Apache web server installation and configuration with bindings in RHEL Linux
The Apache HTTP Server, commonly referred to as Apache, is an open-source web server software that delivers web content over the internet. It is one of the most widely used web server applications, known for its reliability, flexibility, and performance. Apache can serve static and dynamic content, such as HTML web pages, images, and scripts written in languages like PHP or Python. It supports various features like virtual hosting, SSL/TLS encryption, and URL rewriting, making it highly customizable and suitable for a wide range of web hosting environments.
The Apache web server package is httpd. To install it:
yum install httpd*
rpm -qa | grep httpd
Configuring the apache server :
#the main configuration file of apache is
vim /etc/httpd/conf/httpd.conf
#now start and enable the service and check if it is running
systemctl start httpd
systemctl enable httpd
systemctl status httpd
#allow port 80 in the firewall if one exists (OPTIONAL)
vim /etc/sysconfig/iptables
-A INPUT -p tcp --dport 80 -j ACCEPT
systemctl restart iptables
#the location of all the websites is
cd /var/www/html
#to check that Apache is running, open the system's IP in a browser;
#a demo test page loads if no index page is found in /var/www/html
#the httpd service runs as the "apache" user, so all files under /var/www/html
#should have owner "apache"
Paste any HTML template data inside /var/www/html and change its ownership
chown -vfR apache:apache /var/www/html/*
#if the css/js is not loading properly
vim /etc/httpd/conf/httpd.conf #go to line 306 or search for 'AddType'
AddType text/css .css
#then restart the service
systemctl restart httpd
Bindings
We can bind our website in 4 particular ways:
- IP
- Name
- Port number
- Type
First, we need to disable SELinux if it is active
vim /etc/sysconfig/selinux
SELINUX=disabled
#SELinux is disabled for port binding, as it forces httpd to use common ports only (80, 443)
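An alternative to the step above, shown as an added example that is not part of the original page: SELinux can stay enforcing if each extra port is added to the http_port_t type with semanage. The functions below find which Listen ports still need that. The sample config, port 8090 and the function names are constructed, and the ALLOWED list is assumed to match the RHEL default for http_port_t.

```shell
# listen_ports FILE -> unique port numbers from Listen directives, one per line
listen_ports() {
    awk '
        tolower($1) == "listen" {
            addr = $2
            sub(/^.*:/, "", addr)   # drop "ip:" or "[v6]:" and keep the port
            if (addr ~ /^[0-9]+$/ && !seen[addr]++) print addr
        }' "$1"
}

# unlabeled_ports FILE "80 81 ..." -> Listen ports that are not in the list
unlabeled_ports() {
    for p in $(listen_ports "$1"); do
        case " $2 " in
            *" $p "*) ;;            # already labelled for httpd
            *) echo "$p" ;;
        esac
    done
}

# Constructed sample config, for illustration only.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Listen 80
# Listen 8000
Listen 192.168.246.21:8090
Listen 81
Listen 443 https
EOF
# Assumed default tcp ports of http_port_t; on a real host read the live
# list from the http_port_t line of: semanage port -l
ALLOWED="80 81 443 488 8008 8009 8443 9000"

# Print the command for each missing port. If the port already carries
# another SELinux type, semanage needs -m instead of -a.
for p in $(unlabeled_ports "$SAMPLE" "$ALLOWED"); do
    echo "semanage port -a -t http_port_t -p tcp $p"
done
```

The firewall rule for the new port is still needed; SELinux labelling and iptables are separate checks.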
Binding the website :
#to check that the configuration syntax is valid
httpd -t
vim /etc/httpd/conf/httpd.conf
#httpd reads a comment only on a line of its own, so each note sits above its directive
#where the main httpd files are located
ServerRoot "/etc/httpd"
#default configuration: all IP addresses of the server will run the website on port 80
Listen 80
#only the specified IP with port 80 will run the site
Listen 192.168.246.21:80
#only the specified IP with port 8080 will run the site
#remember to allow the port number in the firewall
Listen 192.168.246.21:8080
#the user by which apache will run
User <username>
#the group by which apache will run
Group <groupname>
#the user who will receive problem reports
ServerAdmin <user@localhost>
#location of web pages
DocumentRoot "/var/www/html"
#which index page will be used by default
DirectoryIndex index.html
#where the errors will be stored
ErrorLog "logs/error_log"
#location where the scripts of the server will be located
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#you can add a type for the browser to understand (example: apk)
AddType text/css .css
(* In the /etc/httpd/conf/httpd.conf file we can define the user and group under which the service will run. Do not define root there: if the server is compromised, the attacker will get a root shell without having to do privilege escalation.)
Binding with IP
To bind a website to an IP, add this block:
vim /etc/httpd/conf/httpd.conf
<Virtualhost *>
DocumentRoot /var/www/html/site1/
DirectoryIndex index.html
</virtualhost>
#the website in the site1 directory will be bound to every IP (*) of the server
#binding particular sites to respective IPs:
<Virtualhost 192.168.1.21>
DocumentRoot /var/www/html/site1/
DirectoryIndex index.html
</virtualhost>
<Virtualhost 192.168.1.22>
DocumentRoot /var/www/html/site2/
DirectoryIndex index.html
</virtualhost>
<Virtualhost 192.168.1.23>
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
</virtualhost>
#here we have bound three different sites to 3 distinct IPs
Binding with Port
#binding particular sites to respective ports
#all IPs with port 80 can run site 1
<Virtualhost *:80>
DocumentRoot /var/www/html/site1/
DirectoryIndex index.html
</virtualhost>
#this IP with port 80 can run site 2
<Virtualhost 192.168.1.21:80>
DocumentRoot /var/www/html/site2/
DirectoryIndex index.html
</virtualhost>
Listen 81
#this IP with port 81 can run site 3
<Virtualhost 192.168.1.22:81>
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
</virtualhost>
Binding with Domain-Name
To bind multiple websites with multiple names we need to create multiple zones
vim /etc/named.rfc1912.zones
#add the zone of new domain
zone "infosec.local" IN { #<domain-name.local>
type master;
file "forward.infosec.local"; #<forward.domain-name.local>
allow-update { none; };
};
cd /var/named
vim forward.infosec.local
$TTL 1D
@ IN SOA ns1.userx.local. root.userx.local. (
1001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS ns1.hell.local.
infosec.local. IN A 192.168.246.21
www IN CNAME infosec.local.
ns1 IN A 192.168.246.22
router IN A 192.168.246.1
kali IN A 192.168.246.8
vim /etc/httpd/conf/httpd.conf
<Virtualhost 192.168.1.21:80>
ServerName hell.local
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
ServerAlias www.hell.local
</virtualhost>
<Virtualhost 192.168.1.21:80>
ServerName infosec.local
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
ServerAlias www.infosec.local
</virtualhost>
Binding with Type
To run a website on https →
#first install mod_ssl package
yum install mod_ssl.x86_64
rpm -qa | grep mod_ssl
vim /etc/httpd/conf.d/ssl.conf
#on which port the service will run
Listen 443 https
#certificate file
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#key file
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
vim /etc/httpd/conf/httpd.conf
<Virtualhost 192.168.1.21:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
</virtualhost>
systemctl restart httpd
#allow port 443 in the firewall if one exists
To create own SSL certificate →
cd /opt/
mkdir ssl
cd ssl
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365
#two files will be generated: key.pem and cert.pem
cp -v /opt/ssl/cert.pem /etc/pki/tls/certs/cert.pem
cp -v /opt/ssl/key.pem /etc/pki/tls/private/key.pem
#now give the location of these new keys in bindings
<Virtualhost 192.168.1.21:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.pem
DocumentRoot /var/www/html/site4/
DirectoryIndex index.html
</virtualhost>
systemctl restart httpd
#enter the key password when prompted
#binding other https websites with alias names
<Virtualhost 192.168.1.21:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.pem
ServerName hell.local
DocumentRoot /var/www/html/site3/
DirectoryIndex index.html
ServerAlias www.hell.local
</virtualhost>
<Virtualhost 192.168.1.21:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/cert.pem
SSLCertificateKeyFile /etc/pki/tls/private/key.pem
ServerName infosec.local
DocumentRoot /var/www/html/site2/
DirectoryIndex index.html
ServerAlias www.infosec.local
</virtualhost>
Another method, in which the password will be required only once while restarting httpd.service →
cd /opt/ssl
openssl genrsa -out ca.key #generating private key
openssl req -new -key ca.key -out ca.csr #generates certificate request from private key
openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
#generates certificate from request file
#now copy ca.crt and ca.key to their location:
cp -v /opt/ssl/ca.crt /etc/pki/tls/certs/ca.crt
cp -v /opt/ssl/ca.key /etc/pki/tls/private/ca.key
#add their entry in httpd.conf file
vim /etc/httpd/conf/httpd.conf
<Virtualhost 192.168.1.21:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
DocumentRoot /var/www/html/site2/
DirectoryIndex index.html
</virtualhost>
systemctl restart httpd
#now it will not ask for password
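The two certificate methods above differ in how the private key is stored: openssl req -newkey without -nodes writes a passphrase-encrypted key.pem, which is why httpd prompts on restart, while openssl genrsa -out ca.key writes an unencrypted key that is protected by file permissions alone. The check below is an added example, not part of the original page; the function names are hypothetical and the sample files are constructed stand-ins that contain only PEM framing lines.

```shell
# key_state FILE -> "encrypted" or "plaintext"
key_state() {
    # PKCS#8 encrypted keys have their own BEGIN line; legacy PEM keys mark
    # encryption with a Proc-Type header under the BEGIN line.
    if grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# key_mode FILE -> "private" when group and others have no access, else "exposed"
key_mode() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo private ;;
        *)      echo exposed ;;
    esac
}

# audit_key FILE -> one-line verdict
audit_key() {
    state=$(key_state "$1"); mode=$(key_mode "$1")
    if [ "$state" = plaintext ] && [ "$mode" = exposed ]; then
        echo "RISK: $state key readable beyond its owner"
    else
        echo "ok: $state, $mode"
    fi
}

# Constructed stand-ins for key.pem and ca.key (no key material inside).
DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$DIR/key.pem"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$DIR/ca.key"
chmod 600 "$DIR/key.pem"
chmod 644 "$DIR/ca.key"
audit_key "$DIR/key.pem"
audit_key "$DIR/ca.key"
```

On the server, run audit_key against the files copied into /etc/pki/tls/private/ and tighten any exposed key with chmod 600.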