From Fedora Project Wiki

(Big edit, transfering the certificate generation out)
Line 5: Line 5:
  $ su
  $ su
  # yum install httpd
  # yum install httpd
If you want TLS/SSL support, you can also install {{package|mod_ssl}}, which is based on [https://www.openssl.org OpenSSL]. Alternatives are {{package|mod_gnutls}} (uses [https://www.gnutls.org/ GnuTLS]) and {{package|mod_nss}} (uses [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS]).
# yum install mod_ssl


To have the server start at each boot:
To have the server start at each boot:
Line 20: Line 16:
At this point, you should be able to browse to http://localhost on the server and access the Apache test page. You will most likely not be able to access the server from any other host, yet: we will change this [[#firewall-configuration|later]].
At this point, you should be able to browse to http://localhost on the server and access the Apache test page. You will most likely not be able to access the server from any other host, yet: we will change this [[#firewall-configuration|later]].


{{anchor|self-signed-tls}}
== TLS/SSL support ==
=== Create a self-signed TLS/SSL certificate: the easy way ===


If you want to use TLS/SSL, you will need a server certificate. The simplest choice is to create a 'self-signed' certificate; this does not require you to deal with a certificate signing authority, but means no system will trust your server by default. You may publish and/or note down the key's fingerprint and verify it each time you connect to your server. If you are using mod_ssl, just want a test certificate and don't mind it having nonsensical metadata, you can run:
If you want TLS/SSL support, you can also install {{package|mod_ssl}}, which is based on [https://www.openssl.org OpenSSL]. Alternatives are {{package|mod_gnutls}} (uses [https://www.gnutls.org/ GnuTLS]) and {{package|mod_nss}} (uses [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS]).


# /etc/pki/tls/certs/make-dummy-cert /etc/pki/tls/localhost.crt
=== Using mod_ssl ===


This will generate a self-signed certificate identifying 'localhost.localdomain'. The private key will be bundled in the same file, {{filename|/etc/pki/tls/localhost.cert}}: by default only root will be able to read this file, and you should never change this. Apache is already configured to read this file, so you should not need to do anything else.
Install mod_ssl package and it will be automatically enabled


=== Create a TLS/SSL certificate: the advanced class ===
# yum install mod_ssl
 
==== Install an existing certificate ====
 
If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:


If you want more control over the certificate metadata, or you want to generate a [https://en.wikipedia.org/wiki/Certificate_signing_request certificate signing request] to send to a recognized [https://en.wikipedia.org/wiki/Certificate_authority certificate authority] so you can receive a valid server certificate, you can use the {{command|/usr/bin/genkey}} tool which is provided by the crypto-utils package. This command:
# mv key_file.key /etc/pki/tls/private/myhost.com.key
# restorecon /etc/pki/tls/private/myhost.com.key
# chown root.root /etc/pki/tls/private/myhost.com.key
# chmod 0600 /etc/pki/tls/private/myhost.com.key
# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
# restorecon /etc/pki/tls/private/myhost.com.crt
# chown root.root /etc/pki/tls/private/myhost.com.crt
# chmod 0600 /etc/pki/tls/private/myhost.com.crt


# sudo yum install crypto-utils
After this [[#tls-configuration| set it up]]
# /usr/bin/genkey www.myhost.org


would generate a self-signed certificate or a CSR identifying the server 'www.domain.com'. genkey is an interactive tool - it will ask you to choose a key size, and enter some identifying information. It will also ask if you want to generate a CSR. If you say no, you will get a self-signed certificate instead. Fill out the fields as appropriate, but the most important field is 'CN', which should be the fully-qualified domain name (e.g. www.myhost.org) of the server you wish to use the certificate with.
==== Generate a new certificate ====


After generating a certificate this way, you should have the new files {{filename|/etc/pki/tls/certs/www.myhost.org.crt}} and {{filename|/etc/pki/tls/private/www.myhost.org.key}} - the former is your self-signed server certificate, and the latter is the corresponding private key. If you generate a CSR, you will have {{filename|/etc/pki/tls/certs/www.myhost.org.csr}} and {{filename|/etc/pki/tls/private/www.myhost.org.key}}, and you should send the contents of {{filename|/etc/pki/tls/certs/www.myhost.org.csr}} to your CA, who will send you a certificate to save as {{filename|/etc/pki/tls/certs/www.myhost.org.crt}}. You will need to tell Apache to use the files with these names: we will see how to do that [[#tls-configuration|below]].
How to [https://fedoraproject.org/wiki/Https#openssl generate a new certificate]


