Web1 Setup Process

From CSLabsWiki
Jump to: navigation, search

This page summarizes how the virtual machine Web1 was set up in Spring 2009.

Install

  • Installed CentOS 5.3 x64.
    • Partition Scheme
      • 3 GB /
      • 1.5 GB /var
      • 512 MB swap

Configuration

Updated System

  • Configured Yum Priorities & to use our mirror
    • Edited /etc/yum.repos.d/CentOS-Base.repo
# CentOS-Base.repo
#
# This file uses a new mirrorlist system developed by Lance Davis for CentOS.
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
baseurl=http://mirror.clarkson.edu/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#released updates
[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
baseurl=http://mirror.clarkson.edu/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#packages used/produced in the build but not released
[addons]
name=CentOS-$releasever - Addons
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=addons
baseurl=http://mirror.clarkson.edu/centos/$releasever/addons/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
baseurl=http://mirror.clarkson.edu/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=1

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
baseurl=http://mirror.clarkson.edu/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
baseurl=http://mirror.clarkson.edu/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
priority=2
    • Edited /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
baseurl = http://mirror.clarkson.edu/rpmforge/redhat/el5/en/$basearch/dag
#mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
priority=15
    • Edited /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
baseurl=http://mirror.clarkson.edu/epel/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=30

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 5 - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-debug-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30

[epel-source]
name=Extra Packages for Enterprise Linux 5 - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-source-5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=30
    • Edited /etc/yum.repos.d/epel-testing.repo
[epel-testing]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
priority=40

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Debug
baseurl=http://mirror.clarkson.edu/epel/testing/5/$basearch/debug
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-debug-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40

[epel-testing-source]
name=Extra Packages for Enterprise Linux 5 - Testing - $basearch - Source
baseurl=http://mirror.clarkson.edu/epel/testing/5/SRPMS
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=testing-source-epel5&arch=$basearch
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
gpgcheck=1
priority=40
  • Disabled Yum FastestMirror since using local mirror
    • sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf
  • Installed Yum Priorities (Note: This must be installed prior to installing the packages below.)
    • yum install yum-priorities
  • Configured Yum Priorities to check for obsoletes
    • echo "check_obsoletes=1" >> /etc/yum/pluginconf.d/priorities.conf
  • yum install vim-enhanced gcc emacs-nox screen
  • yum update

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/sudoedit

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl, /usr/bin/passwd

## HTTP
Cmnd_Alias HTTP = /etc/init.d/httpd restart, /etc/init.d/httpd stop, /etc/init.d/httpd condrestart

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
%admins ALL=(root) ALL, !SHELLS, !HTTP

Configured Networks

  • Configured hostname in /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=web1
  • Verified eth0 configuration for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0
# Xen Virtual Ethernet
DEVICE=eth0
BOOTPROTO=static
BROADCAST=128.153.145.255
HWADDR=00:16:3E:1F:2D:03
IPADDR=128.153.145.15
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
DEVICE=eth0:0
BOOTPROTO=none
BROADCAST=128.153.145.255
IPADDR=128.153.145.218
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
DEVICE=eth0:1
BOOTPROTO=none
BROADCAST=128.153.145.255
IPADDR=128.153.145.14
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Configured eth0:2 for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0:2
DEVICE=eth0:2
BOOTPROTO=none
BROADCAST=128.153.145.255
IPADDR=128.153.145.11
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet
  • Configured eth0:3 for Clarkson Network in /etc/sysconfig/network-scripts/ifcfg-eth0:3
DEVICE=eth0:3
BOOTPROTO=none
BROADCAST=128.153.145.255
IPADDR=128.153.145.13
NETMASK=255.255.255.0
NETWORK=128.153.145.0
ONBOOT=yes
GATEWAY=128.153.145.1
TYPE=Ethernet

Configured Hosts

  • Edited /etc/hosts
127.0.0.1       localhost.localdomain   localhost
128.153.145.15  web1.cslabs.clarkson.edu web1.cslabs web1
  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Disabled IP v6

