This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. {{tag>linux debian apache apache2 httpd web server php certbot letsencrypt nextcloud cloud vm virtual machine kvm proxy reverse proxy gid uid vipw vigr group id user id}} ======Web Server setup====== =====Basic Web Server setup on VM===== I am moving away from Ubuntu to Debian. I find the instruction for here are good to setup a basic web server [[https://workaround.org/ispmail|workaround.org]] ISPmail tutorials for a Debian based server.\\ ++++Old, tl;dr;|The main reference used is [[https://www.unixmen.com/how-to-install-lamp-stack-on-ubuntu-16-04/|Unixmen - How To Install LAMP Stack On Ubuntu 16.04]], for the basic web server setup on a virtual machine (VM), However this setup is quite basic and any similar page would probably suffice. Subsequently I found this reference that looks to be more complete for installing Apache2 on Ubuntu 18.04, [[https://www.linode.com/docs/web-servers/lamp/install-lamp-stack-on-ubuntu-18-04/|Linode - Install LAMP Stack on Ubuntu 18.04]].++++ As installing on a virtual machine (VM) it is important to also have set up the NFS to allow access to the main storage. Also consider aligning the appropriate file system user and groups between the VM server and VM guests. (For the Ubuntu Network Filing System, NFS, see [[http://www.havetheknowhow.com/Configure-the-server/Configure-NFS.html|Havetheknowhow.com - How to configure NFS Version 4]], that contains configuration information for both the VM server and clients.\\ I really need to create some of my own notes on this. =====Adding Users===== * Basic: ''sudo useradd name'' * Check ''/etc/default/useradd'' for defaults on the useradd command. * ''-g group1 group2'' to create user and add to additional group =====Aligning Group and User IDs across Virtual Machines on Same LAN===== Unfortunately, Havetheknowhow.com does not seem to cover the alignment of user and groups between the main OS and VMs. I create a basic template machine and manual update the group and user id numbers to align, a use the basic information given in [[https://muffinresearch.co.uk/linux-changing-uids-and-gids-for-user/|Linux: Changing UIDs and GIDs for a user]]. The process is tedious and takes a bit of care to complete, but once setup properly allows better operation between the server and virtual machines. The following scripts assist with changing the uid and gid of files on a system. These scripts are reasonably basic with basic commenting and understanding of function can be easily seen from the script text. I got these of the internet somewhere, I do not remember where now. ++++changegid.sh| <code> #!/bin/bash if [ "$#" -ne 3 ]; then # only proceed if all parameters are given echo "Changing the GID of a group and modify ownership of its files and directories." echo "Usage: changeGID.sh [groupname] [oldGID] [newGID]" >&2 exit 1 fi # ask for confirmation read -p "Changing the GID of group '$1' from $2 to $3. Proceed (y/n)? " -n 1 -r echo if [[ $REPLY =~ ^[Yy]$ ]]; then # check group GROUPEXISTS=$(cat /etc/group | grep -e "$1:[^:]*:$2" | wc -l) if [ "$GROUPEXISTS" -ne 1 ]; then echo "Group '$1' with GID $2 not found in /etc/group" echo "Aborted" exit 1 fi # check if new GID is already in use GIDEXISTS=$(cat /etc/group | grep -e "[^:]*:[^:]*:$3" | wc -l) if [ "$GIDEXISTS" -ne 0 ]; then echo "GID $3 already exists." echo "Aborted" exit 1 fi # modify GID, change ownership, change initial group of users groupmod -g $3 $1 find / -group $2 -exec chgrp -h $3 {} \; USERS=$(cat /etc/passwd | grep -e "[^:]*:[^:]*:[^:]*:33:" | sed -r 's/^([^:]*):.*$/\1/') for user in $USERS; do echo "Changing initial group of user '$user'" usermod -g $3 $user done exit 0 </code> ++++ ''Usage: changeGID.sh [groupname] [oldGID] [newGID]''\\ ++++changeuid.sh| <code> #!/bin/bash if [ "$#" -ne 3 ]; then echo "Changing the UID of a User and modify ownership of his files and directories." echo "Usage: changeUID.sh [username] [oldUID] [newUID]" >&2 exit 1 fi read -p "Changing the UID of user '$1' from $2 to $3. Proceed (y/n)? " -n 1 -r echo if [[ $REPLY =~ ^[Yy]$ ]]; then # check user USEREXISTS=$(cat /etc/passwd | grep -e "$1:[^:]*:$2" | wc -l) if [ "$USEREXISTS" -ne 1 ]; then echo "User '$1' with UID $2 not found in /etc/passwd" echo "Aborted" exit 1 fi UIDEXISTS=$(cat /etc/passwd | grep -e "[^:]*:[^:]*:$3" | wc -l) if [ "$UIDEXISTS" -ne 0 ]; then echo "UID $3 already exists." echo "Aborted" exit 1 fi # start modifiyng usermod -u $3 $1 find / -user $2 -exec chown -h $3 {} \; exit 0 fi echo "Aborted" exit 1 </code> ++++ ''Usage: changeUID.sh [username] [oldUID] [newUID]''\\ \\ Seems there are tools to directly manually edit the **/etc/group** and **/etc/passwd** files and their shadow files. The commands are ''sudo vipw'' and ''sudo vigr''. ---- =====LDPA===== I have not got around to working with this yet. Not sure if it is merited on a small home network. *[[https://www.golinuxcloud.com/ldap-tutorial-for-beginners-configure-linux/|Basics OpenLDAP Tutorial for Beginners - Understanding Terminologies & Usage]] *[[https://www.linux.com/news/linux-ldap-authentication/|Linux LDAP authentication]] *[[https://directory.apache.org/studio/|Apache Directory]] Apache Eclipse-based LDAP browser and directory client *[[https://www.digitalocean.com/community/tutorials/how-to-configure-openldap-and-perform-administrative-ldap-tasks|How To Configure OpenLDAP and Perform Administrative LDAP Tasks]] (A DigitalOcean Tutorial.) =====Web Server Change Basic Default Settings===== ++++old, tl;dr;|The Ubuntu Documentation page, [[https://help.ubuntu.com/lts/serverguide/httpd.html|HTTPD - Apache2 Web Server]], describes the setup of apache2 under Ubuntu 18.04. I prefer to have the html files located on a directory not inside the VM (virtual machine), so the following basic changes are required to move the html pages under the Ubuntu 18.04 apache2 setup.