{{admon/note|Certificate and key naming|Naming certificate and key files after the host they identify is only a convention - the name of the files has no special significance, so long as the server is configured to find them.}}
{{anchor|mod_ssl-configuration}}
==== mod_ssl configuration ====


{{command|genkey}} will ask you whether to set a passphrase for the private key. If you set a passphrase, any time you start or restart Apache (including any time the system is booted), you will have to enter this passphrase: Apache startup will not proceed unless it is entered. If you do not set a passphrase, you will not have to do this, but it is '''essential''' that you guard the key file carefully, as anyone who gains access to it can impersonate your server and intercept 'secure' traffic. Ensure it is owned by root.root and has permissions 0600, be very careful about security of backups, and restrict access to the server machine as strictly as you can (this is a good security practice in any case).
The default TLS/SSL configuration is contained in the file {{filename|/etc/httpd/conf.d/ssl.conf}} (if you are using {{package|mod_ssl}}). If you examine that file, you will see the directives that specify where the TLS/SSL certificate and key are located:
 
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
 
If you look carefully, you will see that these directives are actually enclosed in a block defining a [https://httpd.apache.org/docs/current/vhosts/ virtual host]:
 
<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>


{{command|genkey}} can also save keys and certificates to the database used by the mod_nss module. To use NSS format, call {{command|genkey}} with the {{command|--nss}} parameter:
If we wanted to define a different location for these files, we could edit the lines in {{filename|/etc/httpd/conf.d/ssl.conf}} directly, but it would be better to create a new file {{filename|/etc/httpd/conf.d/z-ssl-local.conf}}:


  # genkey --nss www.myhost.org
  <VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
</VirtualHost>


=== Install an existing certificate ===
This file will override those two settings for the _default_:443 virtual host; all other settings from {{filename|ssl.conf}} will be kept.


If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:
===== Settings for individual virtual hosts =====


# mv key_file.key /etc/pki/tls/private/localhost.key
If you want a specific virtual host to use SSL/TLS with a different certificate from the default, open that virtual host's configuration file, usually {{filename|/etc/httpd/conf.d/hostname.conf}}, and insert these lines between {{code|<VirtualHost hostname:port>}} and {{code|</VirtualHost>}}:
# restorecon /etc/pki/tls/private/localhost.key
# chown root.root /etc/pki/tls/private/localhost.key
# chmod 0600 /etc/pki/tls/private/localhost.key
# mv certificate.crt /etc/pki/tls/certs/localhost.crt
# restorecon /etc/pki/tls/private/localhost.crt
# chown root.root /etc/pki/tls/private/localhost.crt
# chmod 0600 /etc/pki/tls/private/localhost.crt


=== Installing webapps ===
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key</pre>
 
== Installing webapps ==


You probably want to run something on your web server. Many of the most popular 'web applications' are packaged for Fedora. Using the packaged versions of web applications is usually recommended: they will be configured following the distribution's best practices which help to ensure the security of the installation, for instance by installing static files to locations the web server does not have the ability to write to, and doing access control with configuration files rather than {{filename|.htaccess}} files, which are slightly more vulnerable to attack.
You probably want to run something on your web server. Many of the most popular 'web applications' are packaged for Fedora. Using the packaged versions of web applications is usually recommended: they will be configured following the distribution's best practices which help to ensure the security of the installation, for instance by installing static files to locations the web server does not have the ability to write to, and doing access control with configuration files rather than {{filename|.htaccess}} files, which are slightly more vulnerable to attack.
Line 94: Line 113:


