Differences

This shows you the differences between two versions of the page.

--- computing:apachesurvival [2018/05/11 02:50] – oemb1905
+++ computing:apachesurvival [2021/10/31 05:06] – oemb1905
@@ Line 7: / Line 7: @@
 -------------------------------------------
 //apachesurvival//
 -------------------------------------------
-This tutorial is for users of Debian GNU/Linux using the LAMP stack, wanting TLS encryption, multiple self-hosted websites, feature rich content management, etc., without sacrificing ownership or security.  This tutorial will cover:
+This tutorial is for users of Debian GNU/Linux using the LAMP stack, wanting TLS encryption, multiple self-hosted websites and will cover:
-  * Establish LAMP stack
+  * Establish LAMP stack and set-up TLS w/ Let's Encrypt
-  * Virtual hosts for more than one website
+  * Virtual hosts for more than one website on same server
-  * Creation of self-signed SSL
+  * Permissions and Firewall
-  * Let's Encrypt with Certbot
-  * MySQL survival commands
-  * Installation of Joomla, Wordpress, Dokuwiki, Cacti
-  * Installation and configuration of local sftp server
-  * Directory permissions
-  * firewall rules with ufw
-  * symbolic links for External Drive outside of root of webserver (risky)
-There is probably a bit more ... but this will get us started.  With the exception of Cacti, these are skills I learned on BSD / macOS and then migrated to Debian GNU/Linux which runs them better, has better implementations of the LAMP stack, more feature control, and most importantly is #freesoftware.
+The tutorial below creates two virtual hosts, for registered domain site1.com and site2.com, and this can be scaled to as many as you like and/or your host will serve properly:
--------------------------------------------
+  sudo apt install apache2 php mariadb-server
-Installing apache, setting up two ore more websites.
-  sudo apache2ctl configtest
-  sudo apt install apache2
   sudo mkdir -p /var/www/site1.com/public_html
   sudo mkdir -p /var/www/site2.com/public_html
   sudo chown -R $USER:$USER /var/www/site1.com/public_html
   sudo chown -R $USER:$USER /var/www/site2.com/public_html
-  sudo chmod -R 755 /var/www
+  sudo chmod 755 /var/www
-  nano /var/www/site1.com/public_html/index.html
+Okay, for the first website, create your index.html:
+  sudo nano /var/www/site1.com/public_html/index.html
+Give it some simple html:
   <html>
     <head>
@@ Line 47: / Line 40: @@
     </body>
   </html>
+Same for the second website, open the file:
+  sudo nano /var/www/site2.com/public_html/index.html
-  nano /var/www/site2.com/public_html/index.html
+Give it some simple html to distinguish it:
   <html>
@@ Line 58: / Line 55: @@
     </body>
   </html>
+Now, copy the default virtual host configuration to a new .conf file for each site:
   sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site1.com.conf
   sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site2.com.conf
+Open the first virtual host conf for the first website:
   sudo nano /etc/apache2/sites-available/site1.com.conf
+Adjust to something like this:
   <VirtualHost *:80>
@@ Line 73: / Line 76: @@
   </VirtualHost>
-  sudo nano /etc/apache2/sites-available/site2.com.conf
+Repeat the steps above for the second virtual host site2.com.conf.  Ok, now time to enable the virtual hosts with the a2ensite command, and disable the default site since you won't need that any longer:
-  <VirtualHost *:80>
-        ServerAdmin name@site2.com
-        ServerName site2.com
-        ServerAlias www.site2.com
-        DocumentRoot /var/www/site2.com/public_html
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log combined
-  </VirtualHost>
   sudo a2ensite site1.com.conf
   sudo a2ensite site2.com.conf
-  sudo cp -r /var/www/html /root/
+  sudo cp -r /var/www/html /root/html-bak
   sudo rm -r /var/www/html
   sudo a2dissite 000-default.conf
+Now, if you prefer put some local dns entries in /etc/hosts
   sudo nano /etc/hosts
-.0.0.1       localhost
+Append something like this to the bottom:
-.0.1.1       host.domain.com  hostname
-  # The following lines are desirable for IPv6 capable hosts
-  ::1     localhost ip6-localhost ip6-loopback
-  ff02::1 ip6-allnodes
-  ff02::2 ip6-allrouters
-  #Virtual Hosts - NOT Optional - replace xxx etc., with external IP
   xxx.xxx.xxx.xxx site1.com
   xxx.xxx.xxx.xxx www.site1.com
@@ Line 104: / Line 95: @@
   xxx.xxx.xxx.xxx www.site2.com
+Check your configurations up until now and then restart the service and check if it starts:
+  sudo apache2ctl configtest
   sudo systemctl restart apache2.service
-Visit site1.com and site2.com - debug, set up TLS - repeat this for additional sites, set up firewall w/ common exceptions.