++++ As per [[https://workaround.org/ispmail|workaround.org]] I will change my Apache main configuration files to "example.org-http.conf" for http, port 80 and example.org-https.conf for https, port 443 services. ====Hostname==== *Systemd seems to use the control function hostnamectl to control hostname. It used to be simply modify the text Hostname in the file "/etc/hostname" was all that was required. Now the system overwrites this. The following procedure is now required. *Use the command ''hostnamectl'' to check current Hostname *To change the Hosename: ''sudo hostnamectl set-hostname New_Hostname'' *Ubuntu as 18.04 and up to 20.4 complicates further, another file needs to be modified to prevent automated changes, if present the file ''sudo vim /etc/cloud/cloud.cfg'', configuration variable within must be changed as follow: ''preserve_hostname: true'' *Last the ''/etc/hosts'' file should be updated to include the Hostname, this is same procedure as previous *127.0.0.1 localhost *127.0.0.1 New_Hostname *Additional system hosts can be placed in ''/etc/hosts'' to provide basic local host name resolution. I prefer to install a separate DNS server to provide this functionality. ====Apache2 Setup==== *Copy the current html files to the proposed new location: ''sudo rsync -av /var/www/html /mnt/shared/www16/'' *Change the /var/www.html reference in the following apache2 configuration files: *''sudo vim /etc/apache2/apache2.conf'', in particular change ''‹Directory /var/www/›'' to ''‹Directory /mnt/shared/www16/›'' (This defines file system access, add /var/www/ temporarily if necessary.) *''sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/kptree.net-http.conf'' then ''sudo vim /etc/apache2/sites-available/kptree.net-https.conf'', in particular change ''DocumentRoot /var/www/html'' to ''DocumentRoot /mnt/shared/www16/html/kptree.net/public_html''. Also change ''ServerName kptree.net'' and add-in directly after this line ''ServerAlias *.kptree.net''. *''sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/kptree.net-https.conf'' then ''sudo vim /etc/apache2/sites-available/kptree.net-https.conf'', in particular change ''DocumentRoot /var/www/html'' to ''DocumentRoot /mnt/shared/www16/html/kptree.net/public_html'' *After making these changes: *Test the apache2 configuration: ''sudo apachectl configtest'', ensure the statement "syntax ok" in output *To enable the new website configuration: ''sudo a2ensite kpbtree.net-http.conf'' and ''sudo a2ensite kpbtree.net-https.conf'', also disable the default website configuration ''sudo a2dissite example.com.conf'' *Reload or restart apache2 to enable configuration changes: ''sudo systemctl reload apache2'' or ''sudo systemctl restart apache2'' *Test the web page by typing in the local ip address of the apache2 server in a web browser The [[https://www.digitalocean.com/community/tutorials/how-to-move-a-mysql-data-directory-to-a-new-location-on-ubuntu-18-04|MySQL (Maria) database data directory can also be moved]], however the database sizes are not so large, nor need to be often changed after initial setup to merit this move. Also move mysql data directory [[https://www.digitalocean.com/community/tutorials/how-to-change-a-mysql-data-directory-to-a-new-location-using-a-symlink|How to Change a MySQL Data Directory to a New Location Using a Symlink]]. ====Apache Configuration Files===== I have been caught out too often with configuration files in apache, particularly not checking which are enable or disabled. - Edit configuration files in ''la -ls /etc/apache2/sites-available/'' - main http (port 80) setup file: ''sudo vim /etc/apache2/sites-available/example.org-http.conf'' - main https (port 443) setup file: ''sudo vim /etc/apache2/sites-available/example.org-https.conf'' - The main apache2 configuration file is: ''sudo vim /etc/apache2/apache2.conf'' - Always check the enable apache configuration files: ''la -ls /etc/apache2/sites-enabled/'' - Enable configuration files as required with for example: ''sudo a2dissite example.com.conf'' - Disable configuration files as required with for example: ''sudo a2dissite example.com.conf'' - Check configuration files with: ''sudo apachectl configtest'' - After changes are made reload or restart apache2: ''sudo systemctl reload apache2'' or ''sudo systemctl restart apache2'' To further add to confusion it would seem some Linux distributions refer to ''httpd'' instead of ''apache2'', e.g.: * ''/etc/httpd/httpd.conf'' or ''/etc/apache2/httpd.conf'' instead of ''/etc/apache2/apache2.conf'' * systemd service: ''httpd.service'' instead of ''apache2.service'' Note that these examples are presumption based upon documentation references. Basically Debian and related downstream distributions do not reference 'httpd'. =====Secure Web Server Settings===== There are a number of ways the various certificate files are handle and the nomenclature and file names used can be confusing. Basically there are 3 (+1) components to a central authority trusted key. -The public key, which actually acts as a lock to encrypt a file. The public key (lock) is made freely available to the public to be used to encrypt a file that only the matching private key can decrypt (unlock). -The private key, which is the only key that can unlock a file that is encrypted