  • Appended the following to /etc/modprobe.conf
install ipv6 /bin/true
  • Disabled IP v6 firewall
    • /sbin/chkconfig ip6tables off

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Configured SSH

  • Edited /etc/ssh/sshd_config
Due to the sensitivity of this material, this config file has been left off.
  • Restarted sshd
    • /etc/init.d/sshd restart

Set Up SSH Login Banner

  • Edited /etc/issue.net
             __  ___
 _    _____ / / <  /
| |/|/ / -_) _ \/ /
|__,__/\__/_.__/_/
       

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/spool/mail

PASS_MAX_DAYS   360
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   60

UID_MIN                   500
UID_MAX                 60000

GID_MIN                   500
GID_MAX                 60000

CREATE_HOME     yes

UMASK           077

USERGROUPS_ENAB yes

MD5_CRYPT_ENAB yes

ENCRYPT_METHOD MD5

Added Custom PATH Variables

  • Added the following to /etc/profile
PATH=$PATH:/usr/sbin:/sbin
export PATH

Configured Aliases

  • Edited /etc/aliases
#
#  Aliases in this file will NOT be expanded in the header from
#  Mail, but WILL be visible over networks or from /bin/mail.
#
#       >>>>>>>>>>      The program "newaliases" must be run after
#       >> NOTE >>      this file is updated for any changes to
#       >>>>>>>>>>      show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon:  postmaster
postmaster:     logwatch@cslabs.clarkson.edu

# General redirections for pseudo accounts.
bin:            logwatch@cslabs.clarkson.edu
daemon:         logwatch@cslabs.clarkson.edu
adm:            logwatch@cslabs.clarkson.edu
lp:             logwatch@cslabs.clarkson.edu
sync:           logwatch@cslabs.clarkson.edu
shutdown:       logwatch@cslabs.clarkson.edu
halt:           logwatch@cslabs.clarkson.edu
mail:           logwatch@cslabs.clarkson.edu
news:           logwatch@cslabs.clarkson.edu
uucp:           logwatch@cslabs.clarkson.edu
operator:       logwatch@cslabs.clarkson.edu
games:          logwatch@cslabs.clarkson.edu
gopher:         logwatch@cslabs.clarkson.edu
ftp:            logwatch@cslabs.clarkson.edu
nobody:         logwatch@cslabs.clarkson.edu
radiusd:        logwatch@cslabs.clarkson.edu
nut:            logwatch@cslabs.clarkson.edu
dbus:           logwatch@cslabs.clarkson.edu
vcsa:           logwatch@cslabs.clarkson.edu
canna:          logwatch@cslabs.clarkson.edu
wnn:            logwatch@cslabs.clarkson.edu
rpm:            logwatch@cslabs.clarkson.edu
nscd:           logwatch@cslabs.clarkson.edu
pcap:           logwatch@cslabs.clarkson.edu
apache:         logwatch@cslabs.clarkson.edu
webalizer:      logwatch@cslabs.clarkson.edu
dovecot:        logwatch@cslabs.clarkson.edu
fax:            logwatch@cslabs.clarkson.edu
quagga:         logwatch@cslabs.clarkson.edu
radvd:          logwatch@cslabs.clarkson.edu
pvm:            logwatch@cslabs.clarkson.edu
amanda:         logwatch@cslabs.clarkson.edu
privoxy:        logwatch@cslabs.clarkson.edu
ident:          logwatch@cslabs.clarkson.edu
named:          logwatch@cslabs.clarkson.edu
xfs:            logwatch@cslabs.clarkson.edu
gdm:            logwatch@cslabs.clarkson.edu
mailnull:       logwatch@cslabs.clarkson.edu
postgres:       logwatch@cslabs.clarkson.edu
sshd:           logwatch@cslabs.clarkson.edu
smmsp:          logwatch@cslabs.clarkson.edu
postfix:        logwatch@cslabs.clarkson.edu
netdump:        logwatch@cslabs.clarkson.edu
ldap:           logwatch@cslabs.clarkson.edu
squid:          logwatch@cslabs.clarkson.edu
ntp:            logwatch@cslabs.clarkson.edu
mysql:          logwatch@cslabs.clarkson.edu
desktop:        logwatch@cslabs.clarkson.edu
rpcuser:        logwatch@cslabs.clarkson.edu
rpc:            logwatch@cslabs.clarkson.edu
nfsnobody:      logwatch@cslabs.clarkson.edu

