
SYS Admin Documentation

Installation of Apache and Openssl

Document Version: 3.0

Copyright ©2024 Aurus Inc. All Rights Reserved. All information contained herein is confidential and proprietary to Aurus Inc. It
shall not be disclosed, duplicated, or used in part or in whole, for any purpose without prior written consent from Aurus Inc. Aurus Inc.
reserves the right to make changes to specifications at any time and without notice. The information contained within is believed to be
accurate and reliable; however, no responsibility is assumed by Aurus Inc. for its use. All trademarks, service marks, and trade names
referenced in this material are the property of their respective owners. Information security is addressed in the execution of the project.
This includes secure development techniques, secure coding, and secure code reviews.

Version 2.0 Copyright ©2024 Aurus Inc. All Rights Reserved Page 1
SYS Admin Documentation
TABLE OF CONTENTS

1. Document Overview .......... 4
1.1 About this Document .......... 4
1.2 Revision History .......... 4
1.3 Approver .......... 4
2. Introduction .......... 5
2.1 Overview .......... 5
3. Installation of Openssl .......... 6
3.1 Install all required packages .......... 6
3.2 Get the latest version of openssl .......... 6
3.3 Extract the openssl tar file in /usr/local .......... 6
3.4 Configure & make install the openssl .......... 6
3.5 Check Openssl version .......... 7
4. Installation of apache .......... 8
4.1 Get the latest version of apache .......... 8
4.2 Get the apr and apr-util tar files .......... 8
4.3 Extract the httpd package on /usr/local .......... 8
4.4 Extract the apr and apr-util files in /usr/local/httpd-2.4.58/srclib .......... 8
4.5 Configure the apache with following step .......... 9
4.6 Start apache service and verify .......... 9
5. Steps to Enable HTTP/2.0 on apache Web Server .......... 10
5.1 Prerequisite .......... 10
5.2 Install below dependency packages using yum install command .......... 11
5.3 Stop the apache service .......... 11
5.4 OpenSSL Installation .......... 11
5.4.1 Install all required packages like gcc and pcre as follows .......... 11
5.4.2 Get the latest version of openssl .......... 11
5.4.3 Extract the openssl tar file in /usr/local .......... 12
5.4.4 Configure & make install the openssl .......... 12
5.4.5 Check Openssl version .......... 12
5.5 nghttp2 Installation .......... 12
5.5.1 Extract the nghttp2 tar file in /usr/local .......... 12
5.5.2 Configure & make install the nghttp2 .......... 12
5.5.3 apr and apr-util Installation .......... 14
5.6 httpd installation .......... 15
5.6.1 Extract the httpd package on /usr/local dir .......... 15
5.6.2 Extract the apr and apr-util files in /usr/local/httpd-2.4.58/srclib .......... 15
5.6.3 Configure the apache with following step .......... 15
5.6.4 Copy required old files backup .......... 16
5.6.5 Make changes in httpd.conf and httpd-ssl.conf .......... 16
5.7 Mod caucho Installation .......... 17
5.7.1 Extract the resin tar file in /usr/local .......... 17
5.7.2 Change older backup path and configure with apache2 and run .......... 17
5.7.3 Start apache service and verify .......... 18
6. Modsecurity Installation .......... 19
6.1 Modsecurity installation .......... 19
6.2 Create directory for modsecurity .......... 19
6.3 Modsecurity package download .......... 19
6.4 Configure modsecurity package and make install .......... 20
6.5 Copy modsecurity config recommended file to modsecurity directory .......... 20
6.6 coreruleset package setup .......... 20
6.7 coreruleset config file setup .......... 21
7. Modsecurity Configuration .......... 22
7.1 Enable modsecurity in httpd.conf .......... 22
7.2 Configure modsecurity parameters .......... 22
7.3 Configure coreruleset parameters .......... 24
8. HTTPD Config - Enabled the line on config file .......... 27
9. SSL certificates Renewal .......... 35
9.1 SSL Certificate Renewal on web Server .......... 35
9.2 SSL certificates add on web .......... 35
9.3 Restart the Apache service .......... 35


1. Document Overview
1.1 About this Document
This document covers the Apache and OpenSSL installation, along with enabling HTTP/2 on the web server.

1.2 Revision History

Version   Author          Date         Description
1.0       Mahesh Salve    12/10/2023   Initial Draft
2.0       Sagar W.        08/03/2024   Updated apache version document

1.3 Approver

Version   Approved By   Date         Comments
1.0       Siva P.       15/10/2023   Approved the document and config for apache.
2.0       Siva P.


2. Introduction
2.1 Overview

Apache HTTP Server, commonly referred to as Apache, is one of the most widely used open-
source web servers globally. Renowned for its stability, flexibility, and robustness, Apache
serves as the backbone for countless websites and applications. Apache's modular
architecture allows you to extend and customize its functionality through modules, enabling
a configuration tailored to your specific requirements.
Apache provides robust security features, including access control, SSL/TLS support,
and customizable authentication mechanisms. With features such as multi-processing
modules and caching, Apache delivers optimal performance for serving dynamic and static
content.
OpenSSL is a robust, open-source implementation of the SSL and TLS protocols. Widely
used for secure communication over computer networks, OpenSSL provides a toolkit for
implementing secure networking protocols. OpenSSL encrypts data in transit, safeguarding
sensitive information from unauthorized access. With support for X.509 certificates, OpenSSL
facilitates the creation, signing, and management of digital certificates for secure
communication. OpenSSL supports a range of cryptographic protocols, including SSL, TLS and
DTLS, providing a versatile platform for secure data exchange.


3. Installation of Openssl
3.1 Install all required packages

- Install the gcc and pcre packages with the command below.

[root@Testing_L1 local]# yum install gcc* pcre-devel* glibc-devel* zlib* expat* openssl-devel* glibc-devel* -y

- When packages are installed through Foreman with yum, they are installed from the
centralized Foreman server.

3.2 Get the latest version of openssl

- Download the latest openssl tar file from the official site.

https://www.openssl.org/source/


3.3 Extract the openssl tar file in /usr/local

[root@Testing_L1 local]# tar -xvzf openssl-3.1.4.tar.gz


[root@Testing_L1 local]# cd openssl-3.1.4

3.4 Configure & make install the openssl

# To configure
[root@Testing_L1 openssl-3.1.4]# ./config --prefix=/usr --openssldir=/usr/local/openssl shared zlib

# To make
[root@Testing_L1 openssl-3.1.4]# make

# To make install
[root@Testing_L1 openssl-3.1.4]# make install


3.5 Check Openssl version


- Verify that OpenSSL is installed properly by checking the version, as shown below.

# To see Openssl version
[root@Testing_L1 local]# openssl version
OpenSSL 3.1.4 24 Oct 2023


4. Installation of apache
4.1 Get the latest version of apache

- Download the latest apache tar file from the official site.

4.2 Get the apr and apr-util tar files.

- Download the apr and apr-util tar files from the URL below.

https://apr.apache.org/download.cgi

4.3 Extract the httpd package on /usr/local

[root@Testing_L1 ~]# cd /usr/local/


[root@Testing_L1 local]# tar -xvzf httpd-2.4.58.tar.gz

4.4 Extract the apr and apr-util files in /usr/local/httpd-2.4.58/srclib

# Extracting apr
[root@Testing_L1 local]# tar -xvf apr-1.7.0.tar.gz -C httpd-2.4.58/srclib/

# Extracting apr-util
[root@Testing_L1 local]# tar -xvf apr-util-1.6.1.tar.gz -C httpd-2.4.58/srclib/

# Changing to the srclib directory in httpd and renaming the extracted directories:
# --with-included-apr expects them as srclib/apr and srclib/apr-util (no version suffix)
[root@Testing_L1 local]# cd httpd-2.4.58/srclib
[root@Testing_L1 srclib]# mv apr-1.7.0 apr
[root@Testing_L1 srclib]# mv apr-util-1.6.1 apr-util
[root@Testing_L1 srclib]# ls
[root@Testing_L1 srclib]# cd ..

4.5 Configure the apache with following step
# Configure apache
[root@Testing_L1 httpd-2.4.58]# ./configure --enable-module=so --prefix=/usr/local/apache --with-mpm=worker --with-included-apr --with-ssl=/usr/local/openssl
# make
[root@Testing_L1 httpd-2.4.58]# make
# make install
[root@Testing_L1 httpd-2.4.58]# make install

4.6 Start apache service and verify

# To start apache service
[root@Testing_L1 httpd-2.4.58]# /usr/local/apache/bin/apachectl start

# Web server addresses
MK: 192.168.XX.162
VW: 192.168.XX.113
TH: 192.168.xxx.175
VW-OC: 192.168.xxx.15

# To check process
[root@Testing_L1 ~]# ps -ef | grep apache
root 7307 1 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7308 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7309 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7310 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
root 7404 7244 0 03:54 pts/0 00:00:00 grep --color=auto apache
[root@Testing_L1 ~]#


5. Steps to Enable HTTP/2.0 on apache Web Server


5.1 Prerequisite

- Copy the required packages to the target web server in the /usr/local directory.

- openssl-3.1.4.tar.gz
  o https://www.openssl.org/source/openssl-3.1.4.tar.gz
- nghttp2-1.57.0.tar.gz
  o https://github.com/nghttp2/nghttp2/releases/download/v1.57.0/nghttp2-1.57.0.tar.gz
- apr-1.7.4.tar.gz
  o https://dlcdn.apache.org//apr/apr-1.7.4.tar.gz
- apr-util-1.6.3.tar.gz
  o https://dlcdn.apache.org//apr/apr-util-1.6.3.tar.gz
- httpd-2.4.58.tar.gz
  o https://dlcdn.apache.org/httpd/httpd-2.4.58.tar.gz
- resin4.0.64.tar.gz
  o https://caucho.com/download/resin-4.0.64.tar.gz

5.2 Install below dependency packages using yum install command

[root@Testing_L1 local]# yum install zlib-devel
[root@Testing_L1 local]# yum install perl
[root@Testing_L1 local]# yum install gcc
[root@Testing_L1 local]# yum install gcc-c++
[root@Testing_L1 local]# yum install pcre-devel
[root@Testing_L1 local]# yum install libxml2-devel
[root@Testing_L1 local]# yum install openssl-devel
[root@Testing_L1 local]# yum install expat-devel
[root@Testing_L1 local]# yum install cmake
[root@Testing_L1 local]# yum install git
[root@Testing_L1 local]# yum install automake
[root@Testing_L1 local]# yum install autoconf libtool

5.3 Stop the apache service

- Go to the existing /usr/local/ directory, stop the apache service and take a backup of the
existing apache folder.

[root@Testing_L1 ~]# cd /usr/local/
[root@Testing_L1 local]# /usr/local/apache/bin/apachectl stop
[root@Testing_L1 local]# cp -r apache apache_bkp

5.4 OpenSSL Installation


5.4.1 Install all required packages like gcc and pcre as follows:

[root@Testing_L1 local]# yum install gcc* pcre-devel* glibc-devel* zlib* expat* openssl-devel* glibc-devel* -y

5.4.2 Get the latest version of openssl

- Download the latest openssl tar file from the official site.

- https://www.openssl.org/source/

5.4.3 Extract the openssl tar file in /usr/local

[root@Testing_L1 local]# tar -xvzf openssl-3.1.4.tar.gz
[root@Testing_L1 local]# cd openssl-3.1.4

5.4.4 Configure & make install the openssl

# To configure
[root@Testing_L1 openssl-3.1.4]# ./config --prefix=/usr --openssldir=/usr/local/openssl shared zlib
# To make
[root@Testing_L1 openssl-3.1.4]# make
# To make install
[root@Testing_L1 openssl-3.1.4]# make install

5.4.5 Check Openssl version

- Verify that OpenSSL is installed properly by checking the version, as shown below.

# To see Openssl version
[root@Testing_L1 local]# openssl version
OpenSSL 3.1.4 24 Oct 2023

5.5 nghttp2 Installation

5.5.1 Extract the nghttp2 tar file in /usr/local

[root@Testing_L1 local]# tar -xvzf nghttp2-1.57.0.tar.gz


[root@Testing_L1 local]# cd nghttp2-1.57.0

5.5.2 Configure & make install the nghttp2

# To configure (the prefix matches --with-nghttp2=/usr/local/nghttp2 used in the httpd configure step)
[root@Testing_L1 nghttp2-1.57.0]# ./configure --prefix=/usr/local/nghttp2

# To make
[root@Testing_L1 nghttp2-1.57.0]# make

# To make install
[root@Testing_L1 nghttp2-1.57.0]# make install

5.5.3 apr and apr-util Installation

- Extract, configure and make install the apr and apr-util packages.

# Extract apr
[root@Testing_L1 local]# tar -xvzf apr-1.7.4.tar.gz
[root@Testing_L1 local]# cd apr-1.7.4

# Configure apr (installs under /usr/local/apr by default)
[root@Testing_L1 apr-1.7.4]# ./configure

# apr make
[root@Testing_L1 apr-1.7.4]# make

# apr make install
[root@Testing_L1 apr-1.7.4]# make install
[root@Testing_L1 apr-1.7.4]# cd ..

# Extract apr-util
[root@Testing_L1 local]# tar -xvzf apr-util-1.6.3.tar.gz
[root@Testing_L1 local]# cd apr-util-1.6.3

# Configure apr-util against the apr installed above
[root@Testing_L1 apr-util-1.6.3]# ./configure --with-apr=/usr/local/apr

# apr-util make
[root@Testing_L1 apr-util-1.6.3]# make

# apr-util make install
[root@Testing_L1 apr-util-1.6.3]# make install
[root@Testing_L1 apr-util-1.6.3]# cd ..

5.6 httpd installation

5.6.1 Extract the httpd package on /usr/local dir.

[root@Testing_L1 ~]# cd /usr/local/


[root@Testing_L1 local]# tar -xvzf httpd-2.4.58.tar.gz

5.6.2 Extract the apr and apr-util files in /usr/local/httpd-2.4.58/srclib

# Extracting apr
[root@Testing_L1 local]# tar -xvf apr-1.7.4.tar.gz -C httpd-2.4.58/srclib/

# Extracting apr-util
[root@Testing_L1 local]# tar -xvf apr-util-1.6.3.tar.gz -C httpd-2.4.58/srclib/

# Changing to the srclib directory in httpd and renaming the extracted directories:
# --with-included-apr expects them as srclib/apr and srclib/apr-util (no version suffix)
[root@Testing_L1 local]# cd httpd-2.4.58/srclib
[root@Testing_L1 srclib]# mv apr-1.7.4 apr
[root@Testing_L1 srclib]# mv apr-util-1.6.3 apr-util
[root@Testing_L1 srclib]# ls
[root@Testing_L1 srclib]# cd ..

5.6.3 Configure the apache with following step.

# Configure apache
[root@Testing_L1 httpd-2.4.58]# ./configure --enable-module=so --prefix=/usr/local/apache --with-pcre=/usr/bin/pcre-config --with-mpm=worker --with-included-apr --with-ssl=/usr/local/openssl --enable-http2 --with-nghttp2=/usr/local/nghttp2

# make & install
[root@Testing_L1 httpd-2.4.58]# make && make install

5.6.4 Copy required old files backup.

# Copy httpd.conf file
[root@Testing_L1 httpd-2.4.58]# cp -r /usr/local/apache_bkp/conf/httpd.conf /usr/local/apache2/conf/httpd.conf

# Copy ssl folder
[root@Testing_L1 httpd-2.4.58]# cp -r /usr/local/apache_bkp/conf/ssl /usr/local/apache2/conf/

# Copy httpd-ssl.conf file
[root@Testing_L1 httpd-2.4.58]# cp -r /usr/local/apache_bkp/conf/extra/httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf

# Copy htdocs folder
[root@Testing_L1 httpd-2.4.58]# cp -r /usr/local/apache_bkp/htdocs /usr/local/apache2/

# rename test-cgi file as test-cgi.org
[root@Testing_L1 httpd-2.4.58]# mv /usr/local/apache_bkp/cgi-bin/test-cgi /usr/local/apache2/cgi-bin/test-cgi.org

5.6.5 Make changes in httpd.conf and httpd-ssl.conf

- Next you need to enable HTTP/2. This involves adding the following lines to your
apache config.

[root@Testing_L1 local]# vi /usr/local/apache/conf/httpd.conf

###############Enable HTTP2.0#################
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
<IfModule http2_module>
LogLevel http2:info
</IfModule>

- Then cross-check in the httpd-ssl.conf file that the SSLCertificateFile,
SSLCertificateKeyFile and SSLCACertificateFile parameters point to files present on the given paths.
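A pre-restart check for the HTTP/2 settings above, added here as an example; it is not part of the Aurus document. The check_http2_conf function, the two constructed sample configs and the temp-file handling are assumptions of this example. It lints an httpd.conf for the LoadModule http2_module line, a Protocols directive that lists h2 or h2c, mod_ssl when h2 is advertised (h2 is only negotiated over TLS), and the absence of the prefork MPM, which mod_http2 does not serve; it prints one line per finding and returns non-zero, so it can run before apachectl -t.

```shell
#!/bin/sh
# Added example, not part of the Aurus document: lint an httpd.conf for the
# HTTP/2 settings described above. Takes a config path, prints one line per
# finding and returns non-zero if anything is wrong. Two constructed sample
# configs are written to temp files so the script runs stand-alone.

check_http2_conf() {
    conf="$1"
    rc=0
    # Without mod_http2 the Protocols directive is unknown and apachectl -t fails.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+http2_module[[:space:]]' "$conf" \
        || { echo "missing: LoadModule http2_module"; rc=1; }
    # Protocols must advertise h2 (TLS) and/or h2c (cleartext); listing them
    # before http/1.1 makes HTTP/2 the preferred protocol.
    protos=$(grep -E '^[[:space:]]*Protocols[[:space:]]' "$conf" | head -n 1)
    case "$protos" in
        *h2*) ;;
        *) echo "missing: Protocols line advertising h2 or h2c"; rc=1 ;;
    esac
    # h2 is negotiated via ALPN inside TLS, so it needs mod_ssl as well.
    case "$protos" in
        *"h2 "*|*"h2")
            grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]' "$conf" \
                || { echo "h2 listed but ssl_module is not loaded (only h2c would work)"; rc=1; } ;;
    esac
    # mod_http2 does not serve HTTP/2 under the prefork MPM; the document
    # builds httpd with --with-mpm=worker, which is fine.
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+mpm_prefork_module[[:space:]]' "$conf" \
        && { echo "prefork MPM loaded: HTTP/2 needs worker or event"; rc=1; }
    return $rc
}

GOOD_CONF=$(mktemp)
BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# Constructed sample: the document's HTTP/2 block plus mod_ssl.
cat >"$GOOD_CONF" <<'EOF'
ServerRoot "/usr/local/apache"
Listen 80
LoadModule ssl_module modules/mod_ssl.so
###############Enable HTTP2.0#################
LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
<IfModule http2_module>
LogLevel http2:info
</IfModule>
EOF

# Constructed sample: a packaged httpd.conf where HTTP/2 was never enabled.
cat >"$BAD_CONF" <<'EOF'
ServerRoot "/usr/local/apache"
Listen 80
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule ssl_module modules/mod_ssl.so
EOF

if check_http2_conf "$GOOD_CONF"; then
    echo "sample httpd.conf: HTTP/2 settings look complete"
fi
check_http2_conf "$BAD_CONF" || echo "sample packaged httpd.conf: HTTP/2 not enabled"
```

Run it against the live file as check_http2_conf /usr/local/apache/conf/httpd.conf. It inspects only the file it is given, so a Protocols line placed in conf/extra/httpd-ssl.conf would need that file checked as well.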

5.7 Mod caucho Installation

5.7.1 Extract the resin tar file in /usr/local

# Change to /usr/local/ directory


[root@Testing_L1 ~]# cd /usr/local/

# Extract resin4.0.64 package


[root@Testing_L1 local]# tar -xvzf resin4.0.64.tar.gz

5.7.2 Change older backup path and configure with apache2 and run

# Change to /usr/local/resin4.0.64 directory


[root@Testing_L1 local]# cd resin4.0.64

#change backup path in script


[root@Testing_L1 resin4.0.64]# vi resinInstall.sh

#run the script


[root@Testing_L1 resin4.0.64]# sh resinInstall.sh

5.7.3 Start apache service and verify

# To start apache service
[root@Testing_L1 ~]# /usr/local/apache/bin/apachectl start

# To check process
[root@Testing_L1 ~]# ps -ef | grep apache
root 7307 1 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7308 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7309 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
daemon 7310 7307 0 03:54 ? 00:00:00 /usr/local/apache/bin/httpd -k start
root 7404 7244 0 03:54 pts/0 00:00:00 grep --color=auto apache
[root@Testing_L1 ~]#


6. Modsecurity Installation
6.1 Modsecurity installation

- The libxml2-devel package has xz-devel as a dependency, so install both packages.

[root@Testing_L1 local]# rpm -ivh /usr/local/xz-devel-5.2.2-2.el7_9.x86_64.rpm
[root@Testing_L1 local]# rpm -ivh /usr/local/libxml2-devel-2.9.1-6.el7_9.6.x86_64.rpm

6.2 Create directory for modsecurity

- We will create a modsecurity directory in the /usr/local/apache/conf/ directory.

[root@Testing_L1 local]# cd /usr/local/apache/conf


[root@Testing_L1 conf]# mkdir modsecurity

6.3 Modsecurity package download

- Download and extract the modsecurity tar file from the github repo.

# Download modsecurity tar file
[root@Testing_L1 modsecurity]# wget https://github.com/SpiderLabs/ModSecurity/releases/download/v2.9.7/modsecurity-2.9.7.tar.gz
# Extract modsecurity tar file
[root@Testing_L1 modsecurity]# tar -xvf modsecurity-2.9.7.tar.gz
# change to modsecurity-2.9.7 directory
[root@Testing_L1 modsecurity]# cd modsecurity-2.9.7/

6.4 Configure modsecurity package and make install
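The build commands for this section are absent from the page. The following is an added example and not the document's own text: it wraps the usual ModSecurity 2.x source build (configure with --with-apxs, make, make install) behind two pre-flight checks. The build_modsecurity function name, the assumption that the 2.9.7 tree extracted in 6.3 sits under /usr/local/apache/conf/modsecurity/ and that the apxs tool of the httpd built in 5.6.3 is at /usr/local/apache/bin/apxs are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the Aurus document's own text: pre-flight checks around
# the ModSecurity 2.x source build. Assumes the ModSecurity 2.9.7 source tree
# from section 6.3 and apxs from the httpd install in section 5.6.3.

# build_modsecurity <source dir> <path to apxs>
# Returns 2 if apxs is missing, 3 if the source tree has no configure script,
# otherwise the exit status of configure / make / make install.
build_modsecurity() {
    src="$1"
    apxs="$2"
    # apxs ships with the httpd install; without it configure cannot locate
    # the Apache headers and mod_security2.so is never built.
    [ -x "$apxs" ] || { echo "apxs not found at $apxs: install httpd first" >&2; return 2; }
    [ -x "$src/configure" ] || { echo "no configure script in $src: is the tarball extracted?" >&2; return 3; }
    # libxml2 and pcre headers (installed in 6.1 and 5.2) are picked up by configure.
    ( cd "$src" && ./configure --with-apxs="$apxs" && make && make install )
}

# Usage for this document's layout (the build only runs if both checks pass):
build_modsecurity /usr/local/apache/conf/modsecurity/modsecurity-2.9.7 /usr/local/apache/bin/apxs \
    || echo "build skipped or failed (exit $?)"
```

After a successful build, mod_security2.so is installed into the httpd modules directory, which is what the LoadModule line in section 7.1 expects.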

6.5 Copy modsecurity config recommended file to modsecurity directory


# Switch to the modsecurity directory
[root@Testing_L1 modsecurity-2.9.7]# cd /usr/local/apache/conf/modsecurity/

# copy modsecurity.conf-recommended file as modsecurity.conf
[root@Testing_L1 modsecurity]# cp -rf modsecurity-2.9.7/modsecurity.conf-recommended /usr/local/apache/conf/modsecurity/modsecurity.conf

6.6 coreruleset package setup

- Download and extract the coreruleset tar file from the github repo below.

# Download coreruleset tar file
[root@Testing_L1 modsecurity-2.9.7]# wget https://github.com/coreruleset/coreruleset/archive/coreruleset-3.3.4.tar.gz

# Extract coreruleset tar file
[root@Testing_L1 modsecurity-2.9.7]# tar -xvf coreruleset-3.3.4.tar.gz

6.7 coreruleset config file setup

- Rename the extracted coreruleset-3.3.4 directory to coreruleset and copy its configuration
file.

# Rename coreruleset
[root@Testing_L1 modsecurity-2.9.7]# mv coreruleset-3.3.4 coreruleset

# change to coreruleset directory
[root@Testing_L1 modsecurity-2.9.7]# cd coreruleset

# copy crs-setup.conf.example file as crs-setup.conf
[root@Testing_L1 coreruleset]# cp -rf crs-setup.conf.example crs-setup.conf


7. Modsecurity Configuration
7.1 Enable modsecurity in httpd.conf

- Add the block of lines below at the bottom of the httpd.conf file to enable modsecurity on the
web server.

[root@Testing_L1 modsecurity]# vi /usr/local/apache/conf/httpd.conf

##################Mod_Sec#################
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule security2_module modules/mod_security2.so

<IfModule security2_module>
Include "/usr/local/apache/conf/modsecurity/modsecurity.conf"
Include "/usr/local/apache/conf/modsecurity/coreruleset/crs-setup.conf"
Include "/usr/local/apache/conf/modsecurity/coreruleset/rules/*.conf"
</IfModule>

7.2 Configure modsecurity parameters

- Now we have to make the configuration changes below.

[root@Testing_L1 modsecurity]# vi /usr/local/apache/conf/modsecurity/modsecurity.conf

SecRuleEngine On

- Add the rule below to avoid JS errors. Note that allow without an argument stops rule
processing for the whole transaction, so any request carrying Content-Type: text/plain is
passed through without being inspected by the remaining rules.

SecRule REQUEST_HEADERS:Content-Type "text/plain" "id:123,phase:1,t:none,nolog,allow"

- Comment out the default rule and add the rule below. With this change a request whose body
cannot be parsed is no longer rejected with 400; body inspection is switched off for that
request and it is passed on.

#SecRule REQBODY_ERROR "!@eq 0" \
#"id:'200002',phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002',phase:2,nolog,ctl:requestBodyAccess=off"

- Set the SecDebugLog, SecAuditLogStorageDir and SecAuditLog locations as below.

SecDebugLog /usr/local/apache/logs/modsec_debug.log
SecDebugLogLevel 3
SecAuditLogStorageDir /usr/local/apache/logs
SecAuditLogType Serial
SecAuditLog /usr/local/apache/logs/modsec_audit.log

- Comment out the unicode map file line below.

#SecUnicodeMapFile unicode.mapping 20127
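With SecAuditLogType Serial as set above, ModSecurity writes every relevant transaction to modsec_audit.log as a run of lettered parts. The summariser below is an added example, not from the Aurus document and not ModSecurity's own tooling; the function names, the constructed two-transaction sample log and the output format are this example's assumptions. For each completed transaction it prints the unique id, client address, response status, whether the request was blocked and the rule ids that fired, which is the first thing to look at when deciding whether a CRS rule needs tuning (as section 7.3 does for rule 920350) or whether a client needs review.

```shell
#!/bin/sh
# Added example, not from the Aurus document: summarise a ModSecurity 2.x
# audit log written with SecAuditLogType Serial. Each transaction is a run of
# parts delimited by "--<boundary>-<letter>--" and closed by "--<boundary>-Z--":
# part A holds the timestamp, unique id and client address, part F the response
# status line, and part H one "Message:" line per rule that fired, carrying
# [id "..."] and, for a blocked request, "Access denied with code ...".

# Constructed sample log: one blocked request and one warning-only request.
sample_audit() {
    cat <<'EOF'
--3f1a2b4c-A--
[12/Mar/2024:10:15:01 +0000] ZfAbCdEfGhIjKlMnOpQr 203.0.113.10 51234 198.51.100.5 443
--3f1a2b4c-B--
GET /index.html?id=1%27 HTTP/1.1
Host: ms17.example.com
--3f1a2b4c-F--
HTTP/1.1 403 Forbidden
Content-Type: text/html
--3f1a2b4c-H--
Message: Warning. detected SQLi using libinjection with fingerprint 's&1' [file "REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"]
Message: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--3f1a2b4c-Z--
--7d9e0f11-A--
[12/Mar/2024:10:16:42 +0000] ZfAbCdEfGhIjKlMnOpQs 192.0.2.77 40210 198.51.100.5 80
--7d9e0f11-B--
GET /healthz HTTP/1.1
Host: 198.51.100.5
--7d9e0f11-F--
HTTP/1.1 200 OK
--7d9e0f11-H--
Message: Warning. Pattern match "^[\d.:]+$" at REQUEST_HEADERS:Host. [file "REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [msg "Host header is a numeric IP address"] [severity "WARNING"]
--7d9e0f11-Z--
EOF
}

# Read a serial audit log on stdin and print one line per completed transaction:
#   <unique id> <client ip> <status> blocked=yes|no rules=<comma-separated ids>
# A transaction still being written (no Z part yet) is not printed.
summarize_audit() {
    awk '
    /^--[0-9a-fA-F]+-[A-Z]--$/ {
        part = substr($0, length($0) - 2, 1)
        if (part == "Z") {
            printf "%s %s %s blocked=%s rules=%s\n", uid, client, status, (denied ? "yes" : "no"), rules
            uid = client = status = rules = ""; denied = 0
        }
        next
    }
    part == "A" && NF >= 4 { uid = $3; client = $4 }
    part == "F" && $1 ~ /^HTTP\// { status = $2 }
    part == "H" && /^Message: / {
        if (match($0, /\[id "[0-9]+"\]/)) {
            id = substr($0, RSTART + 5, RLENGTH - 7)
            rules = (rules == "" ? id : rules "," id)
        }
        if ($0 ~ /Access denied with code/) denied = 1
    }'
}

# Distinct client addresses that had at least one request blocked.
blocked_clients() {
    summarize_audit | awk '$4 == "blocked=yes" { print $2 }' | sort -u
}

sample_audit | summarize_audit
```

On the live server run summarize_audit </usr/local/apache/logs/modsec_audit.log; piping the result through sort and uniq -c on the rules field shows which rule ids fire most often, which is where false-positive tuning starts.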

7.3 Configure coreruleset parameters

- Comment the lines below as per requirement; they can be edited in the crs-setup.conf file.

[root@Testing_L1 coreruleset]# vi /usr/local/apache/conf/modsecurity/coreruleset/crs-setup.conf

SecAction \
"id:900700,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.dos_burst_time_slice=60',\
setvar:'tx.dos_counter_threshold=100',\
setvar:'tx.dos_block_timeout=30'"

- Add the rules below to match IPs from a text file.

SecRule REMOTE_ADDR "@ipMatchFromFile ips.txt" \
"id:1002,phase:1,nolog,pass,ctl:ruleRemoveById=981231"

SecRule REMOTE_ADDR "@ipMatchFromFile ips.txt" \
"id:1001,phase:1,nolog,allow,ctl:ruleEngine=off"

- Add a file ips.txt to enter the IPs for whitelisting.

[root@Testing_L1 modsecurity-2.9.7]# touch /usr/local/apache/conf/modsecurity/coreruleset/ips.txt

- Comment out the rule below to avoid unnecessary logs.

vi /usr/local/apache/conf/modsecurity/coreruleset/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

#SecRule REQUEST_HEADERS:Host "@rx ^[\d.:]+$" \


"id:920350,\
phase:2,\
block,\
t:none,\
msg:'Host header is a numeric IP address',\
logdata:'%{MATCHED_VAR}',\
tag:'application-multi',\
tag:'language-multi',\
tag:'platform-multi',\
tag:'attack-protocol',\
tag:'paranoia-level/1',\
tag:'OWASP_CRS',\
tag:'capec/1000/210/272',\
tag:'PCI/6.5.10',\
ver:'OWASP_CRS/3.3.4',\
severity:'WARNING',\
setvar:'tx.anomaly_score_pl1=+%{tx.warning_anomaly_score}'"

- After making the above changes, stop and start the apache service to enable
modsecurity.

#apache config syntax check
[root@Testing_L1 modsecurity]# /usr/local/apache/bin/apachectl -t

#stop apache service
[root@Testing_L1 modsecurity]# /usr/local/apache/bin/apachectl stop

#start apache service
[root@Testing_L1 modsecurity]# /usr/local/apache/bin/apachectl start

- Now check in the apache error log whether mod_security is enabled.

[root@Testing_L1 modsecurity]# tail -f /usr/local/apache/logs/error_log


8. HTTPD Config -Enabled the line on config file


- Add the standard parameters below in the httpd.conf file. ServerRoot specifies the path
where the subdirectories conf and logs can be found.

[root@Testing_L1 local]# vi /usr/local/apache/conf/httpd.conf

ServerRoot "/usr/local/apache"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so


- User/Group: the name (or #number) of the user/group to run httpd as.

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

- Add or change ServerName as below and set the directory allow/deny rules.

###change server name as per server type###
ServerName ms17.auruspay.com:80

###Deny access to the entirety of your server filesystem###
<Directory />
<Limit TRACK>
deny from all
</Limit>
AllowOverride none
Require all denied
</Directory>

- Add DocumentRoot and the other parameters as below.

###DocumentRoot: the directory out of which you will serve your documents###
DocumentRoot "/usr/local/apache/htdocs"
<Directory "/usr/local/apache/htdocs">
Options -Indexes

###AllowOverride controls what directives may be placed in .htaccess files###
AllowOverride None

###Controls who can get stuff from this server###
Require all granted
</Directory>

###DirectoryIndex: sets the file that apache will serve if a directory is requested###
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>

###The following lines prevent .htaccess files from being viewed by web clients###
<Files ".ht*">
Require all denied
</Files>

###The location of the error log file###
ErrorLog "logs/error_log"
LogLevel warn

 Add below lines for modifying LogFormat in apache.

###Modifying LogFormat and enabling the module for the same###
###Each LogFormat is a single line; %{X-Forwarded-For}i is client-controlled and is logged unquoted, so a proxy chain ("a, b") contains spaces and must be parsed as a comma-separated list###

<IfModule log_config_module>
LogFormat "%h %t %{X-Forwarded-For}i %{uuid}o %{AurusRequestID}i %{AurusResponseID}o %{Connection}i %{Connection}o %l %u \"%r\" %>s %b \"%{Referer}i\" %D \"%{User-Agent}i\"" combined
LogFormat "%h %{X-Forwarded-For}i %{uuid}o %{AurusRequestID}i %{AurusResponseID}o %l %u %t \"%r\" %>s %b %D" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

###The location and format of the access logfile###

CustomLog "logs/access_log" common
</IfModule>

###ScriptAlias path; the alias module must be loaded for the same###

<IfModule alias_module>
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
</IfModule>
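Once the custom "common" LogFormat above is in place, access_log is the main evidence that the method restrictions and the proxy headers behave as intended. The following is an added example, not part of this document or of the Aurus configuration: a Python parser for exactly that field order, run over constructed sample lines, which reports non-GET/POST requests that were not rejected and X-Forwarded-For values that arrived from a peer that is not a trusted proxy. The trusted-proxy subnet 10.80.10.0/24, the sample addresses and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Field order of the document's "common" LogFormat:
#   %h %{X-Forwarded-For}i %{uuid}o %{AurusRequestID}i %{AurusResponseID}o %l %u %t "%r" %>s %b %D
# X-Forwarded-For is logged unquoted, so a proxy chain ("203.0.113.7, 192.0.2.1") contains a space;
# the pattern therefore accepts a comma-separated address list instead of a single token.
LINE_RE = re.compile(
    r"^(?P<host>\S+) "
    r"(?P<xff>-|[0-9A-Fa-f.:]+(?:,\s*[0-9A-Fa-f.:]+)*) "
    r"(?P<uuid>\S+) (?P<req_id>\S+) (?P<resp_id>\S+) "
    r"(?P<ident>\S+) (?P<user>\S+) "
    r"\[(?P<time>[^\]]+)\] "
    r'"(?P<request>[^"]*)" '
    r"(?P<status>\d{3}) (?P<bytes>-|\d+) (?P<micros>\d+)$"
)

# <LimitExcept GET POST> also lets HEAD through, because httpd treats HEAD as GET for <Limit>.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
# Assumption: the load balancer that sets X-Forwarded-For lives in this subnet.
TRUSTED_PROXIES = [ip_network("10.80.10.0/24")]


@dataclass
class Entry:
    host: str
    xff: str
    method: str
    path: str
    status: int
    micros: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access_log line in the document's common format; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    req = m.group("request").split(" ")
    method = req[0] if req[0] else "-"
    path = req[1] if len(req) > 1 else "-"
    return Entry(m.group("host"), m.group("xff"), method, path,
                 int(m.group("status")), int(m.group("micros")))


def client_ip(e: Entry) -> str:
    """Trust X-Forwarded-For only when the TCP peer (%h) is a known proxy.

    The proxy appends the address it saw, so the last element is the proxy's client;
    anything before it was supplied by the client and may be forged.
    """
    try:
        peer = ip_address(e.host)
    except ValueError:          # %h is a hostname when HostnameLookups is on
        return e.host
    if e.xff != "-" and any(peer in net for net in TRUSTED_PROXIES):
        return e.xff.split(",")[-1].strip()
    return e.host


def findings(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (code, detail) pairs for lines that contradict the hardening in httpd.conf."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            out.append(("UNPARSED", line.strip()))
            continue
        if e.method not in ALLOWED_METHODS and e.status < 400:
            out.append(("METHOD_NOT_BLOCKED",
                        f"{e.method} {e.path} answered {e.status} for {client_ip(e)}"))
        if e.xff != "-" and client_ip(e) == e.host:
            out.append(("UNTRUSTED_XFF", f"{e.host} is not a proxy but sent X-Forwarded-For {e.xff}"))
    return out


# Constructed sample lines (not taken from a real server).
SAMPLE_LINES = [
    '10.80.10.5 203.0.113.7 9f1c2d3e 4001 5001 - - [11/Mar/2024:10:15:32 +0530] "POST /pay HTTP/1.1" 200 512 1834',
    '198.51.100.9 - - - - - - [11/Mar/2024:10:15:40 +0530] "OPTIONS / HTTP/1.1" 403 199 120',
    '198.51.100.9 - - - - - - [11/Mar/2024:10:15:41 +0530] "PUT /upload HTTP/1.1" 200 0 300',
    '198.51.100.9 203.0.113.7 - - - - - [11/Mar/2024:10:15:42 +0530] "GET /index.html HTTP/1.1" 200 1024 200',
    '10.80.10.5 203.0.113.7, 192.0.2.1 - - - - - [11/Mar/2024:10:15:43 +0530] "GET /index.html HTTP/1.1" 200 1024 250',
    "not an access_log line",
]

if __name__ == "__main__":
    for code, detail in findings(SAMPLE_LINES):
        print(f"{code}: {detail}")
```

Run against the constructed lines it reports the PUT that was answered with 200, the X-Forwarded-For header sent directly by 198.51.100.9, and the unparseable line; the OPTIONS request that received 403 is the method block working as intended and is not reported.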

###Allow running CGI scripts from the /cgi-bin directory; the cgid module must be loaded for the same###
<IfModule cgid_module>
</IfModule>
<Directory "/usr/local/apache/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>

###Drop any client-supplied Proxy request header before CGI sees it (httpoxy mitigation); the module is named headers_module, matching the LoadModule line above###
<IfModule headers_module>
RequestHeader unset Proxy early
</IfModule>

###TypesConfig points to the file containing the list of mappings from filename extension to MIME type###

<IfModule mime_module>
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
</IfModule>

###Customizable error responses###


ErrorDocument 404 "Page Not Found"

Include conf/extra/httpd-mpm.conf
###httpd-userdir.conf enables per-user public_html directories; UserDir Disabled in the PCI section below turns them off again, so this Include can be dropped when per-user directories are not used###
Include conf/extra/httpd-userdir.conf

<IfModule proxy_html_module>
Include conf/extra/proxy-html.conf
</IfModule>

###Path of ssl conf file & enable module for same###


Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

###mod_caucho resin configuration###


LoadModule caucho_module /usr/local/apache/modules/mod_caucho.so
ResinConfigServer 172.xx.xx.196 6802
CauchoConfigCacheDirectory /tmp
CauchoStatus yes


###Security response headers (mod_headers); "always" also applies them to error responses###
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self';"
###"set" rather than "append" avoids a doubled X-Frame-Options value when the backend also sends one; default-src 'self' blocks inline scripts and styles, so test the application before enabling it in production###

###MPM worker parameters for better performance (2.4 directive names; MaxClients and MaxRequestsPerChild are the 2.2 spellings). ServerLimit x ThreadsPerChild = 200 x 50 = 10000 = MaxRequestWorkers, and these settings override the ones in httpd-mpm.conf because they come later in the file###

ServerLimit 200
StartServers 10
MinSpareThreads 500
MaxSpareThreads 1000
ThreadLimit 100
ThreadsPerChild 50
MaxRequestWorkers 10000
MaxConnectionsPerChild 10000

###PCI Changes###
TraceEnable Off
FileETag None
UserDir Disabled
ServerTokens ProductOnly
ServerSignature Off

###Block HTTP methods other than GET and POST (HEAD is treated as GET by <LimitExcept>; TRACE is already off)###
###One block replaces the two overlapping ones, using the 2.4 Require syntax rather than Order/Allow/Deny so that mod_access_compat and mod_authz_core are not mixed###

<Location />
<LimitExcept GET POST>
Require all denied
</LimitExcept>
</Location>
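The method block and the PCI directives above are easy to get wrong in a long httpd.conf: a later duplicate silently overrides an earlier value, or Order/Deny lines are left beside Require. As an added example, not part of this document or of the Aurus configuration, the Python audit below reads a httpd.conf-style fragment and flags the hardening points this section lists; the two embedded fragments are constructed for illustration. It is a line-oriented check for these specific directives, not a full httpd parser: it does not follow Include or evaluate <IfModule> conditions.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Directive values the PCI section requires (matched case-insensitively; the last occurrence wins, as in httpd).
REQUIRED: Dict[str, Tuple[str, ...]] = {
    "traceenable": ("off",),
    "servertokens": ("prod", "productonly"),
    "serversignature": ("off",),
    "fileetag": ("none",),
}
LEGACY_ACCESS = {"order", "allow", "deny"}  # mod_access_compat, the 2.2 style
SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")

Section = Tuple[str, str]  # (section name lower-cased, argument without surrounding quotes)


def directives(conf: str) -> Iterator[Tuple[List[Section], str, List[str]]]:
    """Yield (enclosing sections, directive name, arguments) for each non-comment line."""
    stack: List[Section] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
            continue
        parts = line.split()
        yield list(stack), parts[0].lower(), parts[1:]


def audit(conf: str) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means every check passed."""
    found: List[str] = []
    seen: Dict[str, str] = {}
    legacy_used = require_used = False
    for stack, name, args in directives(conf):
        lowered = [a.lower() for a in args]
        where = "/".join(f"<{s} {a}>" for s, a in stack) or "server config"
        if name in REQUIRED:
            seen[name] = lowered[0] if lowered else ""
        if name == "options" and any(a in ("indexes", "+indexes") for a in lowered):
            found.append(f"OPTIONS_INDEXES: directory listing enabled in {where}")
        if name in LEGACY_ACCESS:
            legacy_used = True
        if name == "require":
            require_used = True
            if lowered[:2] == ["all", "granted"] and stack and stack[-1] == ("directory", "/"):
                found.append("ROOT_GRANTED: Require all granted on <Directory /> exposes the whole filesystem")
        if name == "setinputfilter" and "deflate" in lowered:
            found.append(f"INPUT_DEFLATE: request bodies are decompressed in {where}; use SetOutputFilter only")
    for name, ok in REQUIRED.items():
        if seen.get(name) not in ok:
            found.append(f"MISSING_{name.upper()}: expected {'|'.join(ok)}, got {seen.get(name, 'unset')!r}")
    if legacy_used and require_used:
        found.append("MIXED_ACCESS: Order/Allow/Deny (2.2) mixed with Require (2.4); use Require throughout")
    return found


def codes(found: List[str]) -> List[str]:
    """Just the CODE part of each finding, for quick comparison."""
    return [f.split(":", 1)[0] for f in found]


# Constructed fragment with the mistakes the document's configuration avoids.
WEAK_EXAMPLE = """
ServerTokens Full
ServerSignature On
TraceEnable On
<Directory />
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Location />
    <LimitExcept GET POST>
        Order deny,allow
        Deny from all
    </LimitExcept>
    SetInputFilter DEFLATE
</Location>
"""

# Constructed fragment following the document's hardened settings.
HARDENED_EXAMPLE = """
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None
<Directory />
    Options -Indexes
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/apache/htdocs">
    Options -Indexes
    Require all granted
</Directory>
<Location />
    <LimitExcept GET POST>
        Require all denied
    </LimitExcept>
    SetOutputFilter DEFLATE
</Location>
"""

if __name__ == "__main__":
    for finding in audit(WEAK_EXAMPLE):
        print(finding)
    print("hardened fragment:", audit(HARDENED_EXAMPLE) or "clean")
```

Point it at the real file with audit(open("/usr/local/apache/conf/httpd.conf").read()); because the check applies the last value of each directive, it reports what httpd would actually use when a directive appears twice.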

###Resin documentation, admin console and direct JSP requests: forbidden###

<Location /resin-doc>
Require all denied
</Location>

<Location /resin-admin>
Require all denied
</Location>

###The original pattern "/*.jsp" does not escape the dot; "\.jsp" matches any URL path containing ".jsp"###
<LocationMatch "\.jsp">
Require all denied
</LocationMatch>

###Compress responses (JS, CSS, HTML) with mod_deflate###
###SetInputFilter DEFLATE is not needed for this: it decompresses gzip-encoded request bodies, letting a small request expand into a large one, so only the output filter is set###
<Location />
SetOutputFilter DEFLATE
</Location>


###Allow/Deny location for caucho-status (enabled by CauchoStatus yes above); multiple Require lines are combined as RequireAny###

<Location /caucho-status>
Require ip 103.210.200.34
Require ip 10.80.10.0/24
Require ip 10.20.10.0/24
Require ip 10.30.10.0/24
Require ip 10.40.10.0/24
Require ip 150.129.131.50
</Location>


9. SSL Certificate Renewal

9.1 SSL Certificate Renewal on the Web Server

 First copy the required certificate, key and bundle files from the local system to the server. Keep the private key readable by root only; httpd reads it at startup before switching to the daemon user.
 Then take a backup of the existing httpd-ssl.conf before editing it:

[root@Testing_L1 local]# cp -p /usr/local/apache/conf/extra/httpd-ssl.conf /usr/local/apache/conf/extra/httpd-ssl.conf_bak
[root@Testing_L1 local]#

9.2 Adding the SSL certificates on the web server

 Configure the <VirtualHost> block for the SSL-enabled site. The paths below are from the 11Mar2024 renewal and change with each renewal; ServerName must match the name in the certificate's subject or subject alternative names.

<VirtualHost 192.xxx.xx.1:443>
DocumentRoot /usr/local/apache/htdocs
ServerName www.servername.com
SSLEngine on
SSLCertificateFile "/usr/local/apache/conf/ssl/11Mar2024/558c5b36f41d3b53.crt"
SSLCertificateKeyFile "/usr/local/apache/conf/ssl/11Mar2024/*.auruspay.com.key"
SSLCertificateChainFile "/usr/local/apache/conf/ssl/11Mar2024/gd_bundle-g2-g1.crt"
</VirtualHost>

 SSLCertificateChainFile is deprecated from Apache 2.4.8; the intermediate bundle may instead be appended to the file named by SSLCertificateFile, after the server certificate.

9.3 Restart the Apache service

 Validate the configuration syntax first (apachectl configtest) so that a typo in httpd-ssl.conf or a key that does not match the certificate does not leave the server down, then restart:

[root@Testing_L1 local]# /usr/local/apache/bin/apachectl restart