with the matching public key (lock). The private key must be kept absolutely private. -The Certificate Authority's (CA) Public Key (lock) which is used to encrypt communications with the CA to confirm that public key (lock) and the certificate embedded websites actually belongs to whoever hold the matching private key and hence the website belongs to the person that controls the private key. -(+1) The CA must have a corresponding private key to unlock the encryption of their certificates and their public keys used to lock them. They need to do this to verify the Certificate data and corresponding public key. Some points about secure web sites: -A secure website really only means that the website used encryption to secure it and the certificate authority has performed basic checks to confirm ownership/control of the website. **This does not necessarily guarantee the honesty of the owner/controller.** There are certificates that the authorities issue that require greater ownership checks and hence cost more money and require greater verification upon the owner/controller to achieve. These tend to be used by larger organisations. The greater checking and costs tend to -The public/private encryption system is not proven and relies upon large keys numbers to prevent brute force cracking. There is no guarantee that in the future the may not be developments that require even larger keys or make the current system otherwise ineffective. The following is a list of Apache SSL directives used to handle certificates: -SSLCertificateFile, refers to the the public key (lock) file, it sometimes also contains the CA certificate and lock. -SSLCertificateKeyFile, refers to the private key file. This must be key securely private and never made public, even to the CA. -SSLCertificateChainFile, refers to the CA certificate and lock file, it is sometimes combined with the SSLCertificateFile and is then not used. StartSSL and Godaddy use all 3 directives mentioned above, whereas LetsEncrypt use only the first 2, with the CA certificate combined with the public key in the SSLCertificateFile directive. See the Apache HTTP Server Version 2.4 documentation on [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html|Apache Module mod_ssl]]. This reference also has information on the directives mentioned above as well as a number of other SSL Certificate directive not discussed herein. See the wikipedia article [[https://en.wikipedia.org/wiki/X.509|X.509]], as a general reference / background on CAs. ====LetEncrypt Certificate Settings==== ++++Old TL;DR;| As of writing this there is no direct support for LetsEncrpyt's current version of installation software on Ubuntu 18.04, Certbot. The recommended Certbot PPA for Ubuntu can be found at [[https://launchpad.net/~certbot/+archive/ubuntu/certbot|"certbot" team - Certbot PPA]]. Unfortunately the command ''add-apt-repository'' needs to be added, so the final commands are: *To ensure the current package database is up to date: ''sudo apt update'' *To install the add-apt-repository command: "sudo apt install software-properties-common" *To add the official Debian Certbot repository that have been back-ported to Ubuntu: ''sudo add-apt-repository ppa:certbot/certbot'' *To update the repositories including the newly added Certbot ones: ''sudo apt update'' *To install Certbot: ''sudo apt install certbot'' DigitalOcean has Ubuntu 20.04 setup, [[https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-20-04|How To Secure Apache with Let's Encrypt on Ubuntu 20.04]]. ++++ To install Certbot: ''sudo apt install certbot'' (Unfortunately Cerbot site recommends use of snap package, unbelievable.....)\\ Make sure the basic web site domain/sub-domain is working and accessible off internet.\\ I now prefer to use the following instructions, [[https://workaround.org/ispmail/bullseye/tls-encryption-key-and-certificate/|Creating a TLS encryption key and certificate]]. Once setup, the basic commands are: *To create a new certificate with sub-domains: ''certbot-auto --apache -d example.com -d www.example.com -d mail.example.com''. This assume that all these domains and sub-domains are existing accessible Apache web pages. *''%%certbot certonly --webroot --webroot-path /var/www/example.org -d example.org%%'' *To manually auto renewal: ''sudo certbot-auto renew''. Set up auto renew using a cron job. The Cerbot process seems to be fairly automated. And worked immediately for my existing sites. I had to update my domain DNS records to add additional sub-domains for these to work correctly with this Certbot command. **The cerbot documentation can be found at: [[https://certbot.eff.org/docs/using.html|User Guide]]** *To check systemd times: ''systemctl list-timers'' //(Cerbot used this in systemd enables systems)// *To list cerbot related certificates: ''sudo certbot certificates'' *To delete cerbot certificats not required ''%%sudo certbot delete --cert-name certname%%'' *To check certbot auto renew script ''sudo certbot renew'' *To check certbot auto renew functionality ''%%sudo certbot renew --dry-run%%'' //%%(The --dry-run option provides additional test of functionality)%%// I needed to check and delete incorrect cerbot certificate set-up due to copying across virtual machines setup and changing. ======Web Server Applications Setup====== =====Nextcloud setup===== The following references show how to install Nextcloud on Ubuntu 20.04 *[[https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-nextcloud-on-ubuntu-20-04|DigitalOcean - How To Install and Configure Nextcloud on Ubuntu 20.04]]. To move / redeploy