Apache HTTP Server

From David's Wiki
Revision as of 02:43, 24 December 2020 by David (talk | contribs) (→‎Access Control)

VirtualHost

A basic virtualhost looks like this:

<VirtualHost *:80>
  ServerName my_server.com
  ServerSignature Off
  DocumentRoot "/www/example2"
</VirtualHost>

Full VirtualHost

The following virtual host has an HTTPS redirect and uses a Let's Encrypt SSL certificate:

# contents of /etc/apache2/sites-available/davidl_me.conf
<VirtualHost *:80>
  ServerName www.davidl.me
  ServerAlias davidl.me
  ServerSignature Off

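  RewriteEngine on
  # On port 80 this condition is always true, so the rule below (a temporary
  # 302 redirect) handles every request.
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
  # Not reached while the rule above is present; on its own it would send a
  # permanent (301) redirect.
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]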
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName www.davidl.me
  ServerAlias davidl.me
  ServerSignature Off

  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/davidl_me/public

  ErrorLog ${APACHE_LOG_DIR}/davidlme_error.log
  CustomLog ${APACHE_LOG_DIR}/davidlme_access.log combined

  Include /etc/letsencrypt/options-ssl-apache.conf
  SSLCertificateFile /etc/letsencrypt/live/www.davidl.me/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/www.davidl.me/privkey.pem
</VirtualHost>
</IfModule>

<Directory /var/www/davidl_me/public>
  Options Indexes FollowSymLinks
  AllowOverride All
  Require all granted
</Directory>

Notes
  • You can have multiple server aliases in one line:
    E.g. ServerAlias cloud.davidl.me.local cloud.davidl.local

Compression

Redirects

Universal Redirect

RedirectMatch ^(.*)$ https://davidl.me/

HTTPS Redirect

<VirtualHost *:80>
  ServerName my_server.com
  ServerSignature Off

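  RewriteEngine on
  # The condition applies only to the first rule, which always matches on
  # port 80 and issues a temporary (302) redirect.
  RewriteCond %{HTTPS} !=on
  RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
  # Permanent (301) variant; not reached while the rule above is present.
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]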
</VirtualHost>

Proxying

mod_proxy documentation
mod_proxy_wstunnel documentation
General proxying to another server.
Note that this can be another service on the same machine (localhost), same network, or another network entirely.
This is useful when one entry point handles HTTPS on behalf of another service on the same PC that does not handle HTTPS itself.

Requirements
  • mod_proxy
  • mod_proxy_wstunnel for websockets

  RewriteEngine on
  RewriteCond %{HTTP:Upgrade} =websocket
  RewriteRule /(.*)     ws://192.168.1.99/$1  [P,L]
  RewriteCond %{HTTP:Upgrade} !=websocket
  RewriteRule /(.*)     http://192.168.1.99/$1 [P,L]
  ProxyPreserveHost On
  ProxyRequests Off
  ProxyPass / http://192.168.1.99:80/
  ProxyPassReverse / http://192.168.1.99:80/

  # Proxy websockets
  ProxyPass "/ws2/"  "ws://echo.websocket.org/"
  ProxyPass "/wss2/" "wss://echo.websocket.org/"

Notes
  • If you're proxying to an https URL (e.g. https://192.168.1.40/), you will need to add SSLProxyEngine on.
    • Furthermore, your https url will need to have a valid certificate for the domain you're proxying.

.htaccess

.htaccess allows modifying selected Apache configurations on a per-folder basis.
To enable this feature, add AllowOverride All to your apache.conf for the directories you want to allow .htaccess files.

Headers

Enable mod_headers with sudo a2enmod headers.
Then you can add headers to your virtualhost:

<VirtualHost *:80>
  #...

  # Asks search engines (Google) not to index the site
  Header set X-Robots-Tag: noindex
</VirtualHost>

Access Control

See Access Control.
See Require directives.

Access restrictions can be placed in .htaccess files or config files.
They should always be placed within a directory or location element.

To only allow LAN access on a specific virtualhost:

<VirtualHost *:80>
  #...
  <Location />
    Require ip 192.168.1.1/24
  </Location>
</VirtualHost>

Common restrictions:

  • Require all granted and Require all denied
  • Require local: localhost only

Note
  • Allow, Deny, and Order are deprecated. They still work but you shouldn't add them to new code.
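
The two rules in this section (restrictions belong inside a directory or location element, and Allow, Deny, and Order are deprecated) can be checked mechanically over a server config file. The following Python check is an added example, not part of the original wiki page; the function name audit_access_control, the SAMPLE config and the set of containers it accepts are assumptions made for illustration.

```python
import re

# Containers this example accepts as "a directory or location element"
# (an assumption of the example; .htaccess files need no container).
SCOPED = {"directory", "directorymatch", "location", "locationmatch",
          "files", "filesmatch"}
# Apache 2.2-style directives that the page lists as deprecated.
LEGACY = {"order", "allow", "deny"}
TAG = re.compile(r"<(/?)\s*([A-Za-z]+)")


def audit_access_control(config_text):
    """Return [(line_number, message)] for a server config file."""
    findings, stack = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = TAG.match(line)
        if tag:
            closing, name = tag.group(1), tag.group(2).lower()
            if not closing:
                stack.append(name)          # entering a container
            elif name in stack:
                while stack.pop() != name:  # tolerate unbalanced inner tags
                    pass
            continue
        directive = line.split()[0].lower()
        if directive in LEGACY:
            findings.append((lineno, f"deprecated directive: {line}"))
        elif directive == "require" and not SCOPED.intersection(stack):
            findings.append((lineno, f"Require outside a container: {line}"))
    return findings


# Constructed sample: one misplaced Require and a 2.2-style block.
SAMPLE = """\
<VirtualHost *:80>
  Require ip 192.168.1.1/24
  <Location />
    Require ip 192.168.1.1/24
  </Location>
  <Directory /var/www/html>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
  </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for lineno, message in audit_access_control(SAMPLE):
        print(f"line {lineno}: {message}")
```

The check only reads directive names and container nesting; it does not replace apachectl configtest, which validates the full syntax.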

HTTP2

Guide
Test website