Monday, August 2, 2010

Apache Web Server

About the HTTP protocol.
HTTP (H Yperen t ext T ransfer P rotocol, or The HyperText Transfer Protocol) is the method used to transfer or convey information on the World Wide Web (WWW,W orld W ide W eb). Its original purpose was to provide a way recupertar depublicar and HTML documents.
HTTP is a protocol request and response via TCP between user agents (browsers, engines index and other tools) and servers regularly using port 80. Among the communication between these servers may act as intermediaries (proxies), gateways and tunnels.
About Apache.
Apache is an HTTP server, open source and free licensing, which runs on Linux, Unix-derived operating systems ™, Windows, Novell Netware and other platforms. It has played an important role in the growth of the global network, and it remains the most widely used HTTP server, and is the de facto server against which they test and compare performance to competing products. Apache is developed and maintained by a community of developers sponsored by the Apache Software Foundation.
Basic Configuration
Installing packages
yum-y install httpd
To start, stop, restart the service:
/ Etc / init.d / httpd start - Starts the Apache service
/ Etc / init.d / httpd stop - Stops the Apache service
/ Etc / init.d / httpd restart - Restart the Apache service
/ Etc / init.d / httpd status - Check the status of Apache
Apache comes with the standard configuration, it is enough to restart the service and go to your browser and typing http://localhost
The apache configuration file defaults to / etc / httpd / conf / httpd.conf.
Any adjustment requires it either to configure virtual Web sites or other additional functionality may be performed without touching the main configuration file using any file with extension *. conf into / etc / httpd / conf.d /.
Virtual Directories.
If, for example, would add the alias for a directory located at / var / FTP / pub / and which we see as the directory / pub / Apache, just enough to create a file which we call arbitrarily as the file called / etc / httpd / conf.d / aliases.conf with the following contents:
Alias / pub / var / ftp / codigolibre
If you try to access to this new virtual directory with the browser, you will notice it is not allowed access. To qualify must have an index document inside (index.html, index.php, etc) or that the directory is configured to display the contents as follows:
Alias / pub / var / ftp / codigolibre Options Indexes Includes FollowSymLinks AllowOve rr ide all 
The index parameter indicates which should display the contents of the directory. FollowSymLinks allows the parameter to place symlinks inside the directory which will be followed. Includes parameter specifies that allows the use of SSI (Server Side Includes) to enable features, such as authentication. The parameterAllowOverride all possible use. Htaccess files.
Restart or reload Apache and access to with any web browser and displays the result.
Directory Access Restriction
® Apache 2.x has better security measures than previous versions, because its default is to disable so many things that may be considered a risk. Part of that includes disabling security SSI (S erver S ide I ncludes or Server Side Inclusions) and use. Htaccess files. The latter serve to modify or add features to directories.
Basically you just need to add the following lines to any definition of the directory you wish to use:
Includes AllowOverride All Options

