This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
computing:apachesurvival [2020/01/01 21:57] – oemb1905 | computing:apachesurvival [2024/02/20 23:00] (current) – oemb1905 | ||
---|---|---|---|
Line 3: | Line 3: | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
* **Haack' | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
Line 11: | Line 11: | ||
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/ | + | This tutorial is for users of Debian GNU/ |
- | | + | sudo apt install apache2 |
- | * Virtual hosts for more than one website on same server | + | |
- | * Permissions and Firewall | + | |
- | + | ||
- | The tutorial below creates two virtual hosts, for registered domain site1.com and site2.com, and this can be scaled to as many as you like and/or your host will serve properly: | + | |
- | + | ||
- | | + | |
sudo mkdir -p / | sudo mkdir -p / | ||
sudo mkdir -p / | sudo mkdir -p / | ||
- | sudo chown -R $USER:$USER / | + | sudo chown -R $USER:$USER / |
sudo chown -R $USER:$USER / | sudo chown -R $USER:$USER / | ||
sudo chmod 755 /var/www | sudo chmod 755 /var/www | ||
- | Okay, for the first website, create your index.html: | + | Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/ |
- | + | ||
- | sudo nano /var/www/site1.com/public_html/index.html | + | |
- | + | ||
- | Give it some simple html: | + | |
+ | sudo nano / | ||
< | < | ||
< | < | ||
Line 39: | Line 30: | ||
< | < | ||
</ | </ | ||
- | </ | + | </ |
- | Same for the second website, open the file: | + | Make sure to repeat the above steps for site2.com. |
- | + | ||
- | sudo nano /var/www/site2.com/ | + | |
- | + | ||
- | Give it some simple html to distinguish it: | + | |
- | + | ||
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | </ | + | |
- | + | ||
- | Now, copy the default | + | |
- | + | ||
- | sudo cp / | + | |
- | sudo cp / | + | |
- | + | ||
- | Open the first virtual host conf for the first website: | + | |
| | ||
+ | sudo cp / | ||
sudo nano / | sudo nano / | ||
- | | ||
- | Adjust to something like this: | ||
- | | ||
< | < | ||
ServerAdmin name@site1.com | ServerAdmin name@site1.com | ||
Line 76: | Line 45: | ||
</ | </ | ||
| | ||
- | Repeat | + | Make sure to repeat |
| | ||
sudo a2ensite site1.com.conf | sudo a2ensite site1.com.conf | ||
Line 84: | Line 53: | ||
sudo a2dissite 000-default.conf | sudo a2dissite 000-default.conf | ||
| | ||
- | Now, if you prefer put some local dns entries in /etc/hosts | + | Now, in order for the server to correctly identify itself in headers, for example, when WP or another CMS sends an email to a user to restore their account, you need to adjust your host and domain name in the hosts file. if you prefer put some local dns entries in /etc/hosts |
| | ||
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
Line 90: | Line 59: | ||
Append something like this to the bottom: | Append something like this to the bottom: | ||
| | ||
- | xxx.xxx.xxx.xxx site1.com | + | xxx.xxx.xxx.xxx site1.com site1 |
- | xxx.xxx.xxx.xxx www.site1.com | + | |
- | xxx.xxx.xxx.xxx site2.com | + | Make sure to do this for each domain. Check your configurations up until now and then restart the service and check if it starts: |
- | xxx.xxx.xxx.xxx www.site2.com | + | |
- | + | ||
- | Check your configurations up until now and then restart the service and check if it starts: | + | |
sudo apache2ctl configtest | sudo apache2ctl configtest | ||
sudo systemctl restart apache2.service | sudo systemctl restart apache2.service | ||
- | Visit site1.com and site2.com and debug. | + | Visit site1.com and site2.com and debug. |
- | + | ||
- | sudo apt install ufw | + | |
- | sudo ufw allow 22 | + | |
- | sudo ufw allow 80 | + | |
- | sudo ufw allow 443 | + | |
- | sudo ufw enable | + | |
- | + | ||
- | It is always a good idea to first create your own self-signed certificates for each virtual host: | + | |
- | sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout / | ||
sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout / | sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout / | ||
| | ||
- | Answer the questions, | + | Repeat this for site2.com |
- | + | ||
- | sudo openssl dhparam -out / | + | |
- | + | ||
- | You can simply add all of your TLS options to the default-ssl.conf, or you can create a snippet: | + | |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | Having thus created the snippet, here are some recommended configurations and sources that document them: | + | |
- | + | ||
- | # from https:// | + | |
- | # and https:// | + | |
- | SSLCipherSuite EECDH+AESGCM: | + | |
- | SSLProtocol All -SSLv2 -SSLv3 | + | |
- | SSLHonorCipherOrder On | + | |
- | # Disable preloading HSTS for now. You can use the commented out header line that includes | + | |
- | # the " | + | |
- | Header always set Strict-Transport-Security " | + | |
- | Header always set Strict-Transport-Security " | + | |
- | #Nextcloud prefers this rule with the other Header rules below it for X, disabled: | + | |
- | #Header always set Strict-Transport-Security " | + | |
- | Header always set X-Frame-Options DENY | + | |
- | Header always set X-Content-Type-Options nosniff | + | |
- | # Requires Apache >= 2.4 | + | |
- | SSLCompression off | + | |
- | SSLSessionTickets Off | + | |
- | SSLUseStapling on | + | |
- | SSLStaplingCache " | + | |
- | SSLOpenSSLConfCmd DHParameters "/ | + | |
- | + | ||
- | Don't forget to enable this configuration: | + | |
- | + | ||
- | sudo a2enconf ssl-params | + | |
