Enable Apache Mod Rewrite (.htaccess) and Mod SSL

Posted under » Apache » Drupal » LAMP Security on 11 November 2014

In Ubuntu 14.04 - 18.04, it's surprisingly easy. Don't try to create a softlink.

In both cases, you need to restart Apache for the modules to take effect.

a2enmod rewrite

The command activates the module or, if it is already activated, displays the words "Module rewrite already enabled".

For mod rewrite, the Apache config file must have this.

	<Directory /var/www/drupal/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>

This, however, could be a security risk since you are allowing Indexes and FollowSymLinks. You close this risk by putting a .htaccess file in the root folder. This is what it typically looks like; it was inspired by Drupal.

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Set the default handler.
DirectoryIndex index.php

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_value magic_quotes_gpc                0
  php_value register_globals                0
  php_value session.auto_start              0
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_value mbstring.encoding_translation   0
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^whatyouseeurl$ 041.php
</IfModule>

Please see a more detailed article.
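The following is an added example, not code from the original post: a small Python check that computes whether directory listing is still enabled once the root .htaccess is merged over the `<Directory>` block, following Apache's rule that bare `Options` values replace the inherited set while `+`/`-` values adjust it. The function names and the sample strings are constructed for illustration.

```python
import re

ALL = {"execcgi", "followsymlinks", "includes", "indexes", "symlinksifownermatch"}  # "All" excludes MultiViews

def expand(token):
    name = token.lstrip("+-").lower()
    return ALL if name == "all" else set() if name == "none" else {name}

def apply_options(base, tokens):
    """Apache merge rule: +/- tokens adjust the inherited set, bare tokens replace it."""
    if not any(t[0] in "+-" for t in tokens):
        return set().union(*(expand(t) for t in tokens))
    result = set(base)
    for t in tokens:
        result = result - expand(t) if t.startswith("-") else result | expand(t)
    return result

def parse_directory_blocks(conf_text):
    """Map each <Directory> path to its Options and AllowOverride settings."""
    blocks, current = {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+?)/?"?\s*>', line, re.I)
        if opened:
            current = blocks.setdefault(opened.group(1), {"options": set(), "allowoverride": set()})
        elif line.lower().startswith("</directory"):
            current = None
        elif current is not None and line and not line.startswith("#"):
            words = line.split()
            if words[0].lower() == "options":
                current["options"] = apply_options(current["options"], words[1:])
            elif words[0].lower() == "allowoverride":
                current["allowoverride"] = {w.lower() for w in words[1:]}
    return blocks

def effective_options(block, htaccess_text):
    """Merge .htaccess Options over the vhost block, if AllowOverride permits it."""
    opts = set(block["options"])
    if any(a == "all" or a.startswith("options") for a in block["allowoverride"]):
        for words in map(str.split, htaccess_text.splitlines()):
            if words and words[0].lower() == "options":
                opts = apply_options(opts, words[1:])
    return opts

def listing_exposed(conf_text, htaccess_text=""):
    blocks = parse_directory_blocks(conf_text)
    return {path: "indexes" in effective_options(b, htaccess_text) for path, b in blocks.items()}

# Constructed sample input, modelled on the <Directory> block and .htaccess shown on this page.
VHOST = "<Directory /var/www/drupal/>\nOptions Indexes FollowSymLinks MultiViews\nAllowOverride All\n</Directory>\n"
HTACCESS = "# Don't show directory listings\nOptions -Indexes\nOptions +FollowSymLinks\n"
```

`listing_exposed(VHOST)` reports the directory as listable, while `listing_exposed(VHOST, HTACCESS)` does not; every directory without such a .htaccess keeps the `Indexes` setting from the vhost block.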

You can also block certain pages with .htaccess, e.g. block WordPress xmlrpc.php requests but allow access from a certain IP. You can also safeguard certain files, such as images or txt files, against unauthorised access.

<Files xmlrpc.php>
   order deny,allow
   deny from all
   allow from 123.123.123.123
</Files>

To enable Apache mod_ssl, do this.

a2enmod ssl

The Apache config for SSL sites is longish. Here I omit the common directives, such as the Directory block.

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerName www.secure.sg
		ServerAdmin webmaster@secure.sg

		SSLEngine on

		SSLCertificateFile /ssl/secure.sg.crt
		SSLCertificateKeyFile /ssl/secure.sg.key
		SSLCertificateChainFile /ssl/DigiCertCA.crt

		<FilesMatch "\.(cgi|shtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>

		BrowserMatch "MSIE [2-6]" \
				nokeepalive ssl-unclean-shutdown \
				downgrade-1.0 force-response-1.0
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
</IfModule>

If you want to set up both https and http in one config, you can do this.

<VirtualHost *:80>
	ServerName loop.asia
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/lkycomsg

	<Directory /home/hanafi/www/lkycomsg/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error-lkycomsg.log
	CustomLog ${APACHE_LOG_DIR}/access-lkycomsg.log combined

</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
		ServerName loop.asia

		DocumentRoot /home/hanafi/www/loopcomsg

		ErrorLog ${APACHE_LOG_DIR}/error-lkycomsg-ssl.log
		CustomLog ${APACHE_LOG_DIR}/access-lkycomsg-ssl.log combined

		SSLEngine on

		SSLCertificateFile    /etc/apache2/ssl/lkycomsg.crt
		SSLCertificateKeyFile /etc/apache2/ssl/lkycomsg.key

		<FilesMatch "\.(cgi|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>

	</VirtualHost>
</IfModule>

See also how to enable Apache mod_rewrite and mod_headers in Ubuntu server.

 