  # systemctl restart httpd.service
  # systemctl restart httpd.service
{{anchor|tls-configuration}}
=== TLS/SSL configuration ===
The default TLS/SSL configuration is contained in the file {{filename|/etc/httpd/conf.d/ssl.conf}} (if you are using {{package|mod_ssl}}). If you examine that file, you will see the directives that specify where the TLS/SSL certificate and key are located:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
If you look carefully, you will see that these directives are actually enclosed in a block defining a [https://httpd.apache.org/docs/current/vhosts/ virtual host]:
<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>
If we wanted to define a different location for these files, we could edit the lines in {{filename|/etc/httpd/conf.d/ssl.conf}} directly, but it would be better to create a new file {{filename|/etc/httpd/conf.d/z-ssl-local.conf}}:
<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
</VirtualHost>
This file will override those two settings for the _default_:443 virtual host; all other settings from {{filename|ssl.conf}} will be kept.
==== Settings for individual virtual hosts ====
If you want a specific virtual host to use SSL/TLS with a different certificate from the default, open that virtual host's configuration file, usually {{filename|/etc/httpd/conf.d/hostname.conf}}, and insert these lines between {{code|<VirtualHost hostname:port>}} and {{code|</VirtualHost>}}:
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key</pre>


{{anchor|webapp-access-control}}
{{anchor|webapp-access-control}}

Revision as of 00:51, 1 September 2014

The Apache HTTP Server is one of the most commonly-used web servers. This page acts as a quick start guide to deploying and configuring Apache on Fedora. For (many) more details, please see upstream's extensive documentation.

Installation

$ su
# yum install httpd

To have the server start at each boot:

# systemctl enable httpd.service

To start the server now:

# systemctl start httpd.service

At this point, you should be able to browse to http://localhost on the server and access the Apache test page. You will most likely not be able to access the server from any other host, yet: we will change this later.

TLS/SSL support

If you want TLS/SSL support, you can also install mod_ssl, which is based on OpenSSL. Alternatives are mod_gnutls (uses GnuTLS) and mod_nss (uses NSS).

Using mod_ssl

Install mod_ssl package and it will be automatically enabled

# yum install mod_ssl

Install an existing certificate

If you already have a certificate generated on another computer, move the certificate and the key file to the correct folder, and ensure their SELinux contexts, ownerships and permissions are correct:

# mv key_file.key /etc/pki/tls/private/myhost.com.key
# restorecon /etc/pki/tls/private/myhost.com.key
# chown root.root /etc/pki/tls/private/myhost.com.key
# chmod 0600 /etc/pki/tls/private/myhost.com.key
# mv certificate.crt /etc/pki/tls/certs/myhost.com.crt
# restorecon /etc/pki/tls/private/myhost.com.crt
# chown root.root /etc/pki/tls/private/myhost.com.crt
# chmod 0600 /etc/pki/tls/private/myhost.com.crt

After this set it up

Generate a new certificate

How to generate a new certificate

mod_ssl configuration

The default TLS/SSL configuration is contained in the file /etc/httpd/conf.d/ssl.conf (if you are using mod_ssl). If you examine that file, you will see the directives that specify where the TLS/SSL certificate and key are located:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

If you look carefully, you will see that these directives are actually enclosed in a block defining a virtual host:

<VirtualHost _default_:443>
...
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
...
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
...
</VirtualHost>

If we wanted to define a different location for these files, we could edit the lines in /etc/httpd/conf.d/ssl.conf directly, but it would be better to create a new file /etc/httpd/conf.d/z-ssl-local.conf:

<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/www.myhost.org.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.myhost.org.key
</VirtualHost>

This file will override those two settings for the _default_:443 virtual host; all other settings from ssl.conf will be kept.

Settings for individual virtual hosts

If you want a specific virtual host to use SSL/TLS with a different certificate from the default, open that virtual host's configuration file, usually /etc/httpd/conf.d/hostname.conf, and insert these lines between <VirtualHost hostname:port> and </VirtualHost>:

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/hostname.crt

SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

Installing webapps

You probably want to run something on your web server. Many of the most popular 'web applications' are packaged for Fedora. Using the packaged versions of web applications is usually recommended: they will be configured following the distribution's best practices which help to ensure the security of the installation, for instance by installing static files to locations the web server does not have the ability to write to, and doing access control with configuration files rather than .htaccess files, which are slightly more vulnerable to attack.

Packaged web applications will also be configured to work with SELinux, which provides significant security benefits.