+Visit site1.com and site2.com and debug.  Once both properly resolve, it is time to set up TLS.  If this is a public IP on a VPS, then at a minimum, set up ufw to allow http/https and provide access for you to ssh:
-  sudo ufw install
+  sudo apt install ufw
-  sudo ufw allow ssh
   sudo ufw allow 22
-  sudo ufw allow 222
-  sudo ufw allow http
   sudo ufw allow 80
-  sudo ufw allow https
   sudo ufw allow 443
-  sudo ufw allow 'WWW Secure'
-  sudo ufw allow 'WWW Full'
-  sudo ufw allow 'WWW'
-  sudo ufw allow 1194/udp
-  sudo ufw allow 1194
-  sudo ufw allow git
-  sudo ufw allow openvpn
-  sudo ufw allow samba
-  sudo ufw allow nfs
-  sudo ufw allow vnc
-  sudo ufw allow 21
-  sudo ufw allow ftp
   sudo ufw enable
-Create self-signed TLS certificates, set up ssl.conf for each virtual host.
+It is always a good idea to first create your own self-signed certificates for each virtual host:
-  sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt
+  sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt
+  sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt
-  Country Name (2 letter code) [AU]: <Country Initials>
+Answer the questions, and pay careful attention to the email parameter because when we switch to Let's Encrypt, it will harvest that email and use it to contact you.  You should now configure a diffie-hellman key for secure key exchange:
-  State or Province Name (full name) [Some-State]: <State or Commonwealth, etc., Name>
-  Locality Name (eg, city) []: <City or Township, etc., Name>
+  sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name>
-  Organizational Unit Name (eg, section) []: <Department or Branch, etc., Name>
-  Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address>
-  Email Address []: person@site1.com
-  sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout /etc/ssl/private/site2.key -out /etc/ssl/certs/site2.crt
+You can simply add all of your TLS options to the default-ssl.conf, or you can create a snippet:
-  Country Name (2 letter code) [AU]: <Country Initials>
-  State or Province Name (full name) [Some-State]: <State or Commonwealth, etc., Name>
-  Locality Name (eg, city) []: <City or Township, etc., Name>
-  Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name>
-  Organizational Unit Name (eg, section) []: <Department or Branch, etc., Name>
-  Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address>
-  Email Address []: person@site1.com
-Configure diffie-hellman key for all TLS enabled virtual hosts, configure ssl-params.conf for all TLS enabled virtual hosts.
-  sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
-  sudo cp /etc/apache2/conf-available/ssl-params.conf /root/
   sudo nano /etc/apache2/conf-available/ssl-params.conf
+Having thus created the snippet, here are some recommended configurations and sources that document them:
   # from https://cipherli.st/
@@ Line 165: / Line 130: @@
   # Disable preloading HSTS for now.  You can use the commented out header line that includes
   # the "preload" directive if you understand the implications.
-  #Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
   Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
+  #Nextcloud prefers this rule with the other Header rules below it for X, disabled:
+  #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
   Header always set X-Frame-Options DENY
   Header always set X-Content-Type-Options nosniff
@@ Line 176: / Line 143: @@
   SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
-Configure virtual hosts for TLS for each domain previously configured above.
