You're reading from Linux Networking Cookbook
One of the powerful things that Linux on servers allows you to do is to create scalable web applications with little to no software cost. We're going to discuss setting up web applications on Linux using Apache HTTPD and NGINX (pronounced Engine-X), securing those servers, and looking at some of the limitations on scaling.
Apache HTTPD, commonly referred to as just Apache, is the number one web server software in the world. As of November 2015, it is estimated to host roughly half of all websites live on the Internet. It was initially created as a set of patches to the NCSA HTTPD server in 1995; in fact, the name Apache was a play on the fact that it was "a patchy" server. These days Apache HTTPD is a very robust, flexible, and feature-packed web server option.
NGINX is a newer offering, with the initial release having come out in October of 2004. While less feature-rich than Apache, it can often handle a larger load while using less memory than Apache does. It can also be used...
These days, installing Apache with TLS is easier than ever, although the specific process can vary from distribution to distribution due to differences in configuration layout. Let's look at two of the current major examples.
Let's start installing and configuring on Ubuntu 14.04:
Install the package:
sudo apt-get install apache2
Enable the SSL modules and stock SSL configuration:
sudo a2enmod ssl
sudo a2ensite default-ssl
Add the appropriate SSL certs to the machine. The private key file should be delivered to /etc/ssl/private (on Ubuntu that directory is owned by root:ssl-cert and is not world-searchable; keep the key itself mode 0600, or 0640 root:ssl-cert, and never readable by the www-data user, since Apache reads it as root before dropping privileges), while the public certificate and relevant intermediate certs should be delivered to /etc/ssl/certs. Update the Apache configuration to point to the correct certs. Edit /etc/apache2/sites-enabled/default-ssl.conf in the editor of your choice and update the SSLCertificateFile and SSLCertificateKeyFile directives to point to your new cert and key. If your certificate was issued through an intermediate CA, which includes hosting your own internal CA, you'll want to uncomment SSLCertificateChainFile...
Apache 2 offers a variety of Multi-Processing Modules (MPMs) that define how the daemon handles concurrency. The default is typically prefork, a simple MPM that uses a separate process for each connection. Scaling can be improved by using the Worker MPM or the newer Event MPM, which use threads in addition to processes to improve performance; the trade-off is that every module loaded into the server must then be thread-safe.
Configuring the worker MPM on Ubuntu 14.04.
Ubuntu 14.04 uses the multi-threaded Event MPM by default, but installing a non-threadsafe module such as mod_php switches the server back to prefork automatically.
To determine which MPM is in use, execute a2query -M.
You may then swap out the existing MPM with:
sudo a2dismod mpm_$(a2query -M)
sudo a2enmod mpm_worker
sudo service apache2 restart
Do not do this while mod_php is enabled: on Ubuntu a2enmod refuses to enable a threaded MPM while php5 is enabled, because the PHP module declares a conflict with it. Disable the module or move PHP to a FastCGI process manager first.
PHP is a very common programming language to use with the Apache web server, largely due to its ease of use. Luckily this also means it is very easy to install on most distributions.
Setting up PHP on Ubuntu 14.04:
Install PHP's apache module:
sudo apt-get install libapache2-mod-php5
Ubuntu's package should enable the module by default, but you can check by running a2query -m php5. If it is not enabled, enable it with sudo a2enmod php5.
Setting up PHP on CentOS 7:
Install PHP, including the Apache module.
sudo yum install php
CentOS also enables the module by default. To confirm that it is installed, look for /etc/httpd/conf.modules.d/10-php.conf. If you have difficulties executing PHP code, you may need to restart the Apache service with service httpd restart.
Now that you're able to execute PHP code, you're also ready for people to attempt to exploit it. While PHP code can certainly be written securely, the language often appeals to new developers who have not yet learned secure coding practices. In that situation it can be helpful to have some additional protection in the form of a Web Application Firewall, keeping in mind that a WAF is a compensating control and not a substitute for fixing the code.
Mod_Security is an open source Web Application Firewall (WAF) for Apache. It is able to interpret full HTTP requests and responses in order to detect and block attempts at various HTTP attacks such as SQL injection, cross-site scripting and others. The module itself is only a rule engine; the detection logic comes from rules, and in practice that means the OWASP ModSecurity Core Rule Set, which needs to be enabled alongside it and tuned for false positives against your application.
The first thing you need to do is to install and enable the module in detection mode:
Installing on Ubuntu 14.04:
Install the package:
sudo apt-get install libapache2-mod-security2
Set up the mod_security configuration file (the recommended file ships with SecRuleEngine DetectionOnly, so the module logs what it would have blocked without blocking anything):
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Restart the service...
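Detection mode is only useful if you read what it logs before turning blocking on. The helpers below are an added example, not the book's code: one summarises the ModSecurity alerts that land in Apache's error log by rule id so you can separate false positives from real probes, the other flips SecRuleEngine in place once you are satisfied. The sample log lines are constructed to match the ModSecurity 2.x error_log format; the rule ids and messages in them are illustrative and not taken from any real rule set.

```shell
#!/bin/sh
# Added example (not from the book): run mod_security in detection mode,
# review what it would have blocked, then switch it to blocking.

# Flip SecRuleEngine in modsecurity.conf in place. Valid modes:
# DetectionOnly (log only), On (block), Off.
set_modsec_engine() {
    mode=$1; conf=$2
    case "$mode" in
        DetectionOnly|On|Off) ;;
        *) echo "set_modsec_engine: bad mode '$mode'" >&2; return 2 ;;
    esac
    sed -i "s/^SecRuleEngine .*/SecRuleEngine $mode/" "$conf"
    grep -q "^SecRuleEngine $mode\$" "$conf"
}

# Summarise ModSecurity alerts from the Apache error log as
# "count<TAB>rule id<TAB>msg", most frequent rule first. In DetectionOnly
# mode this is the list to triage before turning blocking on.
modsec_summary() {
    awk '/ModSecurity: / {
        if (!match($0, /\[id "[0-9]+"\]/)) next
        id = substr($0, RSTART + 5, RLENGTH - 7)
        msg = "-"
        if (match($0, /\[msg "[^"]*"\]/)) msg = substr($0, RSTART + 6, RLENGTH - 8)
        print id "\t" msg
    }' "$1" | sort | uniq -c | sort -rn |
    awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Constructed sample error_log lines in ModSecurity 2.x format. The rule ids
# (900101, 900102) and messages are made up for this example.
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Nov 23 10:01:02.123456 2015] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union\\s+select)" at ARGS:id. [file "/etc/modsecurity/local.conf"] [line "3"] [id "900101"] [msg "SQL injection probe"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "a1"]
[Mon Nov 23 10:01:05.223456 2015] [:error] [pid 1234] [client 203.0.113.5] ModSecurity: Warning. Pattern match "(?i:union\\s+select)" at ARGS:q. [file "/etc/modsecurity/local.conf"] [line "3"] [id "900101"] [msg "SQL injection probe"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "a2"]
[Mon Nov 23 10:02:10.323456 2015] [:error] [pid 1235] [client 198.51.100.7] ModSecurity: Warning. Pattern match "<script" at ARGS:name. [file "/etc/modsecurity/local.conf"] [line "4"] [id "900102"] [msg "Cross-site scripting probe"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/comment.php"] [unique_id "a3"]
EOF
}

# Typical use on Ubuntu 14.04 (as root), once the summary shows only real attacks:
#   modsec_summary /var/log/apache2/error.log
#   set_modsec_engine On /etc/modsecurity/modsecurity.conf && service apache2 restart
```

Rules that fire on legitimate traffic should be excluded or tuned (by id) before the switch to On; otherwise the first thing the WAF blocks will be your own users.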
While we've covered Apache's HTTPD server so far in this chapter, there are other options available on Linux platforms as well. One popular offering is nginx (pronounced engine-x), a lightweight, fast, event-driven server that handles many connections from a small number of worker processes rather than dedicating a process or thread to each one.
We're going to look at how to set it up as a TLS webserver.
Installing on Ubuntu 14.04:
Install the software:
sudo apt-get install nginx
Configure the server for TLS by uncommenting the HTTPS server section of /etc/nginx/sites-available/default and populating the ssl_certificate, ssl_certificate_key and ssl_ciphers directives. Note that nginx expects ssl_certificate to contain the server certificate followed by any intermediate certificates in a single file, and make sure ssl_protocols does not list SSLv3. Check the result with nginx -t, then restart the daemon:
sudo service nginx restart
On CentOS 7, nginx is not included in the default repos, but is available in the Extra Packages for Enterprise Linux (EPEL) repository.
Install the EPEL repo:
sudo yum install epel-release
Install the nginx package:
sudo yum install nginx
Configure the server for TLS by adding an https server section to /etc/nginx/nginx...
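The three directives the default file asks for are the minimum. The script below is an added example, not the book's configuration, that writes a complete TLS site for nginx 1.4 (the version on Ubuntu 14.04): a plain-HTTP server that redirects to HTTPS, TLS-only protocols, a cipher string that excludes anonymous suites, RC4 and MD5, session caching, and an HSTS header. The host name, certificate, key and document root are parameters; the site path and the reload command in the comment are assumptions for Ubuntu's layout.

```shell
#!/bin/sh
# Added example (not from the book): generate an nginx TLS server block with
# the settings a hardened site needs beyond ssl_certificate/_key/_ciphers,
# and syntax-check the configuration before reloading.

# write_tls_site OUTFILE HOSTNAME CERT KEY DOCROOT
write_tls_site() {
    out=$1; host=$2; cert=$3; key=$4; root=$5
    cat > "$out" <<EOF
# Redirect every plain-HTTP request to HTTPS.
server {
    listen 80;
    server_name $host;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $host;
    root $root;
    index index.html;

    # The cert file must hold the leaf cert followed by the intermediates.
    ssl_certificate     $cert;
    ssl_certificate_key $key;

    # TLS only: no SSLv2/SSLv3 (POODLE).
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Tell browsers to stay on HTTPS for six months.
    add_header Strict-Transport-Security "max-age=15768000";
}
EOF
}

# Syntax-check the live nginx configuration if nginx is installed;
# returns 0 when it is safe to reload.
nginx_config_ok() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not installed; skipping nginx -t" >&2; return 0; }
    nginx -t
}

# Example wiring for Ubuntu 14.04 (as root; paths assumed):
#   write_tls_site /etc/nginx/sites-available/default-tls www.example.com \
#       /etc/ssl/certs/www.example.com.pem /etc/ssl/private/www.example.com.key /usr/share/nginx/html
#   ln -sf /etc/nginx/sites-available/default-tls /etc/nginx/sites-enabled/default-tls
#   nginx_config_ok && service nginx reload
```

The cipher string is the usual openssl shorthand rather than a vetted list; if you need a specific ordering for older clients, spell it out explicitly and test it with openssl s_client.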
As we mentioned in an earlier chapter, linking a module into a multi-threaded HTTP server requires that the module's code be thread safe. Nginx sidesteps the problem entirely: it never loads interpreters into its worker processes, but talks to them over the FastCGI
protocol instead. This does not have quite the performance of the in-process approach, but it lets you limit exactly which requests reach the interpreter, and a crash in PHP does not take the web server process down with it.
Configuring on Ubuntu 14.04:
Install the PHP FastCGI wrapper:
sudo apt-get install php5-fpm
Modify PHP's configuration file to disable cgi.fix_pathinfo. With it enabled, PHP guesses which file a request was meant for: if /uploads/avatar.jpg/x.php does not exist, it walks back to /uploads/avatar.jpg and executes that as PHP, so any file a user can upload becomes executable code. Note that sed needs -i to edit the file in place rather than print to stdout:
sudo sed -i 's/.*cgi.fix_pathinfo=.*/cgi.fix_pathinfo=0/g' /etc/php5/fpm/php.ini
sudo service php5-fpm restart
Configure nginx to talk to the php5-fpm daemon within the relevant server definitions (the default site is /etc/nginx/sites-available/default); the try_files line is what stops nginx from handing a non-existent .php path to PHP in the first place:
location ~ \.php$ { try_files...
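The failure mode behind cgi.fix_pathinfo is easier to see than to describe. The following is an added example, not the book's code: resolve_fix_pathinfo emulates the lookup PHP performs when the setting is on, resolve_strict shows what `try_files $uri =404` does in front of it, disable_fix_pathinfo is the php.ini edit done in place with a check, and nginx_php_location emits a complete location block. The socket path in that block is Ubuntu 14.04's php5-fpm default and is an assumption to verify against the listen line in /etc/php5/fpm/pool.d/www.conf; the test document root and "image" file are constructed.

```shell
#!/bin/sh
# Added example (not from the book): what cgi.fix_pathinfo=1 lets an attacker
# do behind nginx, and the two settings that close it.

# Emulates PHP's lookup when cgi.fix_pathinfo=1: if SCRIPT_FILENAME does not
# exist, PHP strips trailing path components until it finds a file, runs that
# file and treats the remainder as PATH_INFO. Prints the file it would run.
resolve_fix_pathinfo() {
    root=$1; path=$2
    while [ -n "$path" ]; do
        if [ -f "$root$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
        next=${path%/*}
        [ "$next" = "$path" ] && break
        path=$next
    done
    return 1
}

# What nginx does first with `try_files $uri =404`: only a file that exists at
# exactly $uri is passed to php-fpm, so /uploads/avatar.jpg/x.php is a 404.
resolve_strict() {
    [ -f "$1$2" ] && printf '%s\n' "$2"
}

# Turn cgi.fix_pathinfo off in php.ini in place. The shipped file has the
# directive commented out, which means PHP's default of 1 applies.
disable_fix_pathinfo() {
    sed -i 's/^;\{0,1\}cgi\.fix_pathinfo *=.*/cgi.fix_pathinfo=0/' "$1"
    grep -q '^cgi\.fix_pathinfo=0$' "$1"
}

# The nginx location to pair with it. Socket path assumed from Ubuntu 14.04's
# php5-fpm pool config; adjust if your pool listens on TCP.
nginx_php_location() {
    cat <<'EOF'
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
EOF
}
```

Both controls belong together: try_files stops the bad path at nginx, and cgi.fix_pathinfo=0 makes PHP refuse to guess if some other location block ever forwards it anyway.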