This shows you the differences between two versions of the page.
computing:apachesurvival [2018/05/06 07:56] – oemb1905 | computing:apachesurvival [2024/02/20 23:00] (current) – oemb1905 | ||
---|---|---|---|
Line 3: | Line 3: | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
* **Haack' | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/ | + | This tutorial is for users of Debian GNU/ |
- | | + | sudo apt install apache2 |
- | * Virtual hosts for more than one website | + | |
- | * Creation of self-signed SSL | + | |
- | * Let's Encrypt with Certbot | + | |
- | * MySQL survival commands | + | |
- | * Installation of Joomla, Wordpress, Dokuwiki, Cacti | + | |
- | * Installation and configuration of local sftp server | + | |
- | * Directory permissions | + | |
- | * firewall rules with ufw | + | |
- | * symbolic links for External Drive outside of root of webserver (risky) | + | |
- | + | ||
- | There is probably a bit more ... but this will get us started. | + | |
- | + | ||
- | ------------------------------------------- | + | |
- | + | ||
- | Installing apache, setting up two ore more websites. | + | |
- | + | ||
- | sudo apache2ctl configtest | + | |
- | | + | |
sudo mkdir -p / | sudo mkdir -p / | ||
sudo mkdir -p / | sudo mkdir -p / | ||
- | sudo chown -R $USER:$USER / | + | sudo chown -R $USER:$USER / |
sudo chown -R $USER:$USER / | sudo chown -R $USER:$USER / | ||
- | sudo chmod -R 755 /var/www | + | sudo chmod 755 /var/www |
- | nano / | + | |
- | | + | Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/ |
+ | |||
+ | | ||
< | < | ||
< | < | ||
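Review bot: dropping `-R` from `sudo chmod -R 755 /var/www` (now `sudo chmod 755 /var/www`) is the right change and deserves a sentence of explanation next to it, because the recursive form marks every file under the document root as executable, which is never needed for static HTML and is exactly what a later upload feature would inherit. The two `sudo chown -R $USER:$USER /…` lines, on the other hand, still hand the whole tree to the login user; the new "Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/…" sentence is a good place to say that the web server account should then be given write access only to the directories the CMS actually writes to (uploads, cache), not the entire document root. Removing `sudo apache2ctl configtest` here is fine as long as it is run after the sites are enabled, which the later hunk does.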
Line 46: | Line 30: | ||
< | < | ||
</ | </ | ||
- | </ | + | </ |
- | + | ||
- | nano /var/www/site2.com/ | + | Make sure to repeat the above steps for site2.com. |
- | + | ||
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | </ | + | |
- | + | ||
- | sudo cp / | + | |
- | sudo cp / | + | |
| | ||
+ | sudo cp / | ||
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
ServerAdmin name@site1.com | ServerAdmin name@site1.com | ||
Line 73: | Line 45: | ||
</ | </ | ||
| | ||
- | sudo nano / | + | Make sure to repeat the steps above for the second virtual host site2.com.conf. |
- | + | ||
- | < | + | |
- | ServerAdmin name@site2.com | + | |
- | ServerName site2.com | + | |
- | ServerAlias www.site2.com | + | |
- | DocumentRoot / | + | |
- | ErrorLog ${APACHE_LOG_DIR}/ | + | |
- | CustomLog ${APACHE_LOG_DIR}/ | + | |
- | </VirtualHost> | + | |
| | ||
sudo a2ensite site1.com.conf | sudo a2ensite site1.com.conf | ||
sudo a2ensite site2.com.conf | sudo a2ensite site2.com.conf | ||
- | sudo cp -r / | + | sudo cp -r / |
sudo rm -r / | sudo rm -r / | ||
sudo a2dissite 000-default.conf | sudo a2dissite 000-default.conf | ||
+ | | ||
+ | Now, in order for the server to correctly identify itself in headers, for example, when WP or another CMS sends an email to a user to restore their account, you need to adjust your host and domain name in the hosts file. if you prefer put some local dns entries in /etc/hosts | ||
| | ||
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
| | ||
- | 127.0.0.1 | + | Append something like this to the bottom: |
- | 127.0.1.1 | + | |
| | ||
- | | + | |
- | ::1 | + | |
- | ff02::1 ip6-allnodes | + | |
- | ff02::2 ip6-allrouters | + | |
- | #Virtual Hosts - NOT Optional - replace xxx etc., with external IP | + | Make sure to do this for each domain. Check your configurations up until now and then restart the service and check if it starts: |
- | | + | |
- | xxx.xxx.xxx.xxx www.site1.com | + | |
- | xxx.xxx.xxx.xxx site2.com | + | |
- | xxx.xxx.xxx.xxx www.site2.com | + | |
- | + | ||
sudo systemctl restart apache2.service | sudo systemctl restart apache2.service | ||
- | Visit site1.com and site2.com | + | Visit site1.com and site2.com |
- | + | ||
- | sudo ufw install | + | |
- | sudo ufw allow ssh | + | |
- | sudo ufw allow 22 | + | |
- | sudo ufw allow 222 | + | |
- | sudo ufw allow http | + | |
- | sudo ufw allow 80 | + | |
- | sudo ufw allow https | + | |
- | sudo ufw allow 443 | + | |
- | sudo ufw allow 'WWW Secure' | + | |
- | sudo ufw allow 'WWW Full' | + | |
- | sudo ufw allow ' | + | |
- | sudo ufw allow 1194/udp | + | |
- | sudo ufw allow 1194 | + | |
- | sudo ufw allow git | + | |
- | sudo ufw allow openvpn | + | |
- | sudo ufw allow samba | + | |
- | sudo ufw allow nfs | + | |
- | sudo ufw allow vnc | + | |
- | sudo ufw allow 21 | + | |
- | sudo ufw allow ftp | + | |
- | sudo ufw enable | + | |
- | + | ||
- | Create | + | |
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout / |
| | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | Repeat this for site2.com and make sure to answer the question about your FQDN correctly. |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address> | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | |
- | + | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | Configure diffie-hellman key for all TLS enabled virtual hosts, configure ssl-params.conf for all TLS enabled virtual hosts. | + | |
- | sudo openssl dhparam -out / | + | Configure the TLS virtual hosts for each domain previously configured above. |
- | sudo cp / | + | |
- | sudo nano / | + | |
- | + | ||
- | # from https:// | + | |
- | # and https:// | + | |
- | SSLCipherSuite EECDH+AESGCM: | + | |
- | SSLProtocol All -SSLv2 -SSLv3 | + | |
- | SSLHonorCipherOrder On | + | |
- | # Disable preloading HSTS for now. | + | |
- | # the " | + | |
- | #Header always set Strict-Transport-Security " | + | |
- | Header always set Strict-Transport-Security " | + | |
- | Header always set X-Frame-Options DENY | + | |
- | Header always set X-Content-Type-Options nosniff | + | |
- | # Requires Apache >= 2.4 | + | |
- | SSLCompression off | + | |
- | SSLSessionTickets Off | + | |
- | SSLUseStapling on | + | |
- | SSLStaplingCache "shmcb:logs/ | + | |
- | SSLOpenSSLConfCmd DHParameters "/ | + | |
- | Configure virtual hosts for TLS for each domain previously configured above. | + | sudo cp / |
+ | sudo cp / | ||
+ | |||
+ | Open the first TLS virtual host configuration file: | ||
- | sudo cp / | ||
- | sudo cp / | ||
- | sudo cp / | ||
- | | ||
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
< | < | ||
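Review bot: this hunk deletes the whole `ssl-params.conf` block (`SSLCipherSuite …`, `SSLProtocol All -SSLv2 -SSLv3`, `SSLHonorCipherOrder On`, the `Strict-Transport-Security`, `X-Frame-Options` and `X-Content-Type-Options` headers, `SSLCompression off`, `SSLSessionTickets Off`, OCSP stapling and `SSLOpenSSLConfCmd DHParameters`) together with the `sudo openssl dhparam -out /…` step, and nothing on the `+` side reinstates any of it, so the new revision leaves the virtual hosts on Apache's stock TLS settings. Keep an updated copy of that snippet in the new text, and while doing so replace `SSLProtocol All -SSLv2 -SSLv3` with `SSLProtocol -all +TLSv1.2 +TLSv1.3`, since the old line still allowed TLS 1.0 and 1.1. For the self-signed certificate, `-days 365 -newkey rsa:4096` becomes `-days 7305 -newkey rsa:2048`, i.e. a twenty-year certificate with a smaller key; a short validity costs nothing for a self-signed test certificate that is regenerated by copy-paste anyway, and the text should say why the change was made. The replacement sentence "answer the question about your FQDN correctly" is an improvement over the old `<site1 ip address>` guidance for Common Name, but current browsers match the hostname against the subjectAltName extension rather than CN, so the `openssl req` line should also carry `-addext "subjectAltName=DNS:site1.com,DNS:www.site1.com"` (OpenSSL 1.1.1 and later). On `/etc/hosts`, the old revision listed the actual entries (`xxx.xxx.xxx.xxx www.site1.com`, `xxx.xxx.xxx.xxx site2.com`, …), whereas the new "Append something like this to the bottom:" is followed by no visible entries, so the reader has nothing to copy. Removing the long `ufw allow` list (ssh, 222, 1194, git, openvpn, samba, nfs, vnc, 21, ftp) is a clear improvement, provided the minimal 22/80/443 rules added later are kept.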
Line 192: | Line 85: | ||
ServerName site1.com | ServerName site1.com | ||
DocumentRoot / | DocumentRoot / | ||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | SSLEngine on | ||
- | SSLCertificateFile | ||
- | SSLCertificateKeyFile / | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
</ | </ | ||
BrowserMatch "MSIE [2-6]" \ | BrowserMatch "MSIE [2-6]" \ | ||
| | ||
| | ||
- | |||
</ | </ | ||
</ | </ | ||
- | sudo nano / | + | Repeat the steps above for the site2.com-ssl.conf |
| | ||
- | < | + | sudo a2enmod ssl |
- | < | + | sudo a2enmod headers |
- | | + | sudo apache2ctl configtest |
- | | + | sudo a2ensite site1.com-ssl.conf |
- | ServerAlias www.site2.com | + | sudo a2ensite |
- | | + | |
- | ErrorLog ${APACHE_LOG_DIR}/ | + | Visit both sites using Firefox, and ensure they resolve - if not, check each step and debug. |
- | | + | |
- | | + | |
- | SSLCertificateFile | + | |
- | SSLCertificateKeyFile / | + | |
- | < | + | |
- | SSLOptions +StdEnvVars | + | |
- | </ | + | |
- | < | + | |
- | SSLOptions +StdEnvVars | + | |
- | </ | + | |
- | BrowserMatch "MSIE [2-6]" \ | + | sudo apt install certbot letsencrypt python3-certbot-apache |
- | nokeepalive ssl-unclean-shutdown \ | + | sudo certbot |
- | | + | |
- | </ | + | When LE prompts you, make sure to specify to " |
- | | + | |
+ | | ||
| | ||
+ | Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed: | ||
| | ||
+ | sudo crontab -e | ||
+ | 30 2 * * 1 / | ||
+ | sudo systemctl restart cron.service | ||
+ | sudo systemctl restart apache2 | ||
+ | |||
+ | If this is a public IP on a VPS and you are new to GNU/Linux, then you should set up a firewall as a precaution. | ||
| | ||
+ | sudo apt install ufw | ||
+ | sudo ufw allow 22 | ||
+ | sudo ufw allow 80 | ||
+ | sudo ufw allow 443 | ||
+ | sudo ufw enable | ||
| | ||
+ | If you are comfortable with GNU/Linux and know how to check '' | ||
+ | |||
+ | sudo touch / | ||
+ | sudo chmod 750 / | ||
+ | sudo chown $USER:$USER / | ||
+ | sudo nano / | ||
| | ||
+ | Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs: | ||
+ | |||
+ | #!/bin/sh | ||
+ | #functions | ||
+ | RESTART="/ | ||
+ | SERVICE=" | ||
+ | LOGFILE="/ | ||
+ | #check for the word dead in the service output from systemctl | ||
+ | if | ||
+ | systemctl status apache2.service | grep dead | ||
+ | then | ||
+ | echo " | ||
+ | $RESTART >> $LOGFILE | ||
+ | mail -s " | ||
+ | else | ||
+ | exit | ||
+ | fi | ||
+ | |||
+ | Alright, no point in making an apache monitoring script unless it runs automatically, | ||
+ | |||
+ | sudo crontab -e | ||
+ | * * * * * /bin/bash / | ||
+ | sudo systemctl restart cron | ||
+ | |||
+ | Also, log files can build up quickly, so adjust logrotate so that you don't use up precious storage recklessly! | ||
+ | |||
+ | sudo nano / | ||
+ | / | ||
+ | daily | ||
+ | rotate 10 | ||
+ | delaycompress | ||
+ | compress | ||
+ | notifempty | ||
+ | missingok | ||
+ | size 100000k | ||
+ | } | ||
+ | |||
+ | Awesome! | ||
+ | |||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | |||
+ | This tutorial is a designated " | ||
+ | |||
+ | --- // |