ingres:         logwatch@cslabs.clarkson.edu
system:         logwatch@cslabs.clarkson.edu
toor:           logwatch@cslabs.clarkson.edu
manager:        logwatch@cslabs.clarkson.edu
dumper:         logwatch@cslabs.clarkson.edu
abuse:          logwatch@cslabs.clarkson.edu

newsadm:        news
newsadmin:      news
usenet:         news
ftpadm:         ftp
ftpadmin:       ftp
ftp-adm:        ftp
ftp-admin:      ftp
www:            webmaster
webmaster:      logwatch@cslabs.clarkson.edu
noc:            logwatch@cslabs.clarkson.edu
security:       logwatch@cslabs.clarkson.edu
hostmaster:     logwatch@cslabs.clarkson.edu
info:           postmaster
marketing:      postmaster
sales:          postmaster
support:        postmaster


# trap decode to catch security attacks
decode:         logwatch@cslabs.clarkson.edu

# Person who should get roots's mail
root:           logwatch@cslabs.clarkson.edu
  • Updated aliases
    • /usr/bin/newaliases

Disabled Various Kernel Modules

  • Added the following to /etc/modprobe.conf
install pppox /bin/true
install bluetooth /bin/true
install sctp /bin/true

Installed & Configured SNMP

  • Installed needed packages
yum install net-snmp ntp
  • Configured SNMP Daemon /etc/snmp/snmpd.conf
rocommunity     <passphrase>  127.0.0.1
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
disk /var
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime
  • Deployed ntp_check script
    • Copied over /usr/local/sbin/ntp_check from Isengard to /usr/local/sbin/
    • chown root.root /usr/local/sbin/ntp_check
  • Configured SNMP to start at specific run levels
/sbin/chkconfig --levels 2345 snmpd on
  • Started daemon
/etc/init.d/snmpd start

Increased Detail of Logwatch Reports

  • Set detail level to be high
echo "Detail = High" >> /etc/logwatch/conf/logwatch.conf

Disabled Unneeded Services

chkconfig nfs off
/etc/init.d/nfs stop
chkconfig nfslock off
/etc/init.d/nfslock stop
chkconfig rpcgssd off
/etc/init.d/rpcgssd stop
chkconfig rpcidmapd off
/etc/init.d/rpcidmapd stop
chkconfig rpcsvcgssd off
/etc/init.d/rpcsvcgssd stop
chkconfig portmap off
/etc/init.d/portmap stop
chkconfig netfs off
/etc/init.d/netfs stop
chkconfig anacron off
/etc/init.d/anacron stop
chkconfig autofs off
/etc/init.d/autofs stop
chkconfig avahi-daemon off
/etc/init.d/avahi-daemon stop
chkconfig avahi-dnsconfd off
/etc/init.d/avahi-dnsconfd stop
chkconfig bluetooth off
/etc/init.d/bluetooth stop
chkconfig hidd off
/etc/init.d/hidd stop
chkconfig cups off
/etc/init.d/cups stop
chkconfig firstboot off
/etc/init.d/firstboot stop
chkconfig gpm off
/etc/init.d/gpm stop
chkconfig haldaemon off
/etc/init.d/haldaemon stop
chkconfig irda off
/etc/init.d/irda stop
chkconfig kudzu off
/etc/init.d/kudzu stop
chkconfig messagebus off
/etc/init.d/messagebus stop
chkconfig microcode_ctl off
/etc/init.d/microcode_ctl stop
chkconfig pcscd off
/etc/init.d/pcscd stop
chkconfig readahead_early off
/etc/init.d/readahead_early stop
chkconfig readahead_later off
/etc/init.d/readahead_later stop
chkconfig ypbind off
/etc/init.d/ypbind stop

Modified Cron Weekly Execution Time

This was done to reduce load spikes that produce Nagios alerts around 4:30 AM every Sunday. In the event that this VM get moved off of righteous, this should be changed back to the default setting of 4:22 AM.

