3 Installation on Red Hat with SELinux
elrido edited this page 8 years ago

This tutorial on how to install httpd, php70 and PrivateBin on a minimal Red Hat or CentOS 7 installation was provided by @pozzo-balbi and was originally published at pozzo-balbi.com/help/Zerobin under the Creative Commons Attribution ShareAlike 3.0 license.

Prerequisites

Assuming you are running a VM with a minimal installation, you will need to install the following: first PHP in its latest version, then httpd.

rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
yum -y install php70w php70w-opcache php70w-gd php70w-intl php70w-mbstring php70w-mcrypt php70w-xml httpd httpd-tools

Update php.ini:

sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = Europe\/Berlin/' /etc/php.ini
sed -i 's/;mail.log = syslog/mail.log = syslog/' /etc/php.ini
sed -i 's/;realpath_cache_size = 16k/realpath_cache_size = 256k/' /etc/php.ini
sed -i 's/;realpath_cache_ttl = 120/realpath_cache_ttl = 1200/' /etc/php.ini
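The one-shot sed calls above silently do nothing when a directive is already set, or is commented differently than expected. As an added example (my own, not part of the original tutorial), here is an idempotent setter for the same six directives together with a check that each one is actually in effect; PHP_INI and the function names are assumptions, the defaults come from the commands above.

```sh
#!/bin/sh
# Added example, not code from the original wiki page: an idempotent php.ini
# setter plus a checker for the hardening values above. Unlike one-shot sed
# substitutions it works whether the directive is still commented out
# (";key = ...") or already set, appends it if absent, and can be re-run.
# Assumption: PHP_INI is the file to edit (defaults to /etc/php.ini).
PHP_INI="${PHP_INI:-/etc/php.ini}"

# Directives from the tutorial, as key=value words.
HARDENING='expose_php=Off cgi.fix_pathinfo=0 date.timezone=Europe/Berlin
mail.log=syslog realpath_cache_size=256k realpath_cache_ttl=1200'

# Escape a literal for an extended regex / for the replacement side of sed s###.
re_escape()   { printf '%s' "$1" | sed 's#[*.[^$+?(){}|\\]#\\&#g'; }
repl_escape() { printf '%s' "$1" | sed 's,[&#\\],\\&,g'; }

# set_ini KEY VALUE: rewrite the (possibly ;-commented) KEY line, else append.
set_ini() {
    k=$(re_escape "$1")
    if grep -Eq "^[[:space:]]*;?[[:space:]]*${k}[[:space:]]*=" "$PHP_INI"; then
        sed -i -E "s#^[[:space:]]*;?[[:space:]]*${k}[[:space:]]*=.*#$(repl_escape "$1") = $(repl_escape "$2")#" "$PHP_INI"
    else
        printf '%s = %s\n' "$1" "$2" >> "$PHP_INI"
    fi
}

# check_ini KEY VALUE: true only if an uncommented KEY line carries exactly VALUE.
check_ini() {
    grep -Eq "^[[:space:]]*$(re_escape "$1")[[:space:]]*=[[:space:]]*$(re_escape "$2")[[:space:]]*\$" "$PHP_INI"
}

harden_php_ini() {
    for pair in $HARDENING; do set_ini "${pair%%=*}" "${pair#*=}"; done
}

# Fails and names the first directive that is not in effect.
verify_php_ini() {
    for pair in $HARDENING; do
        check_ini "${pair%%=*}" "${pair#*=}" || { echo "not in effect: $pair" >&2; return 1; }
    done
}

# Run as: PHP_INI=/etc/php.ini sh harden-php-ini.sh apply
[ "${1:-}" = apply ] && { harden_php_ini && verify_php_ini; }
```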

Now customize httpd. Disable the modules PrivateBin does not need in /etc/httpd/conf.modules.d, as in the files below; uncomment lines as needed.

00-base.conf:

LoadModule access_compat_module modules/mod_access_compat.so
 #Group authorizations based on host (name or IP address)
#LoadModule actions_module modules/mod_actions.so #Execute CGI scripts based on media type or request method.
#LoadModule alias_module modules/mod_alias.so  #Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
#LoadModule allowmethods_module modules/mod_allowmethods.so #Easily restrict what HTTP methods can be used on the server
#LoadModule auth_basic_module modules/mod_auth_basic.so  #Basic HTTP authentication
#LoadModule auth_digest_module modules/mod_auth_digest.so  #User authentication using MD5 Digest Authentication
#LoadModule authn_anon_module modules/mod_authn_anon.so #Allows "anonymous" user access to authenticated areas
#LoadModule authn_core_module modules/mod_authn_core.so #Core Authentication
#LoadModule authn_dbd_module modules/mod_authn_dbd.so #User authentication using an SQL database
#LoadModule authn_dbm_module modules/mod_authn_dbm.so #User authentication using DBM files
#LoadModule authn_file_module modules/mod_authn_file.so #User authentication using text files
#LoadModule authn_socache_module modules/mod_authn_socache.so #Manages a cache of authentication credentials to relieve the load on backends
LoadModule authz_core_module modules/mod_authz_core.so
 #Core Authorization
#LoadModule authz_dbd_module modules/mod_authz_dbd.so #Group Authorization and Login using SQL
#LoadModule authz_dbm_module modules/mod_authz_dbm.so #Group authorization using DBM files
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so #Group authorization using plaintext files
#LoadModule authz_host_module modules/mod_authz_host.so  #Group authorizations based on host (name or IP address)
#LoadModule authz_owner_module modules/mod_authz_owner.so #Authorization based on file ownership
#LoadModule authz_user_module modules/mod_authz_user.so #User Authorization
#LoadModule autoindex_module modules/mod_autoindex.so #Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
LoadModule cache_module modules/mod_cache.so
 #RFC 2616 compliant HTTP caching filter.
LoadModule cache_disk_module modules/mod_cache_disk.so
 #Disk based storage module for the HTTP caching filter.
LoadModule data_module modules/mod_data.so
 #Convert response body into an RFC2397 data URL
#LoadModule dbd_module modules/mod_dbd.so #Manages SQL database connections
LoadModule deflate_module modules/mod_deflate.so
 #Compress content before it is delivered to the client
LoadModule dir_module modules/mod_dir.so
 #Provides for "trailing slash" redirects and serving directory index files
#LoadModule dumpio_module modules/mod_dumpio.so #Dumps all I/O to error log as desired.
#LoadModule echo_module modules/mod_echo.so #A simple echo server to illustrate protocol modules
#LoadModule env_module modules/mod_env.so #Modifies the environment which is passed to CGI scripts and SSI pages
LoadModule expires_module modules/mod_expires.so
 #Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
#LoadModule ext_filter_module modules/mod_ext_filter.so #Pass the response body through an external program before delivery to the client
#LoadModule filter_module modules/mod_filter.so  #Context-sensitive smart filter configuration module
LoadModule headers_module modules/mod_headers.so
 #Customization of HTTP request and response headers
#LoadModule include_module modules/mod_include.so #Server-parsed html documents (Server Side Includes)
#LoadModule info_module modules/mod_info.so #Provides a comprehensive overview of the server configuration
LoadModule log_config_module modules/mod_log_config.so
 #Logging of the requests made to the server
#LoadModule logio_module modules/mod_logio.so #Logging of input and output bytes per request
#LoadModule mime_magic_module modules/mod_mime_magic.so #Determines the MIME type of a file by looking at a few bytes of its contents
LoadModule mime_module modules/mod_mime.so
 #Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
#LoadModule negotiation_module modules/mod_negotiation.so  #Provides for content negotiation
LoadModule remoteip_module modules/mod_remoteip.so
 #Replaces the original client IP address for the connection with the useragent IP address list presented by a proxy or a load balancer via the request headers.
#LoadModule reqtimeout_module modules/mod_reqtimeout.so #Set timeout and minimum data rate for receiving requests
LoadModule rewrite_module modules/mod_rewrite.so
 #Provides a rule-based rewriting engine to rewrite requested URLs on the fly
#LoadModule setenvif_module modules/mod_setenvif.so #Allows the setting of environment variables based on characteristics of the request
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #Slot-based shared memory provider.
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #Slot-based shared memory provider.
#LoadModule socache_dbm_module modules/mod_socache_dbm.so #DBM based shared object cache provider.
#LoadModule socache_memcache_module modules/mod_socache_memcache.so #Memcache based shared object cache provider.
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
 #shmcb based shared object cache provider.
#LoadModule status_module modules/mod_status.so #Provides information on server activity and performance
#LoadModule substitute_module modules/mod_substitute.so #Perform search and replace operations on response bodies
#LoadModule suexec_module modules/mod_suexec.so #Allows CGI scripts to run as a specified user and Group
LoadModule unique_id_module modules/mod_unique_id.so
 #Provides an environment variable with a unique identifier for each request
LoadModule unixd_module modules/mod_unixd.so
 #Basic (required) security for Unix-family platforms.
#LoadModule userdir_module modules/mod_userdir.so #User-specific directories
#LoadModule version_module modules/mod_version.so #Version dependent configuration
#LoadModule vhost_alias_module modules/mod_vhost_alias.so  #Provides for dynamically configured mass virtual hosting

#LoadModule buffer_module modules/mod_buffer.so #Support for request buffering
#LoadModule watchdog_module modules/mod_watchdog.so #provides infrastructure for other modules to periodically run tasks
#LoadModule heartbeat_module modules/mod_heartbeat.so #Sends messages with server status to frontend proxy
#LoadModule heartmonitor_module modules/mod_heartmonitor.so #Centralized monitor for mod_heartbeat origin servers
#LoadModule usertrack_module modules/mod_usertrack.so #Clickstream logging of user activity on a site 
#LoadModule dialup_module modules/mod_dialup.so #Send static content at a bandwidth rate limit, defined by the various old modem standards
#LoadModule charset_lite_module modules/mod_charset_lite.so #Specify character set translation or recoding
#LoadModule log_debug_module modules/mod_log_debug.so #Additional configurable debug logging
#LoadModule ratelimit_module modules/mod_ratelimit.so #Bandwidth Rate Limiting for Clients
#LoadModule reflector_module modules/mod_reflector.so #Reflect a request body as a response via the output filter stack.
#LoadModule request_module modules/mod_request.so #Filters to handle and make available HTTP request bodies
#LoadModule sed_module modules/mod_sed.so #Filter Input (request) and Output (response) content using sed syntax
#LoadModule speling_module modules/mod_speling.so #Attempts to correct mistaken URLs by ignoring capitalization, or attempting to correct various minor misspellings.

00-dav.conf:

#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule dav_lock_module modules/mod_dav_lock.so

00-lua.conf:

#LoadModule lua_module modules/mod_lua.so

00-proxy.conf:

#LoadModule proxy_module modules/mod_proxy.so
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
#LoadModule proxy_express_module modules/mod_proxy_express.so
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so

01-cgi.conf:

<IfModule mpm_worker_module>
#   LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_event_module>
#   LoadModule cgid_module modules/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#   LoadModule cgi_module modules/mod_cgi.so
</IfModule>

Next, adjust the settings for modules in /etc/httpd/conf.d.

mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig
mv /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.orig
touch /etc/httpd/conf.d/autoindex.conf
touch /etc/httpd/conf.d/userdir.conf

Last but not least, configure Apache httpd itself.

cd /etc/httpd/conf
cp httpd.conf httpd.conf.orig
#sed -i 's/ServerAdmin root@localhost/ServerAdmin youremail@example.com/' /etc/httpd/conf/httpd.conf # replace with your email address if needed
sed -i 's/Listen 80/Listen 0.0.0.0:80/' /etc/httpd/conf/httpd.conf
sed -i 's/LogLevel warn/LogLevel error/' /etc/httpd/conf/httpd.conf
sed -i 's/#EnableMMAP off/EnableMMAP on/' /etc/httpd/conf/httpd.conf
#echo -e "ServerSignature off\nServerTokens Prod\nExtendedStatus Off\nStartServers 10\nMinSpareServers 1\nMaxSpareServers 2\nServerLimit 12\nMaxClients 12\nMaxRequestsPerChild 10000\nKeepAlive on\nKeepAliveTimeout 120" | cat - /etc/httpd/conf/httpd.conf > /etc/httpd/conf/temp && mv /etc/httpd/conf/temp /etc/httpd/conf/httpd.conf <<< y
cat >> /etc/httpd/conf.d/custom.conf << EOF
ServerSignature off
ServerTokens Prod
ExtendedStatus Off
StartServers 10
MinSpareServers 1
MaxSpareServers 2
ServerLimit 12
MaxClients 12
MaxRequestsPerChild 10000
KeepAlive on
KeepAliveTimeout 120
<Directory "/var/www/html/paste/data">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/tmp">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/cfg">
 Require all denied
</Directory>
<Directory "/var/www/html/paste/lib">
 Require all denied
</Directory>
 ExpiresActive On
 # A2592000 = one month (30 days, in seconds) after access; httpd does not allow trailing comments on a directive line
 ExpiresDefault A2592000
 Header set Cache-Control "max-age=2592000, public"
<FilesMatch "\.(pl|php|cgi|spl)$">
 Header unset Cache-Control
 Header unset Expires
 Header unset Last-Modified
 FileETag None
 Header unset Pragma
</FilesMatch>
EOF
setsebool -P httpd_execmem=1
setsebool -P httpd_builtin_scripting=1
systemctl enable httpd

Installation

Download the latest version of PrivateBin and extract it to /var/www/html/paste.

Create the directories PrivateBin needs, set ownership and SELinux file contexts, and (re)start httpd:

cd /var/www/html/paste
mkdir data
mkdir tmp
chown apache:apache *   # httpd only needs write access to data/ and tmp/
# semanage (and audit2allow, used below) come from the policycoreutils-python package on CentOS 7
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/tmp(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/data(/.*)?"
restorecon -Rv /var/www/html/paste   # apply the new contexts; semanage alone only records them
systemctl restart httpd

After httpd has been running for some time, update the SELinux policy with:

cd /var/log/audit
grep hugetlbfs audit.log | audit2allow -M hugetlbfs   # writes hugetlbfs.te (human-readable) and hugetlbfs.pp
semodule -i hugetlbfs.pp   # installs the module; check hugetlbfs.te first
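audit2allow turns every matching denial into an allow rule, so it pays to see what a module would grant before semodule installs it. Added example (my own, not part of the original tutorial; summarize_avc and the sample log lines are constructed): a summary of the allow rules implied by the AVC lines in an audit.log, run here over a constructed sample.

```sh
#!/bin/sh
# Added example, not from the original wiki page: summarise the AVC denials
# that "grep ... audit.log | audit2allow -M ..." would turn into allow rules,
# so the generated module can be reviewed before "semodule -i" installs it.
# Assumption: input is an auditd log in the standard type=AVC line format.

# summarize_avc LOGFILE: one "allow" line per (source type, target type,
# class) with the union of the denied permissions, sorted for stable output.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perms = $0
        sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
        st = tt = tc = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); st = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tt = a[3] }
            else if ($i ~ /^tclass=/)   { tc = substr($i, 8) }
        }
        key = st " " tt ":" tc
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (index(" " seen[key] " ", " " p[j] " ") == 0)
                seen[key] = (seen[key] == "") ? p[j] : seen[key] " " p[j]
    }
    END { for (k in seen) print "allow " k " { " seen[k] " };" }' "$1" | sort
}

# Constructed sample in auditd AVC format (not captured from a real host).
SAMPLE_AVC='type=AVC msg=audit(1500000000.100:201): avc:  denied  { read write } for  pid=2001 comm="httpd" path="/dev/hugepages/opcache" dev="hugetlbfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1500000000.100:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1500000000.200:202): avc:  denied  { open } for  pid=2001 comm="httpd" path="/dev/hugepages/opcache" dev="hugetlbfs" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.300:203): avc:  denied  { write } for  pid=2002 comm="httpd" name="data" dev="dm-0" ino=34 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir permissive=0'

# Prints what a module built from the sample would allow. The default_t:dir
# entry is a labelling problem (fix with restorecon), not a rule to add.
review_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_AVC" > "$tmp"
    summarize_avc "$tmp"
    rm -f "$tmp"
}

# Against a real log: summarize_avc /var/log/audit/audit.log
[ "${1:-}" = sample ] && review_sample
```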

Nginx/Naxsi

If you use nginx with Naxsi as a reverse proxy in front of PrivateBin, add these whitelist rules:

BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";