Trace: Web Server setup

Web Server setup

Table of Contents

Web Server setup

Basic Web Server setup on VM

I am moving away from Ubuntu to Debian. I find the instruction for here are good to setup a basic web server Digitalocean's LAMP on Debian 11 and Computing for Geeks LAMP on Debian.

Old, tl;dr;

As installing on a virtual machine (VM) it is important to also have set up the NFS to allow access to the main storage. Also consider aligning the appropriate file system user and groups between the VM server and VM guests. (For the Ubuntu Network Filing System, NFS, see Havetheknowhow.com - How to configure NFS Version 4, that contains configuration information for both the VM server and clients.
I really need to create some of my own notes on this.

Adding Users

  • Basic: sudo useradd name
  • Check /etc/default/useradd for defaults on the useradd command.
  • -g group1 group2 to create user and add to additional group

Aligning Group and User IDs across Virtual Machines on Same LAN

Unfortunately, Havetheknowhow.com does not seem to cover the alignment of user and groups between the main OS and VMs. I create a basic template machine and manual update the group and user id numbers to align, a use the basic information given in Linux: Changing UIDs and GIDs for a user. The process is tedious and takes a bit of care to complete, but once setup properly allows better operation between the server and virtual machines.

The following scripts assist with changing the uid and gid of files on a system. These scripts are reasonably basic with basic commenting and understanding of function can be easily seen from the script text. I got these of the internet somewhere, I do not remember where now.

changegid.sh

Usage: changeGID.sh [groupname] [oldGID] [newGID]

changeuid.sh

Usage: changeUID.sh [username] [oldUID] [newUID]

Seems there are tools to directly manually edit the /etc/group and /etc/passwd files and their shadow files. The commands are sudo vipw and sudo vigr.


LDPA

I have not got around to working with this yet. Not sure if it is merited on a small home network.

Web Server Change Basic Default Settings

old, tl;dr;

As per workaround.org I will change my Apache main configuration files to “example.org-http.conf” for http, port 80 and example.org-https.conf for https, port 443 services.

Hostname

  • Systemd seems to use the control function hostnamectl to control hostname. It used to be simply modify the text Hostname in the file “/etc/hostname” was all that was required. Now the system overwrites this. The following procedure is now required.
    • Use the command hostnamectl to check current Hostname
    • To change the Hosename: sudo hostnamectl set-hostname New_Hostname
    • Ubuntu as 18.04 and up to 20.4 complicates further, another file needs to be modified to prevent automated changes, if present the file sudo vim /etc/cloud/cloud.cfg, configuration variable within must be changed as follow: preserve_hostname: true
    • Last the /etc/hosts file should be updated to include the Hostname, this is same procedure as previous
      • 127.0.0.1 localhost
      • 127.0.0.1 New_Hostname
    • Additional system hosts can be placed in /etc/hosts to provide basic local host name resolution. I prefer to install a separate DNS server to provide this functionality.

Apache2 Setup

  • Copy the current html files to the proposed new location: sudo rsync -av /var/www/html /mnt/shared/www16/
  • Change the /var/www.html reference in the following apache2 configuration files:
    • sudo vim /etc/apache2/apache2.conf, in particular change ‹Directory /var/www/› to ‹Directory /mnt/shared/www16/› (This defines file system access, add /var/www/ temporarily if necessary.)
    • sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/kptree.net-http.conf then sudo vim /etc/apache2/sites-available/kptree.net-https.conf, in particular change DocumentRoot /var/www/html to DocumentRoot /mnt/shared/www16/html/kptree.net/public_html. Also change ServerName kptree.net and add-in directly after this line ServerAlias *.kptree.net.
    • sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/kptree.net-https.conf then sudo vim /etc/apache2/sites-available/kptree.net-https.conf, in particular change DocumentRoot /var/www/html to DocumentRoot /mnt/shared/www16/html/kptree.net/public_html
  • After making these changes:
    • Test the apache2 configuration: sudo apachectl configtest, ensure the statement “syntax ok” in output
    • To enable the new website configuration: sudo a2ensite kpbtree.net-http.conf and sudo a2ensite kpbtree.net-https.conf, also disable the default website configuration sudo a2dissite example.com.conf
    • Reload or restart apache2 to enable configuration changes: sudo systemctl reload apache2 or sudo systemctl restart apache2
    • Test the web page by typing in the local ip address of the apache2 server in a web browser

