computing:apachesurvival

Differences

computing:apachesurvival [2019/06/16 05:52] oemb1905computing:apachesurvival [2024/02/20 23:00] (current) oemb1905
Line 3: Line 3:
   * **Jonathan Haack**   * **Jonathan Haack**
   * **Haack's Networking**   * **Haack's Networking**
-  * **netcmnd@jonathanhaack.com**+  * **webmaster@haacksnetworking.org**
  
 ------------------------------------------- -------------------------------------------
  
-//apachesurvival// +//apachesurvival//      
  
 ------------------------------------------- -------------------------------------------
  
-This tutorial is for users of Debian GNU/Linux using the LAMP stack, wanting TLS encryption, multiple self-hosted websites and will cover:+This tutorial is for users of Debian GNU/Linux to set up a LAMP stack, TLS encryption, and a web-server which can serve two or more websites using apache's virtual hosts.  I will also discuss how to set up basic protection on your firewall and a script that will make sure apache stays running and keep down time to a minimum.  The first step is to create two content directories for each of the websites.  Later, we will configure two virtual host configuration files in apache for each of these. Using site1.com and site2.com as an example, do the following and/pr adjust as needed 
  
-  * Establish LAMP stack and set-up TLS w/ Let's Encrypt +  sudo apt install apache2 php mariadb-server
-  * Virtual hosts for more than one website on same server +
-  * Permissions and Firewall +
- +
-The tutorial below creates two virtual hosts, for registered domain site1.com and site2.com, and this can be scaled to as many as you like and/or your host will serve properly:   +
- +
-  sudo apt install apache2 +
   sudo mkdir -p /var/www/site1.com/public_html   sudo mkdir -p /var/www/site1.com/public_html
   sudo mkdir -p /var/www/site2.com/public_html   sudo mkdir -p /var/www/site2.com/public_html
-  sudo chown -R $USER:$USER /var/www/site1.com/public_html +  sudo chown -R $USER:$USER /var/www/site1.com/public_html
   sudo chown -R $USER:$USER /var/www/site2.com/public_html   sudo chown -R $USER:$USER /var/www/site2.com/public_html
   sudo chmod 755 /var/www   sudo chmod 755 /var/www
    
-Okayfor the first websitecreate your index.html: +Laterwhen you change one or both of these sites to a content management system (CMS)you will need to adjust ownership/permissions.  For example, WP requires that many directories be owned by www-data, and not the root or other user however, those changes should be done after this tutorial - not during.  Before setting those up, follow these steps and ensure both http/https are working, set up a cert cron job for TLS with LE, and then at that point, install your CMS and tweak ownership/permissions at that time The next step is to make a small website in each directory:
- +
-  sudo nano /var/www/site1.com/public_html/index.html +
- +
-Give it some simple html:+
  
 +  sudo nano /var/www/site1.com/public_html/index.html 
   <html>   <html>
     <head>     <head>
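Review bot: the ownership advice in the new paragraph ("WP requires that many directories be owned by www-data") should be narrowed rather than stated as a blanket rule: handing the Apache user ownership of the whole document root lets any code-execution bug in the CMS rewrite its own PHP files, so the usual guidance is to keep the code tree owned by the deploy user (which the `chown -R $USER:$USER` lines already do) and grant www-data write access only to the upload and cache directories the CMS actually needs. Two smaller points: the new install line `sudo apt install apache2 php mariadb-server` adds a database server with no follow-up step, so one line to run `mysql_secure_installation` or confirm it is bound to localhost would help, and "and/pr adjust" is a typo for "and/or".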
Line 39: Line 30:
       <h1>site1</h1>       <h1>site1</h1>
     </body>     </body>
-  </html>+  </html> 
  
-Same for the second website, open the file: +Make sure to repeat the above steps for site2.com.  Once that's done, it is time to set up the virtual host configuration files in Debian's apache implementation:
-    +
-  sudo nano /var/www/site2.com/public_html/index.html +
-    +
-Give it some simple html to distinguish it: +
-   +
-  <html> +
-    <head> +
-      <title>site2</title> +
-    </head> +
-    <body> +
-      <h1>site2</h1> +
-    </body> +
-  </html> +
-   +
-Now, copy the default virtual host configuration to a new .conf file for each site: +
-   +
-  sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site1.com.conf +
-  sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site2.com.conf +
-   +
-Open the first virtual host conf for the first website:+
      
 +  sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/site1.com.conf  
   sudo nano /etc/apache2/sites-available/site1.com.conf   sudo nano /etc/apache2/sites-available/site1.com.conf
-   
-Adjust to something like this: 
-   
   <VirtualHost *:80>   <VirtualHost *:80>
         ServerAdmin name@site1.com         ServerAdmin name@site1.com
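Review bot: collapsing the steps drops the second copy of 000-default.conf: the new text says "set up the virtual host configuration files" but shows only `sudo cp ... site1.com.conf`, and the instruction to repeat for site2.com.conf appears only in the next hunk, so a reader following this hunk literally edits one file. Restore the site2.com.conf `cp` line here or state the repeat before the `nano` step. Removing the site2 index.html block is fine given "Make sure to repeat the above steps for site2.com", but the old text's point that the second page should be distinguishable (a different title and heading) is what lets the reader confirm later that the two vhosts really resolve separately, so keep that hint.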
Line 76: Line 45:
   </VirtualHost>   </VirtualHost>
      
-Repeat the steps above for the second virtual host site2.com.conf.  Ok, now time to enable the virtual hosts with the a2ensite command, and disable the default site since you won't need that any longer:+Make sure to repeat the steps above for the second virtual host site2.com.conf.  Ok, now time to enable the virtual hosts with the a2ensite command, and disable/backup the default site since you won't need that any longer:
      
   sudo a2ensite site1.com.conf   sudo a2ensite site1.com.conf
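Review bot: "disable/backup the default site" is misleading: `a2dissite 000-default.conf` only removes the symlink in sites-enabled, the file stays in sites-available, so no backup is needed. What is worth documenting instead is the side effect: once 000-default is disabled, Apache serves the first vhost loaded in sort order (site1.com.conf here) for any request whose Host header matches no ServerName, including bare-IP scans, so the reader should expect site1's content to appear there or add a catch-all vhost that returns nothing useful.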
Line 84: Line 53:
   sudo a2dissite 000-default.conf   sudo a2dissite 000-default.conf
      
-Now, if you prefer put some local dns entries in /etc/hosts+Now, in order for the server to correctly identify itself in headers, for example, when WP or another CMS sends an email to a user to restore their account, you need to adjust your host and domain name in the hosts file. if you prefer put some local dns entries in /etc/hosts
      
   sudo nano /etc/hosts   sudo nano /etc/hosts
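Review bot: the new sentence ends in a leftover fragment ("...in the hosts file. if you prefer put some local dns entries in /etc/hosts") that should be merged into the sentence before it or deleted. The explanation is also imprecise: /etc/hosts together with /etc/hostname controls what `hostname -f` returns, which is what the local MTA uses for the HELO and Message-ID headers of mail the CMS sends; the links and URLs WordPress puts in those emails come from its own siteurl/home settings, not from the hosts file.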
Line 90: Line 59:
 Append something like this to the bottom: Append something like this to the bottom:
      
-  xxx.xxx.xxx.xxx site1.com +  xxx.xxx.xxx.xxx site1.com site1 
-  xxx.xxx.xxx.xxx www.site1.com + 
-  xxx.xxx.xxx.xxx site2.com +Make sure to do this for each domain.  Check your configurations up until now and then restart the service and check if it starts:
-  xxx.xxx.xxx.xxx www.site2.com +
-  +
-Check your configurations up until now and then restart the service and check if it starts:+
  
   sudo apache2ctl configtest   sudo apache2ctl configtest
   sudo systemctl restart apache2.service   sudo systemctl restart apache2.service
        
-Visit site1.com and site2.com and debug.  Once both properly resolve, it is time to set up TLS.  If this is a public IP on a VPSthen at a minimum, set up ufw to allow http/https and provide access for you to ssh: +Visit site1.com and site2.com and debug.  Once both properly resolve, it is time to set up https.  Before we setup Let's Encryptwe will first create your own self-signed certificates for each virtual host:
-   +
-  sudo apt install ufw +
-  sudo ufw allow 22 +
-  sudo ufw allow 80 +
-  sudo ufw allow 443 +
-  sudo ufw enable +
-   +
-It is always a good idea to first create your own self-signed certificates for each virtual host:+
  
-  sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt 
   sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt   sudo openssl req -x509 -nodes -days 7305 -newkey rsa:2048 -keyout /etc/ssl/private/site1.key -out /etc/ssl/certs/site1.crt
      
-Answer the questions, and pay careful attention to the email parameter because when we switch to Let's Encrypt, it will harvest that email and use it to contact you.  You should now configure a diffie-hellman key for secure key exchange: +Repeat this for site2.com and make sure to answer the question about your FQDN correctly.  
- +
-  sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 +
-   +
-You can simply add all of your TLS options to the default-ssl.conf, or you can create a snippet: +
-   +
-  sudo nano /etc/apache2/conf-available/ssl-params.conf +
-   +
-Having thus created the snippet, here are some recommended configurations and sources that document them: +
-   +
-  # from https://cipherli.st/ +
-  # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html +
-  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH +
-  SSLProtocol All -SSLv2 -SSLv3 +
-  SSLHonorCipherOrder On +
-  # Disable preloading HSTS for now.  You can use the commented out header line that includes +
-  # the "preload" directive if you understand the implications. +
-  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" +
-  Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" +
-  #Nextcloud prefers this rule with the other Header rules below it for X, disabled: +
-  #Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" +
-  Header always set X-Frame-Options DENY +
-  Header always set X-Content-Type-Options nosniff +
-  # Requires Apache >= 2.4 +
-  SSLCompression off  +
-  SSLSessionTickets Off +
-  SSLUseStapling on  +
-  SSLStaplingCache "shmcb:logs/stapling-cache(150000)" +
-  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" +
- +
-Don't forget to enable this configuration: +
- +
-  sudo a2enconf ssl-params+
  
 Configure the TLS virtual hosts for each domain previously configured above.  If you chose not to do the snippet approach above, then you will start here and skip the snippet portion (and merely add any configurations you need to the ssl virtual hosts directly): Configure the TLS virtual hosts for each domain previously configured above.  If you chose not to do the snippet approach above, then you will start here and skip the snippet portion (and merely add any configurations you need to the ssl virtual hosts directly):
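Review bot: removing the whole ssl-params.conf snippet leaves a dangling reference: the unchanged paragraph at the end of this hunk still says "If you chose not to do the snippet approach above", but there is no snippet above any more, so either restore it or drop that sentence. The removal also silently discards the only hardening this page had (explicit `SSLProtocol` and `SSLCipherSuite`, `SSLHonorCipherOrder`, HSTS, `X-Frame-Options`, `X-Content-Type-Options`, OCSP stapling and the dhparam file), so the TLS vhosts now run on distribution defaults with none of those response headers; if that is intended, say so, otherwise keep at least the protocol and `Header` lines (the `Header` lines need `a2enmod headers`, which a later hunk still enables). Smaller points: the hosts entry was reduced to `xxx.xxx.xxx.xxx site1.com site1`, dropping the `www.` aliases the old version listed, and `-days 7305` produces a 20-year self-signed certificate, acceptable only because Let's Encrypt replaces it a few steps later.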
Line 151: Line 76:
   sudo cp /etc/apache2/sites-available/default-ssl.conf /root/default-ssl.conf.bak   sudo cp /etc/apache2/sites-available/default-ssl.conf /root/default-ssl.conf.bak
   sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site1.com-ssl.conf   sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site1.com-ssl.conf
-  sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/site2.com-ssl.conf 
  
 Open the first TLS virtual host configuration file: Open the first TLS virtual host configuration file:
  
   sudo nano /etc/apache2/sites-available/site1.com-ssl.conf   sudo nano /etc/apache2/sites-available/site1.com-ssl.conf
-   
-Uncomment the legacy support at the end and enter the standard configurations at the top:  
- 
   <IfModule mod_ssl.c>   <IfModule mod_ssl.c>
         <VirtualHost _default_:443>         <VirtualHost _default_:443>
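Review bot: both TLS vhosts are copies of default-ssl.conf and keep `<VirtualHost _default_:443>`; name-based selection on port 443 works only if each copy gets its own `ServerName` (and a `ServerAlias` for any `www.` name) in the elided part of the block, otherwise the first file loaded answers for both domains and presents the wrong certificate. Dropping the "Uncomment the legacy support at the end" step is a good removal, since those `BrowserMatch` downgrade lines in default-ssl.conf only weaken behaviour for obsolete clients; the next hunk still refers to the "downgrade line", so name it as that `BrowserMatch` block for consistency.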
Line 171: Line 92:
   </IfModule>   </IfModule>
  
-Repeat the steps above for the site2.com-ssl.conf virtual host. If you want to enter some modules, then do so after the "downgrade line" and before the </VirtualHost> line and start with <IfModules> and end with </IfModules>.  Now, you can redirect the original sites-enabled to default to TLS (or, skip this, and let Let's Encrypt handle it - but do not do both).  Open site1.com virtual host (non TLS) conf file: +Repeat the steps above for the site2.com-ssl.conf virtual host. If you want to enter some modules, then do so after the "downgrade line" and before the </VirtualHost> line and start with <IfModules> and end with </IfModules>.  Before we test the website for functionalitywe need to 
- +
-  sudo nano /etc/apache2/sites-available/site1.com.conf +
-   +
-At the top, just under the DocumentRoot, enter something like: +
-   +
-        Redirect permanent "/" "https://site1.com/ +
-         +
-Repeat this for the site2.conf file.  Nowcheck your configuration again and enable headers and mods:+
      
   sudo a2enmod ssl   sudo a2enmod ssl
   sudo a2enmod headers   sudo a2enmod headers
-  sudo a2enconf ssl-params 
   sudo apache2ctl configtest   sudo apache2ctl configtest
-   
-You may get a trivial error if you do not have your ServerName set to localhost in the global configuration file located at /etc/apache2/apache2.conf.  Once that is done, and if everything looks good, enable the TLS virtual hosts: 
- 
   sudo a2ensite site1.com-ssl.conf   sudo a2ensite site1.com-ssl.conf
   sudo a2ensite site2.com-ssl.conf   sudo a2ensite site2.com-ssl.conf
      
-Visit both sites using Firefox, and ensure they resovle.  Now, set up Let's Encrypt so that you have your TLS certificates managed by a proper authority.  I have never been able to get the stock certbot instructions to work, so I found this on a certbot tech support git repo, and have used it every since  +Visit both sites using Firefox, and ensure they resolve - if not, check each step and debug.  Rememberyou can trust the browser warning, because you set this cert up!  However, for others to access your site, you need to use a trusted authority like Let's Encrypt.  Here's how we do this
  
-  sudo apt install certbot letsencrypt python-certbot-apache+  sudo apt install certbot letsencrypt python3-certbot-apache
   sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"   sudo certbot --authenticator standalone --installer apache -d site1.com --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"
  
-Run the second command again, but adjust it for site2.com.  Now, restart the service:+When LE prompts you, make sure to specify to "redirect" traffic to https.  Make sure to run the second command again changing the domain to site2.com.  Now, restart the service:
  
   sudo systemctl restart apache2   sudo systemctl restart apache2
-   
-You can optionally verify them with ACME: 
- 
-  https://www.ssllabs.com/ssltest/analyze.html?d=site1.com&latest 
-  https://www.ssllabs.com/ssltest/analyze.html?d=site2.com&latest 
      
 Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed: Let's Encrypt expires often, so you likely want a cron job to update everything for you when/if needed:
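Review bot: the new paragraph is cut off mid-sentence ("Before we test the website for functionality, we need to") and runs straight into the `a2enmod` lines; finish the sentence or delete it. Two removed items deserve a line each: the `ServerName` note (the `apache2ctl configtest` warning about a missing global ServerName is still common on a fresh Debian install), and the SSL Labs check, which was never "ACME" but remains the quickest way to confirm the chain and protocol set after certbot runs. On the certbot lines, `letsencrypt` is a transitional package that pulls in nothing beyond `certbot`, and `--authenticator standalone` with the stop/start hooks means Apache goes down briefly every time a certificate is actually renewed, because certbot stores those hooks in the renewal configuration; the `--apache` authenticator avoids that, which matters once the cron job in the next hunk runs `renew` unattended. Lastly, "you can trust the browser warning, because you set this cert up" should tell the reader to compare the fingerprint the browser shows with `openssl x509 -in /etc/ssl/certs/site1.crt -noout -fingerprint` rather than click through on sight.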
Line 211: Line 115:
   sudo systemctl restart cron.service   sudo systemctl restart cron.service
   sudo systemctl restart apache2   sudo systemctl restart apache2
-   
-You can also manually check certificates by: 
  
-  sudo certbot renew+If this is a public IP on a VPS and you are new to GNU/Linux, then you should set up a firewall as a precaution.  Here is a basic way to do this: 
 +   
 +  sudo apt install ufw 
 +  sudo ufw allow 22 
 +  sudo ufw allow 80 
 +  sudo ufw allow 443 
 +  sudo ufw enable
      
-I have some servers in production that seem to just stop apache for whatever reasonso to limit downtime after all this work, you can create simple monitoring script called apache-restart.sh:+If you are comfortable with GNU/Linux and know how to check ''netstat -tulpn'' etc.and properly monitor what services are listening and to what netmaskthen you can skip the firewall step.  The last thing I usually do on new setups is make a script called apache-restart.sh that monitors apache to ensure its running every minute:
  
   sudo touch /usr/local/bin/apache-restart.sh   sudo touch /usr/local/bin/apache-restart.sh
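Review bot: moving the firewall to the end means the host has been reachable on every port its packages listen on throughout the setup; the block belongs before `a2ensite`, or at least right after the package install, and in any position `sudo ufw allow 22` must stay ahead of `sudo ufw enable` so the SSH session is not locked out. `sudo ufw limit 22/tcp` is a worthwhile alternative to `allow` for the SSH rule. The skip condition mentions `netstat -tulpn`; `net-tools` is not installed by default on current Debian, so `ss -tulpn` is the command a new reader will actually have. The removed `sudo certbot renew` line was the only manual way given to exercise the renewal path before trusting the cron job; `sudo certbot renew --dry-run` is a good replacement to add back.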
Line 225: Line 133:
 Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs: Ok, now that we created the script file and made it executable, paste in the contents below but adjust them to your needs:
  
-  #!/bin/bash+  #!/bin/sh
   #functions   #functions
   RESTART="/bin/systemctl restart apache2.service"   RESTART="/bin/systemctl restart apache2.service"
   SERVICE="apache2.service"   SERVICE="apache2.service"
-  LOGFILE="/home/username/Desktop/apache-restart.log"+  LOGFILE="/home/sexa/Desktop/apache.log" 
 +  #check for the word dead in the service output from systemctl
   if   if
-      systemctl status apache2.service | grep dead+          systemctl status apache2.service | grep dead
   then   then
-      echo "Sir, apache2 failed at $(date), so I restarted it for you." >> $LOGFILE+          echo "Person, apache2 failed at $(date), so I restarted it for you." >> $LOGFILE 
 +          $RESTART >> $LOGFILE 
 +          mail -s "[apache-restart]-$(hostname)-$(date)" email@email.com < $LOGFILE
   else   else
-      echo "Ms., apache2 was running as of $(date)" >> $LOGFILE #or leave the else empty if you prefer+  exit
   fi   fi
  
-Okaynow let'make sure your log files do not get too large.  First create a new entry in the logrotate daemon directory:+Alrightno point in making an apache monitoring script unless it runs automatically, so let's create a cron job to do that:
  
-  sudo nano /etc/logrotate.d/apache-restart+  sudo crontab -e 
 +  * * * * * /bin/bash /usr/local/bin/apache-restart.sh >> /home/user/Desktop/apache-restart.log 
 +  sudo systemctl restart cron
  
-In that file that you just openedenter some common sense limits for the log file so your computer does not fill up with logs:+Also, log files can build up quickly, so adjust logrotate so that you don't use up precious storage recklessly!  First, create a new entry in the logrotate daemon directory:
  
 +  sudo nano /etc/logrotate.d/apache-restart
   /home/user/Desktop/apache-restart.log {   /home/user/Desktop/apache-restart.log {
         daily         daily
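Review bot: the check `systemctl status apache2.service | grep dead` matches only the "inactive (dead)" state of a cleanly stopped service; a crashed or killed Apache shows "Active: failed (...)" and is not restarted by this script. `systemctl is-active --quiet apache2.service` returns non-zero in both cases and is the idiomatic test (`if ! systemctl is-active --quiet "$SERVICE"; then`). Other issues visible in the hunk: `LOGFILE` is now `/home/sexa/Desktop/apache.log` while the cron and logrotate entries in the next hunks use `/home/user/Desktop/apache-restart.log`, so the log that gets rotated is not the one the script writes; `mail ... < $LOGFILE` sends the entire accumulated log on every restart rather than the new event; `$RESTART >> $LOGFILE` captures stdout only, and stderr is where systemctl reports a failed restart; and `#!/bin/sh` paired with the `/bin/bash` invocation in the cron line is harmless but inconsistent.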
Line 254: Line 168:
   }   }
  
-Alright, no point in making an apache monitoring script unless it runs automatically, so let's create a cron job: +Awesome!  You now have to super basic websites that both resolve and use TLS Now, consider replacing those basic website shells with some type of CMS or other content.  Here are some examples that provide:
- +
-  sudo crontab -e +
-  * * * * * /bin/bash /usr/local/bin/apache-restart.sh >> /home/user/Desktop/apache-restart.log +
-  sudo systemctl restart cron +
- +
-Test it, by stopping the service, and then waiting a minute.  +
- +
-  sudo systemctl stop apache2 +
-   +
-See what it is the logfile to verify it is working: +
- +
-  cat /home/user/Desktop/apache-restart.log +
- +
-Cool!  You now have two websites that are TLS encrypted!  Now, it is time to put some content on that site, so consider these tutorials: +
- +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:selfhostedwp|Self-Hosted Word Press]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:migratewp|Manually Migrating Word Press]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:nextcloud|Nextcloud]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:moodle|Moodle]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:dokuwiki|Dokuwiki]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:smokeping|Smokeping]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:cactiwebserver|Cacti]] +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:gitlab-ce|Gitlab-ce]] (requires extensive mods) +
- +
-Also, you probably want to keep this host up to date, and you may have others, so consider reading the tutorial below, which covers how to do remote upgrades easily: +
- +
-  * [[https://jonathanhaack.com/dokuwiki/doku.php?id=computing:remote-upgrades|Upgrades]] +
- +
-keep the scripts up to date on my repo, over here:+
  
-  * [[https://codetalkers.services/oemb1905/haackingclub/|Haacking Club]]+  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:selfhostedwp|Self-Hosted Word Press]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:migratewp|Manually Migrating Word Press]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:nextcloud|Nextcloud]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:moodle|Moodle]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:dokuwiki|Dokuwiki]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:smokeping|Smokeping]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:cactiwebserver|Cacti]] 
 +  * [[https://wiki.haacksnetworking.org/doku.php?id=computing:gitlab-ce|Gitlab-ce]] (requires extensive mods)
  
-This tutorial is a designated "Invariant Section" of the "Technotronic" section of Haack's Wiki as described on the [[https://jonathanhaack.com/dokuwiki/doku.php?id=start|Start Page]].+This tutorial is a designated "Invariant Section" of the "Technotronic" section of Haack's Wiki as described on the [[https://wiki.haacksnetworking.org/doku.php?id=start|Start Page]].
  
- --- //[[netcmnd@jonathanhaack.com|oemb1905]] 2019/06/15 22:51//+ --- //[[webmaster@haacksnetworking.org|oemb1905]] 2024/02/20 23:00//
computing/apachesurvival.1560664350.txt.gz · Last modified: 2019/06/16 05:52 by oemb1905