Apache cheat sheet
0 likes140 views
The Apache HTTP Server, commonly called Apache, is a free and open-source cross-platform web server software released under the terms of the Apache License 2.0. The document provides a cheat sheet of useful commands and configurations for Apache including listing virtual hosts and modules, rewriting URLs, authentication, log rotation, data privacy, and security mitigations.
![ApacheCheatSheet
TheApacheHTTPServer,colloquiallycalledApache,isafreeandopen-source
cross-platformwebserversoftware,releasedunderthetermsofApacheLicense2.0.
bylam
Misc
ListVHostPrecedence
apache2ctl -S
Listactivemodules
apache2ctl -M
RewriteonFilePattern
RewriteCond %{REQUEST_F
ILENAME} (.*).(html|ht
m)$
RewriteonUserAgent
RewriteCond %{HTTP_USER
_AGENT} (iPhone|iPad)
Rewriteandaddenvironment
variabletorequest(for
examplepassalongremote
user)
RewriteRule .* - [E=PRO
XY_USER:%{LA-U:REMOTE_U
SER}]
Since2.0.49Apachehasan
exceptionhooktohandle
crashes.
EnableExceptionHook on
htaccessdoesn'twork:
AllowOverride All
environmentvariablesvia
.htaccess:
SetEnv VARNAME somevalu
e
Authentication
Skipauthenticationforcertain
URIs
Require expr %{REQUEST_
URI} =~ m#<some pattern
>#
LogRotation
PipeCustomLogtoascript:
LoadModule logio_modul
e modules/mod_logio.so
<IfModule mod_logio.c>
CustomLog "| so
me-script.sh" "%h %l %
u %t "%r" %>s %b "%
{Referer}i" "%{User-a
gent}i""
</IfModule>
DologrotationusingApaches
logrotatescript:
CustomLog "|/usr/local/
apache/bin/rotatelogs /
var/log/access_log 8640
0" common
Performlogrotationwith
cronolog:
CustomLog "|/usr/local/
sbin/cronolog /logs/%m-
%d-%Y-access.log" combi
ned
DataPrivacy
Alternativestoavoidtracking
usersbyIP:
CompletelyremoveIPs:
Replace%hinyou
LogFormatwith"-",this
ensuresalllogreading
toolscanstillparsethe
logs
Truncate/replacetheIPs
duringlogrotation.
UseapipedCustomLog
andreplacetheIPad-
hoc.HereisasimpleIPv4
onlyexamplewithsed
CustomLog"|$/bin/sed
's/^([^.].[^.].[^.].)[0-9][0-9]
(.*)$/1.02/'
>>logs/accesslog"
truncatedip
TruncatetheIPusing
rewriterules,by
extractingallbutthelast
octectoftheIPusing
RewriteCondregexand
savetheresultwiththe
lastoctectsetto0inan
envvariableina
RewriteRule,finallyuse
theenvvariableinthe
LogFormat
#Note:alsoneedsaIPv6
Mitigatingsecurity
issues
HideServerName
ServerSignature Off
ServerTokens Prod
DisableSSLv2andSSLv3
SSLProtocol all -SSLv2
-SSLv3
DHdowngrade
openssl dhparam -out dh
params.pem 2048
](https://image.slidesharecdn.com/apachecheatsheet-200609154744/85/Apache-cheat-sheet-1-320.jpg)
![CheatSheetMaker.com SimpleCheatSheet.com
patternRewriteCond%
{REMOTEADDR}
^(d+.d+.d+.)d+$
RewriteRule"^/.*""/$1"
[E=truncatedip:%1]
LogFormat"%
{ENV:truncatedip}%l%u
%t"%r"%>s%b…"
truncatedip
andloaditfromApache
config
SSLOpenSSLConfCmd DHPar
ameters "{path to dhpar
ams.pem}"
SaneCiphers
SSLCipherSuite
ECDHE-RSA-AES128-GCM-S
HA256:ECDHE-ECDSA-AES12
8-GCM-SHA256:ECDHE-RSA-
AES256-GCM-SHA384:ECDHE
-ECDSA-AES256-GCM-SHA38
4:DHE-RSA-AES128-GCM-SH
A256:DHE-DSS-AES128-GCM
-SHA256:kEDH+AESGCM:ECD
HE-RSA-AES128-SHA256:EC
DHE-ECDSA-AES128-SHA25
6:ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:
ECDHE-RSA-AES256-SHA38
4:ECDHE-ECDSA-AES256-SH
A384:ECDHE-RSA-AES256-S
HA:ECDHE-ECDSA-AES256-S
HA:DHE-RSA-AES128-SHA25
6:DHE-RSA-AES128-SHA:DH
E-DSS-AES128-SHA256:DHE
-RSA-AES256-SHA256:DHE-
DSS-AES256-SHA:DHE-RSA-
AES256-SHA:AES128-GCM-S
HA256:AES256-GCM-SHA38
4:AES128-SHA256:AES256-
