How to install APACHE Web Server on RHEL 8 - nomorespice/rhel8-howto GitHub Wiki
The Apache HTTP Server ("httpd") was launched in 1995 and it has been the most popular web server on the Internet since April 1996. This procedure will guide you through the installation process on a Red Hat Enterprise Linux 8 server.
This document assumes that:
- you installed the RHEL 8 x64 Operating System according to "How to install RHEL 8 via kickstart"
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
yum-config-manager --disable epel
dnf -y install httpd httpd-tools mod_ssl mod_security openssl
dnf -y install mariadb-server mariadb
systemctl enable --now mariadb
mysql_secure_installation
dnf -y install php php-fpm php-mysqlnd php-opcache php-gd php-xml php-mbstring
systemctl enable --now php-fpm
Be sure to replace HOSTNAME and the admin contact EMAIL in the file below, including the HOSTNAME\.EXAMPLE\.COM pattern in the RewriteCond line.
mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig
/bin/cat <<\EOT >/etc/httpd/conf/httpd.conf
ServerTokens ProductOnly
ServerSignature Off
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin EMAIL
ServerName HOSTNAME
<Directory />
AllowOverride None
Require all denied
<LimitExcept GET POST OPTIONS>
Require all denied
</LimitExcept>
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
Options None
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel notice core:info
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
RewriteEngine on
RewriteCond %{HTTP_HOST} !^HOSTNAME\.EXAMPLE\.COM [NC]
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
Header unset ETag
FileETag None
Header always append X-Frame-Options SAMEORIGIN
TraceEnable off
TimeOut 10
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
LimitRequestline 512
LimitRequestFields 100
LimitRequestFieldsize 1024
LimitRequestBody 102400
EOT
Be sure to replace IPADDRESS and HOSTNAME.
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.orig
/bin/cat <<\EOT >/etc/httpd/conf.d/ssl.conf
Listen IPADDRESS:443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
Protocols h2 http/1.1
<VirtualHost _default_:443>
ServerName HOSTNAME:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLInsecureRenegotiation Off
SSLCompression Off
Header always set Strict-Transport-Security "max-age=600"
SSLEngine On
SSLProtocol -ALL +TLSv1.2
SSLHonorCipherOrder On
SSLCipherSuite ALL:!EXP:!NULL:!LOW:!SSLv2:!MD5:!RC4:!aNULL:!3DES:!IDEA
SSLCertificateFile /etc/letsencrypt/live/HOSTNAME/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/HOSTNAME/privkey.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
EOT
This process requires that a TXT resource record be created in your hosted DNS domain.
- Be sure to replace HOSTNAME.EXAMPLE.COM with your host FQDN
- If you are running FIPS mode, then you must disable FIPS before running certbot
/usr/bin/fips-mode-setup --disable
reboot
Then continue below
yum -y --enablerepo=epel install certbot
certbot certonly --manual -d HOSTNAME.EXAMPLE.COM --preferred-challenges dns
/bin/sed -i 's/LoadModule/#LoadModule/g' /etc/httpd/conf.modules.d/00-dav.conf
/bin/sed -i 's/LoadModule status_module/#LoadModule status_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule autoindex_module/#LoadModule autoindex_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule authn/#LoadModule authn/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule userdir_module/#LoadModule userdir_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule info_module/#LoadModule info_module/g' /etc/httpd/conf.modules.d/00-base.conf
/bin/sed -i 's/LoadModule proxy/#LoadModule proxy/g' /etc/httpd/conf.modules.d/10-proxy_h2.conf
/bin/sed -i 's/Options.*/Options None/' /etc/httpd/conf.d/userdir.conf
/bin/mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig
/usr/bin/touch /etc/httpd/conf.d/autoindex.conf
/bin/sed -i "/notifempty/ i \ \ \ \ weekly" /etc/logrotate.d/httpd
/bin/sed -i "/weekly/ i \ \ \ \ rotate 13" /etc/logrotate.d/httpd
setsebool -P httpd_execmem 1
setsebool -P httpd_unified 1
setsebool -P httpd_use_nfs 1
chown apache:apache /var/www/html -R
restorecon -Rv /var/www/html
systemctl enable --now httpd
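The following check is an added example, not part of the original wiki: it counts active lines that still carry a HOSTNAME, EMAIL or IPADDRESS placeholder and reports which of four hardening directives from the httpd.conf above are missing or changed. The function names and the sample fragment are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the wiki): audit a config file written by this procedure.
# Function names and the sample fragment are constructed for illustration.

# Count active (non-comment) lines that still contain one of the page's
# placeholder tokens as a whole word.
count_placeholders() {
    grep -vE '^[[:space:]]*#' "$1" | grep -cwE 'HOSTNAME|EMAIL|IPADDRESS' || true
}

# Print each hardening directive from the page's httpd.conf that is missing
# or set to a different value. Apache directive names are case-insensitive.
missing_hardening() {
    while read -r name value; do
        grep -qiE "^[[:space:]]*${name}[[:space:]]+${value}[[:space:]]*\$" "$1" \
            || echo "$name $value"
    done <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
TraceEnable off
FileETag None
EOF
}

# Constructed sample: ServerName was never edited and TraceEnable is absent.
make_sample() {
    cat >"$1" <<'EOF'
ServerTokens ProductOnly
ServerSignature Off
ServerAdmin webmaster@example.com
ServerName HOSTNAME
# RewriteCond %{HTTP_HOST} !^HOSTNAME\.EXAMPLE\.COM [NC]
FileETag None
EOF
}

sample=$(mktemp)
make_sample "$sample"
echo "placeholder lines: $(count_placeholders "$sample")"
echo "missing or changed: $(missing_hardening "$sample")"
rm -f "$sample"
```

On the server, run `count_placeholders` against /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/ssl.conf and `missing_hardening` against httpd.conf, then run `apachectl configtest` before starting httpd.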