This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revisionNext revisionBoth sides next revision | ||
computing:apachesurvival [2018/05/11 06:41] – oemb1905 | computing:apachesurvival [2021/11/10 03:48] – oemb1905 | ||
---|---|---|---|
Line 7: | Line 7: | ||
------------------------------------------- | ------------------------------------------- | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/ | + | This tutorial is for users of Debian GNU/ |
- | | + | sudo apt install apache2 |
- | * Virtual hosts for more than one website | + | |
- | * Creation of self-signed SSL | + | |
- | * Let's Encrypt with Certbot | + | |
- | * MySQL survival commands | + | |
- | * Installation of Joomla, Wordpress, Dokuwiki, Cacti | + | |
- | * Installation and configuration of local sftp server | + | |
- | * Directory permissions | + | |
- | * firewall rules with ufw | + | |
- | * symbolic links for External Drive outside of root of webserver (risky) | + | |
- | + | ||
- | There is probably a bit more ... but this will get us started. | + | |
- | + | ||
- | ------------------------------------------- | + | |
- | + | ||
- | Installing apache, setting up two ore more websites. | + | |
- | + | ||
- | sudo apache2ctl configtest | + | |
- | | + | |
sudo mkdir -p / | sudo mkdir -p / | ||
sudo mkdir -p / | sudo mkdir -p / | ||
- | sudo chown -R $USER:$USER / | + | sudo chown -R $USER:$USER / |
sudo chown -R $USER:$USER / | sudo chown -R $USER:$USER / | ||
- | sudo chmod -R 755 /var/www | + | sudo chmod 755 /var/www |
- | nano / | + | |
- | | + | Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/ |
+ | |||
+ | | ||
< | < | ||
< | < | ||
Line 46: | Line 30: | ||
< | < | ||
</ | </ | ||
- | </ | + | </ |
- | + | ||
- | nano /var/www/site2.com/ | + | Make sure to repeat the above steps for site2.com. |
- | + | ||
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | </ | + | |
- | + | ||
- | sudo cp / | + | |
- | sudo cp / | + | |
| | ||
+ | sudo cp / | ||
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
ServerAdmin name@site1.com | ServerAdmin name@site1.com | ||
Line 73: | Line 45: | ||
</ | </ | ||
| | ||
- | sudo nano / | + | Make sure to repeat the steps above for the second virtual host site2.com.conf. |
- | + | ||
- | < | + | |
- | ServerAdmin name@site2.com | + | |
- | ServerName site2.com | + | |
- | ServerAlias www.site2.com | + | |
- | DocumentRoot / | + | |
- | ErrorLog ${APACHE_LOG_DIR}/ | + | |
- | CustomLog ${APACHE_LOG_DIR}/ | + | |
- | </VirtualHost> | + | |
| | ||
sudo a2ensite site1.com.conf | sudo a2ensite site1.com.conf | ||
sudo a2ensite site2.com.conf | sudo a2ensite site2.com.conf | ||
- | sudo cp -r / | + | sudo cp -r / |
sudo rm -r / | sudo rm -r / | ||
sudo a2dissite 000-default.conf | sudo a2dissite 000-default.conf | ||
+ | | ||
+ | Now, in order for the server to correctly identify itself in headers, for example, when WP or another CMS sends an email to a user to restore their account, you need to adjust your host and domain name in the hosts file. if you prefer put some local dns entries in /etc/hosts | ||
| | ||
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
| | ||
- | 127.0.0.1 | + | Append something like this to the bottom: |
- | 127.0.1.1 | + | |
- | # The following lines are desirable for IPv6 capable hosts | + | xxx.xxx.xxx.xxx site1.com |
- | | + | |
- | | + | Make sure to do this for each domain. |
- | ff02::2 ip6-allrouters | + | |
- | #Virtual Hosts - NOT Optional - replace xxx etc., with external IP | + | |
