The idea behind this setup is that nginx will listen on port 80 for incoming connections, identify whether the client requests a static file or a dynamic webpage. In case of a static file it will deliver the file itself. In case of a dynamic request it will forward that request to the Apache server.

So let’s get started. First we need to download and unzip the lates stabel version of nginx. Currently this is verions 0.6.32. Compilation and installation is a done with the usual steps:

./configure
make
make install

This will install nginx in the directory /usr/local/nginx. I usually like to have all my configuration files under /etc, so let’s copy the configuration folder over:

cp -r /usr/local/nginx/conf /etc/nginx

The sample configuration file nginx.conf is well suited as a starting point. I would recommend to uncomment / change the following settings in the main section:

user www-data www-data;
worker_processes 2;
pid /var/run/nginx.pid;

In the http-section you could alter the following settings:

tcp_noauth on;
gzip on;

The English nginx wiki contains a very good documentation on these settings.

Nginx has full support for name based virtual hosts and you need to create a server-section in the config for every virtual host that is configured in Apache. But first create a new configuration file /etc/nginx/proxy.conf which contains the basic proxy settings as found in the nginx wiki:

proxy_redirect          off;
proxy_set_header        Host            $host;
proxy_set_header        X-Real-IP       $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size    10m;
client_body_buffer_size 128k;
proxy_connect_timeout   90;
proxy_send_timeout      90;
proxy_read_timeout      90;
proxy_buffers           32 4k;

These settings will be reused in every virtual host. The default virtual host is used as fallback in case no specific configuration for that virtual host can be found. To configure this default host, replace the server-section in the file /etc/nginx.conf with the following block:

server {
    listen       XXX.XXX.XXX.XXX:80 default;
    server_name  _;
    access_log /var/log/nginx/default.access.log main;
 
    location / {
        proxy_pass http://127.0.0.1:80;
        include /etc/nginx/proxy.conf;
   }
}

Replace XXX.XXX.XXX.XXX with the extern IP address of the server. The above configuration is a pure proxy configuration which will pass all the traffic to the Apache server that is listening on 127.0.0.1:80.

To be flexible in the virtual host configuration, I like to maintain one configuration file per virtual host in a separate directory. We can include all configuration files from a certain directory into the nginx configuration by adding the following line after the server-section:

include /etc/nginx/sites-enabled/*;

So every time you want to setup a new virtual host, you just need to add a new configuration file to the directory /etc/nginx/sites-enabled. Here is a template for that file:

server {
    listen XXX.XXX.XXX.XXX:80;
    server_name foobar.com www.foobar.com;
 
    location / {
        proxy_pass http://127.0.0.1:80;
        include /etc/nginx/proxy.conf;
    }
 
    location ~* ^.+.(jpe?g|gif|png|ico|css|zip|tgz|gz|rar|bz2|doc|xls|exe|pdf|ppt|txt|tar|mid|midi|wav|bmp|rtf|js|swf|avi|mp3)$ {
        expires 30d;
        root /var/www/foobar.com/htdocs;
    }
}

This configuration will setup the virtual host foobar.com. You can define all alias addresses with the configuration directive server_name. All requests that match one of the above file extensions will be delivered directly by nginx from the directory /var/www/foobar.com/htdocs. All other requests are forwarded to the Apache server.

Before nginx can be started we need to make sure that Apache only listens on the address 127.0.0.1 for requests and not on the external IP address. In Debian this is done in /etc/apache2/ports.conf. Change this file to:

Listen 127.0.0.1:80

Also make sure, that the VirtualHost directives in the Apache configuration files do not include an IP address. They should look like this:

<VirtualHost *:80>
    ServerName foobar.com
...
</VirtualHost>

The directive NameVirtualHost should look like this (also without an IP address):

NameVirtualHost *:80

Now you can restart Apache:

/etc/init.d/apache2 restart

And start nginx:

/usr/local/nginx/sbin/nginx -c /etc/nginx/nginx.conf

You can reload the nginx configuration without stopping nginx:

kill -HUP `cat /var/run/nginx.pid`

On my server some quick benchmarks have shown that nginx can deliver static content up to 10 times faster than Apache. The amazing thing is that not only did it deliver the content faster, there was nearly no impact on CPU or memory. With combining Apache and nginx we can have the best of both worlds, nginx for static files and Apache for dynamic content.

APC ist installed using the PHP Extension Community Library (PECL). Using PECL ist similar to using the PEAR Library. Before you can install APC via PECL, make sure that you have the following packages installed:

aptitude install php5-dev php5-gd

Downloading compiling and installation of APC using PECL ist a breeze. Just run from the command line:

pecl install APC

Now all you need to do is to add the following line to your php.ini file which you should find in /etc/php5/apache2/:

extension=apc.so

Once you restart Apache, caching will be enabled with default settings of APC. By default APC will use 30 MB memory to cache your PHP files. It is a good idea to tailor this setting to your server. This can be done with the following line in php.ini:

apc.shm_size=30

The first step is to activate the dav_fs module:

a2enmod dav_fs

The rest of the configuration needs to be done inside one of your virtual host configuration files. Please note that it is recommended to enable the WebDAV service in an SSL secured virtual host, because Windows seems to have issues connecting to WebDAV services which are not secured via SSL.