+Don't forget to enable this configuration:
+  sudo a2enconf ssl-params
+Configure the TLS virtual hosts for each domain previously configured above.  If you chose not to do the snippet approach above, then you will start here and skip the snippet portion (and merely add any configurations you need to the ssl virtual hosts directly):
   sudo cp /etc/apache2/sites-available/default-ssl.conf /root/default-ssl.conf.bak
-  sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site1.com-ssl.conf.bak
+  sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site1.com-ssl.conf
-  sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site2.com-ssl.conf.bak
+  sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site2.com-ssl.conf
-Create TLS sites in sites-enabled:
+Open the first TLS virtual host configuration file:
   sudo nano /etc/apache2/sites-available/site1.com-ssl.conf
+Uncomment the legacy support at the end and enter the standard configurations at the top:
   <IfModule mod_ssl.c>
         <VirtualHost _default_:443>
@@ Line 191: / Line 164: @@
                 ServerName site1.com
                 DocumentRoot /var/www/site1.com/public_html
-                ErrorLog ${APACHE_LOG_DIR}/error.log
-                CustomLog ${APACHE_LOG_DIR}/access.log combined
-                SSLEngine on
-                SSLCertificateFile      /etc/ssl/certs/site1.crt
-                SSLCertificateKeyFile /etc/ssl/private/site1.key
-                <FilesMatch "\.(cgi|shtml|phtml|php)$">
-                                SSLOptions +StdEnvVars
-                </FilesMatch>
-                <Directory /usr/lib/cgi-bin>
-                                SSLOptions +StdEnvVars
                 </Directory>
                 BrowserMatch "MSIE [2-6]" \
@@ Line 208: / Line 171: @@
   </IfModule>
-  sudo nano /etc/apache2/sites-available/site2.com-ssl.conf
+Repeat the steps above for the site2.com-ssl.conf virtual host. If you want to enter some modules, then do so after the "downgrade line" and before the </VirtualHost> line and start with <IfModules> and end with </IfModules>.  Now, you can redirect the original sites-enabled to default to TLS (or, skip this, and let Let's Encrypt handle it - but do not do both).  Open site1.com virtual host (non TLS) conf file:
+  sudo nano /etc/apache2/sites-available/site1.com.conf
-    <IfModule mod_ssl.c>
+At the top, just under the DocumentRoot, enter something like:
-        <VirtualHost _default_:443>
-                ServerAdmin name@site2.com
+  Redirect permanent "/" "https://site1.com/"
-                ServerName site2.com
-                ServerAlias www.site2.com
+Repeat this for the site2.conf file.  Now, check your configuration again and enable headers and mods:
-                DocumentRoot /var/www/site2.com/public_html
-                ErrorLog ${APACHE_LOG_DIR}/error.log
-                CustomLog ${APACHE_LOG_DIR}/access.log combined
-                SSLEngine on
-                SSLCertificateFile      /etc/ssl/certs/site2.crt
-                SSLCertificateKeyFile /etc/ssl/private/site2.key
-                <FilesMatch "\.(cgi|shtml|phtml|php)$">
-                                SSLOptions +StdEnvVars
-                </FilesMatch>
-                <Directory /usr/lib/cgi-bin>
-                                SSLOptions +StdEnvVars
-                </Directory>
-                BrowserMatch "MSIE [2-6]" \
-                               nokeepalive ssl-unclean-shutdown \
-                               downgrade-1.0 force-response-1.0
-        </VirtualHost>
-  </IfModule>
-Leave both http and https, or only https; for https-only, add a line to the .conf below ('permanent' is optional).