- | xxx.xxx.xxx.xxx site1.com | + | |
- | xxx.xxx.xxx.xxx www.site1.com | + | |
- | xxx.xxx.xxx.xxx site2.com | + | |
- | | + | |
- | + | ||
sudo systemctl restart apache2.service | sudo systemctl restart apache2.service | ||
- | Visit site1.com and site2.com | + | Visit site1.com and site2.com |
- | + | ||
- | sudo ufw install | + | |
- | sudo ufw allow ssh | + | |
- | sudo ufw allow 22 | + | |
- | sudo ufw allow 222 | + | |
- | sudo ufw allow http | + | |
- | sudo ufw allow 80 | + | |
- | sudo ufw allow https | + | |
- | sudo ufw allow 443 | + | |
- | sudo ufw allow 'WWW Secure' | + | |
- | sudo ufw allow 'WWW Full' | + | |
- | sudo ufw allow ' | + | |
- | sudo ufw allow 1194/udp | + | |
- | sudo ufw allow 1194 | + | |
- | sudo ufw allow git | + | |
- | sudo ufw allow openvpn | + | |
- | sudo ufw allow samba | + | |
- | sudo ufw allow nfs | + | |
- | sudo ufw allow vnc | + | |
- | sudo ufw allow 21 | + | |
- | sudo ufw allow ftp | + | |
- | sudo ufw enable | + | |
- | + | ||
- | Create | + | |
- | + | ||
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | |
- | + | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address> | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | |
- | + | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address> | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | Configure diffie-hellman key for all TLS enabled virtual hosts, configure ssl-params.conf for all TLS enabled virtual hosts. | + | |
- | sudo openssl | + | sudo openssl |
- | sudo cp /etc/ | + | |
- | sudo nano / | + | |
| | ||
- | # from https:// | + | Repeat this for site2.com and make sure to answer |
- | # and https:// | + | |
- | SSLCipherSuite EECDH+AESGCM: | + | |
- | SSLProtocol All -SSLv2 -SSLv3 | + | |
- | SSLHonorCipherOrder On | + | |
- | # Disable preloading HSTS for now. You can use the commented out header line that includes | + | |
- | # the " | + | |
- | #Header always set Strict-Transport-Security " | + | |
- | Header always set Strict-Transport-Security " | + | |
- | Header always set X-Frame-Options DENY | + | |
- | Header always set X-Content-Type-Options nosniff | + | |
- | # Requires Apache >= 2.4 | + | |
- | SSLCompression off | + | |
- | SSLSessionTickets Off | + | |
- | SSLUseStapling on | + | |
- | SSLStaplingCache " | + | |
- | SSLOpenSSLConfCmd DHParameters "/ | + | |
- | Configure virtual hosts for TLS for each domain previously configured above. | + | Configure |
sudo cp / | sudo cp / | ||
- | sudo cp / | + | sudo cp / |
- | sudo cp / | + | |
- | Create | + | Open the first TLS virtual host configuration file: |
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
< | < | ||
Line 191: | Line 85: | ||
ServerName site1.com | ServerName site1.com | ||
DocumentRoot / | DocumentRoot / | ||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | SSLEngine on | ||
- | SSLCertificateFile | ||
- | SSLCertificateKeyFile / | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
</ | </ | ||
BrowserMatch "MSIE [2-6]" \ | BrowserMatch "MSIE [2-6]" \ | ||
Line 208: | Line 92: | ||
</ | </ | ||
- | sudo nano / | + | Repeat the steps above for the site2.com-ssl.conf |
| | ||
- | < | ||
- | < | ||
- | ServerAdmin name@site2.com | ||
- | ServerName site2.com | ||
- | ServerAlias www.site2.com | ||
- | DocumentRoot / | ||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | SSLEngine on | ||
- | SSLCertificateFile | ||
- | SSLCertificateKeyFile / | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | BrowserMatch "MSIE [2-6]" \ | ||
- | | ||
- | | ||
- | </ | ||
- | </ | ||
- | | ||
- | Leave both http and https, or only https; for https-only, add a line to the .conf below (' | ||
- | |||
- | sudo nano / | ||
- | Redirect permanent "/" | ||
- | sudo nano / | ||
- | Redirect permanent "/" | ||
- | |||
- | Enable both TLS sites and re-directs, check configuration: | ||
- | |||
sudo a2enmod ssl | sudo a2enmod ssl | ||
sudo a2enmod headers | sudo a2enmod headers | ||
- | sudo a2ensite site1.com.conf | ||
- | sudo a2ensite site2.com.conf | ||
sudo apache2ctl configtest | sudo apache2ctl configtest | ||
+ | sudo a2ensite site1.com-ssl.conf | ||
+ | sudo a2ensite site2.com-ssl.conf | ||
+ | | ||
+ | Visit both sites using Firefox, and ensure they resovle - if not, check each step and debug. | ||
- | Ignore error below, or set global ServerName (not advised) to avoid: | + | sudo apt install certbot letsencrypt python3-certbot-apache |
+ | sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | ||
- | AH00558: apache2: Could not reliably determine the server' | + | When LE prompts you, make sure to specify to " |
- | Syntax OK | + | |
- | sudo systemctl | + | |
- | + | ||
- | Set up Let's Encrypt for free certificate authority on the SSL certs you just made. | + | |
- | sudo apt install certbot letsencrypt python-certbot-apache | ||
- | certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | ||
- | certbot --authenticator standalone --installer apache -d site2.com --pre-hook " | ||
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
| | ||
- | Test them both, first clear cache and restart browser, set up cron job to update | + | Let's Encrypt expires often, so you likely want a cron job to update |
- | + | ||
- | https:// | + | |
- | https:// | + | |
| | ||
sudo crontab -e | sudo crontab -e | ||
Line 270: | Line 115: | ||
sudo systemctl restart cron.service | sudo systemctl restart cron.service | ||
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
- | | ||
- | Manually check certificates by: | ||
- | sudo certbot renew | + | If this is a public IP on a VPS and you are new to GNU/ |
- | + | ||
- | Set up ftp server | + | |
- | + | ||
- | sudo apt install proftpd ftp ftp-ssl ftpd-ssl | + | |
- | cd / | + | |
- | openssl req -new -x509 -days 7300 -nodes -out ftpd-rsa.pem -keyout ftpd-rsa-key.pem | + | |
- | sudo nano / | + | |
| | ||
- | | + | |
- | TLSEngine on | + | sudo ufw allow 22 |
- | TLSLog / | + | sudo ufw allow 80 |
- | TLSProtocol TLSv1 | + | sudo ufw allow 443 |
- | # Are clients required to use FTP over TLS when talking to this server? | + | |
- | | + | |
- | | + | |
- | | + | |
- | # Authenticate clients that want to use FTP over TLS? | + | |
- | | + | |
- | | + | |
| | ||
- | sudo systemctl | + | If you are comfortable with GNU/Linux and know how to check '' |
- | Might change the TLS version/requirement | + | sudo touch / |
- | + | sudo chmod 750 / | |
- | sudo apt install mysql-server php7.0 phpmyadmin apache2-utils php libapache2-mod-php php-mcrypt php-mysql | + | sudo chown $USER:$USER / |
- | sudo mysql_secure_installation | + | sudo nano /usr/local/bin/apache-restart.sh |
- | sudo nano /etc/apache2/mods-enabled/ | + | |
- | + | ||
- | < | + | |
- | DirectoryIndex index.php index.html index.cgi index.pl index.xhtml index.htm | + | |
- | </ | + | |
- | + | ||
- | sudo systemctl | + | |
| | ||
- | Secure phpmyadmin with user phpmyadmin and .htaccess | + | Ok, now that we created the script |
- | | + | |