Nextcloud from one server to another, backup and restore instructions, [[https://docs.nextcloud.com/server/stable/admin_manual/maintenance/index.html|Nextcloud Maintenance]]. Also check the mariadb help on mysqldump and [[https://mariadb.com/kb/en/mariadb/mysql-command-line-client/|mysql Command-line Client]]. Also the DigitalOcean - [[https://www.digitalocean.com/community/tutorials/how-to-backup-mysql-databases-on-an-ubuntu-vps|How To Backup MySQL Databases on an Ubuntu VPS]] is a handy reference. *To back up use, where moving deployment from the old server virtual machine: *For the database: ''sudo mysqldump -l -h localhost -u root -p nextcloud > ~/nextcloud-dbbackup_`date +"%Y%m%d"`.bak'' (Then move to the oc-backdir: ''sudo mv ~/nextcloud-dbbackup_`date +"%Y%m%d"`.bak /mnt/shared/temp/oc-backupdir/''). *For the config files: ''sudo rsync -Aax /var/www/owncloud/config /mnt/shared/temp/oc-backupdir/'' *For the relocated data: ''sudo rsync -Aax /mnt/shared/www/owncloud/data /mnt/shared/temp/oc-backupdir/'' *To restore use, where moving deployment from the new server virtual machine: *If required create the nextcloud database in MySQL: *Enter MySQL as root: ''mysql -u root -p'', you will be prompted for MySQL root password. *Create the NextCloud database in MySQL: ''CREATE DATABASE nextcloud;'' *Create a separate MySQL account for NextCloud, obviously using your own assigned password: ''%%GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'set_database_password'%%''; *Make current MySQL session know of the recent privilege change: ''FLUSH PRIVILEGES;'' *Last, exit MySQL command line with: ''exit''. *(First copy to the local VM home directory from the backup directory, oc-backdir: ''sudo cp /mnt/shared/temp/oc-backupdir/owncloud-dbbackup_`date +"%Y%m%d"`.bak ~'') For the database: ''mysql -h localhost -u root -p nextcloud < owncloud-dbbackup_`date +"%Y%m%d"`.bak''. *For the config files: ''sudo rsync -Aax /mnt/shared/temp/oc-backupdir/config /var/www/nextcloud/'', add the -n flag for a test run. *For the relocated data: ''sudo rsync -Aax /mnt/shared/temp/oc-backupdir/data /mnt/shared/www16/nextcloud/'' *Ensure the path to your nextcloud directory is included in the /etc/apache2/apache2.conf, e.g. statement. ====Nextcloud Updating==== *Nextcloud Stable Server Administration Manual [[https://docs.nextcloud.com/server/stable/admin_manual/maintenance/index.html|Maintenance]]. (This also discusses database management, backup and restore) ====mariadb binary log files==== The mysql binary log files are located here: ''var/log/mysql''. Some time they fill up the file system and the system then fails to operate. * ''sudo mysql -p -u root'' - Login in to mysql, need root password * ''SHOW BINARY LOGS;'' - to list current binary log files * ''%%PURGE BINARY LOGS TO 'mariadb-bin.003071';%%'' - to purge all binary log files before listed log file, in example ''%%'mariadb-bin.003071'%%'' * ''%%show variables like "sql_log_bin";%%'' - to see current setting of variable ''%%"sql_log_bin"%%'' * ''%%SET sql_log_bin = 0;%%'' - to set a variable * ''exit'' or ^d - to exit ---- ====Nextcloud OCC Comand==== This is the Nextcloud CLI (command line interface), the documentation can be found at [[https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/occ_command.html?highlight=occ|Using the occ command]]. The occ command must be run in directory where the Nextcloud occ file is located, in my case ''cd /var/www/html''. The key commands are: *''sudo -u www-data php occ maintenance:mode %%--%%off'' to turn off maintenance mode (Should "turn on" Nextcloud) *''sudo -u www-data php occ maintenance:mode %%--%%on'' to turn on maintenance mode (Should "turn off" Nextcloud) Some keypoint to using this CLI: *The php command application is called occ, hence the ''php occ'' *The command needs to be run as the same user as the webserver and Next cloud, hence the ''sudo -u www-data'' *The occ command is located the nextcloud htlm server directory, normally in ''/var/www/nextcloud'', but in my current case ''/var/www/html'' as this is a virtual server dedicated to operating Nextcloud. The seems to be an issue with the Nextcloud builtin updater. Sometimes the process stalls when downloading the update files, as presumably the download takes too long and the process times out. Next time trying to run the update comes up with a message that it is at step 4 (downloading) and seems to stick at this point. ---- =====PHP===== ====Latest PHP===== In general I like to use the latest server packaged PHP release. Sometimes it may be necessary to get a later release. I have previously had a problem with the latest release of PHP not working with the current version of Nextcloud, so some care and consideration is required. [[https://www.linuxshelltips.com/install-php-8-debian/|How to Install Latest PHP 8.1 on Debian 11/10]] ====php.ini==== * ''php -i | grep php.ini'' or ''%%php -r "echo php_ini_loaded_file().PHP_EOL;"%%'' to find the active php.ini file * ''%%php -r 'print php_ini_loaded_file(); print_r(php_ini_scanned_files());'%%'' to list the active php files * ''memory_limit'' Nextcloud requires minimum 512MB. Setting to ''-1'' make this unlimited, however this could allow machine to run out of memory. Suggest setting is ''512m'' or ''1g''. This value should also generally be bigger than ''post_max_size''. * ''upload_max_filesize'' sets a limit on maximum upload file size, default is 2M, suggest setting to at least 256M. * ''post_max_size'' sets alimit on maximum post data allowed. This value should be larger than ''upload_max_filesize'' =====HTTP & HTTPS Apache redirect to internal IP Virtual Machine & Related===== ====HTTP & HTTPS Apache Reverse Proxy to internal IP Virtual Machine==== The goal is to setup two (or more) Apache2 virtual web servers, each on separate virtual machines (VMs), each with a separate distinct LAN IP address. However there is only one WAN static Internet address, with the router setup to forward the web ports 80 and 443 to only one primary virtual web server. The primary virtual web server is setup to handle certain sub-domains directly and to forward, via reverse proxy other the subdomain(s) to "secondary" virtual web servers. The setup must operate on a "standard" Ubuntu 16.04 with this distribution's "standard" LAMP (Linux, Apache, Mariadb(MySQL) PHP) setup. Unfortunately a web search on this matter does not provide much clarity. There are a number of reasons for this, including without limitation: *Outdated information, for older web server and virtual machine set-ups *Different goals and associated scopes *The Apache documentation, while authoritative, is difficult to use as it seems to have limited relevant examples It is assumed that the domain name provide DNS information points to the WAN Internet address (A Record) for the domain name and all related sub-domains (CNAME Record). ====Forward Proxy not Required and to be Disabled==== A forwarding proxy with its associated security risks is not required. These ProxyRequests directive should be off, so we could add the line "ProxyRequests Off" in "/etc/apache2/mods-enabled/proxy.conf". However as [[https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests|ProxyRequests]] Off is default, this is not necessary. Be careful to ensure this directive is not otherwise inadvertently turned on! See references: Apache HTTP Server Version 2.4 - [[http://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxyrequests|Apache Module mod_proxy]] ====Reverse Proxy is required and must be Enabled==== The proxy_module mod_proxy must be enabled for a reverse (or forward) proxy to function. *"ProxyPreserveHost on" (default off) is required where the original Host header needs to be evaluated by the proxy server. *"ProxyPass" *"ProxyPassReverse" The ProxyPass and ProxyReversePass directives are enclosed within the <location> directive to limit their scope. See Apache HTTP Server Version 2.4 - [[http://httpd.apache.org/docs/2.4/mod/core.html#location|Apache Core Features - <Location>]] See references: Apache HTTP Server Version 2.4 - [[http://httpd.apache.org/docs/2.4/mod/mod_proxy.html|Apache Module mod_proxy]] ====SSL Reverse Proxy is required and must be Enabled==== In the prime VirtualHost definition for each reverse proxy sub-domain for https the following additional parameters need to be considered. The SSL module, mod_ssl must be turned on. *"SSLEngine on" (default off) must be turned on in https virtual host definition *"SSLProxyEngine On" (default is off) is required to allow reverse proxy with SSL to function *"SSLProxyVerify none" (default is none) *none: no remote server Certificate is required at all *optional: the remote server may present a valid Certificate *require: the remote server has to present a valid Certificate *optional_no_ca: the remote server may present a valid Certificate, but it need not to be (successfully) verifiable. *SSLProxyCheckPeerCN off (default is on), leave on if the remote server certificate CN field is to be check against the hostname of the requested URL. (only the primary CN field is checked.) *SSLProxyCheckPeerName off (default is on), leave on if the remote server certificate CN field, or subjectAltName extention are to be check against the hostname of the requested URL. (Basic wildcard matching supported too.) SSLProxyCheckPeerExpire off (default is on), leave on if remote server certificate expiry check is to be performed. Reverse proxy will not work where SSLProxyEngine is off or any set SSLProxyChecks fail. See references: Apache HTTP Server Version 2.4 - [[http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxyengine|Apache Module mod_ssl]] and Server Fault - [[http://serverfault.com/questions/538086/proxyerror-ah00898-error-during-ssl-handshake-with-remote-server|proxy:error AH00898: Error during SSL Handshake with remote server]]. ====The Alias and Redirect Directives and <Directory> Directive may be required==== The Alias Directive may need to be used with <Directory> Directive to allow other access to local file system outside DocumentRoot. The Alias and Redirect Directives are included in the mod_alias module. <Directory> is a core feature and hence always available. See references: Apache HTTP Server Version 2.4 - [[http://httpd.apache.org/docs/2.4/mod/mod_alias.html#alias|Apache Module mod_alias]] and [[http://httpd.apache.org/docs/2.4/mod/core.html#directory|Apache Core Features - Directory]]. ====Apache modules requirements==== *The following is a list of additional apache modules that will need to be installed: *sudo a2enmod proxy *sudo a2enmod proxy_http *sudo a2enmod rewrite (The secondary virtual web server only requires for this setup.) *sudo a2enmod xml2enc (This is not mandatory, but gets rid of some warnings.) *These modules should have been installed by default and are required. (To check installed modules "sudo a2dismod"): *sudo a2enmod alias *sudo a2enmod deflate *sudo a2enmod headers *These modules do not need to be installed on this setup: *sudo a2dismod proxy_ajp *sudo a2dismod proxy_balancer *sudo a2dismod proxy_connect *sudo a2dismod proxy_html =====Virtualhost Files Setup===== I do not recommend excessive