# yum install mailcap
# yum install perl
# yum install perl-devel
# yum --enablerepo=epel install nghttp2
# yum --enablerepo=epel install libev-devel
# yum --enablerepo=epel install libnghttp2-devel
# yum install openldap
# yum install openldap-devel
# yum install expat
# yum install expat-devel
# yum install system-logos
# yum install libdb
# yum install libdb-devel
# yum install http://dl.marmotte.net/rpms/redhat/el7/x86_64/brotli-1.0.7-1.el7/brotli-1.0.7-1.el7.x86_64.rpm
# yum install http://dl.marmotte.net/rpms/redhat/el7/x86_64/brotli-1.0.7-1.el7/brotli-devel-1.0.7-1.el7.x86_64.rpm
# yum --disablerepo=base,extras,updates --enablerepo=ius install httpd
# yum --disablerepo=base,extras,updates --enablerepo=ius install httpd-devel
# yum --disablerepo=base,extras,updates --enablerepo=ius install mod_ssl
# rpm -qi httpd24u
ServerAdmin webmaster@example.jp
ServerName www.example.jp:80
<Directory "/var/www/html">
Options FollowSymLinks IncludesNOEXEC
AllowOverride All
Require all granted
</Directory>
SetEnvIf Request_URI "_health\.html|\.(gif|jpg|png|ico)$" nolog
CustomLog logs/access_log combined env=!nolog
<IfModule alias_module>
# ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#<Directory "/var/www/cgi-bin">
# AllowOverride None
# Options None
# Require all granted
#</Directory>
#AddDefaultCharset UTF-8
AddDefaultCharset Off
#################################################
########### Additional Options ##################
#################################################
KeepAlive On
KeepAliveTimeout 120
Timeout 120
ServerTokens Prod
ExtendedStatus Off
ServerSignature Off
UseCanonicalName Off
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN
# XSS対策
Header set X-XSS-Protection "1;mode=block"
Header set X-Content-Type-Options nosniff
# vi /etc/httpd/conf.d/_virtualhost.conf
<VirtualHost *:80>
<IfModule http2_module>
LogLevel http2:info
ProtocolsHonorOrder On
Protocols h2c http/1.1
H2Direct on
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
</IfModule>
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</VirtualHost>
# cd /etc/httpd/conf.d
# mv autoindex.conf autoindex.conf.bak
#<VirtualHost _default_:443>
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName www.example.jp:443
ServerAlias example.jp www.example.com
#ErrorLog logs/ssl_error_log
#TransferLog logs/ssl_access_log
ErrorLog logs/error_log
SetEnvIf Request_URI "_health\.html|\.(gif|jpg|png|ico)$" nolog
CustomLog logs/access_log combined env=!nolog
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3
SSLProtocol -all +TLSv1.2
SSLProxyProtocol -all +TLSv1.2
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLCipherSuite AESGCM:HIGH:!MEDIUM:!LOW:!3DES:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA
SSLProxyCipherSuite AESGCM:HIGH:!MEDIUM:!LOW:!3DES:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!AES256-SHA256:!AES128-SHA256:!AES256-SHA:!AES128-SHA:!DES-CBC3-SHA:!CAMELLIA:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA256:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA
※上記設定だと、以下のブラウザで閲覧ができなくなります。 ・Safari 6(iOS 6.0.1) ・Safari 7(iOS 7.1) ・Safari 7(OS X 10.9) ・Safari 8(iOS 8.4) ・Safari 8(OS X 10.10) もし、上記ブラウザの閲覧が必要な場合は、「!ECDHE-RSA-AES256-SHA384」の「!」を削除して「ECDHE-RSA-AES256-SHA384」として下さい。 ただしこの場合、Qualys SSL LabsのSSL Server Testで「TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384」が「WEAK」という判定がされます。
SSLCertificateFile /etc/httpd/certs/latest/www.example.jp.full_cert.pem
SSLCertificateKeyFile /etc/httpd/certs/latest/www.example.jp.privkey_nopwd.pem
<Directory "/var/www/html">
Options FollowSymLinks IncludesNOEXEC
AllowOverride All
Require all granted
</Directory>
<IfModule http2_module>
ProtocolsHonorOrder On
Protocols h2 http/1.1
</IfModule>
TraceEnable Off
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header edit Set-Cookie "^(?!.*(\s+|;)(?i)SameSite=)(.*)" "$0; SameSite=None; Secure; HttpOnly"
# openssl dhparam -out /etc/httpd/certs/dhparams.pem 4096
SSLOpenSSLConfCmd DHParameters /etc/httpd/certs/dhparams.pem
# cd /etc/httpd/conf.d
# mv userdir.conf userdir.conf.bak
# cd /etc/httpd/conf.modules.d
# mv 00-dav.conf 00-dav.conf.bak
# cd /etc/httpd/conf.modules.d
# mv 00-lua.conf 00-lua.conf.bak
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule mpm_event_module modules/mod_mpm_event.so
# cd /etc/httpd/conf.modules.d
# mv 01-cgi.conf 01-cgi.conf.bak
# apachectl configtest
# systemctl start httpd.service
# systemctl stop httpd.service
# systemctl enable httpd.service
# systemctl disable httpd.service
# systemctl is-enabled httpd.service
/var/log/httpd/*log {
missingok
notifempty
sharedscripts
postrotate
/sbin/service httpd reload > /dev/null 2>/dev/null || true
endscript
}
vi /etc/logrotate.d/httpd
#/var/log/httpd/*log {
# missingok
# notifempty
# sharedscripts
# postrotate
# /sbin/service httpd reload > /dev/null 2>/dev/null || true
# endscript
#}
# chmod 000 /etc/logrotate.d/httpd
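#!/bin/bash
# Manual rotation of the Apache httpd logs.
#
# Moves the live log files out of APACHE_LOG_DIR into a per-month directory
# under BACKUP_BASE_DIR, restarts httpd so it reopens fresh log files, then
# archives the moved logs as apache_log_<YYYYMMDD>.tar.gz and takes a full
# snapshot of /var/log as var_log_<YYYYMMDD>.tar.gz in the same directory.
# Runs as root (it restarts a systemd service and reads /var/log); presumably
# driven from cron, with the page's logrotate entry disabled in its favour.
#
# Exit status: 0 when both archives were written, 1 when a directory could
# not be entered or one of the tar runs failed (the failing step is reported
# on stderr and nothing is deleted in that case).

#----- backup file save base directory -----
BACKUP_BASE_DIR=/var/__backup__/apache_log
LOG_DIR=/var/log
APACHE_LOG_DIR=/var/log/httpd
#-------------------------------------------

# An unset variable must never silently turn "$DIR"/*log into /*log.
set -u

# Overall status; a failed archive is reported but does not stop the other.
rc=0

# The later "mv ... ." and "rm -f *log" act on the current directory, so a
# failed cd must stop the script instead of rotating whatever cron's working
# directory happens to contain.
cd -- "$BACKUP_BASE_DIR" || { printf 'cannot cd to %s\n' "$BACKUP_BASE_DIR" >&2; exit 1; }

#----- monthly date directory create -----
MONTH_DATE_VAL="$(date "+%Y%m")"
# -p makes this idempotent for the second and later runs in a month.
mkdir -p -- "$MONTH_DATE_VAL" || exit 1
cd -- "$MONTH_DATE_VAL" || { printf 'cannot cd to %s\n' "$MONTH_DATE_VAL" >&2; exit 1; }

#----- get serial date value -----
TODAY_DATE_VAL="$(date "+%Y%m%d")"
# Unix timestamp used to suffix an earlier same-day archive instead of
# overwriting it.
SERIAL_DATE_VAL="$(date "+%s")"

#----- apache log moved & http restart -----
# httpd keeps writing to the moved inodes until it is restarted; after the
# restart a new access_log should exist again. One retry if it does not.
mv -- "$APACHE_LOG_DIR"/*log .
/usr/bin/systemctl restart httpd.service
/usr/bin/sleep 10
if [ ! -f "$APACHE_LOG_DIR/access_log" ]; then
  /usr/bin/systemctl restart httpd.service
  /usr/bin/sleep 10
fi

#----- compress log files -----
FILENAME="apache_log_${TODAY_DATE_VAL}.tar.gz"
if [ -f "$FILENAME" ]; then
  TEMP_FILENAME="${FILENAME}.${SERIAL_DATE_VAL}"
  mv -- "$FILENAME" "$TEMP_FILENAME"
fi
# The same *log pattern is used for mv, tar and rm so that nothing can be
# deleted that was not first archived, and the moved logs are only removed
# once tar has succeeded.
if tar cvzf "$FILENAME" -- *log; then
  rm -f -- *log
else
  printf 'tar of apache logs failed; leaving %s/*log in place\n' "$PWD" >&2
  rc=1
fi
/usr/bin/sleep 5

# Full snapshot of /var/log next to the apache archive.
cd /var || { printf 'cannot cd to /var\n' >&2; exit 1; }
FILENAME="$BACKUP_BASE_DIR/$MONTH_DATE_VAL/var_log_${TODAY_DATE_VAL}.tar.gz"
if [ -f "$FILENAME" ]; then
  TEMP_FILENAME="${FILENAME}.${SERIAL_DATE_VAL}"
  mv -- "$FILENAME" "$TEMP_FILENAME"
fi
if ! tar cvzf "$FILENAME" log; then
  printf 'tar of %s failed\n' "$LOG_DIR" >&2
  rc=1
fi

exit "$rc"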
# vi /etc/httpd/conf.d/deflate.conf
<IfModule mod_deflate.c>
DeflateCompressionLevel 1
<IfModule mod_filter.c>
FilterDeclare COMPRESS
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m#^text/#i"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m#^application/(atom\+xml|javascript|json|rss\+xml|xml|xhtml\+xml)#i"
FilterProvider COMPRESS DEFLATE "%{CONTENT_TYPE} =~ m#^image/(svg\+xml|vnd\.microsoft\.icon)#i"
FilterChain COMPRESS
FilterProtocol COMPRESS DEFLATE change=yes;byteranges=no
#BrowserMatch ^Mozilla/4 gzip-only-text/html
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
#BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html
#Header append Vary Accept-Encoding env=!dont-vary
</IfModule>
</IfModule>
# systemctl restart httpd.service