Configure the TLS virtual hosts for each domain previously configured above. | Configure the TLS virtual hosts for each domain previously configured above. | ||
Line 151: | Line 76: | ||
sudo cp / | sudo cp / | ||
sudo cp / | sudo cp / | ||
- | sudo cp / | ||
Open the first TLS virtual host configuration file: | Open the first TLS virtual host configuration file: | ||
sudo nano / | sudo nano / | ||
- | | ||
- | Uncomment the legacy support at the end and enter the standard configurations at the top: | ||
- | |||
< | < | ||
< | < | ||
Line 171: | Line 92: | ||
</ | </ | ||
- | Repeat the steps above for the site2.com-ssl.conf virtual host. If you want to enter some modules, then do so after the " | + | Repeat the steps above for the site2.com-ssl.conf virtual host. If you want to enter some modules, then do so after the " |
- | + | ||
- | sudo nano / | + | |
- | + | ||
- | At the top, just under the DocumentRoot, | + | |
- | + | ||
- | Redirect permanent "/" | + | |
- | + | ||
- | Repeat this for the site2.conf file. Now, check your configuration again and enable headers and mods: | + | |
| | ||
sudo a2enmod ssl | sudo a2enmod ssl | ||
sudo a2enmod headers | sudo a2enmod headers | ||
- | sudo a2enconf ssl-params | ||
sudo apache2ctl configtest | sudo apache2ctl configtest | ||
- | | ||
- | You may get a trivial error if you do not have your ServerName set to localhost in the global configuration file located at / | ||
- | |||
sudo a2ensite site1.com-ssl.conf | sudo a2ensite site1.com-ssl.conf | ||
sudo a2ensite site2.com-ssl.conf | sudo a2ensite site2.com-ssl.conf | ||
| | ||
- | Visit both sites using Firefox, and ensure they resovle. | + | Visit both sites using Firefox, and ensure they resolve - if not, check each step and debug. |
- | sudo apt install certbot letsencrypt | + | sudo apt install certbot letsencrypt |
sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | ||
- | Run the second command again, but adjust it for site2.com. | + | When LE prompts you, make sure to specify to " |
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
- | | ||
- | You can optionally verify them with ACME: | ||
- | |||
- | https:// | ||
- | https:// | ||
| | ||
Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed: | Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed: | ||
Line 211: | Line 115: | ||
sudo systemctl restart cron.service | sudo systemctl restart cron.service | ||
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
- | | ||
- | You can also manually check certificates by: | ||
- | | + | If this is a public IP on a VPS and you are new to GNU/Linux, then you should set up a firewall as a precaution. |
+ | |||
+ | | ||
+ | sudo ufw allow 22 | ||
+ | sudo ufw allow 80 | ||
+ | sudo ufw allow 443 | ||
+ | sudo ufw enable | ||
| | ||
- | I have some servers in production that seem to just stop apache for whatever reason, so to limit downtime after all this work, you can create | + | If you are comfortable with GNU/Linux and know how to check '' |
sudo touch / | sudo touch / | ||
Line 225: | Line 133: | ||
Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs: | Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs: | ||
- | #!/bin/bash | + | #!/bin/sh |
#functions | #functions | ||
RESTART="/ | RESTART="/ | ||
SERVICE=" | SERVICE=" | ||
- | LOGFILE="/ | + | LOGFILE="/ |
+ | #check for the word dead in the service output from systemctl | ||
if | if | ||
- | | + | |
then | then | ||
- | | + | |
+ | $RESTART >> $LOGFILE | ||
+ | mail -s " | ||
else | else | ||
- | echo "Ms., apache2 was running as of $(date)" | + | exit |
fi | fi | ||
- | Okay, now let' | + | Alright, no point in making an apache monitoring script unless it runs automatically, |
- | sudo nano /etc/logrotate.d/ | + | sudo crontab -e |
+ | * * * * * /bin/bash / | ||
+ | sudo systemctl restart cron | ||
- | In that file that you just opened, enter some common sense limits for the log file so your computer does not fill up with logs: | + | Also, log files can build up quickly, |
+ | sudo nano / | ||
/ | / | ||
daily | daily | ||
Line 254: | Line 168: | ||
} | } | ||
- | Alright, no point in making an apache monitoring script unless it runs automatically, | + | Awesome! You now have to super basic websites that both resolve and use TLS. |
- | + | ||
- | sudo crontab -e | + | |
- | * * * * * /bin/bash / | + | |
- | sudo systemctl restart cron | + | |
- | + | ||
- | Test it, by stopping the service, and then waiting a minute. | + | |
- | + | ||
- | sudo systemctl stop apache2 | + | |
- | + | ||
- | Check the logfile to verify it is working: | + | |
- | + | ||
- | cat / | + | |
- | + | ||
- | Cool! You now have two websites that are TLS encrypted! | + | |
- | + | ||
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | * [[https:// | + | |
- | + | ||
- | Also, you probably want to keep this host up to date, and you may have others, so consider reading the tutorial below, which covers how to do remote upgrades easily: | + | |
- | + | ||
- | * [[https:// | + | |
- | + | ||
- | I keep the scripts up to date on my repo, over here: | + | |
- | * [[https://codetalkers.services/oemb1905/haackingclub/|Haacking Club]] | + | * [[https://wiki.haacksnetworking.org/doku.php? |
+ | * [[https://wiki.haacksnetworking.org/ | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
- | This tutorial is a designated " | + | This tutorial is a designated " |
- | --- //[[jonathan@haacksnetworking.com|oemb1905]] | + | --- //[[webmaster@haacksnetworking.org|oemb1905]] |