Setup Apache 2.4 + PHP 7.2 + CentOS 7 with Basic Security + SSL (HTTPS)

This is the ad hoc tutorial on how to setup Apache 2.4 / PHP 7.2 web server in CentOS, configure basic security and enable SSL (HTTPS). We will first prepare the system and configure the needed repositories. Next the Apache and PHP will be installed and configured. Finally, we will create our first website adhoctuts1.com and enable SSL for it.

Below content is complementary to the video tutorial above.

Update the system, install some tools and packages and configure the repositories:

yum update -y && yum upgrade -y
yum -y install nano net-tools.x86_64 bind-utils
yum -y install epel-release
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
rpm -Uvh https://mirror.webtatic.com/yum/el7/webtatic-release.rpm

Set SELINUX=disabled:

nano /etc/selinux/config

Install Apache and PHP:

yum install httpd -y
yum install -y php72w php72w-fpm php72w-opcache php72w-xml php72w-soap php72w-xmlrpc php72w-mbstring php72w-mysqli php72w-json php72w-gd php72w-ldap php72w-intl php72w-bcmath php72w-mssql php72w-devel php72w-pear
httpd -v && php -v

Configure Apache:

nano /etc/httpd/conf/httpd.conf

Add following lines before IncludeOptional conf.d/*.conf line in httpd.conf file:

ServerName 127.0.0.1:80
ServerTokens Prod
ServerSignature Off
FileETag None
TraceEnable off
HostnameLookups Off
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript

Configure PHP:

nano /etc/php.ini

Set the following parameter in php.ini:

short_open_tag = On
expose_php = Off
max_execution_time = 120
memory_limit = 512M
post_max_size = 50M
display_errors = Off
upload_max_filesize = 30M
max_file_uploads = 50

Start the services, add them to auto-start list and configure the firewall:

systemctl start httpd && systemctl enable httpd
systemctl start php-fpm && systemctl enable php-fpm
service httpd restart && service php-fpm restart
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --reload

Alternatively, you may completely disable the firewall:

systemctl stop firewalld && systemctl disable firewalld

Setup and configure the first web site – adhoctuts1.com:

sitename="adhoctuts1"
mkdir /var/www/html/$sitename
mkdir /var/www/html/$sitename/html
mkdir /var/www/html/$sitename/html/www
mkdir /var/www/html/$sitename/logs
mkdir /var/www/html/$sitename/tmp
chown -R apache:apache /var/www/html/$sitename/html/*
chown -R apache:apache /var/www/html/$sitename/logs
chown -R apache:apache /var/www/html/$sitename/tmp
chmod -R 775 /var/www/html/$sitename/html/*
echo '<?php phpinfo(); ?>' > /var/www/html/$sitename/html/www/index.php

Create Apache configuration file for – adhoctuts1.com:

nano /etc/httpd/conf.d/$sitename.conf

Add the following lines to the conf file:

<VirtualHost *:80>
ServerName adhoctuts1.com
ServerAlias www.adhoctuts1.com
DocumentRoot /var/www/html/adhoctuts1/html/www
<Directory /var/www/html/adhoctuts1/html/www>
Options -Indexes -FollowSymLinks -ExecCGI
AllowOverride All
</Directory>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/html/adhoctuts1/html/www/$1
ErrorLog /var/www/html/adhoctuts1/logs/error.log
php_admin_value upload_tmp_dir /var/www/html/adhoctuts1/tmp
php_admin_value session.save_path /var/www/html/adhoctuts1/tmp
</VirtualHost>

Reboot the CentOS.

reboot

On your PC, open CMD as administrator and run:

notepad %SystemRoot%\system32\drivers\etc\hosts

and add: YOUR_VM_IP adhoctuts1.com.

Enable secure (HTTPS) connection to web site:
Generate the SSL key files:

yum -y install mod_ssl openssl
sitename="adhoctuts1"
mkdir /var/www/html/$sitename/ssl_keys
cd /var/www/html/$sitename/ssl_keys
sudo openssl genrsa -out $sitename.key 2048
sudo openssl req -new -key $sitename.key -out $sitename.csr
sudo openssl x509 -req -days 360 -in $sitename.csr -signkey $sitename.key -out $sitename.crt

Create Apache configuration file for the SSL version of adhoctuts1.com

nano /etc/httpd/conf.d/$sitename.ssl.conf

Add the following file to SSL conf file:

<VirtualHost *:443>
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile /var/www/html/adhoctuts1/ssl_keys/adhoctuts1.crt
SSLCertificateKeyFile /var/www/html/adhoctuts1/ssl_keys/adhoctuts1.key
ServerName adhoctuts1.com:443
ServerAlias www.adhoctuts1.com
DocumentRoot /var/www/html/adhoctuts1/html/www
<Directory /var/www/html/adhoctuts1/html/www>
Options -Indexes -FollowSymLinks -ExecCGI
AllowOverride All
</Directory>
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
LogLevel error
ErrorLog /var/www/html/adhoctuts1/logs/error_ssl.log
php_admin_value upload_tmp_dir /var/www/html/adhoctuts1/tmp
php_admin_value session.save_path /var/www/html/adhoctuts1/tmp
</VirtualHost>

Add rules for https redirection to initial conf file

nano /etc/httpd/conf.d/$sitename.conf

add following lines in VirtualHost:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}:443%{REQUEST_URI}

service httpd restart && service php-fpm restart

Now we will upload additional file via sftp:
1. Download FileZilla client or any other FTP client you prefer.
2. Create hello.php file with the content in below.
3. Connect to VM and upload newly created file to /var/www/html/adhoctuts1/html/www directory.

———————————————————–Hello.php———————————————————

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Ad Hoc Tutorials - Test Page</title>
</head>

<body>
<h1 style="color: <?= (rand() % 2 == 0)?'red':'green' ?>">Hello, Ad Hoc Tutorials!!!</h1>
</body>

</html>

Related resources: