Apache Environment Setup

Overview

This article shows how to install Apache on Linux and apply a basic configuration.
(Domain and SSL configuration are not covered.)

Environment

  • OS: Amazon Linux 2
  • Apache 2.4.39

Setup procedure

Installation

# Check package information
$ yum info httpd

# Install
$ sudo yum -y install httpd

# Check the version
$ httpd -v

# Enable start at boot
$ sudo systemctl enable httpd.service

# Start
$ sudo systemctl start httpd.service

# Check that it is running
$ systemctl status httpd.service

Configuration

Create and edit the configuration files with the vi command.

Document root

Change the document root to /var/www/test.

/etc/httpd/conf.d/server.conf (new file)
<VirtualHost *:80>
  DocumentRoot /var/www/test
  <Directory "/var/www/test">
    AllowOverride All
    Require all granted
  </Directory>
</VirtualHost>

Logging

Adding a log format
/etc/httpd/conf/httpd.conf (edit)
<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
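    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-Proto}i\"" elb-customlog

Restricting log output
/etc/httpd/conf.d/log.conf (new file)
# Do not log favicon requests
SetEnvIf Request_URI "\.(ico)$" nolog

# Do not log requests for images, JS, or CSS
SetEnvIf Request_URI "\.(gif|jpg|png|ico|jpeg|js|css)$" nolog

# If httpd.conf still has its own CustomLog for logs/access_log, comment it out;
# otherwise every request is also written there without this filter.
CustomLog logs/access_log common env=!nolog

Log rotation

Apache logs are rotated daily and kept for 365 days.

/etc/logrotate.d/httpd (edit)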
/var/log/httpd/*log {
    daily
    rotate 365
    missingok
    ifempty
    dateext
    sharedscripts
    delaycompress
    postrotate
        /bin/systemctl reload httpd.service > /dev/null 2>/dev/null || true
    endscript
}

Security

Default content
/etc/httpd/conf.d/autoindex.conf (edit)
# We include the /icons/ alias for FancyIndexed directory listings.  If
# you do not use FancyIndexing, you may comment this out.
#
#Alias /icons/ "/usr/share/httpd/icons/"

#<Directory "/usr/share/httpd/icons">
#    Options MultiViews
#    AllowOverride None
#    Require all granted
#</Directory>

Other general settings
/etc/httpd/conf.d/security.conf (new file)
# Hide version information
ServerTokens Prod

# Hide the PHP version
Header unset "X-Powered-By"

# httpoxy mitigation
RequestHeader unset Proxy

# Clickjacking mitigation
Header always append X-Frame-Options SAMEORIGIN

# XSS mitigation
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff

# XST (cross-site tracing) mitigation
TraceEnable Off

# Control entity tag (ETag) output
FileETag None

# HttpOnly and Secure cookie attributes (Secure cookies are only sent over HTTPS)
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# Enable HSTS (HTTP Strict Transport Security); browsers honor this header only over HTTPS
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"

# Disable directory listings
Options -Indexes

Restart

# Syntax check
$ httpd -t

# Restart Apache (graceful reload)
$ sudo systemctl reload httpd
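
A check for the hardening in security.conf above, as an added example that is not part of the original article: the function check_security_headers (a name chosen here) reads one response header block on stdin, for example from `curl -sI http://localhost/`, and reports every header that differs from what the directives should produce. The two sample responses are constructed.

```shell
# Added example: read one HTTP response header block on stdin and compare it with security.conf.
check_security_headers() {
    awk '
        function bad(msg) { print "FAIL " msg; failures++ }
        function expect(name, want) {
            if (!(name in count))        bad(name " missing")
            else if (count[name] > 1)    bad(name " sent " count[name] " times")
            else if (last[name] != want) bad(name " is \"" last[name] "\", expected \"" want "\"")
        }
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        NR == 1 || index($0, ":") == 0 { next }  # skip status line and blank lines
        {
            name  = tolower(substr($0, 1, index($0, ":") - 1))
            value = substr($0, index($0, ":") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            count[name]++
            last[name] = value
            if (name == "set-cookie") {          # Header edit Set-Cookie ... ;HttpOnly;Secure
                if (tolower(value) !~ /; *httponly/) bad("cookie without HttpOnly: " value)
                if (tolower(value) !~ /; *secure/)   bad("cookie without Secure: " value)
            }
        }
        END {
            expect("server", "Apache")           # ServerTokens Prod
            expect("x-frame-options", "SAMEORIGIN")
            expect("x-xss-protection", "1; mode=block")
            expect("x-content-type-options", "nosniff")
            expect("strict-transport-security", "max-age=31536000; includeSubDomains")
            if ("x-powered-by" in count) bad("x-powered-by still sent: " last["x-powered-by"])
            if ("etag" in count)         bad("etag still sent: " last["etag"])   # FileETag None
            exit (failures > 0)
        }
    '
}
# Constructed sample responses, not captured from a real server.
sample_hardened='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sid=abc123; Path=/;HttpOnly;Secure'
sample_default='HTTP/1.1 200 OK
Server: Apache/2.4.39 ()
X-Powered-By: PHP/7.2.0
ETag: "1f-5a1b2c3d4e5f6"
Set-Cookie: sid=abc123; Path=/'
printf '%s\n' "$sample_hardened" | check_security_headers && echo "hardened sample: OK"
printf '%s\n' "$sample_default"  | check_security_headers || echo "default sample: findings above"
```

Run it against an error page as well (for example a URL that returns 404): Header directives written without `always` are not applied to error responses that Apache generates itself.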
