Apache HTTP Server
俗称 Apache。他には httpd とか。
導入
CentOS 7
VirtualHost 運用
既定のホストを無効として厳密な名前の一致を求める
ホストのディレクトリは /var/www/vhosts/<FQDN>
ホスト設定は /etc/httpd/vhosts.d/<FQDN>.conf
無効にする場合は .conf.disabled
RHEL 8 待ち
code:bash
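# Install httpd plus mod_ssl. Server-wide policy goes into conf.d/z-server.conf:
# the "z-" prefix sorts it after the packaged conf.d files so its settings win.
sudo yum -y install httpd mod_ssl
# The delimiter is quoted, so nothing inside the here-doc is expanded by the
# shell; tee's copy to stdout is discarded because the file is the only output.
cat << '____________________' | sudo tee /etc/httpd/conf.d/z-server.conf >/dev/null
#---+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8
# Security
ServerTokens Prod
ServerSignature Off
ServerAdmin webmaster@example.com
# suppress default hosts
ServerName DISABLED
# protect default DocumentRoot
<Directory /var/www/html>
AllowOverride none
Require all denied
Redirect gone /
</Directory>
# for HTTP
<VirtualHost *:80>
</VirtualHost>
# for HTTPS
SSLStrictSNIVHostCheck on
# Define live hosts
IncludeOptional vhosts.d/*.conf
#---+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8
____________________
# -p: re-running this setup must not abort on directories that already exist.
sudo mkdir -p /etc/httpd/vhosts.d /var/www/vhosts
# Some packaged settings are hard to override from z-server.conf, so empty
# those files outright (sed keeps a *.default backup of each).
sudo sed -i.default d /etc/httpd/conf.d/autoindex.conf
sudo sed -i.default d /etc/httpd/conf.d/welcome.conf
# Optional: comment out modules this setup does not use
# (backup kept as 00-base.conf.default).
# NOTE(review): mod_reqtimeout bounds how long a client may take to send a
# request (slow-request protection) — consider leaving it loaded.
sudo sed -r -i.default \
  -e 's/^LoadModule auth_(basic|digest)_module/#&/' \
  -e 's/^LoadModule authn_(anon|dbd|dbm|file|socache)_module/#&/' \
  -e 's/^LoadModule authz_(dbd|dbm|groupfile|host|owner|user)_module/#&/' \
  -e 's/^LoadModule socache_(dbm|memcache)_module/#&/' \
  -e 's/^LoadModule (access_compat|actions|allowmethods|autoindex|cache|cache_disk|data|dbd|dumpio|echo)_module/#&/' \
  -e 's/^LoadModule (ext_filter|filter|include|info|negotiation|remoteip|reqtimeout|slotmem_plain)_module/#&/' \
  -e 's/^LoadModule (status|substitute|suexec|unique_id|userdir|version|vhost_alias)_module/#&/' \
  /etc/httpd/conf.modules.d/00-base.conf
# Only enable the service once the configuration parses cleanly.
sudo apachectl configtest && sudo systemctl enable --now httpd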
バーチャルホスト追加
code:/etc/httpd/vhosts.d/example.com.conf
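#---+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8
# One file per FQDN in vhosts.d/. HOST is Define'd here and UnDefine'd at the
# end so the value cannot leak into the next file pulled in by IncludeOptional.
Define HOST example.com
# Plain HTTP exists only to send clients to HTTPS.
<VirtualHost *:80>
ServerName ${HOST}
DocumentRoot /var/www/vhosts/${HOST}/public
# The trailing slash on the target matters: mod_alias appends the part of the
# request path after the matched prefix ("/") to the target, so a target
# without the slash would rewrite /foo to https://${HOST}foo.
Redirect / https://${HOST}/
</VirtualHost>
<VirtualHost *:443>
ServerName ${HOST}
DocumentRoot /var/www/vhosts/${HOST}/public
# h2 stays disabled; presumably until a build that ships mod_http2 (cf. the
# RHEL 8 note on this page) — confirm before enabling.
#Protocols h2 http/1.1
# Per-host logs, relative to ServerRoot.
ErrorLog "logs/error-${HOST}.log"
CustomLog "logs/access-${HOST}.log" combined
<Directory /var/www/vhosts/${HOST}/public>
Options FollowSymLinks
DirectoryIndex index.html
# "All" is what lets the per-app .htaccess set its own directives; anyone who
# can write to the DocumentRoot can therefore change most of this section.
AllowOverride All
Require all granted
</Directory>
# ACME (HTTP-01) challenges must stay reachable regardless of app rules.
<Location /.well-known/>
Require all granted
</Location>
# httpoxy mitigation: a client-sent "Proxy" header would otherwise reach
# CGI/backends as HTTP_PROXY.
RequestHeader unset Proxy
# "always" also covers non-2xx responses (redirects, error pages); without it
# HSTS is only sent on successful responses. 31104000 s = 360 days.
Header always set Strict-Transport-Security "max-age=31104000"
SSLEngine on
# TLS 1.2 only (plus 1.3 where the OpenSSL/httpd build offers it).
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Forward-secret AEAD suites first; the CBC/SHA-2 suites at the end are a
# fallback for older clients.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# Deny whenever an SSLRequire/SSLRequireSSL check fails, even if a
# "Satisfy any" rule would otherwise let the request through.
SSLOptions +StrictRequire
# Server-side preference enforces the order above.
SSLHonorCipherOrder on
# TLS-level compression is what CRIME-style attacks rely on; keep it off.
SSLCompression off
# httpd does not rotate the ticket key, so tickets would weaken forward
# secrecy for the server's whole uptime.
SSLSessionTickets off
# Placeholder: the self-signed pair the mod_ssl package generates on install.
# Replace it with the real certificate (e.g. the certbot step on this page).
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
UnDefine HOST
#---+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8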
お好みで Let's Encrypt
Certbot を使う場合は、上の ${HOST} を展開しておくこと
certbot の apache プラグインが定数に対応してない
%:s/${HOST}/example.com/
code:bash
# The certbot apache plugin edits the vhost file itself and does not
# understand Define'd variables, so ${HOST} must already be a literal hostname.
sudo yum install -y python2-certbot-apache
sudo certbot --apache
アプリの設定は .htaccess で
code:.htaccess
# setifempty > 2.4.6
# "Header setifempty" only exists in httpd newer than 2.4.6 (what CentOS 7
# ships), so the same effect is emulated in two steps: append an empty value
# so the header exists, then edit it only where the value is still empty
# ("^$"). Without "always" these apply to successful (2xx) responses only.
Header append X-Frame-Options ""
Header append X-XSS-Protection ""
Header append X-Content-Type-Options ""
Header append Referrer-Policy ""
Header edit X-Frame-Options "^$" "SAMEORIGIN"
# X-XSS-Protection is a legacy header that current browsers ignore; it is kept
# only for older clients.
Header edit X-XSS-Protection "^$" "1; mode=block"
Header edit X-Content-Type-Options "^$" "nosniff"
Header edit Referrer-Policy "^$" "same-origin"