-  sudo nano /etc/apache2/sites-available/site1.com.conf
-        Redirect permanent "/" "https://site1.com/
-  sudo nano /etc/apache2/sites-available/site2.com.conf
-        Redirect permanent "/" "https://site2.com/
-Enable both TLS sites and re-directs, check configuration:
   sudo a2enmod ssl
   sudo a2enmod headers
-  sudo a2ensite site1.com.conf
+  sudo a2enconf ssl-params
-  sudo a2ensite site2.com.conf
   sudo apache2ctl configtest
+You may get a trivial error if you do not have your ServerName set to localhost in the global configuration file located at /etc/apache2/apache2.conf.  Once that is done, and if everything looks good, enable the TLS virtual hosts:
-Ignore error below, or set global ServerName (not advised) to avoid:
+  sudo a2ensite site1.com-ssl.conf
+  sudo a2ensite site2.com-ssl.conf
+Visit both sites using Firefox, and ensure they resovle.  Now, set up Let's Encrypt so that you have your TLS certificates managed by a proper authority.  I have never been able to get the stock certbot instructions to work, so I found this on a certbot tech support git repo, and have used it every since
-  AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
+  sudo apt install certbot letsencrypt python3-certbot-apache
-  Syntax OK
+  sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
-  sudo systemctl restart apache2
-Set up Let's Encrypt for free certificate authority on the SSL certs you just made.
+This certbot command can be adjusted for nginx instances too:
+  sudo certbot --authenticator standalone --installer nginx -d site1.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start nginx"
+Run the second command again, but adjust it for site2.com.  Now, restart the service:
-  sudo apt install certbot letsencrypt python-certbot-apache
-  certbot --authenticator standalone --installer apache -d site1.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
-  certbot --authenticator standalone --installer apache -d site2.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
   sudo systemctl restart apache2
-Test them both, first clear cache and restart browser, set up cron job to update every week:
+You can optionally verify them with ACME:
   https://www.ssllabs.com/ssltest/analyze.html?d=site1.com&latest
   https://www.ssllabs.com/ssltest/analyze.html?d=site2.com&latest
+Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed:
   sudo crontab -e
@@ Line 271: / Line 216: @@
   sudo systemctl restart apache2
-Manually check certificates by:
+You can also manually check certificates by:
   sudo certbot renew
+I have some servers in production that seem to just stop apache for whatever reason, so to limit downtime after all this work, you can create a simple monitoring script called apache-restart.sh:
-Set up ftp server and then set up content mgt & mySQL
+  sudo touch /usr/local/bin/apache-restart.sh
+  sudo chmod 750 /usr/local/bin/apache-restart.sh
-  sudo apt install proftpd ftp ftp-ssl ftpd-ssl
+  sudo chown $USER:$USER /usr/local/bin/apache-restart.sh
-  cd /etc/proftpd
+  sudo nano /usr/local/bin/apache-restart.sh
-  openssl req -new -x509 -days 7300 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem
-  sudo nano /etc/proftpd/proftpd.conf
-  <IfModule mod_tls.c>
-     TLSEngine on
-     TLSLog /var/log/proftpd-tls.log
-     TLSProtocol TLSv1
-     # Are clients required to use FTP over TLS when talking to this server?
-     TLSRequired off
-     TLSRSACertificateFile    /etc/proftpd/ftpd-rsa.pem
-     TLSRSACertificateKeyFile /etc/proftpd/ftpd-rsa-key.pem
-     # Authenticate clients that want to use FTP over TLS?
-     TLSVerifyClient off
-  </IfModule>
-  sudo systemctl restart proftpd.service
+Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs:
-Might change the TLS version/requirement - now, to MySQL set up and making index.php default.
