Web Server Management

Prerequisites

  • Apache HTTPD installed
  • Firewall port 80/443 open

Quick Reference

Action       | Command
List Modules | httpd -M
List VHosts  | httpd -S
Test Config  | apachectl configtest
Check Logs   | tail -f /var/log/httpd/error_log
Start        | systemctl start httpd
Reload       | systemctl reload httpd
SELinux Bool | setsebool -P httpd_can_network_connect 1

Procedure: Create a Virtual Host

When to use: Hosting multiple websites on a single server (e.g., site1.com and site2.com).

Steps:

  1. Create a config file in /etc/httpd/conf.d/ (e.g., mysite.conf):

    <VirtualHost *:80>
        ServerName mysite.example.com
        DocumentRoot /var/www/html/mysite
        ErrorLog /var/log/httpd/mysite-error.log
        CustomLog /var/log/httpd/mysite-access.log combined
    </VirtualHost>
    

  2. Create the document root:

    mkdir -p /var/www/html/mysite
    echo "<h1>Hello World</h1>" > /var/www/html/mysite/index.html
    

  3. Reload Apache:

    systemctl reload httpd
    

Troubleshooting:

  • "403 Forbidden": Check directory permissions (chmod 755) and SELinux context (httpd_sys_content_t).

Procedure: Test Apache Configuration

When to use: Before restarting Apache, to ensure syntax errors don't bring down the service.

Steps:

  1. Run the config test:

    apachectl configtest

    Expected output: Syntax OK

Troubleshooting:

  • "Could not reliably determine the server's fully qualified domain name": Add ServerName localhost to /etc/httpd/conf/httpd.conf (warning only).

Procedure: Enable/Disable Modules

When to use: Adding functionality like SSL, proxying, or PHP.

Steps:

  1. List loaded modules:

    httpd -M
    

  2. Enable a module (CentOS/RHEL):

    • Most modules are enabled by installing their package (e.g., mod_ssl).
    • Edit files in /etc/httpd/conf.modules.d/.

  3. Enable a module (Debian/Ubuntu style - just for reference):

    a2enmod ssl
    systemctl restart apache2
    

Troubleshooting:

  • "Module not found": Install the RPM package (e.g., dnf install mod_ssl).

Procedure: Set Up a Reverse Proxy

When to use: Forwarding traffic from Apache to a backend app (like Node.js, Python, or a container) running on a local port (e.g., 8080).

Steps:

  1. Edit your VirtualHost config:

    <VirtualHost *:80>
        ServerName app.example.com
    
        ProxyPreserveHost On
        ProxyPass / http://localhost:8080/
        ProxyPassReverse / http://localhost:8080/
    </VirtualHost>
    

  2. Allow Apache to connect to network ports (SELinux):

    setsebool -P httpd_can_network_connect 1
    

  3. Reload Apache.

Troubleshooting:

  • "503 Service Unavailable": The backend app on port 8080 is not running.
  • "Permission denied": SELinux blocked the connection. Run the setsebool command.

Procedure: Configure Forensic Logging

When to use: Detailed debugging of HTTP headers for security analysis.

Steps:

  1. Load the module (if not loaded):

    • On CentOS/RHEL, the module is already installed with httpd but commented out. Uncomment LoadModule log_forensic_module modules/mod_log_forensic.so in /etc/httpd/conf.modules.d/00-optional.conf.
    • On other distributions, ensure the LoadModule line is present in the Apache configuration.

  2. Add the directive to your VirtualHost or global config:

    <IfModule log_forensic_module>
        ForensicLog /var/log/httpd/forensic_log
    </IfModule>
    

  3. Reload Apache.

Troubleshooting:

  • Logs are empty: Ensure traffic is hitting the server.
  • Logs are hard to read: They use + for start of request and - for end, with full headers.
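
The + / - pairing described above can be checked mechanically. The script below is an added example, not part of the original page: it lists requests that have a + entry but no - entry and pulls a single header out of an entry. The function names, forensic IDs and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage a mod_log_forensic log. Sample data below is constructed.

# Print "<id> <request line>" for every '+' entry that has no matching '-' entry,
# i.e. requests Apache started processing but never finished.
unfinished_requests() {
    awk -F'|' '
        /^\+/ { id = substr($1, 2); req[id] = $2; order[++n] = id; next }
        /^-/  { delete req[substr($0, 2)] }
        END   { for (i = 1; i <= n; i++)
                    if (order[i] in req) print order[i], req[order[i]] }
    ' "$@"
}

# Print the value of one header (name matched case-insensitively) for a given ID.
# Usage: forensic_header ID HEADER-NAME [logfile...]
forensic_header() {
    fid=$1; hname=$2; shift 2
    awk -F'|' -v id="$fid" -v name="$hname" '
        $1 == ("+" id) {
            for (i = 3; i <= NF; i++) {
                p = index($i, ":")
                if (tolower(substr($i, 1, p - 1)) == tolower(name))
                    print substr($i, p + 1)
            }
        }
    ' "$@"
}

# Constructed sample: three requests, the second never logged its '-' line.
sample_forensic_log() {
    cat <<'EOF'
+ex0001|GET /index.html HTTP/1.1|Host:mysite.example.com|User-Agent:curl/8.0|Accept:*/*
-ex0001
+ex0002|POST /upload HTTP/1.1|Host:mysite.example.com|Content-Length:1048576
+ex0003|GET /health HTTP/1.1|Host:mysite.example.com|User-Agent:curl/8.0
-ex0003
EOF
}

# Reads stdin here; pass /var/log/httpd/forensic_log as an argument on a server.
sample_forensic_log | unfinished_requests
```

Because mod_log_forensic writes every request header, Authorization and Cookie values end up in this file, so its permissions should be as tight as those of any other file holding credentials.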

Procedure: Configure Bearer Token Authorization

When to use: Restricting access to a virtual host so that only clients providing a valid Authorization: Bearer <token> header can reach the backend.

Steps:

  1. In the virtual host configuration, use mod_rewrite to check the Authorization header and deny requests that don't carry the correct token:

    <VirtualHost *:80>
        ServerName app.example.sysadm.ee
    
        RewriteEngine On
        RewriteCond %{HTTP:Authorization} !^Bearer\ YOUR_TOKEN_HERE$
        RewriteRule .* - [F,L]
    
        ProxyPreserveHost On
        ProxyPass / http://localhost:5000/
        ProxyPassReverse / http://localhost:5000/
    </VirtualHost>
    
    Replace YOUR_TOKEN_HERE with the actual token value.

  2. Reload Apache:

    systemctl reload httpd
    

How it works:

  • RewriteCond checks whether the Authorization header matches the expected Bearer <token> value.
  • If it does not match, RewriteRule .* - [F,L] returns HTTP 403 Forbidden and stops processing.
  • If it matches, the request passes through to the ProxyPass backend normally.

Troubleshooting:

  • "403 on every request": Double-check the token value and make sure there is a space between Bearer and the token in the RewriteCond pattern (escaped as \ in the regex).
  • Apache may strip the Authorization header before it reaches mod_rewrite if mod_proxy is involved. If needed, add RequestHeader set Authorization "%{HTTP_AUTHORIZATION}e" env=HTTP_AUTHORIZATION or use CGIPassAuth On.
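
The RewriteCond pattern is a regular expression, so a token containing characters such as . or + is not compared literally: an unescaped + changes what the pattern matches (one cause of "403 on every request"), and an unescaped . accepts any character in that position. The script below is an added example, not part of the original page; it escapes a token and prints the directive in the form used above. The function names and the sample token are constructed.

```shell
#!/bin/sh
# Added example: build the RewriteCond line for an arbitrary token.

# Backslash-escape every character that is not a letter, digit or underscore.
# In the PCRE syntax mod_rewrite uses, a backslash before a non-alphanumeric
# character always makes it literal, so the token can no longer act as a regex.
escape_token() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/\\&/g'
}

# Print the directive in the same form as the virtual host above.
rewritecond_for_token() {
    printf 'RewriteCond %%{HTTP:Authorization} !^Bearer\\ %s$\n' "$(escape_token "$1")"
}

# Generate a 64-character hex token from /dev/urandom (nothing to escape).
new_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Constructed token containing characters that are regex operators when unescaped.
rewritecond_for_token 'ab.c+d/e=='
# Freshly generated hex token.
rewritecond_for_token "$(new_token)"
```

The printed line contains the secret, so the configuration file that receives it should not be world-readable.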

Procedure: Configure ModSecurity Rules

When to use: Protecting web apps from attacks like SQL injection and XSS.

Steps:

  1. Install ModSecurity:

    dnf install mod_security
    

  2. Enable the rule engine in /etc/httpd/conf.d/mod_security.conf:

    SecRuleEngine On
    

  3. Add custom rules in /etc/httpd/modsecurity.d/local_rules/modsecurity_localrules.conf:

    # Default action: deny and log with HTTP 406
    SecDefaultAction "phase:2,deny,log,status:406"
    
    # Block requests containing 'etc/passwd' in the URI
    SecRule REQUEST_URI "etc/passwd" "id:'500001'"
    
    # Block directory traversal attempts
    SecRule REQUEST_URI "\.\./" "id:'500002'"
    
    # Block script injection in arguments
    SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"
    

  4. Restart Apache.

Troubleshooting:

  • Valid requests blocked (False Positives): Check /var/log/httpd/modsec_audit.log or the Apache error log. You may need to tune rules or set SecRuleEngine DetectionOnly temporarily.
  • See Concepts: Web Application Security for background on WAF rules and the OWASP Core Rule Set.
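
When tuning false positives, the first question is which rule id fires on which URI. The script below is an added example, not part of the original page: it counts ModSecurity denials in Apache error-log lines by the [id "..."] and [uri "..."] fields. The function names are hypothetical and the sample lines are constructed and shortened (timestamp and pid fields omitted).

```shell
#!/bin/sh
# Added example: summarise ModSecurity denials by rule id and URI.

# Reads Apache error-log lines (files as arguments, or stdin) and prints
# "<count> <rule id> <uri>", most frequent first.
modsec_hits() {
    awk '
        /ModSecurity: Access denied/ {
            id = "-"; uri = "-"
            if (match($0, /\[id "[0-9]+"\]/))
                id = substr($0, RSTART + 5, RLENGTH - 7)
            if (match($0, /\[uri "[^"]*"\]/))
                uri = substr($0, RSTART + 6, RLENGTH - 8)
            count[id " " uri]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample lines modelled on ModSecurity error-log messages.
sample_error_log() {
    cat <<'EOF'
[client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<[Ss][Cc][Rr][Ii][Pp][Tt]" at ARGS:q. [id "500003"] [hostname "mysite.example.com"] [uri "/search"]
[client 192.0.2.11] ModSecurity: Access denied with code 406 (phase 2). Pattern match "etc/passwd" at REQUEST_URI. [id "500001"] [hostname "mysite.example.com"] [uri "/etc/passwd"]
[client 192.0.2.10] File does not exist: /var/www/html/mysite/favicon.ico
[client 192.0.2.12] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<[Ss][Cc][Rr][Ii][Pp][Tt]" at ARGS:q. [id "500003"] [hostname "mysite.example.com"] [uri "/search"]
EOF
}

# Reads stdin here; pass /var/log/httpd/error_log as an argument on a server.
sample_error_log | modsec_hits
```

A rule id that dominates the output on a URI known to be legitimate is the one to review while SecRuleEngine is set to DetectionOnly.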

  • Technologies: Apache HTTPD
  • Concepts: HTTP, Virtual Hosting, Reverse Proxy, Web Application Security