You will also receive updates through the usual Fedora update process, making it easier to keep your installation up to date.

They will also often have the default configuration tweaked according to Fedora's conventions, meaning you have to do less work to get the application up and running.

Most web applications are simply packaged according to their name. For example, you can install Wordpress with:

# yum install wordpress

Packaged web applications will usually provide Fedora-specific instructions in a documentation file - for instance, Wordpress provides the files /usr/share/doc/wordpress/README.fedora and /usr/share/doc/wordpress/README.fedora-multiuser. It is always a good idea to read these files!

Packaged web applications usually restrict access by default so you can access them only from the server host itself, to ensure you can run all initial configuration safely and things like administration interfaces are not left accessible to the public. For information on how to broaden access, see below.

Web applications commonly require the use of a database server. This wiki contains information on installing and configuring PostgreSQL and MariaDB on Fedora.

Configuration

/etc/httpd/conf/httpd.conf is the main Apache configuration file. It includes all the files in /etc/httpd/conf.d/: if the same setting is specified in both /etc/httpd/conf/httpd.conf and a file in /etc/httpd/conf.d/, the setting from the /etc/httpd/conf.d/ file will win. Files in /etc/httpd/conf.d/ are read in alphabetical order: a setting from /etc/httpd/conf.d/z-foo.conf will win over a setting from /etc/httpd/conf.d/foo.conf, which will win over a setting from /etc/httpd/conf.d/99-foo.conf, which will win over a setting from /etc/httpd/conf.d/00-foo.conf.

It is usually best practice never to modify /etc/httpd/conf/httpd.conf or any of the /etc/httpd/conf.d files shipped by Fedora packages directly. If you make any local changes to these files, then any changes to them in newer package versions will not be directly applied: instead a .rpmnew file will be created and you will have to merge the changes manually. It is usually better instead to create a new file in /etc/httpd/conf.d which will take precedence over the file you wish to 'modify', and make your settings there. For instance, to change a setting specified in /etc/httpd/conf.d/foo.conf you could create the file /etc/httpd/conf.d/z-foo-local.conf and place your setting in that file. We will see an example of this next.

After making any changes to your server configuration, you should run:

# apachectl reload

to apply the changes. Certain changes may require Apache to be fully restarted:

# systemctl restart httpd.service

Enabling access to web applications

Fedora-packaged web applications are usually configured such that, by default, access is allowed only from localhost. Typically you will find that there is a file /etc/httpd/conf.d/webapp.conf with the following (among other settings):

<Directory /usr/share/webapp>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require local
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
    </IfModule>
</Directory>

Before allowing general access to the webapp, ensure you have configured it correctly and the administration interface and other sensitive areas are not accessible without appropriate authentication. Also remember to ensure your database configuration is secure, if the application uses a database. To broaden access to the application, you can create a file /etc/httpd/conf.d/z-webapp-allow.conf. To allow access to all systems on a typical local network, you could write:

<Directory /usr/share/webapp>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require local
        Require ip 192.168.1
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1
        Allow from ::1
        Allow from 192.168.1
    </IfModule>
</Directory>

Once you are sure the application is correctly configured, this configuration will allow access from any host:

<Directory /usr/share/webapp>
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Deny,Allow
        Allow from all
    </IfModule>
</Directory>

Opening firewall ports

This exposes your computer to the Internet and potential attackers. Secure your system and your Apache installation properly before exposing your server to the Internet.

Apache uses port 80 for plain http connections and port 443 for TLS/SSL connections by default. To make this service available from other computers or the Internet your have to allow Apache through the firewall like this:

To open the firewall at each boot:

For plain HTTP connections:

# firewall-cmd --permanent --add-service=http

For TLS/SSL connections:

# firewall-cmd --permanent --add-service=https

To open the firewall right now:

For plain HTTP connections:

# firewall-cmd --add-service=http

For TLS/SSL connections:

# firewall-cmd --add-service=https

Remember that if your server is running behind a NAT router, you will also need to configure your router to forward the HTTP and HTTPS ports to your server if you wish to allow access from outside your local network.

Disable test page

To disable the test page comment out all the lines in the file /etc/httpd/conf.d/welcome.conf

References