sudo tasksel

Then follow the onscreen instructions and choose “LAMP Server” when prompted to be up and running with Apache, MySQL, and PHP in mere minutes. This is great for a user that just wants the standard versions of PHP or MySQL. However, I’m working on a project that requires PHP 5.3, and installing a LAMP server using tasksel installs PHP 5.2. I decided that I would just install Apache and PHP manually so that I could use PHP 5.3. This guide starts with my ideal Apache setup. This is kind of a personal preference of how I like Apache setup, others may prefer a different method. If you follow this guide directly you will end up with your web directory in your home folder, with two sites (http://sandbox.local/ and http://production.local/). Lets get started.

Installing Apache

Installing Apache is the easy part, simply use apt:

sudo apt-get install apache2 apache2-prefork-dev apache2-mpm-prefork

Let it do its thing and in a few minutes you should have Apache up and running. Once it is done you can test if it is working by opening a web browser and entering http://localhost/ in the address bar. You should get Apache’s default message that says “It works!”. Now that Apache is installed we can configure it to fit our needs.

Configuring Apache

The first thing we are going to do is edit our hosts file to include our two “domain names” we’ll be using for the site, sandbox.local and production.local. Open up the /etc/hosts file with nano (or your editor of choice):

sudo nano /etc/hosts

And add the following lines below the line that begins with 127.0.1.1:

127.0.1.2 sandbox.local www.sandbox.local
127.0.1.3 production.local www.production.local

For those not familiar with the hosts file, what this is doing is assigning an IP Address to the host names. 127.0.1.2 and 127.0.1.3 are IP addresses that point to the local machine. The values following the IP Address are the host name, and host alias respectively. If you want to additional host names that point to the local machine then add them here. You can call your host names whatever you like instead of sandbox.local and production.local, just be sure to substitute your own names in place of these for the rest of the tutorial.

Now that we have our host names pointing to our local machine we can create directories to hold the content for our two websites. I created my base web directory inside of my home directory:

mkdir ~/www

Now I want a directory for each site inside of the www directory. The following will make a directory for each site with sub directories for the type of content (httpdocs for the web files, logs for the logs). The last line just creates an index.html file in the httpdocs directory so we can test that our websites are working later.

For the sandbox.local website:

mkdir ~/www/sandbox.local
mkdir ~/www/sandbox.local/httpdocs
mkdir ~/www/sandbox.local/logs
echo "<h1>sandbox.local</h1>" > ~/www/sandbox.local/httpdocs/index.html

For the production.local website:

mkdir ~/www/production.local
mkdir ~/www/production.local/httpdocs
mkdir ~/www/production.local/logs
echo "<h1>production.local</h1>" > ~/www/production.local/httpdocs/index.html

Now we have our host names setup, and directories setup that contain our website. The next step is to create configuration files to tell Apache what our host name (domain name) is and where on the computer it is located. The configuration files for each site should be created in "/etc/apache2/sites-available".

First lets create the configuration file for sandbox.local

cd /etc/apache2/sites-available
sudo nano sandbox.local

The file sandbox.local should contain the following. You will have to change the "ServerAdmin" value and all the instances of "/home/lane" to your home directory depending on your username.

<VirtualHost *:80>
	ServerAdmin username@sandbox.local
	ServerName sandbox.local
	ServerAlias www.sandbox.local
 
	DocumentRoot /home/lane/www/sandbox.local/httpdocs/
	<Directory /home/lane/www/sandbox.local/httpdocs/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>
 
	ErrorLog /home/lane/www/sandbox.local/logs/error.log
	LogLevel warn
	CustomLog /home/lane/www/sandbox.local/logs/access.log combined
</VirtualHost>

Now do the same for production.local.

sudo nano production.local

With contents:

<VirtualHost *:80>
	ServerAdmin username@production.local
	ServerName production.local
	ServerAlias www.production.local
 
	DocumentRoot /home/lane/www/production.local/httpdocs/
	<Directory /home/lane/www/production.local/httpdocs/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride All
		Order allow,deny
		allow from all
	</Directory>
 
	ErrorLog /home/lane/www/production.local/logs/error.log
	LogLevel warn
	CustomLog /home/lane/www/production.local/logs/access.log combined
</VirtualHost>

As you can see the two configuration files are pretty straight forward XML files. The ServerName and ServerAlias values tell Apache what host name the following configuration is meant for. The DocumentRoot value tells Apache where to find the files for this website. The Directory directive allows you to specify specific options for the given directory. Lastly the ErrorLog and CustomLog tells Apache where to store the log files for this domain.

Once the configuration files have been created we want to enable them so that Apache knows they are there. I also chose to disable the default config, this is up to you. The default config will load whatever is in "/var/www" when you point your browser to "localhost" (which is why we recieved the "It works!" message earlier.

sudo a2ensite sandbox.local
sudo a2ensite production.local
sudo a2dissite default

Finally the last step is to restart Apache. This can be done with the following command:

sudo /etc/init.d/apache2 restart

If all went well we should be able to bring up our two new local websites. Here is where everything we've done comes together. Open up your web browser and type in "http://sandbox.local/". When you type in sandbox.local in your web browser, the host name is looked up (and found in /etc/hosts) which points to the localhost (127.0.1.2). Apache is listening on port 80 (the default http port) and picks up the request for "sandbox.local". It looks in the enabled sites for one with a ServerName of "sandbox.local" then points to the requested file (index.html by default) in "DocumentRoot". The web browser then displays this page and should say "sandbox.local" in big letters.