In the first Apache tutorial we have created the virtual host foobar.org. To add the WebDAV service to that virtual host, open the configuration file /etc/apache2/sites-available/foobar.org and add a new Directory-directive into the SSL-enabled VirtualHost:

<virtualhost *:443>
        SSLEngine On
        ....
        <Directory /srv/www/vhosts/foobar.org/httpsdocs/webdav>
                DAV On
                AllowOverride AuthConfig
                AuthType Basic
                AuthName "WebDAV Login"
                AuthUserFile /srv/www/vhosts/foobar.org/webdav-users
                Require valid-user
        </Directory>
</VirtualHost>

The above configuration defines a new subdirectory in the foobar.org SSL webspace which has the WebDAV module activated and is secured via a basic login mechanism. So if you try to access the address https://www.foobar.org/webdav you will be prompted for a login and password. The logins are stored in the file /srv/www/vhosts/foobar.org/webdav-users. We need to create this file and define a valid user:

htpasswd -c /srv/www/vhosts/foobar.org/webdav-users username

Where username ist the login you would like to use. You will be prompted for a password and the user will be created in the specified file.

Now create the webdav directory and make it writeable for the Apache server:

mkdir /srv/www/vhosts/foobar.org/httpsdocs/webdav
chown www-data.www.data /srv/www/vhosts/foobar.org/httpsdocs/webdav
chmod g+w /srv/www/vhosts/foobar.org/httpsdocs/webdav

That’s it. After restarting your Apache server, you can now mount the above directory via WebDAV with the address https://www.foobar.org/webdav and use it as an external file store.

If you want to restrict only write access to the WebDAV directory and allow read-only access to anybody, replace Require valid-user with:

<LimitExcept GET>
        Require valid-user
</LimitExcept>

This change will only require a login when uploading, modifying or deleting files in the WebDAV directory. You could also enable directory browsing with the following configuration setting:

Options Indexes

Should you use mod_security you also need to disable some rules which would block WebDAV traffic. This is best done inside of the above Directory-directive:

<IfModule mod_security2.c>
        SecRuleRemoveById 960032 960038 960904
</IfModule>

Please note that the rule ids may change depending on the mod_security version you use. So if WebDAV does not seem to work, take a look at the mod_security audition log to see which rules are blocking your traffic.

To be always up to date with mod_security I prefer to compile it myself. To do this we need to install some missing development files:

apt-get install libxml2-dev apache2-prefork-dev

Now we can go ahead and grab the latest sources from http://www.modsecurity.org (in this case version 2.1.2) and unpack them in your home directory:

tar -xvzf modsecurity-apache_2.1.2.tar.gz
cd modsecurity-apache_2.1.2/apache2

We need to define the location of our Apache home directory in the Makefile. Find the line top_dir = and set it to top_dir = /usr/share/apache2. Now you should be able to compile and install the module:

make
make install

Before we activate mod_security, we need to setup filtering rules. The current release of mod_security comes bundled with a sophisticated set of rules, which is called the core rule set. We can use these configuration files as starting point for our customized set. We will store the csutomized mod_security rules in /etc/apache2/mod_security:

mkdir /etc/apache2/mod_security
cp ~/modsecurity-apache_2.1.2/rules/*.conf /etc/apache2/mod_security/
cp ~/modsecurity-apache_2.1.2/rules/blocking/*.conf /etc/apache2/mod_security/

As you can see, first we copy the standard rule set to our new directory and next we overwrite some of the configuration files with config files which include versions of the rules which will block the traffic matching the rule.

Most of the configuration will be done in the file /etc/apache2/mod_security/modsecurity_crs_10_config.conf. So open this file and make the following modifications:

SecRuleEngine DetectionOnly
SecResponseBodyAccess Off
SecDefaultAction "phase:2,log,deny,status:500"
#SecServerSignature "Apache/2.2.0 (Fedora)"
SecAuditLog /var/log/apache2/modsec_audit.log
SecAuditLogRelevantStatus "^(?:5|4\d[^4])"
SecDebugLog /var/log/apache2/modsec_debug.log

The above configuration sets the path to the logfiles and most important it will start the module in detection mode. This means that the configured rules will not block an access, but log only. Without this logging step you will likely break some of your applications.

Now we need to activate the module and load all security rules. To do this we will create a file /etc/apache2/mods-available/security2.load which will load the mod_security module. It has the following contents:

LoadModule security2_module /usr/lib/apache2/modules/mod_security2.so

We also need a configuration file which will load all of our security rules. The files is named /etc/apache2/mods-available/security2.conf:

<IfModule mod_security2.c>
    Include /etc/apache2/mod_security/*.conf
</IfModule>

Now we can enable mod_security:

a2enmod security2
/etc/init.d/apache2 restart

After restarting the server, browse all your applications and try to simulate normal use. You could also leave the server for a couple of hours. In the meantime mod_security will log all requests that it would block into the file /var/log/apache2/modsec_audit.log. So, take a look at the logfile and identify all rules which are false positives. Meaning that these rules should not trigger for your applications to work. Example of a message:

