computing:apachesurvival [2019/01/03 03:48] – oemb1905 | computing:apachesurvival [2024/02/20 23:00] (current) – oemb1905 | ||
Line 3: | Line 3: | ||
* **Jonathan Haack** | * **Jonathan Haack** | ||
* **Haack' | * **Haack' | ||
- | * **netcmnd@jonathanhaack.com** | + | * **webmaster@haacksnetworking.org** |
------------------------------------------- | ------------------------------------------- | ||
- | // | + | // |
------------------------------------------- | ------------------------------------------- | ||
- | This tutorial is for users of Debian GNU/ | + | This tutorial is for users of Debian GNU/ |
- | | + | sudo apt install apache2 |
- | * Virtual hosts for more than one website | + | |
- | * TLS - Creation of self-signed SSL | + | |
- | * TLS - Let's Encrypt with Certbot | + | |
- | * MySQL survival commands | + | |
- | * Installation of Joomla, Wordpress, Dokuwiki, Cacti | + | |
- | * Installation and configuration of local sftp server | + | |
- | * Directory permissions | + | |
- | * firewall rules with ufw | + | |
- | * symbolic links for External Drive outside of root of webserver (risky) | + | |
- | + | ||
- | There is probably a bit more ... but this will get us started. | + | |
- | + | ||
- | ------------------------------------------- | + | |
- | + | ||
- | Installing apache, setting up two ore more websites. | + | |
- | + | ||
- | | + | |
sudo mkdir -p / | sudo mkdir -p / | ||
sudo mkdir -p / | sudo mkdir -p / | ||
- | sudo chown -R $USER:$USER / | + | sudo chown -R $USER:$USER / |
sudo chown -R $USER:$USER / | sudo chown -R $USER:$USER / | ||
- | sudo chmod -R 755 /var/www | + | sudo chmod 755 /var/www |
- | nano / | + | |
- | | + | Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/ |
+ | |||
+ | | ||
< | < | ||
< | < | ||
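Review bot: the document roots are handed to the interactive account with `sudo chown -R $USER:$USER /` (both revisions, at the chown lines), and the new sentence "Later, when you change one or both of these sites to a content management system (CMS), you will need to adjust ownership/" is cut off before it says what to adjust. Spell out that only the directories the CMS must write to (uploads, cache) should be given to the web server's own user, not the whole tree, otherwise a reader is likely to chown the entire site to the web server user. Dropping `-R` from `sudo chmod 755 /var/www` is the right change, since the recursive form marked every file executable as well.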
Line 45: | Line 30: | ||
< | < | ||
</ | </ | ||
- | </ | + | </ |
- | + | ||
- | nano /var/www/site2.com/ | + | Make sure to repeat the above steps for site2.com. |
- | + | ||
- | < | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | < | + | |
- | < | + | |
- | </ | + | |
- | </ | + | |
- | + | ||
- | sudo cp / | + | |
- | sudo cp / | + | |
| | ||
+ | sudo cp / | ||
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
ServerAdmin name@site1.com | ServerAdmin name@site1.com | ||
Line 72: | Line 45: | ||
</ | </ | ||
| | ||
- | sudo nano / | + | Make sure to repeat the steps above for the second virtual host site2.com.conf. |
- | + | ||
- | < | + | |
- | ServerAdmin name@site2.com | + | |
- | ServerName site2.com | + | |
- | ServerAlias www.site2.com | + | |
- | DocumentRoot / | + | |
- | ErrorLog ${APACHE_LOG_DIR}/ | + | |
- | CustomLog ${APACHE_LOG_DIR}/ | + | |
- | </VirtualHost> | + | |
| | ||
sudo a2ensite site1.com.conf | sudo a2ensite site1.com.conf | ||
sudo a2ensite site2.com.conf | sudo a2ensite site2.com.conf | ||
- | sudo cp -r / | + | sudo cp -r / |
sudo rm -r / | sudo rm -r / | ||
sudo a2dissite 000-default.conf | sudo a2dissite 000-default.conf | ||
+ | | ||
+ | Now, in order for the server to correctly identify itself in headers, for example, when WP or another CMS sends an email to a user to restore their account, you need to adjust your host and domain name in the hosts file. if you prefer put some local dns entries in /etc/hosts | ||
| | ||
sudo nano /etc/hosts | sudo nano /etc/hosts | ||
| | ||
- | 127.0.0.1 | + | Append something like this to the bottom: |
- | 127.0.1.1 | + | |
- | # The following lines are desirable for IPv6 capable hosts | + | xxx.xxx.xxx.xxx site1.com |
- | ::1 | + | |
- | | + | Make sure to do this for each domain. |
- | ff02::2 ip6-allrouters | + | |
- | #Virtual Hosts - NOT Optional - replace xxx etc., with external IP | + | |
- | xxx.xxx.xxx.xxx site1.com | + | |
- | | + | |
- | xxx.xxx.xxx.xxx site2.com | + | |
- | xxx.xxx.xxx.xxx www.site2.com | + | |
- | + | ||
sudo apache2ctl configtest | sudo apache2ctl configtest | ||
sudo systemctl restart apache2.service | sudo systemctl restart apache2.service | ||
- | Visit site1.com and site2.com | + | Visit site1.com and site2.com |
- | + | ||
- | sudo ufw install | + | |
- | sudo ufw allow ssh | + | |
- | sudo ufw allow 22 | + | |
- | sudo ufw allow 222 | + | |
- | sudo ufw allow http | + | |
- | sudo ufw allow 80 | + | |
- | sudo ufw allow https | + | |
- | sudo ufw allow 443 | + | |
- | sudo ufw allow 'WWW Secure' | + | |
- | sudo ufw allow 'WWW Full' | + | |
- | sudo ufw allow ' | + | |
- | sudo ufw allow 1194/udp | + | |
- | sudo ufw allow 1194 | + | |
- | sudo ufw allow git | + | |
- | sudo ufw allow openvpn | + | |
- | sudo ufw allow samba | + | |
- | sudo ufw allow nfs | + | |
- | sudo ufw allow vnc | + | |
- | sudo ufw allow 21 | + | |
- | sudo ufw allow ftp | + | |
- | sudo ufw enable | + | |
- | + | ||
- | Create | + | |
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout / |
| | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | Repeat this for site2.com and make sure to answer the question about your FQDN correctly. |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server FQDN or YOUR name) []: <site1 ip address> | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | sudo openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout / | + | |
- | + | ||
- | Country Name (2 letter code) [AU]: <Country Initials> | + | |
- | State or Province Name (full name) [Some-State]: | + | |
- | Locality Name (eg, city) []: <City or Township, etc., Name> | + | |
- | Organization Name (eg, company) [Internet Widgits Pty Ltd]: <Group or Entity, etc., Name> | + | |
- | Organizational Unit Name (eg, section) []: < | + | |
- | Common Name (e.g. server | + | |
- | Email Address []: person@site1.com | + | |
- | + | ||
- | Configure diffie-hellman key for all TLS enabled virtual hosts, configure ssl-params.conf for all TLS enabled virtual hosts. | + | |
- | sudo openssl dhparam -out / | + | Configure the TLS virtual hosts for each domain previously configured above. |
- | sudo cp / | + | |
- | sudo nano / | + | |
- | + | ||
- | # from https:// | + | |
- | # and https:// | + | |
- | SSLCipherSuite EECDH+AESGCM: | + | |
- | SSLProtocol All -SSLv2 -SSLv3 | + | |
- | SSLHonorCipherOrder On | + | |
- | # Disable preloading HSTS for now. | + | |
- | # the " | + | |
- | #Header always set Strict-Transport-Security " | + | |
- | Header always set Strict-Transport-Security " | + | |
- | Header always set X-Frame-Options DENY | + | |
- | Header always set X-Content-Type-Options nosniff | + | |
- | # Requires Apache >= 2.4 | + | |
- | SSLCompression off | + | |
- | SSLSessionTickets Off | + | |
- | SSLUseStapling on | + | |
- | SSLStaplingCache " | + | |
- | SSLOpenSSLConfCmd DHParameters "/etc/ssl/ | + | |
- | + | ||
- | Configure | + | |
sudo cp / | sudo cp / | ||
- | sudo cp / | + | sudo cp / |
- | sudo cp / | + | |
- | Create | + | Open the first TLS virtual host configuration file: |
sudo nano / | sudo nano / | ||
- | | ||
< | < | ||
< | < | ||
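Review bot: the hardening block is removed without a replacement. The old revision's ssl-params.conf carried `SSLProtocol All -SSLv2 -SSLv3`, `SSLHonorCipherOrder On`, the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers, `SSLCompression off`, `SSLSessionTickets Off`, OCSP stapling and the DH parameters; none of that survives on the right-hand side, so the TLS vhosts fall back to whatever the stock ssl config provides. Either keep that file or state what now supplies those settings. Separately, the self-signed command changes from `-days 365 -newkey rsa:4096` to `-days 7305 -newkey rsa:2048`; since Let's Encrypt replaces this certificate shortly afterwards, a 20-year validity on a placeholder key is unnecessary, and the shorter lifetime should be kept.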
Line 191: | Line 85: | ||
ServerName site1.com | ServerName site1.com | ||
DocumentRoot / | DocumentRoot / | ||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | SSLEngine on | ||
- | SSLCertificateFile | ||
- | SSLCertificateKeyFile / | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
</ | </ | ||
BrowserMatch "MSIE [2-6]" \ | BrowserMatch "MSIE [2-6]" \ | ||
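Review bot: the lines removed from the site1.com-ssl.conf excerpt include `SSLEngine on`, `SSLCertificateFile` and `SSLCertificateKeyFile`. The key and certificate generated with the openssl command earlier in the page are only ever referenced by those two directives; if the file copied from the default SSL vhost keeps its stock certificate paths, the per-site key is never used. Show the two `SSLCertificate*` lines pointing at the files created earlier, or say explicitly that certbot will rewrite them.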
Line 208: | Line 92: | ||
</ | </ | ||
- | sudo nano / | + | Repeat the steps above for the site2.com-ssl.conf |
| | ||
- | < | ||
- | < | ||
- | ServerAdmin name@site2.com | ||
- | ServerName site2.com | ||
- | ServerAlias www.site2.com | ||
- | DocumentRoot / | ||
- | ErrorLog ${APACHE_LOG_DIR}/ | ||
- | CustomLog ${APACHE_LOG_DIR}/ | ||
- | SSLEngine on | ||
- | SSLCertificateFile | ||
- | SSLCertificateKeyFile / | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | < | ||
- | SSLOptions +StdEnvVars | ||
- | </ | ||
- | BrowserMatch "MSIE [2-6]" \ | ||
- | | ||
- | | ||
- | </ | ||
- | </ | ||
- | | ||
- | Redirect the original sites-enabled to default to TLS. | ||
- | |||
- | sudo nano / | ||
- | Redirect permanent "/" | ||
- | sudo nano / | ||
- | Redirect permanent "/" | ||
- | |||
- | Enable both TLS sites, check configuration: | ||
- | |||
sudo a2enmod ssl | sudo a2enmod ssl | ||
sudo a2enmod headers | sudo a2enmod headers | ||
+ | sudo apache2ctl configtest | ||
sudo a2ensite site1.com-ssl.conf | sudo a2ensite site1.com-ssl.conf | ||
sudo a2ensite site2.com-ssl.conf | sudo a2ensite site2.com-ssl.conf | ||
- | | + | |
+ | Visit both sites using Firefox, and ensure they resolve - if not, check each step and debug. | ||
- | Ignore error below, or set global ServerName (not advised) to avoid: | + | sudo apt install certbot letsencrypt python3-certbot-apache |
+ | sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | ||
- | AH00558: apache2: Could not reliably determine the server' | + | When LE prompts you, make sure to specify to " |
- | Syntax OK | + | |
- | sudo systemctl | + | |
- | + | ||
- | Set up Let's Encrypt for free certificate authority on the SSL certs you just made. | + | |
- | sudo apt install certbot letsencrypt python-certbot-apache | ||
- | certbot --authenticator standalone --installer apache -d site1.com --pre-hook " | ||
- | certbot --authenticator standalone --installer apache -d site2.com --pre-hook " | ||
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
| | ||
- | Test them both, first clear cache and restart browser, set up cron job to update | + | Let's Encrypt expires often, so you likely want a cron job to update |
- | + | ||
- | https:// | + | |
- | https:// | + | |
| | ||
sudo crontab -e | sudo crontab -e | ||
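Review bot: the `Redirect permanent "/"` lines added to the two plain-HTTP vhosts in the old revision are removed here, and the sentence "When LE prompts you, make sure to specify to "..." that presumably replaces them is cut off. State the redirect choice explicitly (either the certbot prompt answer or the Redirect directive), otherwise both sites remain reachable over plain HTTP and the HSTS header, if restored, is never seen by a first-time visitor. The switch to `python3-certbot-apache` and the `sudo` prefix on the certbot command are correct.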
Line 270: | Line 115: | ||
sudo systemctl restart cron.service | sudo systemctl restart cron.service | ||
sudo systemctl restart apache2 | sudo systemctl restart apache2 | ||
- | | ||
- | Manually check certificates by: | ||
- | sudo certbot renew | + | If this is a public IP on a VPS and you are new to GNU/Linux, then you should set up a firewall as a precaution. |
| | ||
- | Okay, now you need to make sure that your server stays running | + | sudo apt install ufw |
+ | sudo ufw allow 22 | ||
+ | sudo ufw allow 80 | ||
+ | sudo ufw allow 443 | ||
+ | sudo ufw enable | ||
+ | |||
+ | If you are comfortable with GNU/ | ||
- | sudo touch / | + | sudo touch / |
- | sudo chmod 750 / | + | sudo chmod 750 / |
- | sudo chown $USER:$USER / | + | sudo chown $USER:$USER / |
- | sudo nano / | + | sudo nano / |
| | ||
- | Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs. | + | Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs: |
#!/bin/sh | #!/bin/sh | ||
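Review bot: the watchdog script is created with `sudo chown $USER:$USER /` and `sudo chmod 750 /` but is scheduled from root's crontab (`sudo crontab -e` below), so root executes a file that an unprivileged account can edit; that account is also the owner of both document roots from the chown lines at the top of the page. Make the script root-owned (`root:root`, mode 750 or 755) so that a compromise of the web content owner does not become root via cron. Also, removing "Manually check certificates by: sudo certbot renew" leaves the reader with no way to confirm the cron renewal works; keep that one-liner (or `certbot renew --dry-run`).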
Line 288: | Line 137: | ||
RESTART="/ | RESTART="/ | ||
SERVICE=" | SERVICE=" | ||
- | LOGFILE="/ | + | LOGFILE="/ |
#check for the word dead in the service output from systemctl | #check for the word dead in the service output from systemctl | ||
if | if | ||
- | | + | |
then | then | ||
- | | + | |
+ | $RESTART >> $LOGFILE | ||
+ | mail -s " | ||
else | else | ||
- | echo "Ms., apache2 was running as of $(date)" | + | exit |
fi | fi | ||
- | Ok, now we also want to restart it at exactly the same time that we found out it wasn't running. | + | Alright, no point in making |
- | + | ||
- | #!/bin/sh | + | |
- | # | + | |
- | RESTART="/ | + | |
- | SERVICE=" | + | |
- | LOGFILE="/ | + | |
- | #check for the word dead in the service output from systemctl | + | |
- | if | + | |
- | systemctl status apache2.service | grep dead | + | |
- | then | + | |
- | $RESTART >> $LOGFILE | + | |
- | fi | + | |
- | + | ||
- | Thanks to @varange on a Digital Ocean forum who inspired these scripts, but I had to change them for systemd, and I also changed them into two scripts because the way he had originally composed them together with an " | + | |
sudo crontab -e | sudo crontab -e | ||
- | * * * * * /bin/bash / | + | * * * * * /bin/bash / |
- | * * * * * /bin/bash /usr/ | + | |
- | sudo systemctl stop apache2 | + | |
sudo systemctl restart cron | sudo systemctl restart cron | ||
- | sudo systemctl status apache2 [Wait 1 minute, and then run same command again to confirm working] | ||
- | Make sure to run the cron job as root, or it will not work. You can also run the scripts manually if you want since we added them to the default user PATH above. | + | Also, log files can build up quickly, so adjust logrotate so that you don't use up precious storage recklessly! |
- | | + | sudo nano /etc/logrotate.d/apache-restart |
+ | | ||
+ | daily | ||
+ | rotate 10 | ||
+ | delaycompress | ||
+ | compress | ||
+ | notifempty | ||
+ | missingok | ||
+ | size 100000k | ||
+ | } | ||
+ | Awesome! | ||
- | | + | |
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
+ | * [[https:// | ||
- | | + | This tutorial is a designated " |
+ | |||
+ | --- // |