{"id":1143,"date":"2014-08-11T21:02:04","date_gmt":"2014-08-11T19:02:04","guid":{"rendered":"http:\/\/blog.rabahi.net\/?page_id=1143"},"modified":"2016-12-25T11:59:24","modified_gmt":"2016-12-25T10:59:24","slug":"apache-security-survival-guide","status":"publish","type":"page","link":"https:\/\/blog.rabahi.net\/?page_id=1143","title":{"rendered":"Apache Security Survival Guide"},"content":{"rendered":"<div id=\"toc_container\" class=\"no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#How_to_enable_htaccess\"><span class=\"toc_number toc_depth_1\">1<\/span> How to enable .htaccess ?<\/a><\/li><li><a href=\"#How_to_configure_security\"><span class=\"toc_number toc_depth_1\">2<\/span> How to configure security?<\/a><ul><li><a href=\"#Using_htpasswd\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Using htpasswd<\/a><\/li><li><a href=\"#Using_LDAP\"><span class=\"toc_number toc_depth_2\">2.2<\/span> Using LDAP<\/a><\/li><\/ul><\/li><li><a href=\"#Apache_HTTP_Proxypass\"><span class=\"toc_number toc_depth_1\">3<\/span> Apache HTTP Proxypass<\/a><ul><li><a href=\"#Configuration\"><span class=\"toc_number toc_depth_2\">3.1<\/span> Configuration<\/a><\/li><li><a href=\"#Tests\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Tests<\/a><\/li><\/ul><\/li><li><a href=\"#Apache_HTTP_vhost\"><span class=\"toc_number toc_depth_1\">4<\/span> Apache HTTP vhost<\/a><ul><li><a href=\"#Configuration-2\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Configuration<\/a><\/li><li><a href=\"#Tests-2\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Tests<\/a><\/li><\/ul><\/li><li><a href=\"#Apache_HTTP_redirect\"><span class=\"toc_number toc_depth_1\">5<\/span> Apache HTTP redirect<\/a><ul><li><a href=\"#Configuration-3\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Configuration<\/a><\/li><li><a href=\"#Tests-3\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Tests<\/a><\/li><\/ul><\/li><li><a 
href=\"#Security_throw_htaccess\"><span class=\"toc_number toc_depth_1\">6<\/span> Security through .htaccess<\/a><ul><li><a href=\"#Using_ip\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Using ip<\/a><\/li><li><a href=\"#Listing_directory\"><span class=\"toc_number toc_depth_2\">6.2<\/span> Listing directory<\/a><\/li><li><a href=\"#Access-Control-Allow-Origin\"><span class=\"toc_number toc_depth_2\">6.3<\/span> Access-Control-Allow-Origin<\/a><\/li><li><a href=\"#Duplicate_content\"><span class=\"toc_number toc_depth_2\">6.4<\/span> Duplicate content<\/a><\/li><\/ul><\/li><\/ul><\/div>\n<h1><span id=\"How_to_enable_htaccess\">How to enable .htaccess ?<\/span><\/h1>\n<pre>\r\nIn httpd.conf, set AllowOverride to All\r\n<\/pre>\n<h1><span id=\"How_to_configure_security\">How to configure security?<\/span><\/h1>\n<h2><span id=\"Using_htpasswd\">Using htpasswd<\/span><\/h2>\n<pre lang=\"xml\">\r\n<Location \"\/\">\r\n    AuthBasicProvider file\r\n    AuthType Basic\r\n    AuthName \"Authorization required\"\r\n    AuthUserFile \/etc\/httpd\/passwd\r\n    Require valid-user\r\n<\/Location>\r\n<\/pre>\n<p>To create a password for user &#8216;myuser&#8217;:<\/p>\n<pre lang=\"bash\">\r\nhtpasswd -c \/etc\/httpd\/passwd myuser\r\n> New password: mypassword\r\n> Re-type new password: mypassword\r\n> Adding password for user myuser\r\n<\/pre>\n<h2><span id=\"Using_LDAP\">Using LDAP<\/span><\/h2>\n<p>You need to install mod_authnz_ldap.<br \/>\nThen add a Location directive:<\/p>\n<pre lang=\"xml\">\r\n<Location \"\/\">\r\n    AuthBasicProvider ldap\r\n    AuthType Basic\r\n    AuthName \"Authorization required\"\r\n    AuthzLDAPAuthoritative off\r\n    AuthLDAPURL \"ldaps:\/\/ldap.example.com\/dc=example,dc=com?uid?sub\"\r\n    AuthLDAPBindDN \"cn=myldaplogin,ou=someOU,dc=example,dc=com\"\r\n    AuthLDAPBindPassword \"myldappassword\"\r\n    Require valid-user\r\n<\/Location>\r\n<\/pre>\n<h1><span id=\"Apache_HTTP_Proxypass\">Apache HTTP 