--bf9af342-H--
Message: Warning. Pattern match "(?:\\b(?:\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\.asa|httpd\\.conf|boot\\.ini)\\b|\\/etc\\/)" at ARGS:content. [id "950005"] [msg "Remote File Access Attempt. Matched signature </etc/>"] [severity "CRITICAL"]
Stopwatch: 1187386802219993 629097 (117984* 168889 -)
Producer: ModSecurity v2.1.2 (Apache 2.x)
Server: Apache
 
--bf9af342-Z--

Each rule has a unique id. In the above example the id is 950005. If we want to remove the rule with this id, we need to create a file /etc/apache2/mod_security/modsecurity_crs_99_customrules.conf:

SecRuleRemoveById 950005

You can also specify multiple rule ids or put the above configuration setting in any other Apache configuration file, for example inside a Location-directive so that the whitelisting will only apply to a specific URL-Location. You should disable the rules in a small context to keep the general ruleset strong.

When you are happy with the configuration you need to change in /etc/apache2/modsecurity_crs_10_config.conf the line:

SecRuleEngine On

which will set mod_security into active mode and now really block malicious requests.

Again we will start with installing all needed software components:

apt-get install apache2 libapache2-mod-php5 php5-cli php5-common mysql-common mysql-server mysql-client

Please choose a secure password for the database installation. The Debian configuration for the MySQL server is fine and does not pose any security issues, as it will only accept connections from the localhost, so only local applications can access the database.

The PHP configuration file can use some tweaks to increase the security. Make sure, that you have the following settings in /etc/php5/apache2/php.ini:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
expose_php = Off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off

The above settings will close some script injection vulnerabilities and disable some insecure function calls. The rest of the configuration file can be set to your own preferences.

For the Apache configuration we first need a custom certificate to enable SSL encryption:

openssl req -new -x509 -days 4312 -nodes -keyout /etc/apache2/web.pem -out /etc/apache2/web.pem

When filling out the certificate details, make sure that you enter your domain name in the field “Common Name”. The above command will create a self signed certificate file.

Now you need to configure the Apache server to listen on both port 80 and port 443. This is done in the configuration file /etc/apache2/ports.conf:

Listen 80
Listen 443

Enable the SSL Apache module:

a2enmod ssl

Now we need to enable the name based virtual host support. Open /etc/apache2/sites-available/default and make sure that the file starts with the following lines:

NameVirtualHost *:80
NameVirtualHost *:443
<virtualhost *:80>

Now we are all set to creating our virtual hosts. We only need to decide where these hosts will be stored. In this example I choose the path /srv/www/vhosts as the base path for the virtual hosts and each host will get its own directory named after the domain name (ie. mydomain.com) with the subdirectories httpdocs for non-ssl webpages, httpsdocs for ssl webpages and logs for the access and error log.

Let’s create a new virtual host foobar.org. First we create the directories:

mkdir /srv/www/vhosts/foobar.org
mkdir /srv/www/vhosts/foobar.org/httpdocs
mkdir /srv/www/vhosts/foobar.org/httpsdocs
mkdir /srv/www/vhosts/foobar.org/logs

Now we will define the virtual host inside apache. Create a new configuration file /etc/apache2/sites-available/foobar.org with the following contents:

<virtualhost *:80>
        SSLEngine Off
        ServerName foobar.org:80
        ServerAlias www.foobar.org
        UseCanonicalName Off
        ServerAdmin your@email.com
        DocumentRoot /srv/www/vhosts/foobar.org/httpdocs
        CustomLog /srv/www/vhosts/foobar.org/logs/access_log combined
        ErrorLog /srv/www/vhosts/foobar.org/logs/error_log
        <directory /srv/www/vhosts/foobar.org/httpdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </directory>
</virtualhost>
 
<virtualhost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/web.pem
        ServerName foobar.org:443
        ServerAlias www.foobar.org
        UseCanonicalName Off
        ServerAdmin your@email.com
        DocumentRoot /srv/www/vhosts/foobar.org/httpsdocs
        CustomLog /srv/www/vhosts/foobar.org/logs/access_log combined
        ErrorLog /srv/www/vhosts/foobar.org/logs/error_log
        <directory /srv/www/vhosts/foobar.org/httpsdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </directory>
</virtualhost>

The above configuration defines an non-ssl site which will point to the httpdocs folder and an ssl site with points to the httpsdocs folder. Of course you could configure the same DocumentRoot for both sites so that ssl and non-ssl content would be the same.

The last step to enable the new site is to declare it as an active site and reload the apache configuration:

a2ensite foobar.org
/etc/init.d/apache2 reload

Now you should be able to access your new site with ssl and non-ssl. And you will also be able to run PHP scripts inside your web space.

The logfiles for different virtual hosts are now stored in separate directories. We therefore need to adapt the logrotate configuration to include the new logfiles in the log rotation. So open the configuration file /etc/logrotate.d/apache2 and change the first line to:

/var/log/apache2/*.log /srv/www/vhosts/*/logs/*_log {

In the next article we will take a look at securing the Apache server with mod_security.