Configure a Fedora Web Server
Tested with Fedora 8, 9, 10, 11, 12, 13.
I usually install Fedora without the graphical interface, and only with a minimal environment, and let ‘yum’ do the install…
As I usually use Drupal for my websites, I basically have the ‘yum’ installation tool do a complete web server installation with this single instruction:
You could similarly use:
(or)
yum install phpmyadmin
In all cases the final result is that you now have in place a complete Apache httpd server.
MySQL
Start the MySQL database server now, and automatically at boot time:
service mysqld start
You’ll be asked to go through a script that lets you secure the MySQL installation. It’s a safe bet to use the default values.
Location of the script:
SE-Linux
SE-Linux is your best friend for the overall security of your system but can be very restricting sometimes. Check some values with this instruction:
You usually will need to enable your web server to connect to the network (some of your scripts might need to connect to the network) and send email (for the contact form). Enable if necessary like this:
setsebool -P httpd_can_sendmail on
Sometimes I run the database on another server; SE-Linux prevents the web server from accessing it by default. Here’s the enabling instruction:
There’s a good read about Apache and SE-Linux at this page: http://www.beginlinux.com/server_training/web-server/976-apache-and-selinux
Apache
It’s always a good idea to declare a default hostname:
nano /etc/sysconfig/network
HOSTNAME=myserver.com
To start the web server, and also automatically at boot time:
chkconfig --levels 235 httpd on
Some configuration steps I usually take:
- nano /etc/httpd/conf/httpd.conf
…..
DirectoryIndex index.html index.htm index.php
…..
#
# Use name-based virtual hosting.
#
NameVirtualHost *:80
Include /etc/httpd/vhosts.d/*.conf
And replace all ‘Indexes’ with ‘-Indexes’ as a safety measure.
- Then create the sub-directory where you’ll store the virtual host declarations:
mkdir /etc/httpd/vhosts.d
chcon -u system_u /etc/httpd/vhosts.d
- Restart the web server:
service httpd restart
- nano /etc/httpd/vhosts.d/example.com.conf (vhost sample)
<VirtualHost *:80>
ServerAdmin webmaster@example.com
ServerName www.example.com
ServerAlias example.com
DocumentRoot /var/www/example.com/drupal
</VirtualHost>
- Reload the web server (no need for a full restart):
service httpd reload
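To confirm that no ‘Indexes’ option was missed, here is an added example (not part of the original article; the function name and the sample configuration are constructed for illustration). It also flags lines that mix +/- prefixed options with bare ones, which is what a plain search-and-replace produces and which Apache's documentation describes as invalid syntax.

```bash
# Added example, not from the original article. check_options_indexes and the
# sample configuration are constructed for illustration.
check_options_indexes() {
    awk '
        /^[ \t]*#/ { next }                     # ignore commented-out directives
        tolower($1) == "options" {              # case-insensitive; IndexOptions does not match
            signed = 0; bare = 0; listing = 0
            for (i = 2; i <= NF; i++) {
                opt = tolower($i)
                if (opt ~ /^[+-]/) signed++; else bare++
                if (opt == "indexes" || opt == "+indexes") listing = 1
            }
            if (listing) {
                printf "%s:%d: listing-enabled\n", FILENAME, FNR
            } else if (signed && bare) {
                printf "%s:%d: mixed-syntax\n", FILENAME, FNR
            }
        }
    ' "$@"
}

# Constructed sample, standing in for /etc/httpd/conf/httpd.conf and vhosts.d/*.conf
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# Options Indexes FollowSymLinks
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/icons">
    options +Indexes +MultiViews
    IndexOptions FancyIndexing
</Directory>
<Directory "/var/www/example.com/drupal">
    Options -Indexes FollowSymLinks
</Directory>
<Directory "/var/www/www-secure">
    Options -Indexes +FollowSymLinks
</Directory>
EOF

check_options_indexes "$sample"
```

On a real server, pass it /etc/httpd/conf/httpd.conf together with the files in /etc/httpd/conf.d and /etc/httpd/vhosts.d.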
PHP
It’s a good idea to play it safe with PHP and not allow the short tags:
nano /etc/php.ini
short_open_tag = Off
You’ll need to restart the web server for this to take effect.
Many websites need the adodb.php library to access MySQL:
Server Certificate
You’ll need to install the SSL module to use the encrypted https protocol:
The directory /etc/pki/tls is where the certificates are stored in Fedora, but some other distributions use /etc/ssl, which is easier to remember and is used throughout this series of articles, so I’m creating an alias here:
ln -s /etc/pki/tls /etc/ssl
We’ll suppose here that your certificate is $CERT with:
- the suffix .crt for the public certificate: $CERT.crt
- the suffix .key for the private key: $CERT.key
- (optional) the suffix .pem for the combination of both the public and private parts: $CERT.pem
You’ll find the instructions in this article that explain how to create a self-signed certificate.
Here are the instructions to replace the default certificates with the right protection level:
cd /etc/ssl/certs/
rm localhost.crt
ln -s /etc/ssl/certs/$CERT.crt localhost.crt
chmod 644 $CERT.*
chcon -u system_u -t cert_t $CERT.*
cd /etc/ssl/private/
rm localhost.key
ln -s /etc/ssl/private/$CERT.key localhost.key
ln -s /etc/ssl/private/$CERT.pem localhost.pem
chmod 400 $CERT.*
chcon -u system_u -t cert_t $CERT.*
You’ll need to restart httpd for this to take effect.
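If the key is password protected, here’s how to avoid the prompt when httpd starts. The passphrase is then stored in clear text in the script, so the key is only as well protected as that file: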
- nano /etc/httpd/conf.d/ssl.conf
#SSLPassPhraseDialog builtin
SSLPassPhraseDialog exec:/etc/httpd/conf.d/autokey
- nano /etc/httpd/conf.d/autokey
#!/bin/sh
echo "<your passphrase>"
- Set the permissions:
chmod 500 /etc/httpd/conf.d/autokey
chown apache:apache /etc/httpd/conf.d/autokey
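A check of the private key directory after the certificate steps above, as an added example (not part of the original article; the function name and the sample files are constructed for illustration). It reports keys that group or others can access, and links such as localhost.pem that point at an optional $CERT.pem which was never created.

```bash
# Added example, not from the original article. audit_key_dir and the sample
# files are constructed for illustration.
audit_key_dir() {
    for f in "$1"/*; do
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # symbolic link whose target does not exist
            echo "dangling-link ${f##*/}"
        elif [ -f "$f" ] && [ -n "$(find -L "$f" -maxdepth 0 \
                \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
            # any group or other permission bit is set on the (resolved) file
            echo "group-or-other-access ${f##*/}"
        fi
    done
}

# Constructed sample directory, standing in for /etc/ssl/private
keydir=$(mktemp -d)
trap 'rm -rf "$keydir"' EXIT
: > "$keydir/example.key"; chmod 400 "$keydir/example.key"   # as chmod 400 $CERT.* leaves it
: > "$keydir/legacy.key";  chmod 644 "$keydir/legacy.key"    # a key left world-readable
ln -s "$keydir/example.key" "$keydir/localhost.key"
ln -s "$keydir/example.pem" "$keydir/localhost.pem"          # the optional .pem does not exist

audit_key_dir "$keydir"
```

An empty result means every key in the directory is restricted to its owner and every link resolves.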
Apache SSL
I usually put secure websites in this directory:
chcon -u system_u /var/www/www-secure
nano /etc/httpd/conf.d/ssl.conf
ServerName ssl.example.com
DocumentRoot "/var/www/www-secure"
PhpMyAdmin
We’ll install PhpMyAdmin in the secure section and access it like this: https://ssl.example.com/phpmyadmin
- Method 1:
cd /var/www/www-secure
ln -s /usr/share/phpMyAdmin phpmyadmin
- Method 2:
Fedora provides an Apache configuration file for PhpMyAdmin, which you’ll modify to set the alias ‘phpmyadmin’ and forbid its use by anyone if not accessed via https:
- Method 2 – Step 1 – nano /etc/httpd/conf.d/phpMyAdmin.conf
#Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
<Directory /usr/share/phpMyAdmin/>
order deny,allow
deny from all
#allow from 127.0.0.1
</Directory>
Now we’ll authorize its use via SSL:
- Method 2 – Step 2 – nano /etc/httpd/conf.d/ssl.conf
<Directory /usr/share/phpMyAdmin/>
allow from all
</Directory>
<Directory /usr/share/phpMyAdmin/setup/>
allow from all
</Directory>
Restart the server and check:
https://ssl.example.com/phpmyadmin should respond.
http://ssl.example.com/phpmyadmin should not respond.
Drupal
I install Drupal websites manually via Git (see the Drupal articles), but I like to use the ‘yum’ tool to automatically get all dependencies installed:
Drupal gets installed at this location: /usr/share/drupal/
An Apache configuration file is created as well, which I modify to allow the clean URLs to work without using individual .htaccess files:
nano /etc/httpd/conf.d/drupal.conf
RewriteEngine On
RewriteBase /
# Rewrite current-style URLs of the form ‘index.php?q=x’.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^\/var\/www\/.*\/drupal\/(.*)$ index.php?q=$1 [L,QSA]
</Directory>
- Some SELinux tune-ups:
yum install policycoreutils-python
cd /var/www/*/drupal
Allow Drupal to write in the directory ‘files’:
chcon -R -t httpd_sys_content_rw_t files
Allow Drupal to generate a sitemap file:
chcon -t httpd_sys_content_rw_t sitemap.xml
WordPress
Similarly to Drupal, I use:
Then, nano /etc/httpd/conf.d/wordpress.conf
# on WordPress without using .htaccess files
<Directory /var/www/*/wordpress*>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
</Directory>
To receive emails from contact forms, I install the mail server Postfix. Verify that removing sendmail (usually installed by default) is not removing other programs you need:
Install Postfix
yum install postfix
nano /etc/postfix/main.cf
Otherwise the default mydestination = $myhostname, localhost.$mydomain, localhost will make this server receive the emails sent from the website to xxx@$myhostname, which we don’t want: this Postfix server shouldn’t receive emails destined to xxx@$myhostname, it should rather forward them to the email server that takes care of this address.
You also want to receive the messages sent to root. To build the file /etc/aliases run this:
nano /etc/aliases
root: your@email.com
Start the server now, and automatically at boot time:
chkconfig postfix on
Perl
Here’s how to execute scripts from a specific virtual host location:
nano /etc/httpd/vhosts.d/example.com.conf
AddHandler cgi-script cgi pl
Options ExecCGI
</Directory>
Adding some Perl libraries directly with yum (I need these libraries for http://vcardprocessor.com):
yum install perl-MIME-tools (MIME::Entity is there)
If a Perl module is not available via RPM, then I use CPAN:
yum install perl-CPAN
o conf init
o conf init urllist
o conf commit
exit
Install module Net::UPS
(or)
perl -MCPAN -e 'install Net::UPS'
PhpLdapAdmin
cd /var/www/www-secure
ln -s /usr/share/phpldapadmin/htdocs phpldapadminTW
(or)
nano /etc/httpd/conf.d/phpldapadmin.conf (and then write the related directory in /etc/httpd/conf.d/ssl.conf)
#Alias /ldapadmin /usr/share/phpldapadmin/htdocs
<Directory /usr/share/phpldapadmin/htdocs>
Order Deny,Allow
Deny from all
#Allow from 127.0.0.1
#Allow from ::1
</Directory>
Configuration:
nano /etc/phpldapadmin/config.php
$ldapservers->SetValue($i,'server','host','directory.example.com');
$ldapservers->SetValue($i,'login','dn','cn=Directory Manager');
$ldapservers->SetValue($i,'server','sasl_realm','EXAMPLE.COM');