With Ubuntu, installing is very straightforward,
sudo apt-get install apache2
Apache 2.x is now installed.
What about Zero Footprint Apache? Definitely doable, but practically, with virtualization and how rarely Apache actually changes right now, I'm leaning towards just scripting configuration files only inside of a container.
Having said that, if time permits I might build a BonsaiFramework version.
Verify that the Apache Web Server is running first by hitting your server's IP address. If you do not know your IP address, at the console type,
ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 40:40:39:1b:ec:30 brd ff:ff:ff:ff:ff:ff
    inet 173.203.126.225/24 brd 173.203.126.255 scope global eth0
    inet6 fe80::4240:39ff:fe1b:ec30/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 40:40:33:6c:9d:19 brd ff:ff:ff:ff:ff:ff
    inet 10.179.62.235/19 brd 10.179.63.255 scope global eth1
    inet6 fe80::4240:33ff:fe6c:9d19/64 scope link
       valid_lft forever preferred_lft forever
Sometimes you may get back more than one IP address if you have more than one Ethernet card. If you are unsure, just try them one at a time in the next step. In this case mine is 173.203.126.225.
Launch a browser and enter your IP address into the browser.
You should see a default Apache webpage.
You should know the basic commands for running Apache 2. Go ahead and try them. Note: ignore the warning message about "fully qualified domain name", as that is covered in the next section.
As of Ubuntu 12, the basic commands to manage Apache2 are,
sudo service apache2 stop
sudo service apache2 start
sudo service apache2 restart # restart will restart the service (safer, as not all services support reload)
sudo service apache2 reload # reload will re-load the configuration files, with little or no downtime. Not all services support it (source: http://askubuntu.com/questions/105200/what-is-the-difference-between-service-restart-and-service-reload)
Before Ubuntu 12,
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/apache2 start
sudo /etc/init.d/apache2 restart
sudo /etc/init.d/apache2 reload
This is now corrected as part of Apache 2.4.18 and onwards.
Apache is working fine, but during restart you will get the warning message, "apache2: Could not reliably determine the server's fully qualified domain name, using ...".
Most websites have a domain name attached to them. Apache is looking for this on start-up. Depending on the version of Apache and Ubuntu, this can be resolved by adding the ServerName directive with the hostname.
You can determine the hostname by typing,
hostname
Adding an entry into the Global Configuration ensures that the change will persist even if Apache is upgraded,
# create the configuration file in the "available" section
echo "ServerName localhost" | sudo tee /etc/apache2/conf-available/servername.conf
# enable it by creating a symlink to it from the "enabled" section
sudo a2enconf servername
This concept has changed over time; look here for legacy versions of Apache.
Restart Apache to confirm you do not get the warning messages,
sudo service apache2 restart
Before hardening your Web Server you should make sure it works with its intended integrated purpose in a test environment. Otherwise you may waste lots of time troubleshooting.
So, assuming that your Web Server passes testing of its intended purpose, you may perform "Basic Hardening". Because this is "basic" I often perform these all at once and then test.
Here are some of the basic hardening steps I take today by default,
As with any security notes, I will write a disclaimer that there are more advanced ways to secure Apache. You can go as far as compiling your own custom version but that's out of scope for now.
By default Apache provides extra information about your server when 403, 404, 502 or similar error pages are invoked. The information could be used to look up vulnerabilities on the particular version of Apache you are running.
If you visit a page that does not exist you will invoke a 404 error resulting in a Not Found page similar to the one below,
Not Found
The requested URL /invalidpage.html was not found on this server.
Apache/2.4.18 (Ubuntu) Server at www.bonsaiframework.com Port 80
Edit /etc/apache2/conf-available/security.conf,
set ServerTokens Prod - This turns off all the extra header information sent by Apache; the Server response header is reduced to "Apache".
set ServerSignature Off - Removes footer information from default Apache pages. For example, page not found.
Older versions of Apache use /etc/apache2/conf.d/security
Restart Apache to take effect and verify by invoking a 404 again.
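To automate the verification step above, the following added example (not part of the original page) reads a raw HTTP response on stdin and reports whether the Server header or the error-page footer still exposes version details. The function name check_404_leak and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a raw HTTP response (read on stdin) for the details
# that ServerTokens Prod and ServerSignature Off are meant to remove.
# Prints one line per finding; returns 0 if clean, 1 if anything leaks.
check_404_leak() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        !in_body && /^$/ { in_body = 1; next }  # blank line ends the headers
        !in_body && tolower($0) ~ /^server:/ {
            # ServerTokens Prod leaves exactly "Server: Apache"
            if ($0 ~ /[0-9]|\(/) { print "header leaks detail: " $0; bad = 1 }
        }
        in_body && /<address>.*Server at/ {
            # ServerSignature On appends this footer to error pages
            print "error page footer present: " $0; bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: a 404 from an unhardened default install.
sample_before() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' \
        'Server: Apache/2.4.18 (Ubuntu)' \
        'Content-Type: text/html; charset=iso-8859-1' '' \
        '<h1>Not Found</h1>' \
        '<address>Apache/2.4.18 (Ubuntu) Server at www.bonsaiframework.com Port 80</address>'
}

# Constructed sample: the same 404 after both settings are applied.
sample_after() {
    printf '%s\r\n' 'HTTP/1.1 404 Not Found' 'Server: Apache' \
        'Content-Type: text/html; charset=iso-8859-1' '' \
        '<h1>Not Found</h1>'
}

sample_before | check_404_leak || echo "before: still leaking"
sample_after  | check_404_leak && echo "after: clean"

# Against your own server (replace the placeholder address):
#   curl -si http://YOUR_SERVER_IP/invalidpage.html | check_404_leak
```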
Less loaded means fewer vulnerabilities, and you will get performance increases too.
I found that you can save about 3MB of memory if the status Apache module is disabled. Here's how to disable interactively,
sudo a2dismod
Your choices are: alias auth_basic authn_file authz_default authz_groupfile authz_host authz_user autoindex cgid deflate dir env filter jk mime negotiation proxy proxy_http rewrite setenvif status substitute
Which module(s) do you want to disable (wildcards ok)?
NOTE: make sure you only disable the following one ONLY!!!
type: status
Module status disabled.
To activate the new configuration, you need to run:
  service apache2 restart
sudo service apache2 restart
Will flesh this out some more ...
...
.. these instructions need to be improved, and there is nothing here about removing logs.
1. stop apache:
sudo service apache2 stop
sudo /etc/init.d/apache2 stop
2. remove:
sudo apt-get remove apache2
sudo apt-get purge apache2
Rackspace wiki on hardening Apache Web Server - http://cloudservers.mosso.com/index.php/Ubuntu_-_Apache_configuration#Security_Settings
Apache Web Server Hardening Guide - https://geekflare.com/apache-web-server-hardening-security/