  • Modified the following line in /etc/crontab
12 5 * * 0 root run-parts /etc/cron.weekly

Installed Apache

  • Installed httpd, php, etc.
    • yum install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-suhosin curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_python perl-HTML-Parser perl-DBI perl-Net-DNS perl-Digest-SHA1 mysql
    • Note: The default version of php (5.1) was installed. In the event that php 5.2 is needed later, it can be installed following this process. PHP_5.1_To_5.2
  • Modified /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerRoot "/etc/httpd"
PidFile run/httpd.pid
Timeout 30
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
TraceEnable Off

<IfModule prefork.c>
StartServers       5
MinSpareServers    5
MaxSpareServers   10
ServerLimit       50
MaxClients        50
MaxRequestsPerChild  0
</IfModule>

<IfModule worker.c>
StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

Listen 80

LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule asis_module modules/mod_asis.so

Include conf.d/*.conf

User apache
Group apache

ServerAdmin web-admin@cslabs.clarkson.edu
ServerName web1.cslabs.clarkson.edu:80

UseCanonicalName Off

DocumentRoot "/var/www/html"

<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_userdir.c>
    UserDir disable
    #UserDir public_html
</IfModule>

#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

DirectoryIndex index.html index.html.var index.htm index.shtml index.cgi

AccessFileName .htaccess

XBitHack On

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

TypesConfig /etc/mime.types

DefaultType text/plain

<IfModule mod_mime_magic.c>
#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off

ErrorLog logs/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

CustomLog logs/access_log combined

ServerSignature Off

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddCharset ISO-8859-1  .iso8859-1  .latin1
AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
AddCharset ISO-8859-3  .iso8859-3  .latin3
AddCharset ISO-8859-4  .iso8859-4  .latin4
AddCharset ISO-8859-5  .iso8859-5  .latin5 .cyr .iso-ru
AddCharset ISO-8859-6  .iso8859-6  .latin6 .arb
AddCharset ISO-8859-7  .iso8859-7  .latin7 .grk
AddCharset ISO-8859-8  .iso8859-8  .latin8 .heb
AddCharset ISO-8859-9  .iso8859-9  .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5        .Big5       .big5
AddCharset WINDOWS-1251 .cp-1251   .win-1251
AddCharset CP866       .cp866
AddCharset KOI8-r      .koi8-r .koi8-ru
AddCharset KOI8-ru     .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8       .utf8
AddCharset GB2312      .gb2312 .gb
AddCharset utf-7       .utf7
AddCharset utf-8       .utf8
AddCharset big5        .big5 .b5
AddCharset EUC-TW      .euc-tw
AddCharset EUC-JP      .euc-jp
AddCharset EUC-KR      .euc-kr
AddCharset shift_jis   .sjis

AddType application/x-tar .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

AddHandler type-map var
AddHandler cgi-script .cgi
AddHandler imap-file map

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>
</IfModule>
</IfModule>

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/atom_xml
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/x-httpd-php
AddOutputFilterByType DEFLATE application/x-httpd-fastphp
AddOutputFilterByType DEFLATE application/x-httpd-eruby
AddOutputFilterByType DEFLATE text/html
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

