The Apache web server is the most popular and powerful web server in the world. It is also one of the most secure web servers in the world. The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems, including UNIX and Windows. The main goal is to provide a secure, efficient and extensible server that provides HTTP services in sync with the current HTTP standards.
The Apache HTTP Server ("httpd") was launched in 1995 and it has been the most used web server on the Internet since April 1996. It celebrated its 21st birthday as a project in February 2016 and in 2009, it became the first web server application to serve more than 100 million websites. The Apache HTTP Server is a project of The Apache Software Foundation. When Apache is running, its process name is sometimes httpd, which is short for "HTTP daemon."
Apache supports compiled modules that extend the core functionality of the web server, ranging from server-side programming language support to authentication schemes. The language interfaces support Perl, Python, Tcl, and PHP. Authentication modules include mod_access, mod_auth, mod_digest, and mod_auth_digest, the successor to mod_digest. Other features include Secure Sockets Layer and Transport Layer Security support (mod_ssl), a proxy module (mod_proxy), a URL rewriting module (mod_rewrite), custom log files (mod_log_config), and filtering support (mod_include and mod_ext_filter).
It also supports compression methods which include the external extension module, mod_gzip, implemented to help with reduction of the size (weight) of Web pages served over HTTP. ModSecurity is an open source intrusion detection and prevention engine for Web applications. The logs can be analyzed through a Web browser using free scripts, such as AWStats/W3Perl or Visitors.
It has many additional features such as configurable error messages, DBMS-based authentication databases, and content negotiation. It is also supported by several graphical user interfaces (GUIs).
In this tutorial, we'll learn how to set up the Apache web server and how to secure it with SSL on CentOS 7.
- A server running CentOS v. 7
- A static IP Address for your server
- A non-root user account with sudo privilege set up on your server
Let's start by making sure that your CentOS 7 server is fully up to date. You can update your server by running the following command:
sudo yum update -y
Install the Apache Web Server
This section will talk you through the process of preparing your server for Apache, setting up Apache, and testing the installation in Centos-7.
You can install Apache by running the following command:
sudo yum install httpd -y
By default SELinux is enabled in CentOS 7. It is recommended to disable it first. You can disable SELinux by editing the /etc/selinux/config file:
sudo nano /etc/selinux/config
Change the line from SELINUX=enforcing to SELINUX=disabled
Save and close the file, then restart your machine for the changes to take effect.
Allow Apache Through the Firewall
Next, you will need to allow the default Apache port 80 (HTTP) and 443 (HTTPS) using FirewallD. You can do this by running the following commands:
sudo firewall-cmd --permanent --add-port=80/tcp
sudo firewall-cmd --permanent --add-port=443/tcp
Reload the firewall service for the changes to take effect.
sudo firewall-cmd --reload
Create a Test Page
In CentOS7, the default Apache DocumentRoot path is /var/www/html/. However, there is no index.html file in this directory. You will need to create one.
sudo nano /var/www/html/index.html
Add the following content:
<title>Welcome to Apache</title>
<h1>Apache Web server is running</h1>
Save and close the file, then start the Apache service so that it serves the new page:
sudo systemctl start httpd
You can configure the Apache service to start on boot by running the following command:
sudo systemctl enable httpd
Now, open your favourite web browser and type the URL http://server-ip-address. You should see the following page:
Configure Apache to Support SSL
SSL (the Secure Sockets Layer protocol) was created by Netscape to secure transactions between web servers and browsers.
SSL is an essential part of creating a secure Apache site. SSL certificates allow you to encrypt all the traffic sent to and from your Apache web site, which prevents others from viewing that traffic. SSL uses public key cryptography to establish a secure connection. This means that anything encrypted with a public key (the SSL certificate) can only be decrypted with the private key.
A self-signed certificate is signed by its owner. It is generally used for testing local servers and development environments. Although self-signed certificates provide the same level of security between website and browser, most web browsers will always display a security alert saying that the website certificate is self-signed and cannot be trusted, as it is not signed by a certificate authority.
Commercial certificates are issued by a trusted certificate authority. Signed certificates are mostly used in production environments.
In order to set up the self-signed certificate, you will need to install the mod_ssl Apache module on your system.
You can install mod_ssl by running the following command:
sudo yum install mod_ssl
Generate a Self-signed Certificate
First, you need to generate a 2048-bit RSA private key, ca.key.
You can do this by running the following command:
sudo openssl genrsa -out ca.key 2048
You should see the following output:
Generating RSA private key, 2048 bit long modulus
...............+++
....+++
e is 65537 (0x10001)
Then generate the certificate signing request ca.csr using the following command.
sudo openssl req -new -key ca.key -out ca.csr
Fill in all required information as shown below:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Hitesh Jethva
Locality Name (eg, city) [Default City]:Ahmedabad
Organization Name (eg, company) [Default Company Ltd]:Hostpresto
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:Hitesh
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Finally, generate a self-signed X.509 certificate, ca.crt, valid for 365 days.
sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
You should see the following output:
Signature ok
subject=/C=IN/ST=Hitesh Jethva/L=Ahmedabad/O=Hostpresto/OU=IT/CN=Hitesh/emailAddress=firstname.lastname@example.org
Getting Private key
After creating the certificate, you need to copy all of the certificate files to the necessary directories.
You can do this by running the following commands:
sudo cp ca.crt /etc/pki/tls/certs/
sudo cp ca.key /etc/pki/tls/private/
sudo cp ca.csr /etc/pki/tls/private/
Configure Apache to use the SSL Certificate
Now, all the certificates are ready. The next thing to do is to set up Apache to use the new certificate and key.
You can do this by editing the SSL config file:
sudo nano /etc/httpd/conf.d/ssl.conf
Find the section that begins with <VirtualHost _default_:443>. Uncomment the DocumentRoot and ServerName lines and replace example.com with your server's IP address. Next, find the SSLCertificateFile and SSLCertificateKeyFile lines and update them with the new location of the certificate and key.
DocumentRoot "/var/www/html"
ServerName server-ip-address:443

SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
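Before restarting Apache, it is worth confirming that the two files named in ssl.conf belong together, that the private key is readable only by its owner, and that the certificate is not about to expire. The script below is an added example, not part of the original tutorial; the function names are hypothetical, and it runs against a throwaway key, certificate and config that it generates in a temporary directory.

```bash
#!/bin/bash
# Added example: check the certificate/key pair that an ssl.conf points at.

# Print the value of the first uncommented DIRECTIVE in an Apache config file.
conf_value() {  # usage: conf_value FILE DIRECTIVE
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Succeed only if the certificate's public key is the key's public half.
pair_matches() {  # usage: pair_matches CERT KEY
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the key file grants nothing to group or other (e.g. 0600).
key_is_private() {  # usage: key_is_private KEY
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print "ok" or the first problem found for the pair named in CONF.
check_pair() {  # usage: check_pair CONF
    cert=$(conf_value "$1" SSLCertificateFile)
    key=$(conf_value "$1" SSLCertificateKeyFile)
    { [ -r "$cert" ] && [ -r "$key" ]; } || { echo missing-file; return 1; }
    pair_matches "$cert" "$key" || { echo key-cert-mismatch; return 1; }
    key_is_private "$key" || { echo key-readable-by-others; return 1; }
    openssl x509 -noout -checkend $((30 * 86400)) -in "$cert" >/dev/null ||
        { echo expires-within-30-days; return 1; }
    echo ok
}

# Constructed sample: throwaway key, certificate and config in a temp directory.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo.invalid" \
    -keyout "$demo/ca.key" -out "$demo/ca.crt" 2>/dev/null
chmod 600 "$demo/ca.key"
printf '%s\n' '#ServerName www.example.com:443' 'SSLEngine on' \
    "SSLCertificateFile $demo/ca.crt" \
    "SSLCertificateKeyFile $demo/ca.key" > "$demo/ssl.conf"
check_pair "$demo/ssl.conf"   # ok
```

On the server, the same check would be run with root privileges as `check_pair /etc/httpd/conf.d/ssl.conf`.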
After making these changes, restart the Apache service for the changes to take effect.
sudo systemctl restart httpd
Test Apache (HTTPS) Server
To verify that the secure Apache HTTPS web server is working, open your web browser and type the URL https://server-ip-address. An error should appear in your browser, and you must manually accept the certificate. The error message shows up because we are using a self-signed certificate instead of a certificate signed by a certificate authority that the browser trusts, so the browser is unable to verify the identity of the server that you are trying to connect to. Once you add an exception to the browser's identity verification, you should see the test page for your newly secured site.
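The same warning can be reproduced and explained from the command line. The script below is an added example, not part of the original tutorial: it reports why a client distrusts a certificate and shows that the certificate verifies once it is supplied explicitly as a trust anchor. The function names, file names and the address 192.0.2.10 are assumptions, the certificates are constructed samples, and the -addext option assumes OpenSSL 1.1.1 or later.

```bash
#!/bin/bash
# Added example: why a client distrusts a certificate, and how to pin it instead.

# Print the reasons a client connecting to IP address ADDR would reject CERT.
cert_problems() {  # usage: cert_problems CERT ADDR
    subject=$(openssl x509 -noout -subject -in "$1")
    issuer=$(openssl x509 -noout -issuer -in "$1")
    reasons=
    # Self-signed: issuer and subject are the same name, so no CA vouches for it.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] && reasons=self-signed
    # OpenSSL's -checkip matches only subjectAltName IP entries, not the CN.
    if openssl x509 -noout -checkip "$2" -in "$1" | grep -q 'NOT match'; then
        reasons="${reasons:+$reasons,}name-mismatch"
    fi
    echo "${reasons:-none}"
}

# Verify CERT with the default trust store, plus PIN as a trust anchor if given.
verifies() {  # usage: verifies CERT [PIN]
    if [ -n "$2" ]; then openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else openssl verify "$1" >/dev/null 2>&1; fi
}

# Constructed samples in a temp directory; 192.0.2.10 is a documentation address.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
# 1: subject as entered in the tutorial (CN=Hitesh), no subjectAltName.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Hitesh" \
    -keyout "$d/a.key" -out "$d/a.crt" 2>/dev/null
# 2: same subject plus a subjectAltName for the address clients connect to.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Hitesh" \
    -addext "subjectAltName=IP:192.0.2.10" \
    -keyout "$d/b.key" -out "$d/b.crt" 2>/dev/null

cert_problems "$d/a.crt" 192.0.2.10          # self-signed,name-mismatch
cert_problems "$d/b.crt" 192.0.2.10          # self-signed
verifies "$d/b.crt" || echo "default trust store: rejected"
verifies "$d/b.crt" "$d/b.crt" && echo "pinned as trust anchor: accepted"
```

A test client can use the same pin instead of a click-through exception, for example by passing the server's ca.crt to `curl --cacert`.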
In this tutorial, you learned how to install the Apache web server on CentOS 7 and how to secure it with SSL. If you want to host a public site with SSL support, then you need to purchase an SSL certificate from a trusted certificate authority.