separate multiple virtual machine configuration files, there is a balance. ====HTTP virtual host on primary server, example.com:==== Virtualhost file /etc/apache2/sites-available/example.com.conf <code> <VirtualHost *:80> ServerName example.com ServerAlias www.example.com ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html #ErrorLog ${APACHE_LOG_DIR}/error.log #CustomLog ${APACHE_LOG_DIR}/access.log combined ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined Redirect permanent / https://example.com/ #Added by Certbot RewriteEngine on RewriteCond %{SERVER_NAME} =kptree.net [OR] RewriteCond %{SERVER_NAME} =www.kptree.net RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost> </code> The only function is to redirect HTTP queries to http://example.com and http://www.example.com to the HTTPS virtual machine for https://example.com. ====HTTP virtual host on primary proxy server, sub1.example.com:==== Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf <code> <VirtualHost *:80> ServerName sub1.example.com #ServerAlias #ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined Redirect permanent / https://sub1.example.com/ #Added by Certbot RewriteEngine on RewriteCond %{SERVER_NAME} =kptree.net [OR] RewriteCond %{SERVER_NAME} =www.kptree.net RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost></code> The only function is to redirect HTTP queries to http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com. ====HTTPS virtual host on primary server, example.com:==== Virtualhost file /etc/apache2/sites-available/example.com-SSL.conf <code> <IfModule mod_ssl.c> <VirtualHost *:443> ServerName example.com ServerAlias www.example.com ServerAdmin webmaster@localhost DocumentRoot /mnt/shared/www/html #Some optimisation and security directives (requires mod_headers enabled) Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined SSLEngine on SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem #SSLCertificateChainFile <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule> </code> This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a "standard" virtual machine setup for HTTPS. ====HTTPS virtual host on primary proxy server, sub1.example.com:==== Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf <code> <IfModule mod_ssl.c> <VirtualHost *:443> ServerName sub1.example.com #ServerAlias #ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html ProxyPreserveHost on <Location /> ProxyPass https://192.168.1.18/ ProxyPassReverse https://192.168.1.18/ </Location> #Some optimisation and security directives Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined SSLEngine on SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem #SSLCertificateChainFile <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule> </code> This is the virtual machine to reverse proxy HTTPS queries to https://sub1.example.com to a separate local LAN apache server, hence the reference to the local LAN address: https://192.168.1.18. (Does not seem to function correctly or at all without the ProxyPreserveHost and SSLProxyEngine directives on. Similarly the ProxyPass and ProxyPassReverse references must be to the https://LAN_IP_address (192.168.1.18/), not a server name (sub1.example.com), as shown.) HTTP virtual host on secondary server, sub1.example.com: ====Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf==== <code> <VirtualHost *:80> ServerName sub1.example.com #ServerAlias ServerAdmin webmaster@localhost Redirect permanent / https://sub1.example.com/ DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost> </code> The only function is to redirect HTTP queries from http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com. (It would normally never be called as the primary server reverse proxy only calls the https address. Not WAN accessible except via primary reverse proxy.) ====HTTPS virtual host on secondary server, sub1.example.com:==== Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf <code> <IfModule mod_ssl.c> <VirtualHost *:443> ServerName sub1.example.com #ServerAlias ServerAdmin webmaster@localhost Redirectmatch ^/$ https://sub1.example.com/sub1 DocumentRoot /var/www/html #Some optimisation and security directives Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/PUBLIC_KEY_FILE SSLCertificateKeyFile /etc/ssl/private/PRIVATE_KEY_FILE SSLCertificateChainFile /etc/ssl/PUBLIC_CHAIN_KEY_FILE <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule> </code> This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a "standard" virtual machine setup for HTTPS. (Not WAN accessible except via primary reverse proxy.) ====Setup of application on secondary server virtualhost, sub1.example.com:==== Virtualhost file /etc/apache2/sites-available/sub1.app.conf <code> Alias /app1 "/mnt/shared/app1/" <Directory /mnt/shared/html/app1/> Options FollowSymLinks AllowOverride All #AllowOverrideList None <RequireAll> Require all granted </RequireAll> </Directory> <Directory /mnt/shared/html/app1/installer> Options FollowSymLinks AllowOverride None #AllowOverrideList None <RequireAll> Require all denied </RequireAll> </Directory> </code> This allows application access control to various sub-directories. It can also be used to give access to directories outside the DocumentRoot directive. ====Notes:==== In relation to the HSTS directive 'Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"', refer to the following references; The Chromium Projects [[https://www.chromium.org/hsts/|HTTP Strict Transport Security]] and [[https://hstspreload.org/|HSTS preload]]. As this web site does **not** perform funds