Proxypass<\/span><\/h1>\n<h2><span id=\"Configuration\">Configuration<\/span><\/h2>\n<p>You can expose a local URL without exposing your whole HTTP server.<br \/>\nThat way, only the local URLs you choose are made public.<\/p>\n<ul>\n<li>First, open &#8220;httpd.conf&#8221;.<\/li>\n<li>Then, enable &#8220;mod_proxy&#8221; and &#8220;mod_proxy_http&#8221;.<\/li>\n<li>Finally, add the file \/etc\/httpd\/conf.d\/czproxyPass.conf with the following content:<\/li>\n<\/ul>\n<pre lang=\"xml\">\r\n  ## Virtual Hosts:\r\n  NameVirtualHost *:80\r\n\r\n  # My local application 1\r\n  <VirtualHost *:80>\r\n    ServerName myservername1.com\r\n    ProxyPreserveHost On\r\n    ProxyPass \/my-web-application1 http:\/\/localhost:8080\/my-web-application1\r\n    ProxyPassReverse \/my-web-application1 http:\/\/localhost:8080\/my-web-application1\r\n    RedirectMatch permanent ^\/$ \/my-web-application1\r\n  <\/VirtualHost>\r\n\r\n  # My local application 2\r\n  <VirtualHost *:80>\r\n    ServerName myservername2.com\r\n    ProxyPreserveHost On\r\n    ProxyPass \/my-web-application2 http:\/\/localhost:8080\/my-web-application2\r\n    ProxyPassReverse \/my-web-application2 http:\/\/localhost:8080\/my-web-application2\r\n    RedirectMatch permanent ^\/$ \/my-web-application2\r\n  <\/VirtualHost>\r\n<\/pre>\n<h2><span id=\"Tests\">Tests<\/span><\/h2>\n<p>Try to access:<\/p>\n<ul>\n<li>http:\/\/myservername1.com\/my-web-application1<\/li>\n<li>http:\/\/myservername1.com (you should be redirected to http:\/\/myservername1.com\/my-web-application1)<\/li>\n<li>http:\/\/myservername2.com\/my-web-application2<\/li>\n<li>http:\/\/myservername2.com (you should be redirected to http:\/\/myservername2.com\/my-web-application2)<\/li>\n<\/ul>\n<h1><span id=\"Apache_HTTP_vhost\">Apache HTTP vhost<\/span><\/h1>\n<p>You can have a single server with many directories that represent your applications.<br \/>\nTo mount them, you can use the vhost configuration.<\/p>\n<h2><span id=\"Configuration-2\">Configuration<\/span><\/h2>\n<pre 
lang=\"xml\">\r\nNameVirtualHost *:80\r\n\r\n#myservername1.com: \r\n<VirtualHost *:80>\r\nServerName myservername1.com\r\nDocumentRoot \/var\/www\/vhost\/myservername1.com\r\n<\/VirtualHost>\r\n\r\n#myservername2.com: \r\n<VirtualHost *:80>\r\nServerName myservername2.com\r\nDocumentRoot \/var\/www\/vhost\/myservername2.com\r\n<\/VirtualHost>\r\n<\/pre>\n<h2><span id=\"Tests-2\">Tests<\/span><\/h2>\n<p>Try to access:<\/p>\n<ul>\n<li>http:\/\/myservername1.com (you should see the content of \/var\/www\/vhost\/myservername1.com)<\/li>\n<li>http:\/\/myservername2.com (you should see the content of \/var\/www\/vhost\/myservername2.com)<\/li>\n<\/ul>\n<h1><span id=\"Apache_HTTP_redirect\">Apache HTTP redirect<\/span><\/h1>\n<p>For whatever reason, you have decided to move your website to a new URL.<br \/>\nYou do not want your users to have to change their favorites.