You don't have to have PHP, but as it is part of a LAMP stack we will include it here. There are many PHP modules that can be installed alongside Apache, but you should only install what you need.
yum install httpd php php-gd php-soap php-mysqlnd.x86_64 mod_ssl
Set httpd to run on startup
systemctl enable httpd
Set the Apache default umask to something more restrictive, such as 0227, which causes new files to be created with 440 permissions (the override below uses 0127, which yields 640). This will create an override.conf file in /etc/systemd/system/httpd.service.d/
systemctl edit httpd
#Add
[Service]
UMask = 0127
^X
y
return
Disable default configs
cd /etc/httpd/conf.d
mv welcome.conf{,.disabled}
mv autoindex.conf{,.disabled}
mv userdir.conf{,.disabled}
Amend/comment out the following directives in the httpd.conf file. The Listen directive will need the local IP address of the server.
cd /etc/httpd/conf/
vim httpd.conf
Listen 10.106.31.12:80
#Listen 80
ServerAdmin email_address@example.com
ServerTokens Prod
ServerSignature Off
# Comment out the full section allowing access to the default "/var/www/html"
#<Directory "/var/www/html">
...
# Options Indexes FollowSymLinks
...
# AllowOverride None
...
# Require all granted
#</Directory>
# Comment out the full <IfModule alias_module> section, including its closing </IfModule> line
#<IfModule alias_module>
...
#ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
# Comment out the full <Directory "/var/www/cgi-bin"> section
#<Directory "/var/www/cgi-bin">
# AllowOverride None
# Options None
# Require all granted
#</Directory>
Disable non required modules
cd /etc/httpd/conf.modules.d/
mv 00-dav.conf{,.disabled}
mv 00-lua.conf{,.disabled}
mv 00-proxy.conf{,.disabled}
mv 01-cgi.conf{,.disabled}
vim 00-base.conf
# Only leave the following uncommented for a base install. You may need to uncomment further modules depending on your requirements. Note that info_module and status_module expose server configuration and runtime details, so restrict access to them if they are kept loaded.
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule status_module modules/mod_status.so
LoadModule unixd_module modules/mod_unixd.so
Comment out the full <VirtualHost _default_:443> section and add the SSL directives above it. You will need to amend the SSL* directives accordingly; the SSLProtocol and SSLCipherSuite values shown below are only a starting point and should be tightened to the protocol versions and ciphers your policy allows.
vim /etc/httpd/conf.d/ssl.conf
SSLProtocol all -SSLv2
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFile /etc/httpd/conf/ssl/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl/server.key
SSLCACertificateFile /etc/httpd/conf/ssl/server-ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#<VirtualHost _default_:443>
#
...
#
#</VirtualHost>
Amend the php.ini file as follows.
vim /etc/php.d/php.ini
date.timezone = Europe/London
expose_php = Off
Adding a single-domain certificate is straightforward.
openssl genrsa -out sslkey.key 2048
openssl req -new -key sslkey.key -out sslcsr.csr
Send the CSR to the SSL provider and then upload the CRT once received.
For a SAN certificate there is a little more work. First, create a new OpenSSL config file and amend it to add your Subject Alternative Names.
cd /etc/pki/tls/
cp openssl.conf new_san.cnf
vim new_san.cnf
# Amend/add the following
[ req_distinguished_name ]
countryName = GB
countryName_default = GB
stateOrProvinceName = London
localityName = London
localityName_default = London
0.organizationName = Company Name
0.organizationName_default = Company
organizationalUnitName = Web
organizationalUnitName_default = Web
emailAddress = email_address@example.com
[ v3_ca ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.com
DNS.2 = wiki.example.com
DNS.3 = www.example2.com
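# Generate the private key and CSR for the SAN certificate.
# The CSR must be built from new_san.cnf (-config) and must pull the
# subjectAltName extension from its [ v3_ca ] section (-reqexts); without
# these flags openssl uses the stock config and the alternative names are
# silently left out of the request.
openssl genrsa -out sslkey.key 2048
openssl req -new -key sslkey.key -out sslcsr.csr -config new_san.cnf -reqexts v3_ca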
Install required modules
yum install mod_ldap mod_ssl
Add the following into your VirtualHost, amending the FQDN, DNs and group name for your directory. Note that a plain ldap:// URL on port 389 sends the bind credentials unencrypted, so use LDAPS where your directory supports it.
AuthType Basic
AuthName "Registry Authentication"
AuthBasicProvider ldap
AuthLDAPURL "ldap://FQDN:389/OU=[Root],DC=uk,DC=co,DC=grow4?sAMAccountName?sub?(objectClass=user)"
AuthLDAPBindDN "CN=service_user,OU=CS,OU=System Accounts,OU=Street,OU=[Root],DC=uk,DC=co,DC=grow4"
AuthLDAPBindPassword "exec:/bin/cat /etc/httpd/conf/.secrets/.ldap_pass"
AuthLDAPBindAuthoritative off
require ldap-group CN=Group_name,OU=Distribution,OU=Global Groups,OU=Town,OU=[Root],DC=uk,DC=co,DC=grow4