transactions it has been elected not to use the preload function. Hence the HSTS "preload" option is removed. ====Password Protecting HTTP/HTTPS Pages==== The apache2 module auth_basic is required to be loaded. To enable "sudo a2enmod auth_basic" To make a html secure page subdirectory add the following to "sudo vim /etc/apache2/apache2.conf" <code> <Location "/mnt/shared/www/html/secure"> AuthType basic AuthName "Private Area" AuthUserFile "/mnt/shared/www/.htpasswd" Require valid-user </Location> </code> To create the authuserfile with one user, 'user': "htpasswd -c /mnt/shared/www/.htpasswd user", to add another user or change an existing user password "htpasswd /mnt/shared/www/.htpasswd user" The following are related links: *Apache HTTP Server Version 2.4 [[http://httpd.apache.org/docs/current/mod/mod_auth_basic.html|Apache Module mod_auth_basic, mod_authn_file]] to create password, [[http://httpd.apache.org/docs/current/programs/htpasswd.html|htpasswd]] - Manage user files for basic authentication *Elated - Password Protecting [[http://www.elated.com/articles/password-protecting-your-pages-with-htaccess/|Your Pages with htaccess]] *Stackoverflow [[https://stackoverflow.com/questions/6441578/how-secure-is-htaccess-password-protection|How secure is .htaccess password protection?]] =====Web Based Applications===== ====Install Zenphoto==== I used Zenphoto form circa 2017 - 2020. I found it a bit clunky and slow and could not be bothered to upgrade. It may be better now.\\ ++++old tl;dr;|[[http://www.zenphoto.org/|Zenphoto]] The simpler media website CMS. The Zenphoto [[http://www.zenphoto.org/news/category/installation-upgrade/|User guide for installation and upgrade]]. Some additional helpful links: [[http://www.zenphoto.org/news/an-overview-of-zenphoto-users/|An overview of zenphoto users (Rights management)]], [[http://www.zenphoto.org/news/permissions-for-zenphoto-files-and-folders/|Permissions for Zenphoto files and folders]], and [[http://www.zenphoto.org/news/database-scheme/|Database scheme]]. Following the same outline as the Zenphoto [[http://www.zenphoto.org/news/category/installation-upgrade/|installation guide.]]:\\ 1. Download the latest version of Zenphoto\\ Move to the proposed installation directory, as required: *cd /var/www/html *sudo mkdir zenphoto *cd zenphoto The latest version of Zenphoto can be downloaded by: ''sudo wget https://github.com/zenphoto/zenphoto/archive/zenphoto-1.5.6.tar.gz'' <fs smaller>(The latest version of Zenphoto can be found on the Zenphoto [[http://www.zenphoto.org/|main page]]. As of writing it is Zenphoto 1.5.6)</fs> 2. Extract the files to your computer *Extract the archive into zenphoto directory: ''sudo tar -xzvf zenphoto-1.5.6.tar.gz'' *Move contents to preferred directory: ''sudo mv zenphoto-1.5.6/* ./'' *The archive can be deleted after successfully extracting it: ''sudo rm -rf zenphoto-1.5.6.tar.gz zenphoto-1.5.6'' *Setup apache2 to recognise example.com/zenphoto/: *Create ''sudo vim /etc/apache2/sites-available/zenphoto.conf'' and copy following into it: <code> Alias /zenphoto "/var/www/zenphoto/" <Directory /var/www/zenphoto/> Options +FollowSymlinks AllowOverride All </Directory> </code> *Then ''sudo a2ensite zenphoto.conf'' to enable configuration *Then ''sudo systemctl reload apache2'' to reload apache2 with updated configuration file *Create a MySQL database *The Zenphoto instructions do not give any details here, presumably it just needs a MYSQL database with local permissions. *Enter MySQL as root: ''mysql -u root -p'', you will be prompted for MySQL root password. *Create the Zenphoto database in MySQL: ''CREATE DATABASE zenphoto;'' *Create a separate MySQL account for Zenphoto, using your own assigned password if desired: ''GRANT ALL ON zenphoto.* to 'zenphoto'@'localhost' IDENTIFIED BY 'zenphoto_pass';'' *Make current MySQL session know of the recent privilege change: ''FLUSH PRIVILEGES;'' *Last, exit MySQL command line with: ''exit''. *Remember the MySQL credentials above to configure Zenphoto *database name: zenphoto *user name: zenphoto *password: zenphoto_pass *Navigate to the zenphoto gallery *"example.com/zenphoto/" and Setup.php should run. *If it does not run, navigate directly to example.com/zenphoto/zp-core/setup.php. Refer to info about the required permissions if you run into issues. *Enter the MySQL credentials and make sure everything checks out *Click GO!* ++++ ====Install FluxBB==== FluxBB seemed like a well written BB system.\\ I used FluxBB from circa 2017 to 2020. Interestingly in that period I had no serious people using it, just a whole pile of spam users trying to advertise or basic users simply saying hello and never posting again. So basically I stopped running a Bulletin board, it was a waste of my time.\\ ++++old tl;dr;|[[http://fluxbb.org/|FluxBB]] is lightweight forum software for a website. A forum gives readers a chance to interact. See the following FluxBB reference links [[http://fluxbb.org/docs/v1.4/installing|Installing]] and [[http://fluxbb.org/downloads/upgrade.html|Upgrading]]. To install, it assumed that an operating LAMP server is already operational. Follow the FluxBB [[http://fluxbb.org/docs/v1.4/installing|Installing]] instruction. I have "clarified" the first 3 steps below. 1. Create a database for the forum to use <code> mysql -u root -p create database fluxbb; create user 'fluxbbadmin' identified by 'fluxbbadmin'; grant all privileges on fluxbb.