diff --git a/reveal/httpd.html b/reveal/httpd.html
index 6eb329c..604c130 100644
--- a/reveal/httpd.html
+++ b/reveal/httpd.html
@@ -46,77 +46,107 @@
+# apt install apache2-mpm-itk \
+ libapache2-mod-evasive apachetop libwww-perl
+
+ /etc/apache2/ -|-- apache2.conf -| `-- ports.conf -|-- mods-enabled -| |-- *.load -| `-- *.conf -|-- conf-enabled -| `-- *.conf -`-- sites-enabled - `-- *.conf +├── apache2.conf +├── conf-available +│ └── *.conf +├── conf-enabled +│ └── *.conf -> ../conf-available/*.conf +├── envvars +├── magic +├── mods-available +│ ├── *.conf +│ └── *.load +├── mods-enabled +│ ├── *.conf -> ../mods-available/*.conf +│ └── *.load -> ../mods-available/*.load +├── ports.conf +├── sites-available +│ └── *.conf +└── sites-enabled + └── *.conf -> ../sites-available/*.conf ++
+ # a2enmod rewrite expires headers rewrite cgi
+
+
+ ServerTokens Prod
+ Timeout 10
+ KeepAliveTimeout 2
+ MaxKeepAliveRequests 10
+ ServerLimit 250
+ #MaxClients 250
+ MaxRequestWorkers 250
+ StartServers 50
+ MinSpareServers 20
+ MaxSpareServers 30
+ MaxRequestsPerChild 100
+
+ AllowOverride None
+ Require all granted
+
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+
+
+ # grep umask /etc/apache2/envvars
umask 007
+
+
+<VirtualHost *:80>
ServerName www.example.com
ServerAlias example.com
DocumentRoot /home/example/www/
-
+ <Directory /home/example/www/>
Options SymLinksIfOwnerMatch
AllowOverride AuthConfig Limit FileInfo Indexes
-
-
- ScriptAlias /cgi-foo /usr/lib/cgi-bin/
-
- Options ExecCGI -MultiViews
- AllowOverride None
-
- AuthType Basic
- AuthName "Restricted"
- AuthUserFile /home/example/.htpasswd
- require valid-user
-
- Deny from all
- Include ipaddr_whitelist.conf
- Allow from 192.0.2.43
- Satisfy any
-
+ </Directory>
AssignUserID www-example example
MaxClientsVHost 150
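Review bot: The added `SSLProtocol all -SSLv2 -SSLv3` at L25 still leaves TLS 1.0 and 1.1 enabled, and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4` at L26 keeps MEDIUM-strength suites (3DES among them) on a slide presented as hardening. Tightening both is a two-line change: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`. The same `SSLProtocol` line reappears as context in the ssl vhost hunk (L106), so the slide should be updated there as well if the two are meant to agree.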
@@ -129,45 +159,92 @@ Exemple d’un VirtualHost basé sur un nom de domaine via /etc/apache2/sites-av
UseCanonicalName On
RewriteCond %{HTTP_HOST} !^www.example.com$
RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]
+</VirtualHost>
+
-
# adduser example
# adduser --ingroup example www-example
-# mkdir /home/example/{www,log,awstats} && chown example: /home/example/{www,log,awstats}
+# mkdir /home/example/{www,log,awstats}
+# chown example: /home/example/{www,log,awstats}
# a2ensite example
+
+
# chmod 750 /home/example
+
+
# echo "umask 027" >> /etc/profile
# find /home/example -type f -user www-example -exec chmod 660 {} \;
# find /home/example -type d -user www-example -exec chmod 770 {} \;
+
+ Ne jamais forcer les droits
récursivement sur toute l’arborescence.
Si la restriction en écriture pour Apache est impossible :
+
# a2enmod ssl
+
+
+# openssl req -newkey rsa:2048 -sha256 -nodes \
+ -keyout private.key -out demande.csr
+# openssl x509 -req -days 3650 -sha256 -in demande.csr \
+ -signkey private.key -out certificate.crt
+# mv private.key /etc/ssl/private/
+# chown root:ssl-cert /etc/ssl/private/private.key
+# chmod 640 /etc/ssl/private/private.key
+# mv certificate.crt /etc/ssl/certs
+# chown root:root /etc/ssl/certs/certificate.crt
+# chmod 644 /etc/ssl/certs/certificate.crt
+
+
+<VirtualHost *:80 *:443>
ServerName secure.example.com
ServerAlias www.example.com example.com
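Review bot: The new `<VirtualHost *:80 *:443>` at L102 binds one vhost to both the plain and the TLS port; if that vhost also carries `SSLEngine on` (the directive is outside this hunk), it applies to the :80 listener too and plain-HTTP requests there would be answered by a TLS endpoint, so it is worth checking that the HTTPS redirect at L113 is not undermined. The usual layout is a separate `<VirtualHost *:80>` holding only the `RewriteCond %{HTTPS}` redirect, with the SSL directives confined to `<VirtualHost *:443>`. Separately, the self-signed certificate generated at L90–93 is valid for ten years and carries no subjectAltName, which current browsers require; adding `-addext "subjectAltName=DNS:secure.example.com"` to the `openssl req` line, or noting on the slide that this is a lab-only certificate, would avoid a misleading example.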
@@ -175,16 +252,19 @@ ssl
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateKeyFile /etc/ssl/private/private.key
SSLCertificateFile /etc/ssl/certs/certificate.crt
- #SSLCertificateChainFile /etc/ssl/certs/certificates_chain.pem
+ # SSLCertificateChainFile /etc/ssl/certs/certificates_chain.pem
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R=permanent]
-
CustomLog log/global_access.log vhost_combined
CustomLog log/access.log combined
@@ -192,18 +272,24 @@ SetEnvIf User-Agent "Foo" dontlog
CustomLog log/access.log combined env=!dontlog
ErrorLog log/error.log
+
+
+ AuthType Basic
+ AuthName "Restricted"
+ AuthUserFile /foo/.htpasswd
+ AuthGroupFile /dev/null
+ require valid-user
+
+
RedirectPermanent / http://new.example.com
RedirectMatch ^/(.*)$ http://new.example.com/$1
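Review bot: The Basic authentication block added at L122–126 sends credentials base64-encoded on every request, so it should only be reachable over TLS; adding `SSLRequireSSL` next to `require valid-user`, or placing the block in the :443 vhost, makes that explicit. The `<Location>`/`<Directory>` container enclosing these directives is not visible in the hunk, so whether the auth applies to a single path or the whole vhost cannot be confirmed here. The placeholder `AuthUserFile /foo/.htpasswd` should at least be kept outside the `DocumentRoot` shown earlier on the page, as the L50 example (`/home/example/.htpasswd`) already did.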
@@ -222,55 +308,102 @@ RewriteRule ^/FoO.tXt /sub/ [L,R,NC]
# empêcher des requêtes POST sur une URL particulière
RewriteCond %{REQUEST_METHOD} POST
RewriteRule ^/foo.txt [L,F]
+
+Limite les accès, notamment les dénis de service
+
+<IfModule mod_evasive20.c>
+ DOSHashTableSize 3097
+ DOSPageCount 5
+ DOSSiteCount 30
+ DOSPageInterval 3
+ DOSSiteInterval 1
+ DOSBlockingPeriod 60
+ DOSEmailNotify security@example.com
+</IfModule>
+
+
+ $ apachetop -f access.log -T 3600 -q
+
+
+<IfModule mod_status.c>
+ ExtendedStatus On
+ <Location /server-status-XXXX>
SetHandler server-status
Deny from all
Include ipaddr_whitelist.conf
Allow from 192.0.2.43
Allow from 127.0.0.1
-