Imported submitted tutorial from https://www.pozzo-balbi.com/help/Zerobin
El RIDO
8 years ago
parent
327c5d6294
commit
668cced572
@ -0,0 +1,235 @@
|
||||
This tutorial on how to install httpd, php70 and ZeroBin on a minimal red hat or CentOS 7 installation was provided by [@pozzo-balbi](https://github.com/pozzo-balbi) and was originally published at [pozzo-balbi.com/help/Zerobin](https://www.pozzo-balbi.com/help/Zerobin).
|
||||
|
||||
## Prerequisits
|
||||
|
||||
Assuming you are running a VM with minimal installation, you will need to install the following. First php in the latest version and httpd.
|
||||
|
||||
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm
|
||||
yum -y install php70w php70w-opcache php70w-gd php70w-intl php70w-mbstring php70w-mcrypt php70w-xml httpd httpd-tools
|
||||
|
||||
Update php.ini:
|
||||
|
||||
sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
|
||||
sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php.ini
|
||||
sed -i 's/;date.timezone =/date.timezone = Europe\/Berlin/' /etc/php.ini
|
||||
sed -i 's/;mail.log = syslog/mail.log = syslog/' /etc/php.ini
|
||||
sed -i 's/;realpath_cache_size = 16k/realpath_cache_size = 256k/' /etc/php.ini
|
||||
sed -i 's/;realpath_cache_ttl = 120/realpath_cache_ttl = 1200/' /etc/php.ini
|
||||
|
||||
Now customize httpd. Remove unnecessary modules (for ZeroBin) from `/etc/httpd/conf.modules.d`. Uncomment as needed.
|
||||
|
||||
00-base.conf:
|
||||
|
||||
LoadModule access_compat_module modules/mod_access_compat.so
|
||||
#Group authorizations based on host (name or IP address)
|
||||
#LoadModule actions_module modules/mod_actions.so #Execute CGI scripts based on media type or request method.
|
||||
#LoadModule alias_module modules/mod_alias.so #Provides for mapping different parts of the host filesystem in the document tree and for URL redirection
|
||||
#LoadModule allowmethods_module modules/mod_allowmethods.so #Easily restrict what HTTP methods can be used on the server
|
||||
#LoadModule auth_basic_module modules/mod_auth_basic.so #Basic HTTP authentication
|
||||
#LoadModule auth_digest_module modules/mod_auth_digest.so #User authentication using MD5 Digest Authentication
|
||||
#LoadModule authn_anon_module modules/mod_authn_anon.so #Allows "anonymous" user access to authenticated areas
|
||||
#LoadModule authn_core_module modules/mod_authn_core.so #Core Authentication
|
||||
#LoadModule authn_dbd_module modules/mod_authn_dbd.so #User authentication using an SQL database
|
||||
#LoadModule authn_dbm_module modules/mod_authn_dbm.so #User authentication using DBM files
|
||||
#LoadModule authn_file_module modules/mod_authn_file.so #User authentication using text files
|
||||
#LoadModule authn_socache_module modules/mod_authn_socache.so #Manages a cache of authentication credentials to relieve the load on backends
|
||||
LoadModule authz_core_module modules/mod_authz_core.so
|
||||
#Core Authorization
|
||||
#LoadModule authz_dbd_module modules/mod_authz_dbd.so #Group Authorization and Login using SQL
|
||||
#LoadModule authz_dbm_module modules/mod_authz_dbm.so #Group authorization using DBM files
|
||||
#LoadModule authz_groupfile_module modules/mod_authz_groupfile.so #Group authorization using plaintext files
|
||||
#LoadModule authz_host_module modules/mod_authz_host.so #Group authorizations based on host (name or IP address)
|
||||
#LoadModule authz_owner_module modules/mod_authz_owner.so #Authorization based on file ownership
|
||||
#LoadModule authz_user_module modules/mod_authz_user.so #User Authorization
|
||||
#LoadModule autoindex_module modules/mod_autoindex.so #Generates directory indexes, automatically, similar to the Unix ls command or the Win32 dir shell command
|
||||
LoadModule cache_module modules/mod_cache.so
|
||||
#RFC 2616 compliant HTTP caching filter.