Now point your web browser to http://production.local/ and you should receive a similar page that says "production.local" in big letters.

You can now put whatever web content you want in ~/www/sandbox.local/httpdocs/ or ~/www/production.local/httpdocs/ and they will load up when you type their host name into your web browser.

This isn't really all that useful yet because all you can load up are html pages, which you could do anyways just by double clicking on an html file. In my next blog post I will show you how to install PHP for use with your Apache web server so you can use it as a testing ground for various projects.

• Splunk htaccess Authentication
• SSL Setup
• IPtables setup

I recommend viewing them for a more detailed explanation.

This guide assumes you have a fresh installation of Splunk but should work fine with an existing one. If you don’t have a Splunk installation yet, you can install it quite easily:

cd /opt
sudo wget 'http://www.splunk.com/index.php/download_track?file=3.4.10/linux/splunk-3.4.10-60883-Linux-i686.tgz&ac=&wget=true&name=wget&typed=releases'
sudo tar xvfz splunk-3.4.10-60883-Linux-i686.tgz
sudo splunk/bin/splunk start
sudo /opt/splunk/bin/splunk enable boot-start

Note: Make sure you obtain the latest release. The address in the above wget is probably not the most recent version.

You will also want to enable https on the Splunk installation. You can do this bygoing to http://127.0.0.1:8000/ and clicking the Admin link on the top right part of Splunk Web. Then in the Server: View Settings page under Splunk Web set Enable SSL (HTTPS) in Splunk Web? to Yes. Restart Splunk and you should now be able to access it with an https prefix.

For this guide you are also going to need apache2, openssl.

sudo apt-get install apache2 openssl

Once apache has installed you have to enable the required modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl

The proxy modules are required because we are going to be taking requests on port 80 and those requests will be forwarded to the Splunk web interface on port 8000.

Now I am not going to go into extreme detail about generating certificates as this could be a whole topic in itself. Check out Paul Bramscher’s page on generating self signed certificates if you want more details.

The first step is to go to your home directory and generate a server key:

cd ~
sudo openssl genrsa -des3 -out server.key 4096

Next create a certificate signing request with the server key. You will be asked a series of questions, answer them as you see fit:

sudo openssl req -new -key server.key -out server.csr

Now sign the certificate signing request. This one is valid for 1000 days, you may use whatever you like:

sudo openssl x509 -req -days 1000 -in server.csr -signkey server.key -out server.crt

Now make a version that does not require a password:

sudo openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key

Lastly copy the key and certificate that do not require a password to the designated apache folder:

sudo mkdir /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl

That’s it for the certificates! Now we can start configuring apache. Create a configuration file for the ssl setup:

sudo vim /etc/apache2/sites-available/ssl

You will want to enter something similar to this:

<VirtualHost *:443>
        ServerAdmin webmaster@domain.com
        ServerAlias machine.domain.com
        ProxyPass / https://127.0.0.1:8000/
        ProxyPassReverse / https://127.0.0.1:8000/
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        SSLProxyEngine on
</VirtualHost>
<Proxy https://127.0.0.1:8000/*>
        Order deny,allow
        Deny from all
        Allow from all
        AuthName "machine.domain.com"
        AuthType Basic
        AuthUserFile /var/www/.htpasswd
        Require valid-user
</Proxy>

The ServerAlias will be whatever your DNS name for your Splunk server is.

Now enable the site we just set up:

sudo a2ensite ssl

You should also make sure that Apache is listening on port 443. Do this:

sudo vim /etc/apache2/ports.conf

Add this (if it does not already exist):

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

Now the last step is setting up your user account in the .htpasswd file. This can be done with the following:

sudo htpasswd -c /var/www/.htpasswd username

Where username is replaced with the username you wish to use. The -c flag creates the file, if you need to add multiple users do not use the -c flag after the first command or it will overwrite the file.

Now restart Apache:

sudo /etc/init.d/apache2 restart

If all goes well you should be able to type in the https://machine.domain.com/ and you will receive a password prompt. Enter the username/password you just created and you will be at Splunk Web!

Now, try typing in https://machine.domain.com:8000/ and see what happens. You will probably be directed to Splunk web without being prompted for a password. Uh oh… did you just do all this for nothing?! Nope! We can set up some ip table rules to prevent access to port 8000 to force users to use the proxy. I won’t go into depth on this but we first allow access to port 8000 from localhost with the following command:

sudo iptables -A INPUT -s 127.0.0.1 -p tcp --dport 8000 -j ACCEPT

Now we want to drop all other hosts from accessing port 8000:

sudo iptables -A INPUT -p tcp --dport 8000 -j DROP

Now any attempts to access https://machine.domain.com:8000/ will be blocked, but access attempts to the password protected interface on port 443 will still be allowed.

You can also modify the above rules to limit access to the interface by IP address. Just replace 127.0.0.1 with the IP address you wish to allow acces and change the dport to 443. Enter one of these commands for each IP address to allow. Then enter the second rule (with dport 443) once all the allowed hosts have been added.

Note: The iptables will not be reloaded when you reboot the Splunk machine. I recommend following this firewall guide in order to have a configurable iptables script that loads on startup

It is indeed a problem with a security module in Apache. If you are as unlucky as I was to still have the problem after trying out the solutions in the blog post above, then you have the joy of tracking down the specific word that appears to be the problem. In my case, I was posting a code snippet from my post on Caching Data with CakePHP. For some reason mod_security was flagging my use of the word “settings”. Once I changed the variable names in the post it worked flawlessly.