SHA256:AES128-SHA:AES25
6-SHA:AES:CAMELLIA:DES-
CBC3-SHA:!aNULL:!eNUL
L:!EXPORT:!DES:!RC4:!MD
5:!PSK:!aECDH:!EDH-DSS-
DES-CBC3-SHA:!EDH-RSA-D
ES-CBC3-SHA:!KRB5-DES-C
BC3-SHA
SSLHonorCipherOrder
on
](https://image.slidesharecdn.com/apachecheatsheet-200609154744/85/Apache-cheat-sheet-2-320.jpg)
Apache cheat sheet
- 1. ApacheCheatSheet TheApacheHTTPServer,colloquiallycalledApache,isafreeandopen-source cross-platformwebserversoftware,releasedunderthetermsofApacheLicense2.0. bylam Misc ListVHostPrecedence apache2ctl -S Listactivemodules apache2ctl -M RewriteonFilePattern RewriteCond %{REQUEST_F ILENAME} (.*).(html|ht m)$ RewriteonUserAgent RewriteCond %{HTTP_USER _AGENT} (iPhone|iPad) Rewriteandaddenvironment variabletorequest(for examplepassalongremote user) RewriteRule .* - [E=PRO XY_USER:%{LA-U:REMOTE_U SER}] Since2.0.49Apachehasan exceptionhooktohandle crashes. EnableExceptionHook on htaccessdoesn'twork: AllowOverride All environmentvariablesvia .htaccess: SetEnv VARNAME somevalu e Authentication Skipauthenticationforcertain URIs Require expr %{REQUEST_ URI} =~ m#<some pattern ># LogRotation PipeCustomLogtoascript: LoadModule logio_modul e modules/mod_logio.so <IfModule mod_logio.c> CustomLog "| so me-script.sh" "%h %l % u %t "%r" %>s %b "% {Referer}i" "%{User-a gent}i"" </IfModule> DologrotationusingApaches logrotatescript: CustomLog "|/usr/local/ apache/bin/rotatelogs / var/log/access_log 8640 0" common Performlogrotationwith cronolog: CustomLog "|/usr/local/ sbin/cronolog /logs/%m- %d-%Y-access.log" combi ned DataPrivacy Alternativestoavoidtracking usersbyIP: CompletelyremoveIPs: Replace%hinyou LogFormatwith"-",this ensuresalllogreading toolscanstillparsethe logs Truncate/replacetheIPs duringlogrotation. UseapipedCustomLog andreplacetheIPad- hoc.HereisasimpleIPv4 onlyexamplewithsed CustomLog"|$/bin/sed 's/^([^.].[^.].[^.].)[0-9][0-9] (.*)$/1.02/' >>logs/accesslog" truncatedip TruncatetheIPusing rewriterules,by extractingallbutthelast octectoftheIPusing RewriteCondregexand savetheresultwiththe lastoctectsetto0inan envvariableina RewriteRule,finallyuse theenvvariableinthe LogFormat #Note:alsoneedsaIPv6 Mitigatingsecurity issues HideServerName ServerSignature Off ServerTokens Prod DisableSSLv2andSSLv3 SSLProtocol all -SSLv2 -SSLv3 DHdowngrade openssl dhparam -out dh params.pem 2048
- 2. CheatSheetMaker.com SimpleCheatSheet.com patternRewriteCond% {REMOTEADDR} ^(d+.d+.d+.)d+$ RewriteRule"^/.*""/$1" [E=truncatedip:%1] LogFormat"% {ENV:truncatedip}%l%u %t"%r"%>s%b…" truncatedip andloaditfromApache config SSLOpenSSLConfCmd DHPar ameters "{path to dhpar ams.pem}" SaneCiphers SSLCipherSuite ECDHE-RSA-AES128-GCM-S HA256:ECDHE-ECDSA-AES12 8-GCM-SHA256:ECDHE-RSA- AES256-GCM-SHA384:ECDHE -ECDSA-AES256-GCM-SHA38 4:DHE-RSA-AES128-GCM-SH A256:DHE-DSS-AES128-GCM -SHA256:kEDH+AESGCM:ECD HE-RSA-AES128-SHA256:EC DHE-ECDSA-AES128-SHA25 6:ECDHE-RSA-AES128-SHA: ECDHE-ECDSA-AES128-SHA: ECDHE-RSA-AES256-SHA38 4:ECDHE-ECDSA-AES256-SH A384:ECDHE-RSA-AES256-S HA:ECDHE-ECDSA-AES256-S HA:DHE-RSA-AES128-SHA25 6:DHE-RSA-AES128-SHA:DH E-DSS-AES128-SHA256:DHE -RSA-AES256-SHA256:DHE- DSS-AES256-SHA:DHE-RSA- AES256-SHA:AES128-GCM-S HA256:AES256-GCM-SHA38 4:AES128-SHA256:AES256- SHA256:AES128-SHA:AES25 6-SHA:AES:CAMELLIA:DES- CBC3-SHA:!aNULL:!eNUL L:!EXPORT:!DES:!RC4:!MD 5:!PSK:!aECDH:!EDH-DSS- DES-CBC3-SHA:!EDH-RSA-D ES-CBC3-SHA:!KRB5-DES-C BC3-SHA SSLHonorCipherOrder on