Initial configuration required from installation of Apache on CentOS to startup
Publication date: December 8, 2020
summary
This section describes the initial setup procedure required from the installation of Apache on CentOS to the startup of Apache.
The versions are as follows.
Item | Version |
---|---|
CentOS Version | 7.6 (1810) |
Apache Version | 2.4.6 |
1. install
This section describes the setup of Apache from installation to startup.
1-1. Apache Installation
Perform the Apache installation using the yum command.
[username@hostname ~]$ su -
[root@hostname ~]# yum -y install httpd
1-2. Startup confirmation (http access)
First, simply check that Apache can be accessed. Once Apache (httpd) has been installed with the yum command, the apachectl command is available, so use it to start Apache.
[root@hostname ~]# apachectl start
[root@hostname ~]# apachectl status
* httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2020-12-06 17:08:12 JST; 1s ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 1303 (httpd)
Status: "Processing requests..."
CGroup: /system.slice/httpd.service
|-1303 /usr/sbin/httpd -DFOREGROUND
|-1304 /usr/sbin/httpd -DFOREGROUND
|-1305 /usr/sbin/httpd -DFOREGROUND
|-1306 /usr/sbin/httpd -DFOREGROUND
|-1307 /usr/sbin/httpd -DFOREGROUND
`-1308 /usr/sbin/httpd -DFOREGROUND
Dec 06 17:08:11 localhost.localdomain systemd[1]: Starting The Apache HTTP Server...
Dec 06 17:08:12 localhost.localdomain httpd[1303]: AH00558: httpd: Could not reliably determ...ge
Dec 06 17:08:12 localhost.localdomain systemd[1]: Started The Apache HTTP Server.
Hint: Some lines were ellipsized, use -l to show in full.
If the "apachectl status" command returns "Active: active (running)", the system has started successfully.
Next, to access Apache from a browser, allow http in the firewall, because the default firewall configuration of CentOS7 (iptables for CentOS6 and earlier) only allows ssh access. Allow https here as well. Also add the "--permanent" option to make the settings permanent.
[root@hostname ~]# firewall-cmd --permanent --add-service=http
[root@hostname ~]# firewall-cmd --permanent --add-service=https
[root@hostname ~]# firewall-cmd --reload
[root@hostname ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client http https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
If "http" and "https" are added to "services", it is OK. Access the site from a browser. In my case, the IP address of the server is 192.168.50.10, so I access "http://192.168.50.10". It is OK if the following page is displayed.
Once the system is successfully started, stop it.
[root@hostname ~]# apachectl stop
2. basic setting
2-1. Create log file output folder
To manage logs under /var/log/, create an httpd directory under /var/log/ as a folder for Apache logs.
Set the permissions to 755, so that Apache can write but other users can only read. If other users could write, the logs could be tampered with.
"mkdir /var/log/httpd" is unnecessary if a directory with the same name already exists.
[root@hostname ~]# mkdir /var/log/httpd
[root@hostname ~]# chmod 755 /var/log/httpd
A later step changes the Apache log output destination setting.
This step only creates the folder in which the logs will be stored.
2-2. Domain Settings
Modify the domain settings listed in httpd.conf. Apache settings are basically consolidated in httpd.conf, so if you want to change the settings, modify httpd.conf. Domain settings are not required for local environments (not open to the public on the Internet).
[root@hostname ~]# vi /etc/httpd/conf/httpd.conf
Uncomment the ServerName setting to enable it. Set the domain name to match your environment.
#ServerName www.example.com:80
ServerName domainname:80
2-3. Activate SSL modules and configuration files
Enable SSL to allow access over https. SSL settings affect SEO, and http is poor for security in the first place, so use https unless you have to use http.
Install the ssl module with yum.
[root@hostname ~]# yum -y install mod_ssl
When you install with yum, the ssl module is automatically enabled, so you only need to install it. A configuration file is also automatically created. (/etc/httpd/conf.d/ssl.conf is automatically created.)
2-4. Change log output path
Change the destination of the Apache log output to the log file output folder created earlier. Only the ssl configuration file is changed, because a subsequent step configures the server to be accessed only via ssl (https).
[root@hostname ~]# vi /etc/httpd/conf.d/ssl.conf
Before:
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
~omission~
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
After:
ErrorLog /var/log/httpd/ssl_error_log
TransferLog /var/log/httpd/ssl_access_log
~omission~
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
The above modification changes the log output destination to the "/var/log/httpd" directory.
"%t", "%h" and so on are log format directives. The following is a list of frequently used formats for reference.
【reference】
・%T:Time taken to process request (seconds)
・%h:Client hostname or IP address, attempting to resolve hostname only if HostnameLookups is set to On
・%r:First line of the request
・%b:The number of bytes in the response (excluding HTTP headers), in CLF format, i.e. a "-" when no bytes were sent
・%D:Time taken to process request (microseconds)
・%>s:HTTP Status
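The request log format above puts the negotiated protocol and cipher in fixed positions, which makes the log easy to audit. The following is an added example, not part of the original article: the log lines are constructed and the function names are this example's own. It lists clients that negotiated a protocol older than TLSv1.2 and sums the %b column.

```bash
#!/usr/bin/env bash
# Added example: audit ssl_request_log lines written with the format
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# Constructed sample lines (not taken from a real server).
sample_log() {
cat <<'EOF'
[06/Dec/2020:17:20:01 +0900] 192.168.50.20 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET / HTTP/1.1" 4897
[06/Dec/2020:17:20:05 +0900] 192.168.50.21 TLSv1 AES128-SHA "GET /index.html HTTP/1.1" 4897
[06/Dec/2020:17:21:10 +0900] 192.168.50.20 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /favicon.ico HTTP/1.1" 209
[06/Dec/2020:17:22:42 +0900] 192.168.50.22 TLSv1.1 ECDHE-RSA-AES128-SHA "POST /login HTTP/1.1" -
EOF
}

# legacy_tls_clients: reads log lines on stdin and prints "host protocol count"
# for every client that negotiated SSLv3, TLSv1 or TLSv1.1.
# %t contains a space, so the fields are: $1 $2 = %t, $3 = %h,
# $4 = SSL_PROTOCOL, $5 = SSL_CIPHER.
legacy_tls_clients() {
  awk '$4 ~ /^(SSLv3|TLSv1|TLSv1\.1)$/ { n[$3 " " $4]++ }
       END { for (k in n) print k, n[k] }' | sort
}

# total_bytes: sums the last field (%b), counting the CLF "-" as 0.
total_bytes() {
  awk '{ b = $NF; if (b == "-") b = 0; sum += b } END { print sum + 0 }'
}

# Demo run on the constructed sample.
sample_log | legacy_tls_clients
echo "bytes sent: $(sample_log | total_bytes)"
```

On a real server, feed the functions from the log file instead, for example `legacy_tls_clients < /var/log/httpd/ssl_request_log`.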
2-5. SSL Certificate Creation
This is the procedure for creating a certificate. A self-signed certificate is fine for private use. For public servers, do not use a self-signed certificate.
In terms of encryption, there is no difference between a regular certificate and a self-signed certificate. The difference is whether a third party can judge the certificate to be reliable. (With a self-signed certificate, the bar in the URL will be red.) So, for servers that are to be made public (servers that are viewed by third parties), issue a regular certificate.
The default certificate settings for Apache are "/etc/pki/tls/certs/localhost.crt" and "/etc/pki/tls/private/localhost.key".
"SSLCertificateFile" and "SSLCertificateKeyFile" in "/etc/httpd/conf.d/ssl.conf" show these settings.
【For self-signed certificates】
To create a self-signed certificate, execute the following commands as the root user.
When you run "openssl req -new -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.csr", you will be asked several questions, all of which can be answered by pressing Enter. The questions are about who is issuing the certificate (what country they live in, what their email address is, etc.). If you want to issue a regular certificate, enter the correct information.
[root@hostname ~]# openssl genrsa > /etc/pki/tls/private/localhost.key
[root@hostname ~]# openssl req -new -key /etc/pki/tls/private/localhost.key > /etc/pki/tls/certs/localhost.csr
[root@hostname ~]# openssl x509 -req -signkey /etc/pki/tls/private/localhost.key < /etc/pki/tls/certs/localhost.csr > /etc/pki/tls/certs/localhost.crt
【For regular certificates】
To create a regular certificate, execute the following commands as the root user.
[root@hostname ~]# openssl genrsa -out /etc/pki/tls/private/localhost.key 2048
[root@hostname ~]# openssl req -new -key /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.csr
In the case of a regular certificate, this alone does not complete the process. The created "localhost.csr" must be handed to a certification authority to have a server certificate issued, and the issued server certificate must then be installed.
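Before starting Apache it is worth confirming that the certificate and key that ssl.conf points to belong together, that the key is not readable by other users, and how long the certificate remains valid. The following is an added example, not from the original article: the function names are its own, and it builds a throwaway pair in a temporary directory with the same three openssl steps as the self-signed procedure instead of touching /etc/pki. It assumes GNU stat, as shipped with CentOS.

```bash
#!/usr/bin/env bash
# Added example; function names are its own, not part of Apache or OpenSSL.

# cert_matches_key CERT KEY
# Succeeds only when certificate and private key carry the same public key.
cert_matches_key() {
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)" || return 2
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null)" || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# key_is_private KEY
# Succeeds when the key file grants nothing to group or others (600, 400).
key_is_private() {
  case "$(stat -c '%a' "$1")" in
    ?00) return 0 ;;
    *)   return 1 ;;
  esac
}

# cert_valid_for_days CERT DAYS
# Succeeds when the certificate is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# make_demo_pair DIR
# Constructed test data: builds localhost.key/.csr/.crt in DIR with the same
# three openssl steps as the self-signed procedure; /etc/pki is not touched.
make_demo_pair() {
  ( umask 077
    openssl genrsa -out "$1/localhost.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/localhost.key" -subj "/CN=localhost" \
      -out "$1/localhost.csr" &&
    openssl x509 -req -signkey "$1/localhost.key" \
      -in "$1/localhost.csr" -out "$1/localhost.crt" 2>/dev/null )
}

# Demo run against the throwaway pair.
if command -v openssl >/dev/null 2>&1; then
  demo_dir="$(mktemp -d)"
  if make_demo_pair "$demo_dir" &&
     cert_matches_key "$demo_dir/localhost.crt" "$demo_dir/localhost.key"; then
    echo "certificate and key match"
  fi
  rm -rf "$demo_dir"
fi
```

Because the "openssl x509 -req" step is run without -days, the certificate is valid for OpenSSL's default of 30 days, so cert_valid_for_days succeeds for 7 and fails for 60.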
2-6. always-on SSL
Access over http is not good for security, so add a setting that redirects to https when a request comes in via http.
Although it is possible to prohibit access via http altogether, a redirect is recommended for usability reasons.
[root@hostname ~]# vi /etc/httpd/conf/httpd.conf
Add the following at the end of the file.
<IfModule rewrite_module>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
With this setting, requests that come in over http are redirected to https.
The "RewriteCond %{HTTPS} off" line states that the rule does not apply to requests that come in over https.
Remember to include this condition, because without it https requests would be redirected as well, resulting in an endless loop.
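The rule builds the redirect target from %{HTTP_HOST}, which Apache takes from the request's Host header, so it is worth verifying both the status code and the exact Location value once the server is running. The following is an added example, not part of the original article: check_redirect is this example's own helper and the response headers are constructed.

```bash
#!/usr/bin/env bash
# Added example: validate the response to a plain-http request against the
# redirect rule above. check_redirect is this example's own helper.

# check_redirect EXPECTED_HOST EXPECTED_PATH < response-headers
# Prints "ok" and returns 0 when the response is a 301 whose Location is
# exactly https://EXPECTED_HOST + EXPECTED_PATH; otherwise prints the reason
# and returns 1. Typical input: curl -sI http://192.168.50.10/index.html
check_redirect() {
  tr -d '\r' | awk -v want="https://$1$2" '
    /^HTTP\//                  { status = $2 }   # status line
    tolower($1) == "location:" { loc = $2 }      # header names ignore case
    END {
      if (status != "301")       { print "status is " status ", expected 301"; exit 1 }
      if (loc !~ /^https:\/\//)  { print "Location is not https: " loc; exit 1 }
      if (loc != want)           { print "Location " loc " differs from " want; exit 1 }
      print "ok"
    }'
}

# Constructed response headers of the kind the rule is expected to produce.
sample_response() {
  printf 'HTTP/1.1 301 Moved Permanently\r\n'
  printf 'Date: Sun, 06 Dec 2020 08:30:00 GMT\r\n'
  printf 'Server: Apache/2.4.6 (CentOS)\r\n'
  printf 'Location: https://192.168.50.10/index.html\r\n'
  printf 'Content-Type: text/html; charset=iso-8859-1\r\n\r\n'
}

# Demo run on the constructed response.
sample_response | check_redirect 192.168.50.10 /index.html
```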
2-7. Startup confirmation (https access)
Now that the various settings are complete, check to see if the site can be accessed via https. First, start the system.
[root@hostname ~]# apachectl start
Access the site from a browser in the same way as for http access. In my case, the IP address of the server is 192.168.50.10, so I access "http://192.168.50.10".
The URL changes from "http://192.168.50.10" to "https://192.168.50.10" because the http redirect setting is in place.
Now that Apache has started successfully, stop it.
[root@hostname ~]# apachectl stop
2-8. Automatic startup setting
Lastly, although it is not required, it is a pain to have to start Apache every time the server is restarted, so use the systemctl command to start Apache automatically when the server starts. If you are not using CentOS7, you will need to use the service command instead.
Create the "apache.service" file and enter the necessary settings.
[root@hostname ~]# touch /etc/systemd/system/apache.service
[root@hostname ~]# vi /etc/systemd/system/apache.service
Enter the following contents.
[Unit]
#Description.
Description=Apache
#Control before and after execution
#Before=xxx.service
#After=xxx.service
[Service]
#User and group designation
User=root
Group=root
#Once activated, set the status to Activated.
Type=oneshot
RemainAfterExit=yes
#Start, stop, reload
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl restart
[Install]
#runlevel3 equivalent setting
WantedBy=multi-user.target
After writing the file, register it with the systemctl command.
[root@hostname ~]# systemctl enable apache
[root@hostname ~]# systemctl is-enabled apache
enabled
[root@hostname ~]# systemctl list-unit-files --type=service | grep apache
apache.service enabled
[root@hostname ~]# systemctl daemon-reload
3. summary
We have described the initial configuration required when Apache is installed.
Apache basically works to some extent with the default settings, but when you actually customize it, refer to the log output destination settings and SSL settings described here, which you should change when you operate the system.
Thank you for taking the time to read this to the end.