|
||||
LoadModule cache_disk_module modules/mod_cache_disk.so
|
||||
#Disk based storage module for the HTTP caching filter.
|
||||
LoadModule data_module modules/mod_data.so
|
||||
#Convert response body into an RFC2397 data URL
|
||||
#LoadModule dbd_module modules/mod_dbd.so #Manages SQL database connections
|
||||
LoadModule deflate_module modules/mod_deflate.so
|
||||
#Compress content before it is delivered to the client
|
||||
LoadModule dir_module modules/mod_dir.so
|
||||
#Provides for "trailing slash" redirects and serving directory index files
|
||||
#LoadModule dumpio_module modules/mod_dumpio.so #Dumps all I/O to error log as desired.
|
||||
#LoadModule echo_module modules/mod_echo.so #A simple echo server to illustrate protocol modules
|
||||
#LoadModule env_module modules/mod_env.so #Modifies the environment which is passed to CGI scripts and SSI pages
|
||||
LoadModule expires_module modules/mod_expires.so
|
||||
#Generation of Expires and Cache-Control HTTP headers according to user-specified criteria
|
||||
#LoadModule ext_filter_module modules/mod_ext_filter.so #Pass the response body through an external program before delivery to the client
|
||||
#LoadModule filter_module modules/mod_filter.so #Context-sensitive smart filter configuration module
|
||||
LoadModule headers_module modules/mod_headers.so
|
||||
#Customization of HTTP request and response headers
|
||||
#LoadModule include_module modules/mod_include.so #Server-parsed html documents (Server Side Includes)
|
||||
#LoadModule info_module modules/mod_info.so #Provides a comprehensive overview of the server configuration
|
||||
LoadModule log_config_module modules/mod_log_config.so
|
||||
#Logging of the requests made to the server
|
||||
#LoadModule logio_module modules/mod_logio.so #Logging of input and output bytes per request
|
||||
#LoadModule mime_magic_module modules/mod_mime_magic.so #Determines the MIME type of a file by looking at a few bytes of its contents
|
||||
LoadModule mime_module modules/mod_mime.so
|
||||
#Associates the requested filename's extensions with the file's behavior (handlers and filters) and content (mime-type, language, character set and encoding)
|
||||
#LoadModule negotiation_module modules/mod_negotiation.so #Provides for content negotiation
|
||||
LoadModule remoteip_module modules/mod_remoteip.so
|
||||
#Replaces the original client IP address for the connection with the useragent IP address list presented by a proxies or a load balancer via the request headers.
|
||||
#LoadModule reqtimeout_module modules/mod_reqtimeout.so #Set timeout and minimum data rate for receiving requests
|
||||
LoadModule rewrite_module modules/mod_rewrite.so
|
||||
#Provides a rule-based rewriting engine to rewrite requested URLs on the fly
|
||||
#LoadModule setenvif_module modules/mod_setenvif.so #Allows the setting of environment variables based on characteristics of the request
|
||||
#LoadModule slotmem_plain_module modules/mod_slotmem_plain.so #Slot-based shared memory provider.
|
||||
#LoadModule slotmem_shm_module modules/mod_slotmem_shm.so #Slot-based shared memory provider.
|
||||
#LoadModule socache_dbm_module modules/mod_socache_dbm.so #DBM based shared object cache provider.
|
||||
#LoadModule socache_memcache_module modules/mod_socache_memcache.so #Memcache based shared object cache provider.
|
||||
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
|
||||
#shmcb based shared object cache provider.
|
||||
#LoadModule status_module modules/mod_status.so #Provides information on server activity and performance
|
||||
#LoadModule substitute_module modules/mod_substitute.so #Perform search and replace operations on response bodies
|
||||
#LoadModule suexec_module modules/mod_suexec.so #Allows CGI scripts to run as a specified user and Group
|
||||
LoadModule unique_id_module modules/mod_unique_id.so
|
||||
#Provides an environment variable with a unique identifier for each request
|
||||
LoadModule unixd_module modules/mod_unixd.so
|
||||
#Basic (required) security for Unix-family platforms.