NameVirtualHost *:80
  • Created /etc/httpd/conf.d/web1.conf
<VirtualHost *:80>
    ServerName web1.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/html/"
    ErrorLog logs/web1-error_log
    CustomLog logs/web1-access_log combined
    ServerAlias web1*
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/httpd/conf.d/zDefault.conf
<VirtualHost *:80>
    ServerName web1.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/html/"
    ErrorLog logs/web1-error_log
    CustomLog logs/web1-access_log combined
    ServerAlias *
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/httpd/conf.d/cosi.conf
<VirtualHost 128.153.145.11>
    ServerName cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/cosi_html/"
    ErrorLog logs/cosi-error_log
    CustomLog logs/cosi-access_log combined
    ServerAlias cosi*
    Redirect permanent /xen http://xen.cslabs.clarkson.edu
    <Directory /var/www/cosi_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    <Directory /var/www/cosi_html/docs/installingxen/>
        AllowOverride FileInfo
    </Directory>
    <Directory /var/www/cosi_html/knowledge/workshops/sp05/installingxen/>
        AllowOverride FileInfo
    </Directory>
</VirtualHost>
  • Created /etc/httpd/conf.d/cslabs.conf
<VirtualHost *:80>
    ServerName cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/cslabs_html/"
    ErrorLog logs/cslabs-error_log
    CustomLog logs/cslabs-access_log combined
    ServerAlias cslabs*
    <Directory /var/www/cslabs_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/httpd/conf.d/planet.conf
<VirtualHost 128.153.145.13>
    ServerName planet.cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/planet_html/output/"
    ErrorLog logs/planet-error_log
    CustomLog logs/planet-access_log combined
    ServerAlias planet*
    <Directory /var/www/planet_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/httpd/conf.d/rrs.conf
<VirtualHost *:80>
    ServerName rrs.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/rrs_html/"
    ErrorLog logs/rrs-error_log
    CustomLog logs/rrs-access_log combined
    ServerAlias rrs*
    <Directory /var/www/rrs_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost 128.153.145.218>
    ServerName rrs.cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/rrs_html/"
    ErrorLog logs/rrs-error_log
    CustomLog logs/rrs-access_log combined
    ServerAlias rrs*
    Redirect permanent / http://rrs.cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/httpd/conf.d/xen.conf
<VirtualHost *:80>
    ServerName xen.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/xen_html/"
    ErrorLog logs/xen-error_log
    CustomLog logs/xen-access_log combined
    ServerAlias xen*
    <Directory /var/www/xen_html/>
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost 128.153.145.14>
    ServerName xen.cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/xen_html/"
    ErrorLog logs/xen-error_log
    CustomLog logs/xen-access_log combined
    ServerAlias xen*
    Redirect permanent / http://xen.cslabs.clarkson.edu/
</VirtualHost>
  • Modified Apache to not display a test page when no index.html is present
    • Edited /etc/httpd/conf.d/welcome.conf
# 
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>
  • Configured server so php is not exposed and y2k compliance is off
    • Edited /etc/php.ini
expose_php = Off
memory_limit = 64M
  • Disabled /etc/httpd/conf.d/welcome.conf
#
# This configuration file enables the default "Welcome"
# page if there is no default index page present for
# the root URL.  To disable the Welcome page, comment
# out all the lines below.
#
#<LocationMatch "^/+$">
#    Options -Indexes
#    ErrorDocument 403 /error/noindex.html
#</LocationMatch>

  • Disabled /etc/httpd/conf.d/proxy_ajp.conf

#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

#
# When loaded, the mod_proxy_ajp module adds support for
# proxying to an AJP/1.3 backend server (such as Tomcat).
# To proxy to an AJP backend, use the "ajp://" URI scheme;
# Tomcat is configured to listen on port 8009 for AJP requests
# by default.
#

#
# Uncomment the following lines to serve the ROOT webapp
# under the /tomcat/ location, and the jsp-examples webapp
# under the /examples/ location.
#
#ProxyPass /tomcat/ ajp://localhost:8009/
#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/


  • Configured Apache to start on boot
    • /sbin/chkconfig --levels 345 httpd on
  • Started Apache
    • /etc/init.d/httpd start

Virtual Host Notes

  • A group must be created for each virtual host and the virtual host html root must be owned by that group.
  • The setgid bit should be set on each of the virtual host html roots. This can be done by using the following command: chmod g+s <vhost>_html/

AWStats