Install and Configure

On Ubuntu, installation is very straightforward,

sudo apt-get install apache2

Apache 2.x is now installed.

In the Tomcat section, we discuss installation using the serveradmin id. How about installing Apache: as serveradmin or as a staff user?

If you load up your browser and type in the IP address of your server you will see a simple page letting you know Apache is working.

Provide Server Name

Apache is working fine, but during restart you will get the warning message, "apache2: Could not reliably determine the server's fully qualified domain name, using ...".

Most websites have a domain name attached to them. Apache is looking for this on startup. There actually is not much documentation on exactly what is happening here. If you happen to know then please let me know via comments on this page. Based on my reading here is how to resolve the error.

Roderick, try to change all this into a one liner that will take the hostname and append it to the end of http.conf.

Hint to write out the hostname. Hint to append to end of the file. Hint to run multiple commands with sudo.

First use the hostname command to determine the name of your system,

hostname # Determine name of your system. In this example this server will return tinman
tinman

Next, load the empty /etc/apache2/httpd.conf into an editor of your choice,

sudo ne /etc/apache2/httpd.conf

Add to the very top of the httpd.conf file,

ServerName tinman

Test

Verify that the Apache Web Server is running first by hitting your server's IP address. If you do not know your IP address, at the console type,

ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 40:40:39:1b:ec:30 brd ff:ff:ff:ff:ff:ff
    inet 173.203.126.225/24 brd 173.203.126.255 scope global eth0
    inet6 fe80::4240:39ff:fe1b:ec30/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 40:40:33:6c:9d:19 brd ff:ff:ff:ff:ff:ff
    inet 10.179.62.235/19 brd 10.179.63.255 scope global eth1
    inet6 fe80::4240:33ff:fe6c:9d19/64 scope link
       valid_lft forever preferred_lft forever

Sometimes you may get back more than one IP address if you have more than one Ethernet card. If you are unsure, just try them one at a time in the next step. In this case mine is 173.203.126.225.

Then launch a browser and enter your IP address into the browser.

You should see a webpage show up saying "It works!".

Apache Basic Server Hardening

Here are some of the basic hardening steps I take today.

As with any security notes, I will write a disclaimer that there are more advanced ways to secure Apache. You can go as far as compiling your own custom version but that's out of scope for now.

Edit /etc/apache2/conf.d/security

Set ServerTokens Prod - This turns off the extra information Apache sends in its Server response header. Without it, the header lets a client know what version of Apache is being used, and that information could be used to look up vulnerabilities in the particular version of Apache you are running.

Set ServerSignature Off - Removes the footer information from pages that Apache generates itself, for example the page-not-found error page.
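
One way to confirm that both settings are in effect in the file you edited, as an added example that is not part of the original page. The helper names `effective_value` and `audit_apache_security` are hypothetical, the two sample configs are constructed, and only a single file is examined (included files and per-virtual-host overrides are not followed).

```shell
#!/bin/sh
# Added example: audit one Apache config file for the two settings above.
# Assumption: only this file is inspected, at global (server config) scope.

# Print the last uncommented value of directive $1 in file $2, or the
# compiled-in default $3 when the file never sets it. Apache matches
# directive names and these keyword values case-insensitively, so
# everything is compared in lowercase.
effective_value() {
    awk -v want="$1" -v def="$3" '
        BEGIN { want = tolower(want); val = def }
        /^[ \t]*#/ { next }                          # skip comment lines
        tolower($1) == want && NF >= 2 { val = $2 }  # later lines override
        END { print tolower(val) }
    ' "$2"
}

# Return 0 only when both directives are at the hardened values.
audit_apache_security() {
    conf=$1 rc=0
    tokens=$(effective_value ServerTokens "$conf" Full)   # httpd default: Full
    sig=$(effective_value ServerSignature "$conf" Off)    # httpd default: Off
    if [ "$tokens" = "prod" ] || [ "$tokens" = "productonly" ]; then
        echo "PASS ServerTokens=$tokens"
    else
        echo "FAIL ServerTokens=$tokens (want Prod)"; rc=1
    fi
    if [ "$sig" = "off" ]; then
        echo "PASS ServerSignature=$sig"
    else
        echo "FAIL ServerSignature=$sig (want Off)"; rc=1
    fi
    return $rc
}

# Constructed sample files: a weak config and a hardened one. The hardened
# file shows that a commented-out or earlier line does not count.
demo_dir=$(mktemp -d)
printf '%s\n' '#ServerTokens Prod' 'ServerTokens OS' 'ServerSignature On' > "$demo_dir/weak"
printf '%s\n' 'ServerTokens OS' 'servertokens Prod' '  ServerSignature Off' > "$demo_dir/hardened"
audit_apache_security "$demo_dir/weak" || echo "weak config flagged"
audit_apache_security "$demo_dir/hardened" && echo "hardened config ok"
```

On the server, run `audit_apache_security /etc/apache2/conf.d/security` after editing and before restarting Apache. With ServerTokens Prod the Server header is still sent, but it carries only the product name.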

Optional Optimization

I found that you can save about 3MB of memory (according to htop) if the Apache status module is disabled,

sudo a2dismod
Your choices are: alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgid
                  deflate dir env filter jk mime negotiation proxy proxy_http rewrite setenvif status substitute
Which module(s) do you want to disable (wildcards ok)?
status
Module status disabled.
To activate the new configuration, you need to run:
  service apache2 restart
sudo service apache2 restart

Before Ubuntu 12, use the following command to restart apache2: sudo /etc/init.d/apache2 restart

That is it for now. I might flesh this section out a bit more later. Surprisingly, the default Apache configuration is robust enough that I rarely need optimization. Instead, we focus optimization efforts on application servers, which usually give us the biggest improvements.

References

http://cloudservers.mosso.com/index.php/Ubuntu_-_Apache_configuration#Security_Settings - Rackspace wiki on hardening Apache Web Server.
