Next, Apache is installed and tuned for the kind of service it will offer (static content): unnecessary modules are removed, its parameters are adjusted to the content served, and the settings that affect the security of the web server are changed.
[root@server ~]# yum install httpd
[root@server ~]# cat /etc/httpd/conf/httpd.conf
...
# Remove the information about the server version
ServerTokens Prod
...
# Do not generate Expires/Cache-Control headers for the served content (mod_expires)
ExpiresActive Off
...
# Seconds before a receive or send times out
Timeout 20
...
# Do not allow persistent connections
KeepAlive Off
...
# prefork MPM
<IfModule prefork.c>
StartServers 50
MinSpareServers 35
MaxSpareServers 70
ServerLimit 512
MaxClients 512
MaxRequestsPerChild 4000
</IfModule>
...
# Name used by the server to identify itself
ServerName localhost
...
# Protect the root directory
<Directory />
Options -FollowSymLinks
Order deny,allow
Deny from all
</Directory>
# Default charset for all content served
AddDefaultCharset ISO-8859-15
...
In the configuration file, ISO-8859-15 is used as the charset the web server announces for its data. That is because the log files are not UTF-8 encoded: when the server announces UTF-8, Firefox displays their accented characters as garbage.
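Because a commented-out default or a later duplicate directive silently wins, it is worth checking the hardening above mechanically after every edit. The script below is an added example and not part of the original post: it audits an httpd.conf for the directives set above (ServerTokens, KeepAlive, Timeout, ExpiresActive and the Deny from all on <Directory />), taking the last active occurrence of each directive as Apache does. It assumes Apache 2.2 syntax, as in the post; the two sample configs it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an httpd.conf for the
# hardening directives set above. Assumes Apache 2.2 syntax (Order/Deny).
# The sample configs written to a temporary directory below are constructed.

# Print the active (non-comment, non-blank) lines of a config file, so that a
# commented-out "# ServerTokens OS" does not count as a setting.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1"
}

# check_directive FILE NAME WANT: print ok / weak / missing and return 0 only
# for ok. The last occurrence wins, which is how Apache resolves duplicates.
check_directive() {
    file=$1; name=$2; want=$3
    got=$(active_lines "$file" | awk -v n="$name" 'tolower($1) == tolower(n) { v = $2 } END { print v }')
    if [ -z "$got" ]; then
        echo missing; return 1
    elif [ "$got" = "$want" ]; then
        echo ok; return 0
    else
        echo weak; return 1
    fi
}

# root_dir_denied FILE: succeed only if <Directory /> contains "Deny from all",
# i.e. nothing outside an explicitly allowed directory can be served.
root_dir_denied() {
    active_lines "$1" | awk '
        tolower($1) == "<directory" && $2 == "/>"                { in_root = 1; next }
        tolower($1) == "</directory>"                            { in_root = 0 }
        in_root && tolower($1) == "deny" && tolower($3) == "all" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# audit_httpd_conf FILE: report every check; the return value is the number of
# failed checks, so 0 means the file matches the hardened settings.
audit_httpd_conf() {
    file=$1; fails=0
    for spec in "ServerTokens Prod" "KeepAlive Off" "Timeout 20" "ExpiresActive Off"; do
        set -- $spec
        status=$(check_directive "$file" "$1" "$2")
        printf '%-14s %s\n' "$1" "$status"
        [ "$status" = ok ] || fails=$((fails + 1))
    done
    if root_dir_denied "$file"; then
        printf '%-14s %s\n' '<Directory />' ok
    else
        printf '%-14s %s\n' '<Directory />' 'not denied'
        fails=$((fails + 1))
    fi
    return $fails
}

# Constructed samples: stock-looking defaults versus the settings from the post.
TMPD=$(mktemp -d)
WEAK_CONF=$TMPD/weak.conf
HARD_CONF=$TMPD/hard.conf
cat >"$WEAK_CONF" <<'EOF'
ServerTokens OS
KeepAlive On
Timeout 120
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
EOF
cat >"$HARD_CONF" <<'EOF'
# ServerTokens OS   (commented out: must not count)
ServerTokens Prod
ExpiresActive Off
Timeout 20
KeepAlive Off
<Directory />
    Options -FollowSymLinks
    Order deny,allow
    Deny from all
</Directory>
EOF

for f in "$WEAK_CONF" "$HARD_CONF"; do
    echo "== $f"
    if audit_httpd_conf "$f"; then
        echo "RESULT: hardened"
    else
        echo "RESULT: some checks failed"
    fi
done
```

Run it against the real file with `audit_httpd_conf /etc/httpd/conf/httpd.conf` after `service httpd configtest`; the return value makes it usable from a deployment script. The check only looks at the main file, so directives in conf.d/*.conf (such as the logserver virtual host) are not included.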
Make sure that welcome.conf contains the following lines, so that the content is indexed instead of the default welcome page being shown.
[root@server ~]# cat /etc/httpd/conf.d/welcome.conf
<LocationMatch "^/+$">
Options Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
Next, a virtual host is created to serve the log files.
[root@server ~]# cat /etc/httpd/conf.d/logserver.conf
NameVirtualHost 192.168.1.10:80
<VirtualHost 192.168.1.10:80>
ServerName server.local
DocumentRoot /mnt/shared/logs
ErrorLog /var/log/httpd/logserver-error_log
CustomLog /var/log/httpd/logserver-access_log common
<Directory "/mnt/shared/logs">
Options Indexes
AllowOverride None
EnableSendfile Off
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
It is worth highlighting the EnableSendfile directive (on by default), which lets Apache use the sendfile support in the Linux kernel: Apache does not read static files itself, the kernel hands them straight to the socket. But when Apache serves data from an NFS or Samba mount and a network outage occurs, the connection can be left in an unstable state, so in this case it is better to turn it off.
Now start Apache and make it start automatically at boot.
[root@server ~]# service httpd restart
[root@server ~]# chkconfig httpd on
In order to secure the web server, iptables will be configured with the following settings.
[root@server ~]# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport ssh -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport http -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
[root@server ~]# service iptables restart
[root@server ~]# chkconfig iptables on
Lastly, the log backup is scheduled through cron as an rsync task run every 15 minutes. Note that -a already implies -l, -t and -g, that -v makes cron mail the file list to root on every run, and that a source path without a trailing slash makes rsync create /backup/logs/nfs/nfs rather than copying the contents of nfs into /backup/logs/nfs.
[root@server ~]# yum install rsync
[root@server ~]# cat /etc/crontab
...
*/15 * * * * /usr/bin/rsync -altgvb /mnt/shared/logs/nfs /backup/logs/nfs
*/15 * * * * /usr/bin/rsync -altgvb /mnt/shared/logs/samba /backup/logs/samba
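A cron job every 15 minutes has no idea whether the previous copy has finished, and a read over a slow or hung NFS mount can easily take longer than that, so rsync processes pile up. The wrapper below is an added example, not part of the original post: it runs the two rsync jobs under a lock and exits with EX_TEMPFAIL (75) when the previous run is still active. The lock is a directory because mkdir is atomic; LOCKDIR, the install path in the crontab comment and the use of /tmp are assumed values chosen for the demonstration (use /var/lock in production).

```shell
#!/bin/sh
# Added example, not part of the original post: a cron wrapper for the rsync
# backup that refuses to start while the previous run is still copying, so a
# slow NFS read does not pile up overlapping rsync processes every 15 minutes.
# The lock is a directory because mkdir is atomic. LOCKDIR and the paths below
# are assumed values, not from the post (in production use /var/lock).

LOCKDIR=${LOCKDIR:-/tmp/logsync.lock}

# run_locked CMD [ARGS...]: run CMD under the lock. Returns CMD's status, or
# 75 (EX_TEMPFAIL) without running anything if another run holds the lock.
run_locked() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "logsync: previous run still active, skipping" >&2
        return 75
    fi
    # release the lock even if the shell is interrupted mid-copy
    trap 'rmdir "$LOCKDIR" 2>/dev/null' EXIT INT TERM
    "$@"
    rc=$?
    rmdir "$LOCKDIR" 2>/dev/null
    trap - EXIT INT TERM
    return $rc
}

# sync_logs: the two copies from the crontab. -a already implies -l, -t and
# -g; the trailing slash on the source copies the directory's contents rather
# than creating an extra nfs/nfs level under the backup root. -v is dropped so
# cron does not mail the file list to root four times an hour.
sync_logs() {
    rsync -ab /mnt/shared/logs/nfs/   /backup/logs/nfs/ &&
    rsync -ab /mnt/shared/logs/samba/ /backup/logs/samba/
}

# Crontab entry replacing the two lines above (assumed install path):
#   */15 * * * * /usr/local/sbin/logsync.sh run
if [ "${1-}" = run ]; then
    run_locked sync_logs
fi
```

If the machine crashes during a copy the lock directory survives the reboot and every later run reports "previous run still active"; remove it by hand or from an init script. The non-zero exit on a busy lock also means a stuck NFS mount shows up in cron's mail instead of silently accumulating processes.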