the functions of Task 1 to Task 9 in the c6-v1 container
- Configure Apache 2.4 on Debian 9
  - Complete the functions of Task 1 to Task 9 in the d9-v1 container