The MySQL (Maria) database data directory can also be moved, however the database sizes are not so large, nor need to be often changed after initial setup to merit this move. Also move mysql data directory How to Change a MySQL Data Directory to a New Location Using a Symlink.

Apache Configuration Files

I have been caught out too often with configuration files in apache, particularly not checking which are enable or disabled.

  1. Edit configuration files in la -ls /etc/apache2/sites-available/
    1. main http (port 80) setup file: sudo vim /etc/apache2/sites-available/example.org-http.conf
    2. main https (port 443) setup file: sudo vim /etc/apache2/sites-available/example.org-https.conf
  2. The main apache2 configuration file is: sudo vim /etc/apache2/apache2.conf
  3. Always check the enable apache configuration files: la -ls /etc/apache2/sites-enabled/
  4. Enable configuration files as required with for example: sudo a2dissite example.com.conf
  5. Disable configuration files as required with for example: sudo a2dissite example.com.conf
  6. Check configuration files with: sudo apachectl configtest
  7. After changes are made reload or restart apache2: sudo systemctl reload apache2 or sudo systemctl restart apache2

To further add to confusion it would seem some Linux distributions refer to httpd instead of apache2, e.g.:

  • /etc/httpd/httpd.conf or /etc/apache2/httpd.conf instead of /etc/apache2/apache2.conf
  • systemd service: httpd.service instead of apache2.service

Note that these examples are presumption based upon documentation references. Basically Debian and related downstream distributions do not reference 'httpd'.

Secure Web Server Settings

There are a number of ways the various certificate files are handle and the nomenclature and file names used can be confusing. Basically there are 3 (+1) components to a central authority trusted key.

  1. The public key, which actually acts as a lock to encrypt a file. The public key (lock) is made freely available to the public to be used to encrypt a file that only the matching private key can decrypt (unlock).
  2. The private key, which is the only key that can unlock a file that is encrypted with the matching public key (lock). The private key must be kept absolutely private.
  3. The Certificate Authority's (CA) Public Key (lock) which is used to encrypt communications with the CA to confirm that public key (lock) and the certificate embedded websites actually belongs to whoever hold the matching private key and hence the website belongs to the person that controls the private key.
  4. (+1) The CA must have a corresponding private key to unlock the encryption of their certificates and their public keys used to lock them. They need to do this to verify the Certificate data and corresponding public key.

Some points about secure web sites:

  1. A secure website really only means that the website used encryption to secure it and the certificate authority has performed basic checks to confirm ownership/control of the website. This does not necessarily guarantee the honesty of the owner/controller. There are certificates that the authorities issue that require greater ownership checks and hence cost more money and require greater verification upon the owner/controller to achieve. These tend to be used by larger organisations. The greater checking and costs tend to
  2. The public/private encryption system is not proven and relies upon large keys numbers to prevent brute force cracking. There is no guarantee that in the future the may not be developments that require even larger keys or make the current system otherwise ineffective.

The following is a list of Apache SSL directives used to handle certificates:

  1. SSLCertificateFile, refers to the the public key (lock) file, it sometimes also contains the CA certificate and lock.
  2. SSLCertificateKeyFile, refers to the private key file. This must be key securely private and never made public, even to the CA.
  3. SSLCertificateChainFile, refers to the CA certificate and lock file, it is sometimes combined with the SSLCertificateFile and is then not used.

