Securing Apache - Debian/Ubuntu

Step 2b - Apache Website Configuration for HTTP & HTTPS

Creating the Apache Website Files for HTTP & HTTPS

There are a number of considerations you will have to account for in the HTTPS configuration file. A great guide for options and other considerations

Creating the HTTP Web site file

Change every EXAMPLE (shown in blue) to whatever is appropriate for your needs

nano /etc/apache2/sites-available/EXAMPLE_com.conf

<VirtualHost *:80>
    ServerName EXAMPLE.com
    ServerAlias www.EXAMPLE.com
    DocumentRoot /var/www/html/EXAMPLE
    DirectoryIndex index.html
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Save and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)

Creating the HTTPS Web site file

Change every EXAMPLE (shown in blue) to whatever is appropriate for your needs

nano /etc/apache2/sites-available/EXAMPLE_com_ssl.conf

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin host@EXAMPLE.com    <--- Change this to the administrator email address for your domain
        ServerName EXAMPLE.com    <--- Change this to the web site name you want to use
        ServerAlias www.EXAMPLE.com    <--- Change this to www or add any other alias for the site
        DocumentRoot /var/www/html/EXAMPLE    <--- Change this to the directory where the web site files are located
        DirectoryIndex index.html    <--- Change this if you wish to have another name for the default page
        LogLevel info ssl:warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile        /etc/apache2/ssl/www_EXAMPLE_com.crt    <--- Change this to the self-signed or the Certificate Authority signed certificate
        SSLCertificateKeyFile /etc/apache2/ssl/rsa_EXAMPLE.key    <--- Change this to the key you generated for the site (rsa_EXAMPLE.key or ec_EXAMPLE.key, matching the certificate); the key file must be readable by root only
        SSLCertificateChainFile /etc/apache2/ssl/EXAMPLE_CA.crt    <--- Change this to the Certificate Authority chain file you created (deprecated since Apache 2.4.8; the chain may instead be appended to the SSLCertificateFile)
        SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl/
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
        #SSLVerifyClient require
        #SSLVerifyDepth 10
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        <Directory />        <--- Protect our system files. If you do not add this locally, you can add it globally (all sites) in the next section, Step 2c
                Require all denied
                AllowOverride None
                Options None
        </Directory>


        <Directory /var/www/html/EXAMPLE/>    <--- Change to the directory where the web site files are located; the complete block is shown in the example below

Inside this block, enter the options for what the server may and may not do in the directory (optional per-directory permissions; the available options are listed below the example).

Prefix an option with the (-) sign to disable it and with the (+) sign to enable it.

Example:

        <Directory /var/www/html/EXAMPLE>
              Options +Includes -Indexes -ExecCGI +FollowSymLinks       <--- Enables Server Side Includes (SSI), disables directory indexing, disables execution of CGI scripts and enables following symlinks
              AllowOverride None
              IndexIgnore *.mp3       <--- Hide certain file types from public view if listing is allowed - requires Indexes
              Require all granted      <--- Use "Require ip 10.10.0.0/24" to only allow certain networks (Order/Allow/Deny are Apache 2.2 directives; do not mix them with Require on Apache 2.4)
        </Directory>

Options All – All options are enabled (except MultiViews). If you do not specify an Options directive, this is the default value.      <--- Never use!!!
Options ExecCGI – Execute CGI scripts (uses mod_cgi)
Options FollowSymLinks – If there are symbolic links in this directory, they will be followed.
Options Includes – Allow server side includes (uses mod_include)
Options IncludesNOEXEC – Allow server side includes without the ability to execute a command or CGI script.
Options Indexes – Enable directory listing when no index file (DirectoryIndex) is present; use -Indexes to disable it, as in the example above
Options MultiViews – Allow content negotiated multiviews (uses mod_negotiation)
Options SymLinksIfOwnerMatch – Similar to FollowSymLinks, but a link is only followed when the link and its target have the same owner.

(Optional)

Protecting our content from being displayed on someone else's website (think twice about this before implementing it: on Internet-facing systems, probably not; on intranet systems, probably. The Referer header is sent by the client, so this only discourages hotlinking, it does not enforce anything.)

    SetEnvIf Referer "^https://EXAMPLE\.com/" local_referal     <--- Marks requests that come from our own pages; add a line for every name the site answers to (for example www.EXAMPLE.com), otherwise requests via the alias are blocked
    SetEnvIf Referer "^$" local_referal     <--- Also accept requests with no Referer at all (direct visits, bookmarks, privacy settings that strip the header)

Protect the directories you desire    <--- The directories holding the content you do not want displayed on someone else's website

        <Directory "/var/www/html/EXAMPLE/images">
                Require env local_referal
        </Directory>

        <Directory "/var/www/html/EXAMPLE/documents">
                Require env local_referal
        </Directory>

...................
    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Save and exit the file

ctrl + o   (Save)
ctrl + x   (Exit)