<br \/>\nYou can redirect the old URLs to the new ones.<\/p>\n<h2><span id=\"Configuration-3\">Configuration<\/span><\/h2>\n<pre lang=\"xml\">\r\n#myservername1.com:  \r\n<VirtualHost *:80>\r\nServerName myservername1.com\r\nOptions +FollowSymlinks\r\nRewriteEngine On\r\nRedirectMatch permanent ^\/(.*)$ http:\/\/myNEWservername1.com\/$1\r\n<\/VirtualHost>\r\n\r\n#myservername2.com:  \r\n<VirtualHost *:80>\r\nServerName myservername2.com\r\nOptions +FollowSymlinks\r\nRewriteEngine On\r\nRedirectMatch permanent ^\/(.*)$ http:\/\/myNEWservername2.com\/$1\r\n<\/VirtualHost>\r\n<\/pre>\n<h2><span id=\"Tests-3\">Tests<\/span><\/h2>\n<p>Try to access:<\/p>\n<ul>\n<li>http:\/\/myservername1.com (you should be redirected to http:\/\/myNEWservername1.com)<\/li>\n<li>http:\/\/myservername1.com\/dir1\/dir2 (you should be redirected to http:\/\/myNEWservername1.com\/dir1\/dir2)<\/li>\n<li>http:\/\/myservername2.com (you should be redirected to http:\/\/myNEWservername2.com)<\/li>\n<li>http:\/\/myservername2.com\/dir1\/dir2 (you should be redirected to http:\/\/myNEWservername2.com\/dir1\/dir2)<\/li>\n<\/ul>\n<h1><span id=\"Security_throw_htaccess\">Security through 
.htaccess<\/span><\/h1>\n<h2><span id=\"Using_ip\">Using ip<\/span><\/h2>\n<pre lang=\"xml\">\r\nOrder Allow,Deny\r\nAllow from 11.22.33.44\r\n<\/pre>\n<h2><span id=\"Listing_directory\">Listing directory<\/span><\/h2>\n<p>To disable directory listing, set &#8220;-Indexes&#8221;. To enable it, set &#8220;+Indexes&#8221;.<\/p>\n<pre lang=\"xml\">\r\nOptions -Indexes\r\n<\/pre>\n<h2><span id=\"Access-Control-Allow-Origin\">Access-Control-Allow-Origin<\/span><\/h2>\n<p>If server MY-SERVER-A wants to use a resource on server MY-SERVER-B, you might run into a CORS (Cross-Origin Resource Sharing) issue.<br \/>\nOn server MY-SERVER-B, you need to add this line to the .htaccess:<\/p>\n<pre lang=\"xml\">\r\nHeader set Access-Control-Allow-Origin \"http:\/\/MY-SERVER-A\"\r\n<\/pre>\n<h2><span id=\"Duplicate_content\">Duplicate content<\/span><\/h2>\n<p>If you want to automatically redirect from HTTP to HTTPS, add this to your .htaccess:<\/p>\n<pre lang=\"xml\">\r\nRewriteEngine On\r\nRewriteCond %{HTTPS} off\r\nRewriteRule (.*) https:\/\/%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Contents1 How to enable .htaccess ?2 How to configure security?2.1 Using htpasswd2.2 Using LDAP3 Apache HTTP Proxypass3.1 Configuration3.2 Tests4 Apache HTTP vhost4.1 Configuration4.2 Tests5 Apache HTTP redirect5.1 Configuration5.2 Tests6 Security through .htaccess6.1 Using ip6.2 Listing directory6.3 Access-Control-Allow-Origin6.4 Duplicate content How to enable .htaccess ? In httpd.conf, update value to AllowOverride All How to configure security? 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":484,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"footnotes":""},"class_list":["post-1143","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1143","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1143"}],"version-history":[{"count":3,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1143\/revisions"}],"predecessor-version":[{"id":1827,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/1143\/revisions\/1827"}],"up":[{"embeddable":true,"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=\/wp\/v2\/pages\/484"}],"wp:attachment":[{"href":"https:\/\/blog.rabahi.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}