|
||||
#LoadModule userdir_module modules/mod_userdir.so #User-specific directories
|
||||
#LoadModule version_module modules/mod_version.so #Version dependent configuration
|
||||
#LoadModule vhost_alias_module modules/mod_vhost_alias.so #Provides for dynamically configured mass virtual hosting
|
||||
|
||||
#LoadModule buffer_module modules/mod_buffer.so #Support for request buffering
|
||||
#LoadModule watchdog_module modules/mod_watchdog.so #provides infrastructure for other modules to periodically run tasks
|
||||
#LoadModule heartbeat_module modules/mod_heartbeat.so #Sends messages with server status to frontend proxy
|
||||
#LoadModule heartmonitor_module modules/mod_heartmonitor.so #Centralized monitor for mod_heartbeat origin servers
|
||||
#LoadModule usertrack_module modules/mod_usertrack.so #Clickstream logging of user activity on a site
|
||||
#LoadModule dialup_module modules/mod_dialup.so #Send static content at a bandwidth rate limit, defined by the various old modem standards
|
||||
#LoadModule charset_lite_module modules/mod_charset_lite.so #Specify character set translation or recoding
|
||||
#LoadModule log_debug_module modules/mod_log_debug.so #Additional configurable debug logging
|
||||
#LoadModule ratelimit_module modules/mod_ratelimit.so #Bandwidth Rate Limiting for Clients
|
||||
#LoadModule reflector_module modules/mod_reflector.so #Reflect a request body as a response via the output filter stack.
|
||||
#LoadModule request_module modules/mod_request.so #Filters to handle and make available HTTP request bodies
|
||||
#LoadModule sed_module modules/mod_sed.so #Filter Input (request) and Output (response) content using sed syntax
|
||||
#LoadModule speling_module modules/mod_speling.so #Attempts to correct mistaken URLs by ignoring capitalization, or attempting to correct various minor misspellings.
|
||||
|
||||
00-dav.conf:
|
||||
|
||||
#LoadModule dav_module modules/mod_dav.so
|
||||
#LoadModule dav_fs_module modules/mod_dav_fs.so
|
||||
#LoadModule dav_lock_module modules/mod_dav_lock.so
|
||||
|
||||
00-lua.conf:
|
||||
|
||||
#LoadModule lua_module modules/mod_lua.so
|
||||
|
||||
00-proxy.conf:
|
||||
|
||||
#LoadModule proxy_module modules/mod_proxy.so
|
||||
#LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
|
||||
#LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
|
||||
#LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
|
||||
#LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
|
||||
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
|
||||
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
|
||||
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
|
||||
#LoadModule proxy_express_module modules/mod_proxy_express.so
|
||||
#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
|
||||
#LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
|
||||
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
|
||||
#LoadModule proxy_http_module modules/mod_proxy_http.so
|
||||
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
|
||||
|
||||
01-cgi.conf:
|
||||
|
||||
<IfModule mpm_worker_module>
|
||||
# LoadModule cgid_module modules/mod_cgid.so
|
||||
</IfModule>
|
||||
<IfModule mpm_event_module>
|
||||
# LoadModule cgid_module modules/mod_cgid.so
|
||||
</IfModule>
|
||||
<IfModule mpm_prefork_module>
|
||||
# LoadModule cgi_module modules/mod_cgi.so
|
||||
</IfModule>
|
||||
|
||||
Next adjust settings for modules in /etc/httpd/conf.d .
|
||||
|
||||
mv /etc/httpd/conf.d/autoindex.conf /etc/httpd/conf.d/autoindex.conf.orig
|
||||
mv /etc/httpd/conf.d/userdir.conf /etc/httpd/conf.d/userdir.conf.orig
|
||||
touch /etc/httpd/conf.d/autoindex.conf
|
||||
touch /etc/httpd/conf.d/userdir.conf
|
||||
|
||||
Last but not least configure Apache httpd itself.
