SETTING UP SECURE WEBSERVER FOR LINUX


Post by jamied_uk on 9th January 2012, 23:28

SSL
===

Enabling SSL
------------

To enable SSL, type (as user root):

Code:
sudo a2ensite default-ssl

Code:
sudo a2enmod ssl


If you want to use self-signed certificates, you should install the ssl-cert
package (see below). Otherwise, just adjust the SSLCertificateFile and
SSLCertificateKeyFile directives in /etc/apache2/sites-available/default-ssl to
point to your SSL certificate. Then restart apache:

Code:
sudo /etc/init.d/apache2 restart


The SSL key file should only be readable by root, the certificate file may be
globally readable. These files are read by the Apache parent process which runs
as root. Therefore it is not necessary to make the files readable by the
www-data user.

Creating self-signed certificates
---------------------------------

If you install the ssl-cert package, a self-signed certificate will be
automatically created using the hostname currently configured on your computer.
You can recreate that certificate (e.g. after you have changed /etc/hosts or
DNS to give the correct hostname) as user root with:

Code:
sudo make-ssl-cert generate-default-snakeoil --force-overwrite


To create more certificates with different host names, you can use

Code:
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt



This will ask you for the hostname and place both SSL key and certificate in
the file /path/to/cert-file.crt. Use this file with the SSLCertificateFile
directive in the apache config (you don't need the SSLCertificateKeyFile in
this case as it also contains the key). The file /path/to/cert-file.crt should
only be readable by root. A good directory to use for the additional
certificates/keys is /etc/ssl/private.

SSL workaround for MSIE
-----------------------

The SSL workaround for MS Internet Explorer needs to be added to your SSL
VirtualHost section (it was previously in ssl.conf but caused keepalive to be
disabled even for non-SSL connections):

Code:
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

The default SSL virtual host in /etc/apache2/sites-available/default-ssl
already contains this workaround.


Suexec
======

Debian ships two versions of the suexec helper program required by mod_suexec.
It is not installed by default, to avoid possible security issues. The package
apache2-suexec contains the standard version that works only with document root
/var/www, userdir suffix public_html, and apache run user www-data. The package
apache2-suexec-custom contains a customizable version that can be configured
with a config file to use different settings (like /srv/www as document root).
For more information see the suexec(8) man page in the apache2-suexec-custom
package.

Since apache2-suexec-custom has received less testing and might be slightly
slower, apache2-suexec is the recommended version unless you need the features
from apache2-suexec-custom.


Documentation
=============

The full apache 2 documentation can be found on the web at

http://httpd.apache.org/docs/2.2/

or, if you have installed the apache2-doc package, in

/usr/share/doc/apache2-doc/manual/

or at

http://localhost/manual/

There is also a wiki that contains useful information:

http://wiki.apache.org/httpd/


Upgrades
========

Changes in the apache packages that require manual configuration adjustments
are announced in NEWS.Debian. Installing the apt-listchanges package is
recommended. It will display the relevant NEWS.Debian sections before
upgrades.


Common Problems
===============

1) Error message "Could not determine the server's fully qualified domain name,
using 127.0.0.1 for ServerName" during start

This can usually be ignored but it means that Apache httpd was unable to obtain
a fully-qualified hostname by doing a reverse lookup on your server's IP
address. You may want to add the fully-qualified hostname to /etc/hosts.


2) Error message "mod_rewrite: could not create rewrite_log_lock"

This probably means that there are some stale SYSV semaphores around. This
usually happens after apache2 has been killed with kill -9 (SIGKILL). You can
clean up the semaphores with:

Code:
ipcs -s | grep www-data | awk ' { print $2 } ' | xargs ipcrm sem

3) Message "NameVirtualHost *:80 has no VirtualHosts" in error log

Probably the VirtualHost definitions have not been adjusted after the
NameVirtualHost directive was changed in ports.conf.
See /usr/share/doc/apache2.2-common/NEWS.Debian.gz

4) Message "File does not exist: /htdocs" in error log

In most cases this means that no matching VirtualHost definition could be
found for an incoming request.

5) Message "Couldn't create pollset in child; check user or system limits" in error log

On Linux kernels since 2.6.27.8, the value in

   /proc/sys/fs/epoll/max_user_instances

needs to be larger than

   for prefork/itk  MPM: 2 * MaxClients
   for worker/event MPM: MaxClients + MaxClients/ThreadsPerChild

It can be set on boot by adding a line like

       fs.epoll.max_user_instances=1024

to /etc/sysctl.conf.

There are several other error messages related to creating a pollset that can
appear for the same reason.

On the other hand, errors about adding to a pollset are related to the
setting fs.epoll.max_user_watches. On most systems, max_user_watches should be
high enough by default.

6) Message "Server should be SSL-aware but has no certificate configured" in error log

Since 2.2.12, Apache is stricter about certain misconfigurations concerning
name based SSL virtual hosts. See NEWS.Debian.gz for more details.

7) Apache does not pass Authorization header to CGI scripts

This is intentional to avoid security holes. If you really want to change it,
you can use mod_rewrite:

Code:
RewriteCond %{HTTP:Authorization} (.*)
RewriteRule . - [env=HTTP_AUTHORIZATION:%1]


Last edited by jamied_uk on 29th April 2017, 23:04; edited 2 times in total
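Two of the rules in the post above, turned into a pre-flight check: the SSL section's requirement that the key file be readable by root only, and the fs.epoll.max_user_instances minimum from Common Problems item 5. This is an added example, not part of the original post or of Debian's apache2 README; the config path, the prefork MPM and the MaxClients/ThreadsPerChild values in the example run at the end are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): (1) every file named by an
# SSLCertificateKeyFile directive must be root-owned with no group/world read
# bit; (2) fs.epoll.max_user_instances must exceed the MPM-dependent minimum.

# Print the paths named by SSLCertificateKeyFile directives in a config file;
# commented-out directives are skipped.
ssl_key_files() {
    sed -n 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p' "$1"
}

# Return 0 when an octal mode string (as printed by `stat -c %a`) grants no
# read access to group or others, i.e. the file is readable by its owner only.
mode_private() {
    m=00$1                       # pad so very short modes such as "0" still work
    lo=${m#"${m%??}"}            # last two octal digits: group and others
    [ "${lo%?}" -lt 4 ] && [ "${lo#?}" -lt 4 ]
}

# Return 0 when the key file exists, is owned by root and is private.
key_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c %U "$1")" = root ] || return 1
    mode_private "$(stat -c %a "$1")"
}

# Print the minimum fs.epoll.max_user_instances for MPM $1, MaxClients $2 and
# ThreadsPerChild $3 (ignored for prefork/itk), as stated in item 5 above.
epoll_min() {
    case "$1" in
        prefork|itk)  echo $(( 2 * $2 )) ;;
        worker|event) echo $(( $2 + $2 / $3 )) ;;
        *) echo "unknown MPM: $1" >&2; return 1 ;;
    esac
}

# Return 0 when the value in file $4 (default: the live /proc file) is larger.
epoll_ok() {
    min=$(epoll_min "$1" "$2" "$3") || return 1
    cur=$(cat "${4:-/proc/sys/fs/epoll/max_user_instances}") || return 1
    [ "$cur" -gt "$min" ]
}

# Example run against the Debian default SSL site (assumed path and settings).
cfg=/etc/apache2/sites-enabled/default-ssl
if [ -r "$cfg" ]; then
    for f in $(ssl_key_files "$cfg"); do
        key_perms_ok "$f" && echo "ok: $f" || echo "FIX: $f must be root-owned, mode 0600"
    done
fi
epoll_ok prefork 150 25 && echo "epoll limit ok" || echo "FIX: raise fs.epoll.max_user_instances"
```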

Re: SETTING UP SECURE WEBSERVER FOR LINUX

Post by jamied_uk on 23rd April 2016, 15:33



Code:

<?php
// Return host[:port]/path of the current request; the caller prefixes "https://".
// SERVER_NAME (from the vhost config) is used rather than the client-supplied
// Host header, so the redirect target cannot be steered by the client.
function curPageURL() {
 $pageURL = '';
 // Omit the port when it is the default HTTP port 80.
 if ($_SERVER["SERVER_PORT"] != "80") {
  $pageURL .= $_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$_SERVER["REQUEST_URI"];
 } else {
  $pageURL .= $_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
 }
 return $pageURL;
}
?>
<center>
<?php
// REQUEST_URI is client-supplied: escape it before placing it in HTML attributes and text.
$url = htmlspecialchars(curPageURL(), ENT_QUOTES, 'UTF-8');
?>
<p><br></p><p><br></p>
<font color="blue" size="+6"><a href="https://<?php echo $url;?>">Please Use Secure J~Net Site https://<?php echo $url;?></a></font>
<meta http-equiv="refresh" content="3;URL=https://<?php echo $url;?>">
</center>
