- Project description
- Part I : Apache2 server configuration
- Part II: HTTP and DNS
- Part III: Secure a repository
- Access filtering at user's level
- Modification of the configuration
- Create accounts (Apache provides a tool to easily generate encrypted passwords)
- Test the access to the website, what do you notice?
- Check if the password is encrypted at the level of transfer from the client to the server
- What is the solution?
- Part IV: Configuration with .htaccess
- Part V: Personal Directories
Apache is an open-source web server that powers a large number of websites around the world. Its official name is Apache HTTP Server and it is maintained and developed by the Apache Software Foundation.
Apache allows website owners to provide content on the web, hence the name “web server”. It is one of the oldest and most reliable web servers with a first version released over 25 years ago, in 1995.
When a user wants to visit a website, they type a domain name (or IP address) in the browser’s bar. Then the web server delivers the requested files by acting as a virtual delivery agent.
sudo apt install apache2 -y
That’s it, Apache is installed on your Kali Linux system. Now start the service using this command:
sudo service apache2 start
Now you can check the status of the Apache service using this command:
sudo service apache2 status
To verify that the Apache server is working correctly in Kali Linux, open your browser and type your server IP address or domain name, http://YOUR_IP_OR_DOMAIN/. You will see the default Apache welcome page.
In Kali Linux, the Apache configuration files are stored in the /etc/apache2 directory:
Here is a brief description of the files in this directory:
- apache2.conf: the main Apache2 configuration file that contains settings global to Apache.
- envvars: a file where Apache environment variables are set.
- ports.conf: a configuration file that houses the directives that determine the TCP ports Apache is listening on.
- conf.d: this directory is used for controlling specific aspects of the Apache configuration. For example, it is often used to define SSL configuration and default security choices.
- sites-available: a directory that has configuration files for Apache Virtual Hosts. Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations.
- sites-enabled: a directory that contains symlinks to the /etc/apache2/sites-available directory.
- mods-available: a directory that contains configuration files to both load modules and configure them.
- mods-enabled: a directory that holds symlinks to the files in /etc/apache2/mods-available.
The first thing we're going to do is create two directories (mywebsite1 and mywebsite2) with the commands:
sudo mkdir /var/www/mywebsite1
sudo mkdir /var/www/mywebsite2
Then we're going to create two pages, one in each directory (index.html), with the commands:
sudo nano /var/www/mywebsite1/index.html
sudo nano /var/www/mywebsite2/index.html
Note : we're going to focus on the first page only in the rest of the project
After that we create the configuration file (mywebsite1.conf), where we put the settings the website needs to work properly.
And then we activate the vhost:
sudo a2ensite mywebsite1.conf
This creates a symlink in sites-enabled that points to the file in sites-available.
In order to update the new configuration we simply reload the service :
sudo systemctl reload apache2
And finally we're going to test our conf :
We added new records for the website :
[Screenshots: dir_resol, rev_resol, by NS, by ADDR]
We are going to create the .htpasswd file with a new user (oussama):
sudo htpasswd -c /etc/apache2/.htpasswd oussama
Then we will be asked to supply and confirm a password for that user.
Now the access is restricted.
If you make a mistake while typing your username and password, access is denied. But if you get it right, you will have access to the page.
We're going to check whether the password is encrypted at the level of transfer (using Wireshark):
The solution is simply to use another method of authentication, one that makes sure that the password is encrypted at the level of transfer.
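What the Wireshark check of a Basic-authenticated request comes down to, reproduced offline as an added shell example (not part of the original project). The request, the host name mywebsite1.example and the password demo-password are constructed sample values.

```shell
#!/bin/sh
# Added example: why HTTP Basic authentication is readable in a capture.
# All request data below is constructed for illustration.

# Build the header a browser sends for user:password (RFC 7617):
# the credentials are only base64-encoded, not encrypted.
basic_header() {
    printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64)"
}

# Pull the Authorization header out of a raw HTTP request and decode it.
# Prints "user:password"; returns 1 if no Basic credentials are present.
decode_basic_auth() {
    _tok=$(printf '%s\n' "$1" | tr -d '\r' |
        sed -n 's/^[Aa]uthorization: [Bb]asic \([A-Za-z0-9+/=]*\)$/\1/p' |
        head -n 1)
    [ -n "$_tok" ] || return 1
    printf '%s' "$_tok" | base64 -d
}

# Constructed request, as it would appear in a followed HTTP stream.
SAMPLE_REQUEST="GET / HTTP/1.1
Host: mywebsite1.example
$(basic_header oussama demo-password)
Accept: text/html"

# Anyone who can read the traffic recovers the credentials in one step.
decode_basic_auth "$SAMPLE_REQUEST" && echo
```

The same header is sent again with every request to the protected area, so a single captured request is enough to expose the account.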
The .htaccess files are Apache configuration files that let you define rules for a directory and all of its subdirectories (those which do not have such a file of their own). They can be used to protect a directory with a password, to change the name or extension of the index page, or to prohibit access to the directory.
The .htaccess file is placed in the directory on which it must act. It thus acts on the permissions of the directory that contains it and of all its subdirectories. Another .htaccess file can be placed in a subdirectory of a directory already controlled by an .htaccess file. The .htaccess file in the parent directory remains in effect until its settings are overridden.
By default, the .htaccess file is not enabled.
- Open the default host configuration file by entering the following command in the terminal:
sudo nano /etc/apache2/sites-available/mywebsite1.conf
- Locate the section labeled <Directory /var/www>. In that section, change the AllowOverride None entry to All: AllowOverride All
- Next, restart the Apache service:
sudo systemctl restart apache2
To create and open the .htaccess file for editing, enter:
sudo nano /var/www/mywebsite1/.htaccess
For digest authentication we need to use a utility called htdigest, unlike with basic authentication where we used htpasswd. The utility takes the file name, the realm (private) and the user name (ataman) as arguments, then prompts twice for the user’s password. The flag -c creates a new file; it overwrites the existing one if it exists.
sudo htdigest -c /etc/apache2/.htpasswd private ataman
Command to see Apache password file:
sudo nano /etc/apache2/.htpasswd
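The line that htdigest writes to the password file, and the value a browser sends instead of the password, computed by hand as an added shell example (not part of the original project). The user ataman and realm private come from the command above; the password, nonce and cnonce are constructed sample values.

```shell
#!/bin/sh
# Added example: what htdigest stores and what Digest auth sends.
# Password, nonce and cnonce below are constructed sample values.

md5_hex() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# Line format written by htdigest: user:realm:MD5(user:realm:password)
htdigest_line() {  # args: user realm password
    printf '%s:%s:%s\n' "$1" "$2" "$(md5_hex "$1:$2:$3")"
}

# Response a client sends with qop=auth (RFC 2617, section 3.2.2).
# args: stored_line method uri nonce nc cnonce
digest_response() {
    ha1=${1##*:}                 # last field of the stored line
    ha2=$(md5_hex "$2:$3")       # hash of method and URI
    md5_hex "$ha1:$4:$5:$6:auth:$ha2"
}

# The page's user and realm with a constructed password.
LINE=$(htdigest_line ataman private 'demo-password')
echo "stored:   $LINE"

# The server issues the nonce in its 401 challenge; this one is made up.
echo "response: $(digest_response "$LINE" GET / \
    'constructed-nonce' 00000001 'constructed-cnonce')"
```

Only the response hash crosses the network, so the Wireshark capture no longer shows the password, but the page content itself is still sent in clear text. The stored MD5 value is all that is needed to compute valid responses, so the password file must stay readable only by the web server, and serving the site over HTTPS is what protects both credentials and content.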
[Screenshots: login, wireshark]
Our Team - AIT EL KADI Ilyas - AZIZ Oussama
Project Link: https://github.com/IlyasKadi/Domain-Name-System-Protocol