C1 - Devops

C-DEV-110

Apache Web server

Host your stuff !

1.2
 Apache Web server
repository name: apache
repository rights: ramassage-tek

• The totality of your source files, except all useless files (binary, temp files, obj
files,...), must be included in your delivery.

FOREWORD
In order to interact your back-end PHP code with your front-end, you start a build-in web server with the
command “php -S localhost:8000”.

What does it do ? It redirects the HTTP requests that you web browser (such as Google Chrome) are per-
forming when you access an URL such as www.google.fr or in this case “localhost:8000”

But this built-in web server that comes with PHP is only suitable to do basic web development. It can’t be
used to expose your website to the internet as it can’t handle much concurrent HTTP requests.

The is why in “productione environment” you have to use a dedicated HTTP web server such as “Apache”
(or the alternative “Nginx”).

There is nothing to submit in your repository for today.

Tip: since there is nothing to submit, you are strongly advised to ask questions

This subject is deliberately light, try to understand precisely all the aspects of a web
server presented here. This can only be done through documentation and by experi-
mentation.

1
PREREQUISITES
First of all, be sure you understand :
- IP addresses (local IP vs public IP)
- HTTP requests, if it is still unclear, try to take a look of the “curl” command in your terminal and install the
software “postman” (https://www.postman.com) which gives you a nice user interface to do the same
- DNS, try the “ping” command in your terminal

2
APACHE

WHY APACHE ?

Apache is the most common HTTP server. It is designed to accept many modules thanks to which it can be
used with many programming languages such as Perl, PHP, Python, Ruby

APACHE INSTALLATION

Type the following to proceed with the installation process.

Step 1: Update and Upgrade the apt tool to ensure we are working with the latest and greatest.
∇ Terminal - + x
∼/C-DEV-110> sudo apt update && upgrade

Step 2: Install Apache and select Y when prompted.

∇ Terminal - + x
∼/C-DEV-110> sudo apt install apache2

Step 3: Now that we have installed Apache we have to start the service.
∇ Terminal - + x
∼/C-DEV-110> systemctl start apache2

Step 4: Enabling Apache will automatically start the web server whenever the server is turned on.
∇ Terminal - + x
∼/C-DEV-110> systemctl enable apache2

Verify Apache by visiting the server’s IP or hostname; you’ll see Apache’s default page.

3
Step 5: As you want to use Apache with your PHP code you also need to install and enable Apache PHP
module.
∇ Terminal - + x
∼/C-DEV-110> sudo apt install libapache2-mod-php

CONFIGURATION

All Apache configuration files are store in Apache /etc/apache2/ :

• apache2.conf: General configuration (formerly known as httpd.conf)
• mods-available/: Available modules
• mods-enabled/: Enabled modules
• sites-available/: Available sites (there is a default config that can be used a template)
• sites-enabled/: Enabled sites

MODS
In order to enable the modules, use a2enmod (Apache 2 Enable Module, see http://manpages.ubuntu.com/manpages/trusty
followed by the name of the module.

As an exemple, there is a mod called “rewrite” that enable you to “rewrite URLs”. This is what’s happening
when you use “short link” service like https://bitly.com

To enable this mod, use the command “a2enmod” (Apache 2 Enable Mod)
∇ Terminal - + x
∼/C-DEV-110> sudo a2enmod rewrite

To disable a module, use a2dismod.

SITES
You need to create a configuration file for each website (check sites-available for template)
In order to activate a site, use the command a2ensite (Apache 2 Enable Site):

4
∇ Terminal - + x
∼/C-DEV-110> sudo a2ensite <configName>

To disable a site, use the command a2dissite.

NEVER modify the content of ‘mods-enabled’ and ‘sites-enabled’ !

TEST

As there is default site already activated, try to open your browser and enter ‘localhost’ in URL. You’ll see
this page:

5
BASIC HTML WEB SITE
DEFINITION

If you take a look of the default site configuration, the web site folder “DocumentRoot” is defined as :
/var/www/html/
As you can have multiple website on the same server, you need to create this configuration for each web
site.
Go to this folder and take a look.
When you want to access your web site on your browser, type localhost:80. 80 is the default port for all
webpage on the internet but it is hidden by your web browser as it is the same for every web site (when
you go to www.google.fr in fact you access to www.google.fr:80)
The default “DocumentRoot” localisation (“/var/www/html/”) is write-protected by your Linux (except for
sudo user). You will need to specify your own foldier for each of your website.

CONFIGURATION

So, go to your apache configuration folder:

∇ Terminal - + x
∼/C-DEV-110> cd /etc/apache2/sites-available

Then, we will copy the default Apache configuration usually named 000-default.conf and create a new
configuration.