* to 'fluxbbadmin'; FLUSH PRIVILEGES; exit </code> 2.Copy/upload all contents into the directory where you want to run your forums <code> Move to the proposed installation directory, as required: cd /var/www/html sudo mkdir fluxbb cd fluxbb The latest version of FluxBB can be downloaded by "sudo wget http://fluxbb.org/download/releases/1.5.10/fluxbb-1.5.10.tar.gz" Extract the archive into fluxbb directory: "sudo tar -xzvf fluxbb-1.5.10.tar.gz" Move contents to preferred directory: "sudo mv fluxbb-1.5.10/* ./" The archive can be deleted after successfully extracting it: "sudo rm -rf fluxbb-1.5.10.tar.gz fluxbb-1.5.10" </code> 3. Run install.php from the forum root directory and follow the on-screen instructions ++++ ====The following is a list web subject references:==== *Perishable Press [[https://perishablepress.com/stupid-htaccess-tricks/|stupid-htaccess-tricks]] *Serverfault [[http://serverfault.com/questions/749768/http-https-apache-redirect-to-internal-ip-virtual-machine|HTTP & HTTPS Apache redirect to internal IP Virtual Machine]] *Serverfault [[http://serverfault.com/questions/789383/apache2-reverse-proxy-to-access-multiple-lan-servers-from-wan|Apache2 reverse proxy to access multiple LAN servers from wan]] *DigitalOcean [[https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension|How To Use Apache HTTP Server As Reverse-Proxy Using mod_proxy Extension]] *Apache.org HTTP Server Version 2.4 links: *[[https://httpd.apache.org/docs/2.4/vhosts/ip-based.html|Apache IP-based Virtual Host Support]] *[[http://httpd.apache.org/docs/current/mod/mod_ssl.html|Apache Module mod_ssl]] *[[https://httpd.apache.org/docs/2.4/rewrite/|Apache mod_rewrite]] *[[https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html|Reverse Proxy Guide]] *[[https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse|Apache Module mod_proxy]] *[[http://httpd.apache.org/docs/current/mod/core.html#location|Apache Core Features]], lists the various apache configuration directives *[[http://httpd.apache.org/docs/current/sections.html|Apache Configuration Sections]], lists the various apache configuration directives ===Older web reference links, that are either outdated or not aligned with the proposed goal and scope:=== *Serverfault [[http://serverfault.com/questions/415780/how-to-point-sub-domains-to-different-local-ip|How to point sub-domains to different local IP]] *Serverfault [[http://serverfault.com/questions/413102/apache-rewrite-or-proxy-to-internal-server|Apache Rewrite or Proxy to internal server]] *Stackoverflow [[http://stackoverflow.com/questions/6643852/error-403-forbidden-permissions-on-apache2-tomcat6-mod-proxy|Error 403 Forbidden - permissions on apache2, tomcat6, mod_proxy]] *Ubuntu questions [[http://askubuntu.com/questions/172937/how-to-make-subdomains-point-to-different-local-ip-addresses|How to make subdomains point to different local IP addresses?]] *Atlassian Documentation [[https://confluence.atlassian.com/kb/proxying-atlassian-server-applications-with-apache-http-server-mod_proxy_http-806032611.html|Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)]] *Apache HTTP Server Version 2.2 (Old Apache version) [[http://httpd.apache.org/docs/2.2/vhosts/examples.html|VirtualHost Examples]] Some information on Wikis: *[[https://www.dokuwiki.org/dokuwiki|Dokuwiki]] is simpler than media wiki, and does not use a database *[[https://www.mediawiki.org/wiki/MediaWiki|Mediawiki]] is was developed for Wikipedia *[[https://tiddlywiki.com/|Tiddlywiki]] is more a personal wiki ====The following is a list of related commonly used commands and scripts:==== *To open the main web page ''%%http://server-ip-address/%%'' *To open the PHP test page ''%%http://server-ip-address/testphp.php%%'' *To label list current IPTABLES configuration, verbose ''sudo iptables -L -v'' or simple ''sudo iptables -S'' *To check running process with sql (/ apa for apache2) in the name ''ps -A | grep sql'' *To start (/stop /enable) the SQL database daemon ''sudo systemctl stop mysql'' *Systemd common commands (start / stop / restart / status) (enable / disable for boot control) *Reload or restart apache2 to enable configuration changes: ''sudo systemctl reload apache2'' or ''sudo systemctl restart apache2'' *Apache2 related: *To show the current apache VirtualHost configuration: ''apache2ctl -S'' *To enable / disable apache module: ''sudo a2enmod module_name'' / ''sudo a2dismod module_name'', if module name is not given available modules will be listed *To enable / disable apache virtual host (configuration file): ''sudo a2ensite VH.conf'' / ''sudo a2dissite VH.conf'' *Site configuration files stored in directory: ''/etc/apache2/sites-available'' ====The following is a list of related commonly used SQL commands:==== *To open the current SQL database configuration web page ''%%http://server-ip-address/phpmyadmin/%%'' *To confirm the status (start, stop and restart) mysql ''sudo systemctl status apache2'' *To login into mysql as root, with password prompt: ''sudo mysql -u root -p'' *Database commands: *To show databases: ''show databases;'' *To create database (where new database name is: dBase_NAME): ''create dBase_NAME'' *To list mySQL database sizes: ''%%SELECT table_schema "DB Name", Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB" FROM information_schema.tables GROUP BY table_schema;%%'' *To use a database: ''use databasename;'' ======ipv6====== *[[https://www.cyberciti.biz/faq/ipv6-apache-configuration-tutorial/|Apache IPv6 Configuration: Dual Stacked IPv4 & IPv6 Virtual Hosts]] *[[https://fedingo.com/how-to-enable-ipv6-in-apache-web-server/|How To Enable IPv6 in Apache Web Server]] <- home_server:media_vm_setup|prev page ^ home_server:index|Start page ^ home_server:mswindows_notes|next page ->