How to install APACHE Web Server on RHEL 7 - nomorespice/rhel7-howto GitHub Wiki

The Apache HTTP Server ("httpd") was launched in 1995 and it has been the most popular web server on the Internet since April 1996. This procedure will guide you through the installation process on a Red Hat Enterprise Linux 7 server.

This document assumes that:

  • you installed the RHEL 7 x64 Operating System according to How to install RHEL 7 via kickstart
  • you are performing these tasks as root
  • you are performing these tasks in order, as some tasks require others to be completed first

Add and disable the EPEL repository and install required software

yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum-config-manager --disable epel
yum -y install httpd mod_ssl mod_security openssl php php-mysql php-gd php-mbstring

Replace the default /etc/httpd/conf/httpd.conf file

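Be sure to replace HOSTNAME.EXAMPLE.COM (in ServerName and, with escaped dots, in the RewriteCond line) and EMAIL with your server's FQDN and the administrator's contact address.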

mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
/bin/cat << 'EOT' >/etc/httpd/conf/httpd.conf
ServerTokens ProductOnly 
ServerSignature Off 
ServerRoot "/etc/httpd" 
Include conf.modules.d/*.conf 
User apache 
Group apache 
ServerAdmin EMAIL 
ServerName HOSTNAME.EXAMPLE.COM 
<Directory /> 
    AllowOverride None 
    Require all denied 
    <LimitExcept GET POST OPTIONS> 
        Require all denied 
    </LimitExcept> 
</Directory> 
DocumentRoot "/var/www/html" 
<Directory "/var/www"> 
    AllowOverride None 
    Require all granted 
</Directory> 
<Directory "/var/www/html"> 
    AddType text/html .shtml 
    AddOutputFilter INCLUDES .shtml 
    Options None 
    AllowOverride None 
    Require all granted 
</Directory> 
<IfModule dir_module> 
    DirectoryIndex index.html index.php 
</IfModule> 
<FilesMatch "^\.ht"> 
    Require all denied 
</FilesMatch> 
<Files ".ht*"> 
    Require all denied 
</Files> 
ErrorLog "logs/error_log" 
LogLevel notice core:info 
<IfModule log_config_module> 
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined   
    LogFormat "%h %l %u %t \"%r\" %>s %b" common 
    <IfModule logio_module> 
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio 
    </IfModule> 
    CustomLog "logs/access_log" combined 
</IfModule> 
<IfModule alias_module> 
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" 
</IfModule> 
<Directory "/var/www/cgi-bin"> 
    AllowOverride None 
    Options None 
    Require all granted 
</Directory> 
<IfModule mime_module> 
    TypesConfig /etc/mime.types 
    AddType application/x-compress .Z 
    AddType application/x-gzip .gz .tgz 
    AddType text/html .shtml 
    AddOutputFilter INCLUDES .shtml 
</IfModule> 
AddDefaultCharset UTF-8 
<IfModule mime_magic_module> 
    MIMEMagicFile conf/magic 
</IfModule> 
EnableSendfile on 
IncludeOptional conf.d/*.conf 
RewriteEngine on 
RewriteCond %{HTTP_HOST} !^HOSTNAME\.EXAMPLE\.COM [NC] 
RewriteCond %{THE_REQUEST} !HTTP/1\.1$ 
RewriteCond %{REQUEST_URI} !^/error [NC] 
RewriteRule ^.(.*) - [L,F] 
Header unset ETag 
FileETag None 
Header always append X-Frame-Options SAMEORIGIN 
TraceEnable off 
TimeOut 10 
KeepAlive On 
MaxKeepAliveRequests 100 
KeepAliveTimeout 15 
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 
LimitRequestline 512 
LimitRequestFields 100 
LimitRequestFieldsize 1024 
LimitRequestBody 102400
EOT

Replace the default /etc/httpd/conf.d/ssl.conf file

Be sure to replace IPADDRESS and HOSTNAME.

mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig
/bin/cat << 'EOT' >/etc/httpd/conf.d/ssl.conf
Listen [IPADDRESS]:443 https 
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog 
SSLSessionCache shmcb:/run/httpd/sslcache(512000) 
SSLSessionCacheTimeout 300 
SSLRandomSeed startup file:/dev/urandom 256 
SSLRandomSeed connect builtin 
SSLCryptoDevice builtin
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
<VirtualHost _default_:443> 
ServerName HOSTNAME.EXAMPLE.COM:443 
ErrorLog logs/ssl_error_log 
TransferLog logs/ssl_access_log 
LogLevel warn 
SSLInsecureRenegotiation off 
SSLCompression off 
Header always set Strict-Transport-Security "max-age=600" 
SSLEngine on 
SSLProtocol -ALL +TLSv1.2 
SSLHonorCipherOrder On 
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!MD5:!RC4:!aNULL:!3DES:!IDEA 
SSLCertificateFile /etc/letsencrypt/live/HOSTNAME.EXAMPLE.COM/fullchain.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/HOSTNAME.EXAMPLE.COM/privkey.pem 
<Files ~ "\.(cgi|shtml|phtml|php3?)$"> 
    SSLOptions +StdEnvVars 
</Files> 
<Directory "/var/www/cgi-bin"> 
    SSLOptions +StdEnvVars 
</Directory> 
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOT

Install the certbot software package to download the Let's Encrypt SSL certificate

This process requires a TXT resource record to be created in your hosted DNS domain.

  • Be sure to replace HOSTNAME.EXAMPLE.COM with your host FQDN

yum -y --enablerepo=epel install certbot
certbot certonly --manual -d HOSTNAME.EXAMPLE.COM --preferred-challenges dns

Disable unnecessary modules

/bin/sed -i 's/LoadModule/#LoadModule/g' /etc/httpd/conf.modules.d/00-dav.conf
/bin/sed -i 's/LoadModule status_module/#LoadModule status_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule autoindex_module/#LoadModule autoindex_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule/#LoadModule/g' /etc/httpd/conf.modules.d/00-proxy.conf
/bin/sed -i 's/LoadModule userdir_module/#LoadModule userdir_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule info_module/#LoadModule info_module/g' /etc/httpd/conf.modules.d/00-base.conf

Set the Options directive to None in /etc/httpd/conf.d/userdir.conf

/bin/sed -i 's/Options.*/Options None/' /etc/httpd/conf.d/userdir.conf

Disable /etc/httpd/conf.d/autoindex.conf

/bin/mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig

Add weekly rotation to the httpd log files and keep 13 weeks of history

/bin/sed -i "/notifempty/ i \ \ \ \ weekly" /etc/logrotate.d/httpd
/bin/sed -i "/weekly/ i \ \ \ \ rotate 13" /etc/logrotate.d/httpd

Enable and start the httpd service

systemctl enable httpd
systemctl start httpd
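
Verify the result

The script below is an added example, not part of the original wiki. It checks that no template placeholder was left in the two configuration files, that the configuration parses, and that the modules disabled above are not loaded. The function names and the `--live` switch are hypothetical, and the dav*/proxy*/lbmethod* naming of the modules in 00-dav.conf and 00-proxy.conf is an assumption.

```shell
#!/bin/bash
# Added example (not from the original wiki): checks for the files written above.
# Function names are hypothetical.

# Print every line that still holds one of this page's placeholders
# (HOSTNAME, EMAIL, IPADDRESS, EXAMPLE). Returns 1 if any file has one.
check_placeholders() {
    local rc=0 f
    for f in "$@"; do
        if grep -nHwE 'HOSTNAME|EMAIL|IPADDRESS|EXAMPLE' "$f"; then
            rc=1
        fi
    done
    return $rc
}

# Read `httpd -M` output on stdin and print modules that the sed commands
# above should have disabled but that are still loaded. Returns 1 if any.
# Assumption: modules from 00-dav.conf and 00-proxy.conf are named
# dav*, proxy* and lbmethod*.
unexpected_modules() {
    local found
    found=$(awk '{print $1}' |
        grep -E '^((dav|proxy|lbmethod)(_[a-z0-9]+)?|status|autoindex|userdir|info)_module$') || true
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run all checks against the live system (as root, on the configured host).
audit_live() {
    local rc=0
    check_placeholders /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf || rc=1
    apachectl configtest || rc=1   # syntax errors, missing certificate files
    httpd -M 2>/dev/null | unexpected_modules || rc=1
    return $rc
}

# Only touch the system when asked to: ./audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_live
fi
```

A non-zero exit status from `audit_live` means at least one check failed; the offending lines or module names are printed.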