You don't have to have PHP, but as it is part of a LAMP stack we will include it here. There are plenty of PHP modules that can be loaded into Apache, but you should only install what you need.
yum install httpd php php-gd php-soap php-mysqlnd.x86_64 mod_ssl

Set httpd to run on startup
systemctl enable httpd

Set the Apache default umask to something more restrictive like 0227, which will cause new files to be created with 440 permissions. This will create an override.conf file in /etc/systemd/system/httpd.service.d/
systemctl edit httpd

# Add
[Service]
UMask = 0127

^X, y, return (save and exit the editor)

Disable default configs
cd /etc/httpd/conf.d
mv welcome.conf{,.disabled}
mv autoindex.conf{,.disabled}
mv userdir.conf{,.disabled}

Amend or comment out the following directives in the httpd.conf file. The Listen directive will need the local IP address of the server.
cd /etc/httpd/conf/
vim httpd.conf
Listen 10.106.31.12:80
#Listen 80
ServerAdmin email_address@example.com
ServerTokens Prod
ServerSignature Off

# Comment out the full section allowing access to the default "/var/www/html"
#<Directory "/var/www/html">
...
#    Options Indexes FollowSymLinks
...
#    AllowOverride None
...
#    Require all granted
#</Directory>

# Comment out the full <IfModule alias_module> section
#<IfModule alias_module>
...
#    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
#</IfModule>

# Comment out the full <Directory "/var/www/cgi-bin"> section
#<Directory "/var/www/cgi-bin">
#    AllowOverride None
#    Options None
#    Require all granted
#</Directory>

Disable non-required modules
cd /etc/httpd/conf.modules.d/
mv 00-dav.conf{,.disabled}
mv 00-lua.conf{,.disabled}
mv 00-proxy.conf{,.disabled}
mv 01-cgi.conf{,.disabled}
vim 00-base.conf

# Only leave the following uncommented for a base install. You may need to uncomment further modules depending on your requirements.
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule unixd_module modules/mod_unixd.so

Comment out the full <VirtualHost _default_:443> section and add the SSL directives above this section. You will need to amend the SSL* directives accordingly.
vim /etc/httpd/conf.d/ssl.conf

SSLProtocol all -SSLv2
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
SSLCACertificateFile /etc/httpd/conf/ssl/server-ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

#<VirtualHost _default_:443>
#...
#</VirtualHost>

Amend the php.ini file as follows.
vim /etc/php.d/php.ini

date.timezone = Europe/London
expose_php = Off

Adding a single-domain certificate is pretty straightforward.
openssl genrsa -out sslkey.key 2048
openssl req -new -key sslkey.key -out sslcsr.csr

Send the CSR to the SSL provider and then upload the CRT once received.
For a SAN certificate there is a little more work. First you will need to create a new OpenSSL config file and amend it to add your Subject Alternative Names.
cd /etc/pki/tls/
cp openssl.cnf new_san.cnf
vim new_san.cnf

# Amend/add the following
[ req ]
# openssl req only adds extensions from the section named here, so the SAN
# list must live in v3_req (a v3_ca section is never read when building a CSR)
req_extensions = v3_req

[ req_distinguished_name ]
countryName = GB
countryName_default = GB
stateOrProvinceName = London
localityName = London
localityName_default = London
0.organizationName = Company Name
0.organizationName_default = Company
organizationalUnitName = Web
organizationalUnitName_default = Web
emailAddress = email_address@example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = wiki.example.com
DNS.3 = www.example2.com

# The new config must be passed to the req command, otherwise the default openssl.cnf is used and the SANs are left out of the CSR
openssl genrsa -out sslkey.key 2048
openssl req -new -key sslkey.key -out sslcsr.csr -config new_san.cnf

Install required modules
yum install mod_ldap mod_ssl

Add the following into your VirtualHost
AuthType Basic
AuthName "Registry Authentication"
AuthBasicProvider ldap
AuthLDAPURL "ldap://FQDN:389/OU=[Root],DC=uk,DC=co,DC=grow4?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=service_user,OU=CS,OU=System Accounts,OU=Street,OU=[Root],DC=uk,DC=co,DC=grow4"
AuthLDAPBindPassword "exec:/bin/cat /etc/httpd/conf/.secrets/.ldap_pass"
AuthLDAPBindAuthoritative off
Require ldap-group CN=Group_name,OU=Distribution,OU=Global Groups,OU=Town,OU=[Root],DC=uk,DC=co,DC=grow4
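A small audit helper for the steps above, added here and not part of the original guide: it works out the file and directory modes a systemd UMask actually produces (0227 in the text, 0127 in the override shown) and greps an Apache config for the httpd.conf directives, the disabled /cgi-bin/ alias and an exec:-sourced LDAP bind password. The two sample configs are constructed for the demonstration; the Listen address and secrets path are the page's own examples.

```shell
#!/bin/sh
# Added audit helper, not part of the original guide. Shows the modes a
# systemd UMask value produces and checks an Apache config for the settings
# this page applies. Both sample configs below are constructed.

# New files start from 666 and directories from 777; the umask clears bits.
umask_file_mode() { printf '%03o' $(( 0666 & ~0$1 )); }
umask_dir_mode()  { printf '%03o' $(( 0777 & ~0$1 )); }

# True if FILE ($1) has an uncommented line matching extended regex PATTERN ($2).
active_directive() { grep -Eq "^[[:space:]]*$2" "$1"; }

# Print every deviation from the guide's settings; return 0 if there are none.
check_httpd_conf() {
  f=$1; rc=0
  active_directive "$f" 'ServerTokens[[:space:]]+Prod'     || { echo "missing: ServerTokens Prod"; rc=1; }
  active_directive "$f" 'ServerSignature[[:space:]]+Off'   || { echo "missing: ServerSignature Off"; rc=1; }
  active_directive "$f" 'Listen[[:space:]]+[0-9.]+:80$'    || { echo "missing: Listen bound to one IP"; rc=1; }
  active_directive "$f" 'Listen[[:space:]]+80$'            && { echo "found: Listen 80 on all interfaces"; rc=1; }
  active_directive "$f" 'Options.*Indexes'                 && { echo "found: Options Indexes (listings on)"; rc=1; }
  active_directive "$f" 'ScriptAlias[[:space:]]+/cgi-bin/' && { echo "found: active /cgi-bin/ alias"; rc=1; }
  # The bind password should be fetched via exec:, as on this page, not written inline.
  grep -E '^[[:space:]]*AuthLDAPBindPassword' "$f" | grep -Evq 'AuthLDAPBindPassword[[:space:]]+"?exec:' \
    && { echo "found: inline AuthLDAPBindPassword"; rc=1; }
  return $rc
}

# Constructed samples: a stock-looking config, and one edited as the guide says.
STOCK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat > "$STOCK_CONF" <<'EOF'
Listen 80
    Options Indexes FollowSymLinks
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
AuthLDAPBindPassword "PLACEHOLDER_PASSWORD"
EOF
cat > "$HARDENED_CONF" <<'EOF'
Listen 10.106.31.12:80
#Listen 80
ServerTokens Prod
ServerSignature Off
#    Options Indexes FollowSymLinks
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
AuthLDAPBindPassword "exec:/bin/cat /etc/httpd/conf/.secrets/.ldap_pass"
EOF

echo "umask 0227 -> files $(umask_file_mode 0227), dirs $(umask_dir_mode 0227)"
echo "umask 0127 -> files $(umask_file_mode 0127), dirs $(umask_dir_mode 0127)"
check_httpd_conf "$HARDENED_CONF" && echo "hardened sample: OK"
check_httpd_conf "$STOCK_CONF" || echo "stock sample: needs work"
```

Run it against a real server with `cat /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/*.conf > combined.conf` and `check_httpd_conf combined.conf`, since the vhost directives live in a separate file.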