NEVER modify the default configuration

∇ Terminal - + x
∼/C-DEV-110> sudo cp 000-default.conf dev-and-go.conf

Now modify this new configuration (you need “sudo emacs” as it is write-protected) such as :
∇ Terminal - + x
< VirtualHost *:80 >
ServerName dev - and - go . fr
ServerAlias www . dev - and - go . fr
ServerAdmin contact@dev - and - go . fr
DocumentRoot SPECIFY YOUR HTML FOLDER
ErrorLog $ { APACHE_LOG_DIR }/ dev - and - go . log
CustomLog $ { APACHE_LOG_DIR }/ dev - and - go . log combined
</ VirtualHost >

To enable your new configuration :

∇ Terminal - + x
∼/C-DEV-110> sudo a2ensite dev-and-go

6
∇ Terminal - + x
∼/C-DEV-110> sudo systemctl reload apache2

LOCAL DNS
You also have to edit /etc/hosts which is a local DNS lookup table and add the following lines (you must be
root to edit this file):

• 127.0.0.1 dev-and-go.fr
• 127.0.0.1 www.dev-and-go.fr

You can now access your web site with both URL dev-and-go.fr or www.dev-and-go.fr in you web browser.
If you encounter a 403 Forbidden HTTP Error, please verify the permissions on your folders and all apache
config files.

7
EXERCICE : LET’S MAKE MY_SHOP A TRUE WEBSITE
STEP 1
For now, you only created a website with basic HTML. Try to do the same with the PHP mod activated and
your PHP code for my_shop.

STEP 2
Now make it accessible to every one. By default, Apache only “listen” to local HTTP request.
Find your public IP, and edit the configuration file to Listen it (see : https://httpd.apache.org/docs/2.4/bind.html)
Now, you need to go to your router configuration (192.168.1.1) and open port 80 in TCP (shorturl.at/wzIJV)

Call assistants if to verify your configuration

STEP 3 - OPTIONNAL
If you want to go further, you may buy a domain name on https://www.ovh.com/fr/domaines/ and configure
it with your public IP address.

STEP 4 - OPTIONNAL
Now, you need to make you website secure with the HTTPS protocol. Take a look to https://letsencrypt.org
to do so.
Congratulation, you now have your own web site accessible to every one !

8
APACHE SECURITY
With default or wrongly-configured apache config, you are prone to be be victim of cyber attacks.
We are now going to see how to set minimum security.

SERVER INFORMATION

When your server encounters an error, and cannot process the request, Apache will by default, give infor-
mation about the server’s type and version. In your browser, try to access a page that does not exist on your
server, such as http://localhost/doesnt_exists.

• Go to folder: /etc/apache2
• Edit the file: conf-available/security.conf
• Locate the line: ServerTokens, and change it’s value to: Prod
• Locate the line: ServerSignature, and change it’s value to: Off
• Restart Apache

Refresh the page that does not exist.

DISABLE DIRECTORY LISTING

By default, when a file is not interpreted, apache displays the list of folders and files of the requested URL,
allowing any visitor to access a part, if not all, of your files and folders.

9
To avoid this behavior, edit the file /etc/apache2/apache2.conf and transform Options Indexes FollowSymLinks
into Options -Indexes -FollowSymLinks.
/etc/apache2/apache2.conf
Here are some explanations about the available options :

• ‘Options’
• ‘Indexes’ : Allow Apache to list the files on the current directory if no index file was found
• ‘FollowSymLinks’ : Allow Apache to follow symbolic links
• ‘AllowOverride’ : Indicates which directives can be override in the .htaccess file
• ‘Require all granted’ : Indicates which ip or host can access the resource (here, everyone can access
the directory)

MODS

mod-security
mod-security acts as a firewall and prevents brute-force attacks.
To install it:
∇ Terminal - + x
∼/C-DEV-110> sudo apt install libapache2-mod-security2 -y
∼/C-DEV-110> sudo systemctl restart apache2

mod-evasive
mod-evasive avoids “DDOS” and “HTTP bruteforce” attacks.
To install it:
∇ Terminal - + x
∼/C-DEV-110> sudo apt install libapache2-mod-evasive -y
∼/C-DEV-110> sudo systemctl restart apache2

10
 LIMIT HTTP REQUEST SIZE

In order to prevent the storage of your server from being parasitized by large user files, it is often appropriate
to limit the file upload size of your server.
To do this, edit the global configuration file of your server or vhost and add the directive LimitRequestBody.
For example:
∇ Terminal - + x
< Directory " / home / YOUR_LOGIN / Rendu " >
LimitRequestBody 10485760
</ Directory >

DISABLE TRACE HTTP REQUEST

Trace HTTP Request is enabled by default. It can allow a hacker to steal your cookies.
If this behavior is not desired (most of the time), disable it by modifying /etc/apache2/apache2.conf and by
adding TraceEnable off.

INSTALL A FIREWALL & PROTECT PORT SCANS

There is a pre-existing firewall on Ubuntu: ufw.

https://doc.ubuntu-fr.org/ufw

Once installed it manages traffic to and from your server, allowing you to finely manage your server’s ports
and their functions. The objective is not to allow attackers to take advantage of open (allow) and unpro-
tected (vulnerabilities) ports.
Enable this firewall with the default configuration and configure it to accept ssh, ftp, and web server con-
nections.
Try to remove port accesses that you think are unnecessary.

11