LFCS - Installing and Managing Apache Web Server

Jarret B

A Web Server is an important service to have running in a business.

Whether the server will be accessed internally or externally, it is a beneficial tool for anyone.

In this article, we will install the service, configure the service, set up log files, set up a named virtual host, and restrict access to web pages. We will also set up a proxy and restrict access to it.

The first step in setting up a Web Server is installing the service.

Installing Apache

Not only are we going to install Apache, but we are also installing the manual for the Web Service. We will look later at how the manual can come in handy.

In a terminal, issue the command 'sudo yum install httpd httpd-manual -y'. This should get your Apache services to be installed on CentOS. For Ubuntu, use the command 'sudo apt install apache2 apache2-doc -y'.

After the packages have been installed, we can use the command 'systemctl status httpd' to check the service.

An Ubuntu system should automatically start the service and enable it, but on CentOS you need to start the service and enable it to start when the system is booted. Use the commands:

NOTE: For the rest of the article, I will refer to the service as 'httpd', but for those using Ubuntu, use 'apache2' instead for the service name.

systemctl start httpd
systemctl enable httpd


In addition to 'systemctl status httpd', you can use 'netstat -lnt' to check that Port 80 is open.

NOTE: Perform a 'sudo su' to go into an administrative mode with root privileges to perform the commands without needing 'sudo'.

For some tests, we will need to use a web browser. For Server1 and Server2, you can install a text-based browser, 'w3m'. For CentOS, you need the 'epel-release' repository enabled and use the command 'yum install w3m -y'. If using Ubuntu, use the command 'apt install w3m'. For Server2, I have installed a Graphical User Interface (GUI) and will be able to use a GUI Web Browser.

To test the Web Service, on Server1, use the command 'w3m http://127.0.0.1'. You should see a default page appear in the terminal and you know the service is working fine. You can open the server's IP Address in a GUI Browser on the network. The CentOS machine needs to have Port 80 unblocked with the command 'ufw allow 80/tcp'. When using 'w3m' press 'q' to quit the program.

Now that we have a basic Web Service running, we need to configure the service for a little more use.

Configure the Web Service

Every time we make a change in the configuration files for Apache, we can test the 'conf' files with the command 'apachectl configtest' on CentOS and Ubuntu. On Ubuntu, you can also use 'apache2 -t'.

CentOS stores all of the config files in the folder '/etc/httpd' and Ubuntu stores them in '/etc/apache2'. This folder is the Web Service's Server Root directory.

For CentOS, let's edit the file '/etc/httpd/conf/httpd.conf'. Search for a line with 'ServerName'. Once you find it, there should be a line you can uncomment, changing the Fully Qualified Domain Name (FQDN) as needed. Leave Port 80 at the end of the line though. For Ubuntu, there is no line with 'ServerName', so add it as 'ServerName "server1.example.com:80"' to the file '/etc/apache2/apache2.conf'. You'll find a line with 'HostnameLookups Off'; change this to 'On'. Also, uncomment the line 'ServerRoot "/etc/apache2"'. Another line to change is '#DefaultRuntimeDir ${APACHE_RUN_DIR}' to 'DefaultRuntimeDir "/etc/apache2"'.

Once you make a change, you need to restart the service 'systemctl restart httpd', but you can test the config files first as we did before.

You can test that everything still works by opening the website with the browser.

The page popping up may be getting old, so let's change it to something simple. For both Operating Systems (OS), the default web page is stored at '/var/www/html/index.html'. On CentOS, the file may not exist so create it. Enter the lines from below into the file. If you know HTML, make the page what you want.

<h1> This is the Apache Server for LFCS! </h1>
<h2> Please enjoy this and read more at Linux.org. </h2>


Save the file and open it in your browser.

Virtual Host

A Virtual Host is running a second website on the same machine. Of course, there can be more than two, we could make as many as we want, but for demonstration, we will only have the main website and a second one.

The second website will be named 'linux.example.com'.

We will create a file that will be loaded when Apache starts and that will set up the Virtual Host. For CentOS, the location is '/etc/httpd/conf.d/' and for Ubuntu, it is '/etc/apache2/sites-available/'. Make sure you are in the appropriate folder to edit a file named 'server1.conf'. The name can be any valid name; I am just using 'server1' since the main Virtual Host will be 'server1.example.com'. In the file place the lines:

<VirtualHost *:80>
ServerName "server1.example.com"
DocumentRoot "/var/www/html"
</VirtualHost>


You can perform a test of the configuration files and then restart the Web Service.

Now that we have configured our main Web Service, we can add a virtual host. Copy the 'server1.conf' to 'linux.conf' and edit the new file. Change the lines as follows:

<VirtualHost *:80>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
</VirtualHost>


If you perform a config test now, you will get an error that the folder '/var/www/linux' does not exist. Create the folder and try the test again.

We specified a different location for the base HTML files than for the main web server. Place a file in the new folder called 'index.html' and include something like the following:

<h1> Welcome to the new Linux Virtual Host </h1>
<p> ------------------------------------------------ </p>
<p> This is the new Virtual Host we created for linux.example.com. </p>


At this point, the Virtual Server cannot be resolved, but we can quickly add it to the '/etc/hosts' file as:

192.168.32.101 linux.example.com linux

Change your name and IP Address as needed.

Ubuntu requires an extra step. Run the command 'a2ensite linux', and change the name as needed. This creates a symbolic link for the Virtual Host. Just be sure to restart the 'apache2' service.

So, now we can create a Virtual Host. Let's look at restricting access to a location.

Restricting Access

Let's go back and edit the 'server1.conf' file on CentOS systems. Change the file to look like the following:

<VirtualHost *:80>
ServerName "server1.example.com"
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
AllowOverride none
</Directory>
<Location /status>
SetHandler server-status
</Location>
</VirtualHost>


Save the file, test it and restart the service.

You can now open the page 'server1.example.com/status' to see statistics about the Apache service.

For Ubuntu, just open the page 'server1.example.com/server-status'. On Ubuntu, this can be opened by the local host only. The ability is automatically enabled in the file '/etc/apache2/mods-enabled/status.conf'. There is a line that is 'Require local'. The line can be changed to include the subnet address to allow access by all systems on the subnet, as shown in 'Require ip 192.168.32.0/24'. Now, you should be able to access the status page from Server2.

NOTE: I mentioned earlier that you can access the Apache Documentation from a browser. Open the address 'server1.example.com/manual'.

For CentOS, we can edit the 'server1.conf' file and add a line below 'SetHandler server-status':

Require ip 127.0.0.1 192.168.32.0/24

Save the changes, test them, and restart the service. You can now check the Apache status from any system on the subnet. You can limit the access by changing the IP Addresses as needed.

There are other ways to restrict access though.

Restrict Access by Username

We can require a user who accesses a page to provide a username and password to get access.

Instead of looking at the 'server-status', let's look at the 'linux' Virtual Host we set up. We can set up a password file and let the server use it to verify users.

We need to edit the 'linux.conf' file. Under 'DocumentRoot', add:

<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthName "Linux Privileged Site"
AuthBasicProvider file
AuthUserFile "/etc/httpd/conf.d/linux"
</Directory>


For Ubuntu, the 'AuthUserFile' should be 'AuthUserFile "/etc/apache2/sites-available/linux"'. Also, change the filename as needed for the Virtual Host you created.

Save and exit the editor. Test the config files and restart the service as usual.

Now, we need to create the password file. Switch to the folder for the 'AuthUserFile' location and run the command 'htpasswd -c linux <username>'. Change 'linux' as you need, just make sure it's the same filename as specified in the config file. The '-c' parameter is only used for the first user added to the password file since it tells the command to create the file. After that, just run 'htpasswd linux <username>'. After entering the command, you will be prompted for a password and then you'll need to verify the password.

Once you have this all completed, open 'linux.example.com' and you should be prompted for a password.

NOTE: If you use Firefox, it will not ask for a password a second time, even if you do not save the password. To fix this, go to the address line and type in 'about:config'. Click on 'Accept the Risk and Continue'. In 'Search Preferences', type in 'keyword.enabled' and change its value to 'false'. Close Firefox and reopen it. Open 'linux.example.com' and you should be prompted for the password.

HTTPS

As well as using usernames and passwords, we can use a secure connection with certificates.

On CentOS, you need to run the command 'yum install mod_ssl' to get the SSL module installed for Apache. If you list the files in '/etc/httpd/conf.d/', there should be a file named 'ssl.conf' that was added.

We need to create the private and public keys. Use the command:

openssl req -new -nodes -x509 -keyout linux.key -out linux.crt

For both OS, the private key is 'linux.key' and the public certificate is 'linux.crt'. Run the command in the folder '/etc/httpd/conf.d' on CentOS and '/etc/apache2/sites-available' on Ubuntu.

After running it, you will be prompted for the Country Name, so enter yours and press Enter. The next prompt is for the State or Province name. Next, you will be asked for the Default Locality, then the Organization Name, Organization Unit Name, and Common Name. You can leave all entries blank and you only need to enter the Common Name. For our example, the Common Name is 'linux.example.com'. If you mess it up, rerun the command.

You need to remove privileges for all users, except root should have read permissions. Use the command 'chmod 400 linux.crt linux.key'. Use the command 'ls -l' to see that the permissions are read-only for the owner.
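The key generation and permission steps above, made repeatable and checked, as an added example that is not part of the original article. The '-subj' and '-days' options and the scratch directory are assumptions added here so the command runs without prompts and outside the real config folder.

```shell
#!/bin/sh
# Added example: non-interactive form of the article's openssl command, plus checks.

# make_cert DIR CN: writes DIR/linux.key (private key) and DIR/linux.crt (certificate).
# -subj answers the prompts; -days 365 is an assumption (openssl defaults to 30 days).
make_cert() {
    openssl req -new -nodes -x509 -days 365 -subj "/CN=$2" \
        -keyout "$1/linux.key" -out "$1/linux.crt" 2>/dev/null &&
    chmod 400 "$1/linux.key" "$1/linux.crt"
}

# key_matches_cert KEY CRT: true when the certificate carries the key's public half.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# owner_read_only FILE: true when the mode bits are exactly r-------- (chmod 400).
owner_read_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# check_pair DIR: one-line verdict for the key and certificate in DIR.
check_pair() {
    key_matches_cert "$1/linux.key" "$1/linux.crt" || { echo "MISMATCH"; return 1; }
    owner_read_only "$1/linux.key" || { echo "KEY-READABLE-BY-OTHERS"; return 1; }
    echo "OK"
}

dir=$(mktemp -d)    # scratch directory, not /etc/httpd/conf.d
make_cert "$dir" linux.example.com && check_pair "$dir"
rm -rf "$dir"
```

Running 'check_pair' against the real folder before restarting Apache catches a key that was regenerated without its certificate, which otherwise only shows up as a failed service start.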

For Ubuntu, there's nothing to install; it should all be there. The following instructions are for CentOS, and the Ubuntu instructions follow them.

Currently, we do not need the 'ssl.conf' file, so just move it to 'ssl.bak' or some other name, but do keep it in case you need it later.

Next, edit the 'linux.conf' file and make it look like:

<VirtualHost *:80>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthName "Linux Privileged Site"
AuthBasicProvider file
AuthUserFile "/etc/httpd/conf.d/linux"
</Directory>
</VirtualHost>
Listen 443
<VirtualHost *:443>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
SSLEngine on
SSLCertificateKeyFile "/etc/httpd/conf.d/linux.key"
SSLCertificateFile "/etc/httpd/conf.d/linux.crt"
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthName "Linux Privileged Site"
AuthBasicProvider file
AuthUserFile "/etc/httpd/conf.d/linux"
</Directory>
</VirtualHost>


You can see that we just copied the initial section and added it as an SSL section. This works fine on CentOS, but not for Ubuntu.

Save the files, perform a config test and restart the service. Once you connect to 'https://linux.example.com' with 'w3m', you will be asked to accept a self-signed certificate. Click 'y' for yes. You should be prompted for your username and password as before.

Now, for HTTPS on Ubuntu.

To enable SSL on Ubuntu, use the command 'a2enmod ssl'.

Next, edit the 'linux.conf' file and make it look like:

<VirtualHost *:80>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthName "Linux Privileged Site"
AuthBasicProvider file
AuthUserFile "/etc/apache2/sites-available/linux"
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
SSLEngine on
SSLCertificateKeyFile "/etc/apache2/sites-available/linux.key"
SSLCertificateFile "/etc/apache2/sites-available/linux.crt"
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthName "Linux Privileged Site"
AuthBasicProvider file
AuthUserFile "/etc/apache2/sites-available/linux"
</Directory>

</VirtualHost>

Save the file, exit the editor, test the config and restart the service. You should be able to connect to 'https://linux.example.com'.

From a GUI Browser, you'll get a warning about 'Warning: Potential Security Risk Ahead'. Click on 'Advanced', then click on 'Accept the Risk and Continue'. The certificate is self-signed, which causes this problem. You should then be prompted for your username and password.

You can see in Figure 1, that the connection is secured.

FIGURE 1

These procedures show how to enable SSL to perform HTTP Secured connections.
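In both 'linux.conf' listings the port 80 Virtual Host still asks for Basic credentials, which travel unencrypted on that port. The following added example (not part of the original article) scans a config file and reports every Virtual Host that uses 'AuthType Basic' without 'SSLEngine on'; the sample config is a shortened, constructed copy of the article's layout.

```shell
#!/bin/sh
# Added example: flag virtual hosts that ask for Basic credentials without TLS.

# Constructed sample: the two-vhost layout from the article, shortened.
sample_vhosts() {
cat <<'EOF'
<VirtualHost *:80>
ServerName "linux.example.com"
DocumentRoot "/var/www/linux"
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthUserFile "/etc/httpd/conf.d/linux"
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName "linux.example.com"
SSLEngine on
<Directory "/var/www/linux">
Require valid-user
AuthType Basic
AuthUserFile "/etc/httpd/conf.d/linux"
</Directory>
</VirtualHost>
EOF
}

# audit_basic_auth FILE: print "ServerName:port" for each vhost that has
# AuthType Basic but no SSLEngine on.
audit_basic_auth() {
    awk '
        { key = tolower($1) }
        key ~ /^<virtualhost/ {
            port = $2; sub(/.*:/, "", port); sub(/>.*/, "", port)
            name = "(unnamed)"; basic = 0; tls = 0
        }
        key == "servername" { name = $2; gsub(/"/, "", name) }
        key == "authtype"  && tolower($2) == "basic" { basic = 1 }
        key == "sslengine" && tolower($2) == "on"    { tls = 1 }
        key ~ /^<\/virtualhost/ && basic && !tls { print name ":" port }
    ' "$1"
}

conf=$(mktemp)
sample_vhosts > "$conf"
audit_basic_auth "$conf"
rm -f "$conf"
```

One common way to clear the finding is to replace the '<Directory>' block in the port 80 Virtual Host with 'Redirect permanent / https://linux.example.com/', so the password prompt only ever appears over HTTPS.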

Web Proxy

A Proxy is a server that is used as a pass-through. This means that if we want to access the Internet, we send requests to a central server that in turn gets the information and sends it back to the requester.

Let's say Server1 is a Proxy Server, which we will set up in a bit. A user is sitting at a system on the network named 'PC1'. The user opens a browser and goes to the website 'www.linux.org'. Now, 'PC1' will send a request for the page to 'Server1'. At that point, 'Server1' sends a request for the web page to the Internet. Once the page is returned, 'Server1' will send the page to 'PC1'. The user at 'PC1' will be shown the requested page.

Why should this be done in a business? Proxies allow a central location to be managed to lock out certain sites. There are many websites that employees should not be visiting during business hours. There is also the ability to scan any downloaded files for viruses.

So, how do we set up a Web Proxy Server? A good Web Proxy is Squid, so let's install it.

For CentOS, the command is 'yum install squid' and Ubuntu is 'apt install squid'.

Once installed, we are ready to configure the Proxy Server.

For both OS, we will be looking at the folder '/etc/squid'. The file is named 'squid.conf' and we need to edit the file.

After opening the file, you need to find the lines 'acl localnet src'. On Ubuntu, the lines are commented out, but on CentOS, the lines are enabled.

You need to uncomment the networks you want to access the Proxy Server on Ubuntu, but on CentOS, you should comment out the networks you do not want to use the Proxy.

There is also a list of Ports that are allowed to pass through the Proxy Server, such as HTTP, FTP, HTTPS and so on. You can not only limit networks but also ports.

At this point, the service needs to be started and enabled on CentOS:

systemctl start squid
systemctl enable squid


For Ubuntu, the service is already started and enabled, so just restart it:

systemctl restart squid

Next, you need to go to each system and perform the command:

sudo touch /etc/profile.d/http_proxy.sh

Edit the file and add the line:

export HTTP_PROXY=http://server1.example.com:3128

On Server1, you also need to open the port with the command:

ufw allow 3128/tcp

From Server2, you can open the site 'w3m http://server1.example.com'. To verify, on server1, perform the command 'cat /var/log/squid/access.log'. It should display access from the IP Address of Server2.
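Reading the whole log with 'cat' gets unwieldy quickly, so here is an added example (not part of the original article) that summarises a Squid access.log per client and marks clients outside the allowed network. It assumes Squid's default native log format; the sample lines and the addresses in them are constructed, and the prefix match only works for subnets that end on an octet boundary such as 192.168.32.0/24.

```shell
#!/bin/sh
# Added example: per-client summary of a Squid access.log (native log format:
# time elapsed client result/status bytes method URL user hierarchy type).

# Constructed sample lines; 192.168.32.102 stands in for Server2.
sample_log() {
cat <<'EOF'
1700000000.101     52 192.168.32.102 TCP_MISS/200 1830 GET http://server1.example.com/ - HIER_DIRECT/192.168.32.101 text/html
1700000003.440      3 192.168.32.102 TCP_MEM_HIT/200 1838 GET http://server1.example.com/ - HIER_NONE/- text/html
1700000009.012      0 10.0.0.7 TCP_DENIED/403 3912 GET http://www.linux.org/ - HIER_NONE/- text/html
1700000011.530      0 10.0.0.7 TCP_DENIED/403 3912 CONNECT www.linux.org:443 - HIER_NONE/- text/html
EOF
}

# proxy_clients LOG PREFIX: one line per client with request count, denied
# count, and whether the address starts with PREFIX (e.g. "192.168.32.").
proxy_clients() {
    awk -v net="$2" '
        NF >= 4 {
            ip = $3
            seen[ip]++
            if ($4 ~ /^TCP_DENIED/) denied[ip]++
        }
        END {
            for (ip in seen)
                printf "%s requests=%d denied=%d %s\n", ip, seen[ip], denied[ip] + 0,
                       (index(ip, net) == 1 ? "localnet" : "OUTSIDE")
        }
    ' "$1" | LC_ALL=C sort
}

log=$(mktemp)
sample_log > "$log"
proxy_clients "$log" "192.168.32."
rm -f "$log"
```

On Server1, run it as 'proxy_clients /var/log/squid/access.log "192.168.32."'; a client marked OUTSIDE with denied=0 means the 'acl localnet src' lines allow more networks than intended.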

Conclusion

Web Servers are very important since the Internet is widely used these days.

Knowing how to create and manage a Web Server is an important skill. Be sure to practice this quite a bit.