Authentication directories.
Authentication for a directory against a file containing passwords, is done through the following syntax in any. Htaccess file.
AuthName "Access only authorized users" AuthType Basic require valid-user AuthUserFile / any / path / to / file / to / key
It should create a directory to be viewed from any browser as .
Create the file / etc / httpd / conf.d / sample-autenticar.conf with the following contents:
Alias / private / var / www / private "/var/www/privado "> Options Indexes Includes AllowOverride All Order allow, deny Allow from all 
Create the directory / var / www / private / doing the following:
mkdir-p / var / www / private
Create the file / var / www / private / cc e ss .hta doing the following:
touch / var / www / private / cc e ss .hta
Edit the file / var / www / private / cc e ss .hta and add the following content:
AuthName "Authorized Users Only" AuthType Basic require valid-user AuthUserFile / var / www / keys
Generate passwords file as / var / www / passwords, using the following procedure:
touch / var / www / keys
In order to establish the necessary security, change the attributes to read and write only for the apache user:
chmod 600 / var / www / keys chown apache: apache / var / www / keys
Add some virtual users to password file, / var / www / keys, using the following procedure with the htpasswd command:
htpasswd / var / www / keys guy htpasswd / var / www / keys-so
Restart the httpd service:
service httpd restart
Support Apache SSL / TLS
Log in as root.
You must create the directory where to store the certificates for all SSL sites. The directory, for security reasons, should be only accessible by root.
mkdir-m 0700 / etc / ssl
In order to maintain some organization and a dedicated directory for each virtual SSL site, it should create a specific directory to store certificates for each SSL virtual site. Also, for safety reasons, should be only accessible by root.
mkdir-m 0700 / etc / ssl / codigolibre.local
Access to the directory you just created.
cd / etc / ssl / codigolibre.local
Generating keys and certificates.
You must create an RSA key of 1024 bytes and structure x509, which is encrypted using Triple DES (D ata S tandard E ncryption), stored in PEM format so that it is interpreted as ASCII text. In the process described below, are used 5 files compressed with gzip, which are used as random seeds to improve the security of the created key (server.key).
openssl des3-rand genrsa-fichero1.gz: fichero2.gz: fichero3.gz: fichero4.gz: fichero5.gz-out server.key 1024
Using this file (server.key) for the virtual site settings will require administrator interaction each time you have to start, or restart the httpd service by entering the password of the RSA key. This is the safest procedure, however, because it would be impractical to have to enter a password each time you start the httpd service, it is convenient to generate a key with Triple DES, which allowed to start normally, without any interaction , the httpd service. In order not to sacrifice too much security is a prerequisite to this key (server.pem file) is accessible only to root. This is the reason you create the directory / etc / ssl / allowed access only toroot.
openssl rsa-in server.key-out server.pem
Optionally generates a CSR request file (C ertificate igning R S Equest) being delivered to a RA (R egistration A uthority or Registration Authority) like Verisign,who, after the relevant payment, send back a certificate ( server.crt) signed by that authority.
openssl req-new-key server.key-out server.csr
This will request various data are entered:
Two-letter code for the country.
State or province.
Name of company or business.
Unit or section.
Name of the host.
Optionally you can add another password and again the name of the company.
The output returned will be similar to the following:
You are about to be Asked to enter That information will be   incorporated Into your certificate request.What you are about to enter is What is Called a Distinguished Name or   to DN.   There are quite a FEW dog but you leave fields blank Some   For There Will Be Some fields a default value,   If you enter '.', The field will be left blank.   -----   Country Name (2 letter code) [GB]: DR   State or Province Name (full name) [Berkshire]: National District   Locality Name (eg, city) [Newbury]: Santo Domingo   Organization Name (eg, company) [My Company Ltd]: Code Free   Organizational Unit Name (eg, section) [] FoundationCommon Name (eg, your name or your server's hostname) []: codigolibre.local   Email Address []:webmaster@codigolibre.local   Please enter the Following 'extra' attributes   to be sent with your certificate request   A challenge password []:   An optional company name []:
If you do not want a certificate signed by an RA, you can generate a proper certificate request file using the CSR (server.csr). In the example below creates an X.509 certificate structure establishing valid for 730 days (two years).
openssl x509-req-days 730-in-signkey server.csr server.key-out server.crt
In order that only the root user can access files created, you must change the permissions for them to read only for root.
chmod 400 / etc / ssl / gnulab / server .*
Create the file / etc / httpd / conf.d / midominio.conf with the following contents, where abcd corresponds to an IP address, and for the domain name to set for the virtual web site:

Cnunez ServerAdmin @ gnulab 
DocumentRoot / var / ftp / codigolibre 
ServerName gnulab 
Redirect 301 / https://gnulab 
ErrorLog / var / log / httpd / error_log 
CustomLog / var / log / httpd / access_log common 
Cnunez ServerAdmin @ gnulab 
DocumentRoot / var / ftp / codigolibre 
ServerName gnulab 
SSLEngine on 
SSLCertificateFile / etc / ssl / server.crt 
SSLCertificateKeyFile / etc / ssl / server.pem 
ErrorLog / var / log / httpd / error_log 
CustomLog / var / log / httpd / access_log common


Just enough to direct any gnulab HTTP browser to verify that everything is working properly. After accepting the certificate, in case it has not been signed by an RA, it must be possible to observe a sign on the browser's status bar, which indicates that this is a secure connection. 

Thanks to Joel Barrios Duenas