+  #!/bin/bash
+  #functions
+  RESTART="/bin/systemctl restart apache2.service"
+  SERVICE="apache2.service"
+  LOGFILE="/home/username/Desktop/apache-restart.log"
+  if
+      systemctl status apache2.service | grep dead
+  then
+      echo "Sir, apache2 failed at $(date), so I restarted it for you." >> $LOGFILE
+  else
+      echo "Ms., apache2 was running as of $(date)" >> $LOGFILE #or leave the else empty if you prefer
+  fi
-  sudo apt install mysql-server php7.0 phpmyadmin apache2-utils php libapache2-mod-php php-mcrypt php-mysql
+Okay, now let's make sure your log files do not get too large.  First create a new entry in the logrotate daemon directory:
-  sudo mysql_secure_installation
-  sudo nano /etc/apache2/mods-enabled/dir.conf
-  <IfModule mod_dir.c>
-      DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm
-  </IfModule>
-  sudo systemctl restart mysqld.service
-Secure phpmyadmin with user phpmyadmin and .htaccess file .phpmyadmin for security.
-  sudo htpasswd -c /etc/apache2/.phpmyadmin phpmyadmin
+  sudo nano /etc/logrotate.d/apache-restart
-  sudo nano /usr/share/phpmyadmin/.htaccess
-  AuthType Basic
-  AuthName "Restricted Files"
-  AuthUserFile /etc/apache2/.phpmyadmin
-  Require valid-user
-  sudo systemctl restart apache2.service
-Now, the MySQL - more here than neeeded in case of trouble:
-  sudo mysql -u root -p
+In that file that you just opened, enter some common sense limits for the log file so your computer does not fill up with logs:
-  mysql> CREATE DATABASE databasename DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
-  mysql> GRANT ALL ON databasename.* TO 'databaseuser'@'localhost' IDENTIFIED BY 'passwdhere';
-  mysql> CREATE DATABASE database2name DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci;
-  mysql> GRANT ALL ON database2name.* TO 'databaseuser'@'localhost' IDENTIFIED BY 'passwdhere';
-  mysql> FLUSH PRIVILEGES;
-  mysql> EXIT;
-Install PHP, configure .htaccess to allow overrides, enable apache modules:
+  /home/user/Desktop/apache-restart.log {
+        daily
+        rotate 10
+        delaycompress
+        compress
+        notifempty
+        missingok
+        size 100000k
+  }
+Alright, no point in making an apache monitoring script unless it runs automatically, so let's create a cron job:
+  sudo crontab -e
+  * * * * * /bin/bash /usr/local/bin/apache-restart.sh >> /home/user/Desktop/apache-restart.log
+  sudo systemctl restart cron
+Test it, by stopping the service, and then waiting a minute.
+  sudo systemctl stop apache2
-  sudo apt update
+Check the logfile to verify it is working:
-  sudo apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc
-  sudo nano /etc/apache2/apache2.conf
+  cat /home/user/Desktop/apache-restart.log
-  <Directory /var/www/html/>
-      AllowOverride All
-  </Directory>
+Cool!  You now have two websites that are TLS encrypted!  Now, it is time to put some content on that site, so consider these tutorials:
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:selfhostedwp|Self-Hosted Word Press]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:migratewp|Manually Migrating Word Press]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:nextcloud|Nextcloud]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:moodle|Moodle]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:dokuwiki|Dokuwiki]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:smokeping|Smokeping]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:cactiwebserver|Cacti]]
+  * [[https://wiki.haacksnetworking.com/doku.php?id=computing:gitlab-ce|Gitlab-ce]] (requires extensive mods)
+Also, you probably want to keep this host up to date, and you may have others, so consider reading the tutorial below, which covers how to do remote upgrades easily:
+  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:remote-upgrades|Upgrades]]
+I keep the scripts up to date on my repo, over here:
+  * [[https://codetalkers.services/oemb1905/haackingclub/|Haacking Club]]
+This tutorial is a designated "Invariant Section" of the "Technotronic" section of Haack's Wiki as described on the [[https://jonathanhaack.com/dokuwiki/doku.php?id=start|Start Page]].
+ --- //[[jonathan@haacksnetworking.com|oemb1905]] 2021/10/29 20:14//

Haack's Wiki

User Tools

Site Tools

Differences

Page Tools