Installation: Apache HTTP
Requirements
- A server running Rocky Linux
- Knowledge of the command-line and text editors
- Basic knowledge about installing and running web services
Introduction
The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. The goal of the project is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.1
This guide will demonstrate the requirements and steps needed to install an Apache web server on Rocky Linux OS. Based on this firm's needs, there are multiple configuration steps included in this document. Multiple external sources have been used to develop this guide. It should be noted that not all steps of the networking process are outlined here. Topics such as port-forwarding, reverse-proxies, DNS, or DHCP will not be discussed in this document.
Install Apache, PHP, and Associated Packages
Install Apache HTTP and PHP.
dnf install httpd php
Install Apache mod_ssl.
dnf install mod_ssl
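Enable Apache mod_ssl. On Rocky Linux the mod_ssl package enables itself through /etc/httpd/conf.modules.d/00-ssl.conf; the a2enmod helper belongs to Debian-based systems and is not available here. Confirm that the module is loaded:
httpd -M | grep ssl_module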
Create Configuration Directories
Create two directories in /etc/httpd/ called "sites-available" and "sites-enabled."
mkdir /etc/httpd/sites-available
mkdir /etc/httpd/sites-enabled
Create a directory where the sites will reside.
mkdir /var/www/sub-domains/
Server Configuration
Open the httpd.conf file:
vi /etc/httpd/conf/httpd.conf
Add the following line to the bottom of the file:
Include /etc/httpd/sites-enabled
This folder and document structure enables the System Administrator to create symbolic links from the configuration files in the sites-available directory into the sites-enabled directory. The same administrator may, if needed, remove a symbolic link from sites-enabled to disable a site.
Site Configuration
Create a configuration file in sites-available:
vi /etc/httpd/sites-available/com.wiki.www
The content of the configuration file will look something like this:
<VirtualHost *:80>
    ServerName com.wiki.www
    ServerAdmin [email protected]
    Redirect / https://com.wiki.www/
</VirtualHost>
<VirtualHost *:443>
    ServerName com.wiki.www
    ServerAdmin [email protected]
    DocumentRoot /var/www/sub-domains/com.wiki.www/html
    DirectoryIndex index.php index.htm index.html
    Alias /icons/ /var/www/icons/
    # ScriptAlias /cgi-bin/ /var/www/sub-domains/com.wiki.www/cgi-bin/
    CustomLog "/var/log/httpd/com.wiki.www-access_log" combined
    ErrorLog "/var/log/httpd/com.wiki.www-error_log"
    SSLEngine on
    SSLProxyEngine on
    # The three SSLProxyCheckPeer* lines switch off verification of the backend's certificate
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLCompression off
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLCertificateFile /var/www/sub-domains/com.wiki.www/ssl/ssl.crt/com.wiki.www.crt
    SSLCertificateKeyFile /var/www/sub-domains/com.wiki.www/ssl/ssl.key/com.wiki.www.key
    SSLCertificateChainFile /var/www/sub-domains/com.wiki.www/ssl/ssl.crt/com.wiki.www.ca-bundle
    <Directory /var/www/sub-domains/com.wiki.www/html>
        Options -ExecCGI -Indexes
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from all
        Satisfy all
    </Directory>
    RewriteEngine On
    # The RewriteCond lines apply only to the RewriteRule that directly follows them
    RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
    RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
    RewriteRule ^/app https://XXX.XXX.XXX.XXX:8080/app [R=301,L]
    <Location "/app">
        # Preserve Host header to avoid cross-origin problems
        ProxyPreserveHost on
        # Proxy to Application
        ProxyPass http://XXX.XXX.XXX.XXX:8080/app
        ProxyPassReverse http://XXX.XXX.XXX.XXX:8080/app
    </Location>
</VirtualHost>
Once the file is created, write (save) it with: shift : wq
Based on the DocumentRoot line from the example above, create the directory for the website codebase.
mkdir -p /var/www/sub-domains/com.wiki.www/html
Copy the website files to the path above:
cp -Rf wiki_source/* /var/www/sub-domains/com.wiki.www/html/
SSL Configuration
Add further SSL configuration items to the file.
- SSLEngine on - use SSL
- SSLProtocol all -SSLv2 -SSLv3 -TLSv1 - use all available protocols, except those that have been found to have vulnerabilities
- SSLHonorCipherOrder on - deal with cipher suites in the order that they are given
Add the proper SSL configuration to fit the server's needs:
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCompression off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
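A quick way to review these directives before a site goes live is to lint the file for settings that weaken TLS. The script below is an added example, not part of the original guide: audit_tls, the temporary files and the tightened values in the second sample are assumptions made for illustration.

```bash
# audit_tls FILE: print one finding per weak TLS directive (illustrative helper).
audit_tls() {
    awk '
        { sub(/^[ \t]+/, ""); d = tolower($1) }
        /^#/ || NF == 0 { next }                 # comments and blank lines
        d == "sslengine" && tolower($2) == "on" { engine = 1 }
        d == "sslprotocol" {
            line = " " tolower($0) " "
            # "all" keeps TLSv1.1 unless removed; RFC 8996 deprecates 1.0 and 1.1
            if (line ~ / all / && line !~ / -tlsv1\.1 /)
                print "SSLProtocol: TLSv1.1 is still enabled"
        }
        d == "sslciphersuite" {
            n = split($NF, c, ":")
            for (i = 1; i <= n; i++)             # RC4 is prohibited by RFC 7465
                if (c[i] ~ /RC4/ && c[i] !~ /^[!-]/)
                    print "SSLCipherSuite: RC4 suite offered: " c[i]
        }
        d ~ /^sslproxycheckpeer(cn|name|expire)$/ && tolower($2) == "off" {
            print $1 ": backend certificate check disabled"
        }
        END { if (!engine) print "SSLEngine: not switched on in this file" }
    ' "$1"
}

weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
# Constructed sample: the directive values shown in this section
cat > "$weak" <<'EOF'
SSLProxyEngine on
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCompression off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
EOF
# Constructed sample: a tightened alternative (an assumption; adjust to your clients)
cat > "$hardened" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
EOF
audit_tls "$weak"        # six findings
audit_tls "$hardened"    # no output
```

Run it against the real site file with audit_tls /etc/httpd/sites-available/com.wiki.www.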
Create a new directory structure for the SSL files, outside the document root:
mkdir -p /var/www/sub-domains/com.wiki.www/ssl/{ssl.key,ssl.crt,ssl.csr}
Copy the SSL files to the locations that the site configuration file names in these directives:
- SSLCertificateFile - the location of the newly purchased and applied certificate file
- SSLCertificateKeyFile - the location of the newly purchased and applied key file
- SSLCertificateChainFile - the location of the newly purchased and applied chain bundle file
cp /root/com.wiki.www.key /var/www/sub-domains/com.wiki.www/ssl/ssl.key/com.wiki.www.key
cp /root/com.wiki.www.csr /var/www/sub-domains/com.wiki.www/ssl/ssl.csr/com.wiki.www.csr
cp /root/com.wiki.www.crt /var/www/sub-domains/com.wiki.www/ssl/ssl.crt/com.wiki.www.crt
Site Redirection
Upon implementing SSL certificates, redirect users from port *:80 (http) to *:443 (https).
<VirtualHost *:80>
ServerName com.wiki.www
ServerAdmin [email protected]
Redirect / https://com.wiki.www/
</VirtualHost>
URL Rewrite
The Apache module mod_rewrite is a very powerful and sophisticated module which provides a way to do URL manipulations. With it, you can do nearly all types of URL rewriting that you may need. It is, however, somewhat complex, and may be intimidating to the beginner.2
RewriteEngine On
# The RewriteCond lines apply only to the RewriteRule that directly follows them
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteRule ^/app https://XXX.XXX.XXX.XXX:8080/app [R=301,L]
Reverse Proxy
A proxy server is a go‑between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers.3
<Location "/app">
    # Preserve Host header to avoid cross-origin problems
    ProxyPreserveHost on
    # Proxy to Application
    ProxyPass http://XXX.XXX.XXX.XXX:8080/app
    ProxyPassReverse http://XXX.XXX.XXX.XXX:8080/app
</Location>
Firewall Settings
Install firewalld if it is not installed.
dnf install firewalld
Enable and start the firewall.
systemctl enable firewalld
systemctl start firewalld
Open the related ports to the HTTP service.
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
Reload the firewall.
firewall-cmd --reload
SELinux & Permissions
Set the SELinux booleans that allow httpd to connect to the local network.
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_can_network_connect_db 1
Allow Apache to modify files in a website directory if needed:
sudo chcon -Rv --type=httpd_sys_rw_content_t /var/www/sub-domains/com.wiki.www/html
To give Apache or other users further permission to modify files in the website, use the commands below:
chown -R apache:apache com.wiki.www
chcon -t httpd_sys_content_t /var/www/html/ -R
find . -type d -exec chmod 0755 {} \;
find . -type f -exec chmod 0644 {} \;
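The recursive chown and chmod above also reach the ssl/ directory created earlier under /var/www/sub-domains/com.wiki.www when they are run from a directory above it, which leaves the private key owned by apache and readable by every local account at mode 0644. The check below is an added example, not part of the original guide; check_key_perms and the temporary demo directory are illustrative, and the working directory of the commands above is an assumption.

```bash
# check_key_perms DIR [UID]: report *.key files in DIR that are not owned by
# UID (default 0, root) or that grant any group/other permission bit.
# Illustrative helper; uses GNU stat, as shipped on Rocky Linux.
check_key_perms() {
    dir=$1 want=${2:-0} bad=0
    for f in "$dir"/*.key; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        uid=$(stat -c '%u' "$f")
        case $mode in
            ?00) ;;    # 600 or 400: owner-only access
            *)   echo "$f: mode $mode grants group/other access"; bad=1 ;;
        esac
        if [ "$uid" != "$want" ]; then
            echo "$f: owned by uid $uid, expected uid $want"; bad=1
        fi
    done
    return "$bad"
}

# Constructed demo in a temporary directory, standing in for
# /var/www/sub-domains/com.wiki.www/ssl/ssl.key after the recursive chmod 0644.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
: > "$demo/com.wiki.www.key"
chmod 0644 "$demo/com.wiki.www.key"
check_key_perms "$demo" "$(id -u)" || echo "-> tighten the key file"

chmod 0600 "$demo/com.wiki.www.key"    # on the server: also chown root:root
check_key_perms "$demo" "$(id -u)" && echo "key permissions OK"
```

httpd reads the key as root at startup, so the key file can stay owned by root with mode 0600 even though the site content belongs to apache.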
Server Initialization
Create the symbolic links between the sites-available and the sites-enabled folders.
ln -s /etc/httpd/sites-available/com.wiki.www /etc/httpd/sites-enabled/
Start httpd:
systemctl start httpd
Enable httpd:
systemctl enable httpd
Conclusion
Apache is the most popular open-source, cross-platform web server available. It’s actively maintained by the Apache Software Foundation with many high-profile companies such as Cisco, IBM, Salesforce, General Electric, Adobe, VMware, Xerox, LinkedIn, Facebook, Hewlett-Packard, AT&T, Siemens, eBay, using the software.