Apache2 Configuration

The first time I tried Apache, I didn't really care about security or configuration tuning, because it runs fine right off the bat: just drop your website in /www and you're live. Since my site is exposed now, I've decided to compile some of my configurations to avoid mistakes in the future if I ever try to run it again. I was mainly confused by Virtual Hosts, but it didn't take long to figure them out, because the Apache documentation is amazing. Let's start with installation: either use apt-get, or download it from here if you want new or beta releases.

Installation

As on any other Ubuntu environment, use apt-get to download and install Apache2.

Otherwise:

Initial Configuration

Edit the ports you want your server to listen on, and don't forget to back up your config files first:

Comment out the whole SSL section if you don't use it, and leave the rest intact. If you're hosting only one website, you can drop all its files into the /var/www directory and you are set.

If the machine's root directory is exposed through the website, disable browsing it. Edit apache2.conf if you're running Debian/Ubuntu, otherwise httpd.conf:

And add:

Adding Virtual Hosts

If you own a few websites or domains, you should probably use Virtual Hosts: a way of hosting multiple websites for multiple domains on one machine. To add this functionality, you need to create files that represent your websites in the /etc/apache2/sites-available directory. Adding .htaccess files all over your site is bad practice (if you have root access), so you will also add the browsing rules in these files as well.

Obviously, change example.com to your own domain name. Depending on what language your website is written in, you may add or remove index file types under DirectoryIndex. Everything in this file must remain between the VirtualHost tags.

Now that the general options are set, insert these lines. -Indexes stops people from browsing your directories, -MultiViews disables automatic extension guessing (content negotiation), and the rest are pretty much default settings.

To secure your cgi-bin directory insert:

This way you don't need to place CGI scripts inside the website's root, and you avoid revealing their source code.

If you want to change the error pages, such as 404 Not Found, add these lines:

And put the error pages in the /var/www/www.example.com/htdocs/errorpages directory. Lastly, insert these to enable logging:

If you have separate users managing different websites, then change the permissions:

Now that everything is set, you need to enable your virtual host:

And disable the default one:

301 Permanent Redirect

If you want to permanently redirect one domain to another, create a new file:

And append:

When redirecting the whole site (domain), pay attention to the '/' between RedirectPermanent and the new site's link. If you want to redirect just a part of the old site, add a .htaccess file to that directory with one of the following lines inside it:

And don't forget to:

Stop Hotlinking

Hotlinking is when one site steals bandwidth from another by linking directly to an image, video or any other file. This can be stopped by allowing access to these files only when the request comes from trusted domains, which Apache decides from the Referer header. Keep in mind that the Referer is supplied by the client and is often empty (direct visits, privacy settings), so allow empty referers and treat this as a bandwidth measure, not as access control. Open up apache2.conf (or httpd.conf if running something other than Debian/Ubuntu):

Add:

Add any other file types you want to protect to the FilesMatch pattern. To test whether it works, visit altlab.com.

Server-status

If you want to track the current connections to your server, you can use a small Apache module called 'mod_status'. To enable it, add the following lines to the virtual host configuration file or to apache2.conf/httpd.conf:

I also included 'Allow from 192.168.1.0/24' to allow access only from the LAN subnet; you can add this to any <Directory> configuration and use any other IP address, subnet or domain.

Now just navigate to example.com/server-status and you're set.
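A complete site file that pulls together the pieces from the Virtual Hosts section (directory options, cgi-bin outside the document root, error pages, logging) and the LAN-restricted status page from this section. This is an added example, not the post's own file; the paths, log names and the 192.168.1.0/24 subnet are assumptions, and it uses the Apache 2.2 Order/Allow syntax the post uses.

```apache
# /etc/apache2/sites-available/www.example.com (example path, assumed)
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/www.example.com/htdocs
    DirectoryIndex index.html index.php

    # Document root: -Indexes blocks directory listings, -MultiViews stops
    # content negotiation from guessing extensions, AllowOverride None
    # makes Apache ignore any .htaccess dropped into the tree.
    <Directory /var/www/www.example.com/htdocs>
        Options -Indexes -MultiViews +FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # CGI scripts live outside the document root, so a misconfiguration
    # can never serve their source as a plain file.
    ScriptAlias /cgi-bin/ /var/www/www.example.com/cgi-bin/
    <Directory /var/www/www.example.com/cgi-bin>
        Options +ExecCGI -Indexes -MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    # Custom error pages, served from htdocs/errorpages
    ErrorDocument 403 /errorpages/403.html
    ErrorDocument 404 /errorpages/404.html
    ErrorDocument 500 /errorpages/500.html

    # Per-site logs (file names assumed)
    ErrorLog /var/log/apache2/www.example.com-error.log
    LogLevel warn
    CustomLog /var/log/apache2/www.example.com-access.log combined

    # mod_status, reachable only from the LAN subnet. On Apache 2.4 replace
    # the Order/Deny/Allow lines with: Require ip 192.168.1.0/24
    <Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Location>
</VirtualHost>
```

Check the result with `apache2ctl configtest` before enabling the site, since a syntax error in a site file stops the whole server from reloading.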