|
||||
|
||||
cd /etc/httpd/conf
|
||||
cp httpd.conf httpd.conf.orig
|
||||
#sed -i 's/ServerAdmin root@localhost/ServerAdmin youremail@example.com/' /etc/httpd/conf/httpd.conf # change against your email if needed
|
||||
sed -i 's/Listen 80/Listen 0.0.0.0:80/' /etc/httpd/conf/httpd.conf
|
||||
sed -i 's/LogLevel warn/LogLevel error/' /etc/httpd/conf/httpd.conf
|
||||
sed -i 's/#EnableMMAP off/EnableMMAP on/' /etc/httpd/conf/httpd.conf
|
||||
#echo -e "ServerSignature off\nServerTokens Prod\nExtendedStatus Off\nStartServers 10\nMinSpareServers 1\nMaxSpareServers 2\nServerLimit 12\nMaxClients 12\nMaxRequestsPerChild 10000\nKeepAlive on\nKeepAliveTimeout 120" | cat - /etc/httpd/conf/httpd.conf > /etc/httpd/conf/temp && mv /etc/httpd/conf/temp /etc/httpd/conf/httpd.conf <<< y
|
||||
cat >> /etc/httpd/conf.d/custom.conf << EOF
|
||||
ServerSignature off
|
||||
ServerTokens Prod
|
||||
ExtendedStatus Off
|
||||
StartServers 10
|
||||
MinSpareServers 1
|
||||
MaxSpareServers 2
|
||||
ServerLimit 12
|
||||
MaxClients 12
|
||||
MaxRequestsPerChild 10000
|
||||
KeepAlive on
|
||||
KeepAliveTimeout 120
|
||||
<Directory "/var/www/html/paste/data">
|
||||
Require all denied
|
||||
</Directory>
|
||||
<Directory "/var/www/html/paste/tmp">
|
||||
Require all denied
|
||||
</Directory>
|
||||
<Directory "/var/www/html/paste/cfg">
|
||||
Require all denied
|
||||
</Directory>
|
||||
<Directory "/var/www/html/paste/lib">
|
||||
Require all denied
|
||||
</Directory>
|
||||
ExpiresActive On
|
||||
ExpiresDefault A2592000 # (= one month)
|
||||
Header set Cache-Control "max-age=2592000, public"
|
||||
<FilesMatch "\.(pl|php|cgi|spl)$">
|
||||
Header unset Cache-Control
|
||||
Header unset Expires
|
||||
Header unset Last-Modified
|
||||
FileETag None
|
||||
Header unset Pragma
|
||||
</FilesMatch>
|
||||
EOF
|
||||
setsebool -P httpd_execmem=1
|
||||
setsebool -P httpd_builtin_scripting=1
|
||||
systemctl enable httpd
|
||||
|
||||
## Installation
|
||||
|
||||
Download the [latest version of ZeroBin](https://github.com/elrido/ZeroBin/releases/latest) and extract it to `/var/www/html/paste`.
|
||||
|
||||
Create directories needed by ZeroBin, update permissions and (re)start httpd:
|
||||
|
||||
cd /var/www/html/paste
|
||||
mkdir data
|
||||
mkdir tmp
|
||||
chown apache:apache *
|
||||
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/tmp(/.*)?"
|
||||
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/paste/data(/.*)?"
|
||||
systemctl restart httpd
|
||||
|
||||
Update selinux after some time with:
|
||||
|
||||
cd /var/log/audit
|
||||
grep hugetlbfs audit.log | audit2allow -M hugetlbfs
|
||||
semodule -i hugetlbfs.pp
|
||||
|
||||
## Nginx/Naxsi
|
||||
|
||||
If using nginx with naxsi on your reverse proxy, add these whitelist_rules:
|
||||
|
||||
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:data";
|
||||
BasicRule wl:1315 "mz:$URL:/paste/|$HEADERS_VAR:cookie";
|
||||
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:data";
|
||||
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:data";
|
||||
BasicRule wl:1009 "mz:$URL:/paste/|$BODY_VAR:nickname";
|
||||
BasicRule wl:1001 "mz:$URL:/paste/|$BODY_VAR:nickname";
|
||||
BasicRule wl:1015 "mz:$URL:/paste/|$BODY_VAR:nickname";
|
||||
Loading…
Reference in new issue