- | | + | #functions |
- | | + | |
- | | + | |
- | AuthName | + | |
- | | + | |
- | | + | |
- | + | systemctl | |
- | | + | |
- | + | echo " | |
- | Now, the MySQL - more here than neeeded in case of trouble: | + | $RESTART >> $LOGFILE |
+ | mail -s " | ||
+ | else | ||
+ | exit | ||
+ | fi | ||
- | sudo mysql -u root -p | + | Alright, no point in making an apache monitoring script unless it runs automatically, |
- | mysql> CREATE DATABASE database1name DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; | + | |
- | mysql> GRANT ALL ON database1name.* TO 'databaseuser' | + | |
- | mysql> CREATE DATABASE database2name DEFAULT CHARACTER SET utf8 COLLATE utf8_unicode_ci; | + | |
- | mysql> GRANT ALL ON database2name.* TO ' | + | |
- | mysql> FLUSH PRIVILEGES; | + | |
- | mysql> EXIT; | + | |
- | Install PHP, configure .htaccess to allow overrides, enable apache modules: | + | |
- | + | | |
- | | + | sudo systemctl restart |
- | sudo apt-get install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc | + | |
- | | + | |
- | + | ||
- | < | + | |
- | AllowOverride All | + | |
- | </ | + | |
- | | + | |
- | sudo systemctl restart | + | |
- | sudo a2enmod rewrite | + | |
- | sudo apache2ctl configtest | + | |
- | + | ||
- | If you have not set the fully qualified domain name, you may get an error - that can safely be ignored unless you desire it. | + | |
- | cd ~/ | + | Also, log files can build up quickly, so adjust logrotate so that you don't use up precious storage recklessly! |
- | mkdir wpdownload | + | |
- | cd wpdownload | + | |
- | curl -O https:// | + | |
- | tar xzvf latest.tar.gz | + | |
- | touch ~/ | + | |
- | sudo chmod 660 ~/ | + | |
- | cp ~/ | + | |
- | mkdir ~/ | + | |
- | sudo cp -ar ~/ | + | |
- | sudo cp -ar ~/ | + | |
- | sudo chown -R username: | + | |
- | sudo chown -R username: | + | |
- | sudo find / | + | |
- | sudo find / | + | |
- | sudo chmod g+w / | + | |
- | sudo chmod g+w / | + | |
- | sudo chmod -R g+w / | + | |
- | sudo chmod -R g+w / | + | |
- | sudo chmod -R g+w / | + | |
- | sudo chmod -R g+w / | + | |
- | + | ||
- | Grab secure values from Word Press. | + | |
- | + | ||
- | curl -s https:// | + | |
- | + | ||
- | sudo nano / | + | |
- | <swap the defined values> | + | |
- | sudo nano / | + | |
- | <swap the defined values> | + | |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | . . . | + | |
- | define(' | + | |
- | /** MySQL database username */ | + | |
- | define(' | + | |
- | /** MySQL database password */ | + | |
- | define(' | + | |
- | . . . | + | |
- | define(' | + | |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | . . . | + | |
- | define(' | + | |
- | /** MySQL database username */ | + | |
- | define(' | + | |
- | /** MySQL database password */ | + | |
- | define(' | + | |
- | . . . | + | |
- | define(' | + | |
- | + | ||
- | sudo systemctl restart apache2 | + | |
- | + | ||
- | Problem solving .htaccess files - use this default setup if its get hosed: | + | |
- | sudo nano /var/www/site1.com/public_html/.htaccess | + | sudo nano /etc/logrotate.d/apache-restart |
- | + | | |
- | # BEGIN WordPress | + | daily |
- | < | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | |
- | | + | size 100000k |
- | RewriteRule . /index.php [L] | + | } |
- | </ | + | |
- | # END WordPress | + | |
- | Visit wordpress site and configure | + | Awesome! |
- | | + | |
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
- | | + | This tutorial is a designated " |
- | + | ||
+ | --- // |