Next, Apache is installed and tuned for the kind of service it will offer (static data): unnecessary modules are removed, Apache's parameters are adjusted to the content served, and the variables that affect the security of the web server are modified.
[root@server ~]# yum install httpd
[root@server ~]# cat /etc/httpd/conf/httpd.conf
...
# Remove the information about the server version
ServerTokens Prod
...
# Do not cache the web pages
ExpiresActive Off
...
# Number of seconds to wait on receives and sends before timing out
Timeout 20
...
# Do not allow persistent connections
KeepAlive Off
...
# prefork MPM
<IfModule prefork.c>
    StartServers          50
    MinSpareServers       35
    MaxSpareServers       70
    ServerLimit          512
    MaxClients           512
    MaxRequestsPerChild 4000
</IfModule>
...
# Name used by the server to identify itself
ServerName localhost
...
# Protect the root directory
<Directory />
    Options -FollowSymLinks
    Order deny,allow
    Deny from all
</Directory>
# Default charset for all content served
AddDefaultCharset ISO-8859-15
...
In the configuration file, note that ISO-8859-15 is used as the charset for the data served by the web server. That is because, with UTF-8, Firefox displays accented characters as strange characters.
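As an added example (not part of the original article), the shell functions below report where an httpd.conf deviates from the values set above: ServerTokens, Timeout, KeepAlive and the deny-all rule on <Directory />. The function names and the sample file are assumptions made for the illustration, and the root-directory check also accepts the Apache 2.4 form "Require all denied", which goes beyond the 2.2 syntax shown on this page.

```shell
#!/usr/bin/env bash
# Added example: report drift from the httpd.conf values set in this guide.

# Last top-level value of a directive (names are case-insensitive, last wins);
# comments and lines inside <Section> containers are skipped.
directive_value() {
    awk -v want="$2" '
        $1 ~ /^#/   { next }
        $1 ~ /^<\// { depth--; next }
        $1 ~ /^</   { depth++; next }
        depth == 0 && tolower($1) == want { val = tolower($2) }
        END { print val }' "$1"
}

# Succeeds when <Directory /> contains "Deny from all" (2.2 syntax, as on this
# page) or "Require all denied" (2.4 syntax). Later Allow lines are not evaluated.
root_dir_denied() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "<directory" && ($2 == "/>" || $2 == "\"/\">") { inroot = 1; next }
        tolower($1) == "</directory>" { inroot = 0 }
        inroot && tolower($1 " " $2 " " $3) == "deny from all"      { ok = 1 }
        inroot && tolower($1 " " $2 " " $3) == "require all denied" { ok = 1 }
        END { exit !ok }' "$1"
}

# Prints one line per deviation and returns the number of deviations.
audit_httpd_conf() {
    local conf="$1" n=0 v
    v=$(directive_value "$conf" servertokens)
    case $v in
        prod|productonly) ;;
        *) echo "ServerTokens=${v:-unset}: version details in banner"; n=$((n+1)) ;;
    esac
    v=$(directive_value "$conf" timeout)
    case $v in ''|*[!0-9]*) v=unset ;; esac
    if [ "$v" = unset ] || [ "$v" -gt 20 ]; then echo "Timeout=$v: above the 20 s used here"; n=$((n+1)); fi
    v=$(directive_value "$conf" keepalive)
    [ "$v" = off ] || { echo "KeepAlive=${v:-unset}: persistent connections allowed"; n=$((n+1)); }
    root_dir_denied "$conf" || { echo "<Directory />: no deny-all rule"; n=$((n+1)); }
    return "$n"
}

# Constructed sample (not a real server's file): a config without the tuning above.
sample=$(mktemp)
printf '%s\n' 'ServerTokens OS' 'Timeout 60' 'KeepAlive On' \
    '<Directory />' '    Options FollowSymLinks' '    AllowOverride None' '</Directory>' > "$sample"
audit_httpd_conf "$sample" || echo "deviations: $?"
rm -f "$sample"
```

On a real host the function would be pointed at /etc/httpd/conf/httpd.conf; only top-level directives in that one file are examined, so included files need their own pass.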
Make sure that the welcome.conf file contains the following lines, so that the content is indexed instead of the welcome page being shown.
[root@server ~]# cat /etc/httpd/conf.d/welcome.conf
<LocationMatch "^/+$">
    Options Indexes
    ErrorDocument 403 /error/noindex.html
</LocationMatch>
Finally, a virtual host will be created in order to serve the log files.
[root@server ~]# cat /etc/httpd/conf.d/logserver.conf
NameVirtualHost 192.168.1.10:80
<VirtualHost 192.168.1.10:80>
    ServerName server.local
    DocumentRoot /mnt/shared/logs
    ErrorLog /var/log/httpd/logserver-error_log
    CustomLog /var/log/httpd/logserver-access_log common
    <Directory "/mnt/shared/logs">
        Options Indexes
        AllowOverride None
        EnableSendfile Off
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
It is important to highlight the EnableSendfile directive (enabled by default), which allows Apache to use the sendfile support included in the Linux kernel. With this feature, Apache does not read the static files itself; the kernel delivers them directly. However, when Apache serves data from NFS or Samba and network outages take place, the connection can end up in an unstable state, so in this case it is much better to deactivate it.
Now start Apache and make it start automatically when the machine boots.
[root@server ~]# service httpd restart
[root@server ~]# chkconfig httpd on
In order to secure the web server, iptables will be configured with the following settings.
[root@server ~]# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport ssh -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport http -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT
COMMIT
[root@server ~]# service iptables restart
[root@server ~]# chkconfig iptables on
Lastly, the backup of the logs is scheduled through cron, running an rsync task every 15 minutes.
[root@server ~]# yum install rsync
[root@server ~]# cat /etc/crontab
...
# Entries in /etc/crontab need a user field before the command
*/15 * * * * root /usr/bin/rsync -altgvb /mnt/shared/logs/nfs /backup/logs/nfs
*/15 * * * * root /usr/bin/rsync -altgvb /mnt/shared/logs/samba /backup/logs/samba