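#!/usr/bin/env bash
# Provision and harden Apache httpd + mod_ssl + PHP (APC) + MySQL on a yum-based
# host (the module names edited below are the Apache 2.2-era set).
#
# Run as root. Several steps are interactive (openssl, pecl, mysql_secure_installation);
# the prompts they raise are kept as comments next to the command, with <PASSWORD> and
# <BLANK> standing for what the operator types.  Every stock file that is edited is first
# copied to <file>.orig so the changes can be diffed or reverted.
set -euo pipefail

readonly HTTPD_CONF=/etc/httpd/conf/httpd.conf
readonly SSL_CONF=/etc/httpd/conf.d/ssl.conf
readonly PP_FILTER=/usr/local/sbin/pp-filter
# The key is kept beside the certificate under certs/ rather than tls/private/; the
# restrictive umask used when it is generated makes it owner-only either way.
readonly SERVER_KEY=/etc/pki/tls/certs/server.key
readonly SERVER_CRT=/etc/pki/tls/certs/server.crt

# Keep a pristine copy of a config file as <file>.orig before editing it.
backup_orig() {
  cp -a -- "$1" "$1.orig"
}

# Comment out every line of a conf.d snippet that is not already a comment, so the
# snippet is disabled without being deleted.
comment_out_file() {
  sed -i '/^[^#]/s/^/#/' "$1"
}

(( EUID == 0 )) || { printf '%s: must run as root\n' "${0##*/}" >&2; exit 1; }

### httpd.conf
yum -y install httpd
backup_orig "$HTTPD_CONF"
# Setting server
sed -i 's/ServerAdmin root@localhost/ServerAdmin webmaster@pooh.gr.jp/' "$HTTPD_CONF"
sed -i 's/#ServerName www.example.com:80/ServerName pooh.gr.jp:80/' "$HTTPD_CONF"
# Drops directory listings (Indexes) from the DocumentRoot and turns on ExecCGI.
# NOTE(review): cgi_module is disabled further down, so ExecCGI here does nothing for
# plain CGI; confirm it is still wanted, since it widens what a later-added handler may run.
sed -i 's/Options Indexes FollowSymLinks/Options ExecCGI FollowSymLinks/' "$HTTPD_CONF"
# Setting security: stop advertising the OS/version and disable TRACE.
sed -i 's/ServerTokens OS/ServerTokens Prod/' "$HTTPD_CONF"
sed -i 's/ServerSignature On/ServerSignature Off/' "$HTTPD_CONF"
printf '\nTraceEnable Off\n' >> "$HTTPD_CONF"
# Disable userdir, dav_fs (comment out the whole <IfModule> block)
sed -i '/<IfModule mod_userdir.c>/,/<\/IfModule>/s/^/#/' "$HTTPD_CONF"
sed -i '/<IfModule mod_dav_fs.c>/,/<\/IfModule>/s/^/#/' "$HTTPD_CONF"
# Disable default directories (cgi-bin alias and its <Directory>, icons alias and icon maps)
sed -i \
  -e '/ScriptAlias \/cgi-bin\/ "\/var\/www\/cgi-bin\/"/s/^/#/' \
  -e '/<Directory "\/var\/www\/cgi-bin">/,/<\/Directory>/s/^/#/' \
  "$HTTPD_CONF"
sed -i \
  -e '/Alias \/icons\/ "\/var\/www\/icons\/"/s/^/#/' \
  -e '/<Directory "\/var\/www\/icons">/,/<\/Directory>/s/^/#/' \
  -e '/AddIconByEncoding (CMP,\/icons\/compressed.gif) x-compress x-gzip/s/^/#/' \
  -e '/^AddIconByType[[:space:]]/s/^/#/' \
  -e '/^AddIcon[[:space:]]/s/^/#/' \
  -e '/DefaultIcon \/icons\/unknown.gif/s/^/#/' \
  "$HTTPD_CONF"
# Disable unnecessary modules (each LoadModule line is commented out, not removed)
sed -i \
  -e '/LoadModule auth_digest_module modules\/mod_auth_digest.so/s/^/#/' \
  -e '/LoadModule authn_alias_module modules\/mod_authn_alias.so/s/^/#/' \
  -e '/LoadModule authn_anon_module modules\/mod_authn_anon.so/s/^/#/' \
  -e '/LoadModule authn_dbm_module modules\/mod_authn_dbm.so/s/^/#/' \
  -e '/LoadModule authn_default_module modules\/mod_authn_default.so/s/^/#/' \
  -e '/LoadModule authz_owner_module modules\/mod_authz_owner.so/s/^/#/' \
  -e '/LoadModule authz_groupfile_module modules\/mod_authz_groupfile.so/s/^/#/' \
  -e '/LoadModule authz_dbm_module modules\/mod_authz_dbm.so/s/^/#/' \
  -e '/LoadModule authz_default_module modules\/mod_authz_default.so/s/^/#/' \
  -e '/LoadModule ldap_module modules\/mod_ldap.so/s/^/#/' \
  -e '/LoadModule authnz_ldap_module modules\/mod_authnz_ldap.so/s/^/#/' \
  -e '/LoadModule include_module modules\/mod_include.so/s/^/#/' \
  -e '/LoadModule logio_module modules\/mod_logio.so/s/^/#/' \
  -e '/LoadModule env_module modules\/mod_env.so/s/^/#/' \
  -e '/LoadModule ext_filter_module modules\/mod_ext_filter.so/s/^/#/' \
  -e '/LoadModule mime_magic_module modules\/mod_mime_magic.so/s/^/#/' \
  -e '/LoadModule expires_module modules\/mod_expires.so/s/^/#/' \
  -e '/LoadModule usertrack_module modules\/mod_usertrack.so/s/^/#/' \
  -e '/LoadModule dav_module modules\/mod_dav.so/s/^/#/' \
  -e '/LoadModule status_module modules\/mod_status.so/s/^/#/' \
  -e '/LoadModule info_module modules\/mod_info.so/s/^/#/' \
  -e '/LoadModule dav_fs_module modules\/mod_dav_fs.so/s/^/#/' \
  -e '/LoadModule vhost_alias_module modules\/mod_vhost_alias.so/s/^/#/' \
  -e '/LoadModule actions_module modules\/mod_actions.so/s/^/#/' \
  -e '/LoadModule speling_module modules\/mod_speling.so/s/^/#/' \
  -e '/LoadModule userdir_module modules\/mod_userdir.so/s/^/#/' \
  -e '/LoadModule proxy_module modules\/mod_proxy.so/s/^/#/' \
  -e '/LoadModule proxy_balancer_module modules\/mod_proxy_balancer.so/s/^/#/' \
  -e '/LoadModule proxy_ftp_module modules\/mod_proxy_ftp.so/s/^/#/' \
  -e '/LoadModule proxy_http_module modules\/mod_proxy_http.so/s/^/#/' \
  -e '/LoadModule proxy_connect_module modules\/mod_proxy_connect.so/s/^/#/' \
  -e '/LoadModule cache_module modules\/mod_cache.so/s/^/#/' \
  -e '/LoadModule suexec_module modules\/mod_suexec.so/s/^/#/' \
  -e '/LoadModule disk_cache_module modules\/mod_disk_cache.so/s/^/#/' \
  -e '/LoadModule file_cache_module modules\/mod_file_cache.so/s/^/#/' \
  -e '/LoadModule mem_cache_module modules\/mod_mem_cache.so/s/^/#/' \
  -e '/LoadModule cgi_module modules\/mod_cgi.so/s/^/#/' \
  -e '/LoadModule version_module modules\/mod_version.so/s/^/#/' \
  "$HTTPD_CONF"
# Disable unnecessary languages: the three ranges comment out ca..el, eo..it and
# ko..zh-TW, leaving only the en and ja AddLanguage lines active.
sed -i \
  -e '/AddLanguage ca .ca/,/AddLanguage el .el/s/^/#/' \
  -e '/AddLanguage eo .eo/,/AddLanguage it .it/s/^/#/' \
  -e '/AddLanguage ko .ko/,/AddLanguage zh-TW .zh-tw/s/^/#/' \
  -e 's/LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW/LanguagePriority en ja/' \
  "$HTTPD_CONF"
# Second, differently-spaced LanguagePriority occurrence (no-op if the pattern is absent).
sed -i 's/ LanguagePriority en es de fr/ LanguagePriority en ja/' "$HTTPD_CONF"
### welcome.conf
backup_orig /etc/httpd/conf.d/welcome.conf
comment_out_file /etc/httpd/conf.d/welcome.conf
### proxy_ajp.conf
backup_orig /etc/httpd/conf.d/proxy_ajp.conf
comment_out_file /etc/httpd/conf.d/proxy_ajp.conf
### ssl.conf
yum -y install mod_ssl
backup_orig "$SSL_CONF"
# Change key file name (points SSLCertificateFile/KeyFile at the files generated below)
sed -i 's/\/etc\/pki\/tls\/certs\/localhost.crt/\/etc\/pki\/tls\/certs\/server.crt/' "$SSL_CONF"
sed -i 's/\/etc\/pki\/tls\/private\/localhost.key/\/etc\/pki\/tls\/certs\/server.key/' "$SSL_CONF"
# Create config: non-interactive DN for the self-signed certificate request.  The file
# holds no secret, but it is created with mktemp rather than a fixed /tmp name so it
# cannot be pre-created or symlinked by another local user.
openssl_cnf=$(mktemp)
trap 'rm -f -- "$openssl_cnf"' EXIT
cat > "$openssl_cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C            = JP
ST           = Tokyo
L            = Kita-ku
O            = pooh.gr.jp
OU           = pooh.gr.jp
CN           = lachesis.pooh.gr.jp
emailAddress = webmaster@pooh.gr.jp
EOF
# Generate key: owner-only umask while key and cert are written, previous umask restored
# afterwards.  The key is passphrase-protected (des3); openssl prompts for it.
# NOTE(review): the original used 2049 bits, an unusual size; 2048 is the conventional value.
old_umask=$(umask)
umask 0077
openssl genrsa -des3 -out "$SERVER_KEY" 2048
# Enter pass phrase: <PASSWORD>
# Verifying - Enter pass phrase: <PASSWORD>
openssl req -utf8 -new -x509 -days 3650 -set_serial 0 \
  -key "$SERVER_KEY" \
  -out "$SERVER_CRT" \
  -config "$openssl_cnf"
# Enter pass phrase for /etc/pki/tls/certs/server.key: <PASSWORD>
rm -f -- "$openssl_cnf"
umask "$old_umask"
# pp-filter: a helper that prints the key passphrase so httpd can start unattended.
# NOTE(review): the passphrase then sits in cleartext in $PP_FILTER, so the key is in
# practice protected only by that file's permissions (no stronger than an unencrypted
# key with mode 0600).  It is written under a restrictive umask so it is never briefly
# world-readable before the chmod.
sed -i 's/SSLPassPhraseDialog builtin/SSLPassPhraseDialog exec:\/usr\/local\/sbin\/pp-filter/' "$SSL_CONF"
(
  umask 0077
  cat > "$PP_FILTER" <<'EOF'
#!/bin/bash
LANG=C
/bin/echo '<PASSWORD>'
exit 0
EOF
)
# Execute-only for the owner.  root, which runs the dialog program at httpd start-up,
# is not subject to the missing read bit — TODO confirm on this platform.
chmod 100 "$PP_FILTER"
# Setting security: drop LOW-grade ciphers from the stock cipher string.
# NOTE(review): RC4 stays explicitly enabled by this string and SSLProtocol is not
# touched here; on a current platform replace the list with a modern one instead.
sed -i 's/SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW/SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:-LOW/' "$SSL_CONF"
# Comment out from the <Files ~ "...">  opener through the next </Directory> closer, i.e.
# the Files block and the cgi-bin <Directory> block that follows it.
sed -i '/<Files ~ "\.(cgi\|shtml\|phtml\|php3?)$">/,/<\/Directory>/s/^/#/' "$SSL_CONF"
### deflate.conf
cat > /etc/httpd/conf.d/deflate.conf <<'EOF'
<Location />
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/x-js text/css
</Location>
EOF
### php
yum -y install php
backup_orig /etc/php.ini
# Hide the PHP version header and set the timezone.
sed -i 's/expose_php = On/expose_php = Off/' /etc/php.ini
sed -i 's/;date.timezone =/date.timezone = Asia\/Tokyo/' /etc/php.ini
### apc
yum -y install php-pear php-devel pcre-devel httpd-devel
pecl install apc
# Enable per request file info about files used from the APC cache [no] : no
# Enable spin locks (EXPERIMENTAL) [no] : no
echo 'extension=apc.so' > /etc/php.d/apc.ini
### mysql
yum -y install mysql-server php-mysql
backup_orig /etc/my.cnf
cp -a /usr/share/mysql/my-large.cnf /etc/my.cnf
/sbin/service mysqld start
/usr/bin/mysql_secure_installation
# Enter current password for root (enter for none): <BLANK>
# Set root password? [Y/n] y
# New password: <PASSWORD>
# Re-enter new password: <PASSWORD>
# Remove anonymous users? [Y/n] y
# Disallow root login remotely? [Y/n] y
# Remove test database and access to it? [Y/n] y
# Reload privilege tables now? [Y/n] y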