StartSSL and Godaddy use all 3 directives mentioned above, whereas LetsEncrypt use only the first 2, with the CA certificate combined with the public key in the SSLCertificateFile directive.

See the Apache HTTP Server Version 2.4 documentation on Apache Module mod_ssl. This reference also has information on the directives mentioned above as well as a number of other SSL Certificate directive not discussed herein.

See the wikipedia article X.509, as a general reference / background on CAs.

LetEncrypt Certificate Settings

Old TL;DR;

To install Certbot: sudo apt install certbot (Unfortunately Cerbot site recommends use of snap package, unbelievable…..)
Make sure the basic web site domain/sub-domain is working and accessible off internet.
I now prefer to use the following instructions, Creating a TLS encryption key and certificate. Once setup, the basic commands are:

  • To create a new certificate with sub-domains: certbot-auto –apache -d example.com -d www.example.com -d mail.example.com. This assume that all these domains and sub-domains are existing accessible Apache web pages.
  • certbot certonly --webroot --webroot-path /var/www/example.org -d example.org
  • To manually auto renewal: sudo certbot-auto renew. Set up auto renew using a cron job.

The Cerbot process seems to be fairly automated. And worked immediately for my existing sites. I had to update my domain DNS records to add additional sub-domains for these to work correctly with this Certbot command.

The cerbot documentation can be found at: User Guide

  • To check systemd times: systemctl list-timers (Cerbot used this in systemd enables systems)
  • To list cerbot related certificates: sudo certbot certificates
  • To delete cerbot certificats not required sudo certbot delete --cert-name certname
  • To check certbot auto renew script sudo certbot renew
  • To check certbot auto renew functionality sudo certbot renew --dry-run (The --dry-run option provides additional test of functionality)

I needed to check and delete incorrect cerbot certificate set-up due to copying across virtual machines setup and changing.

Web Server Applications Setup

Nextcloud setup

The following references show how to install Nextcloud on Ubuntu 20.04

To move / redeploy Nextcloud from one server to another, backup and restore instructions, Nextcloud Maintenance. Also check the mariadb help on mysqldump and mysql Command-line Client. Also the DigitalOcean - How To Backup MySQL Databases on an Ubuntu VPS is a handy reference.

  • To back up use, where moving deployment from the old server virtual machine:
    • For the database: sudo mysqldump -l -h localhost -u root -p nextcloud > ~/nextcloud-dbbackup_`date +“%Y%m%d”`.bak (Then move to the oc-backdir: sudo mv ~/nextcloud-dbbackup_`date +“%Y%m%d”`.bak /mnt/shared/temp/oc-backupdir/).
    • For the config files: sudo rsync -Aax /var/www/owncloud/config /mnt/shared/temp/oc-backupdir/
    • For the relocated data: sudo rsync -Aax /mnt/shared/www/owncloud/data /mnt/shared/temp/oc-backupdir/
  • To restore use, where moving deployment from the new server virtual machine:
    • If required create the nextcloud database in MySQL:
      • Enter MySQL as root: mysql -u root -p, you will be prompted for MySQL root password.
      • Create the NextCloud database in MySQL: CREATE DATABASE nextcloud;
      • Create a separate MySQL account for NextCloud, obviously using your own assigned password: GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'set_database_password';
      • Make current MySQL session know of the recent privilege change: FLUSH PRIVILEGES;
      • Last, exit MySQL command line with: exit.
    • (First copy to the local VM home directory from the backup directory, oc-backdir: sudo cp /mnt/shared/temp/oc-backupdir/owncloud-dbbackup_`date +“%Y%m%d”`.bak ~) For the database: mysql -h localhost -u root -p nextcloud < owncloud-dbbackup_`date +“%Y%m%d”`.bak.
    • For the config files: sudo rsync -Aax /mnt/shared/temp/oc-backupdir/config /var/www/nextcloud/, add the -n flag for a test run.
    • For the relocated data: sudo rsync -Aax /mnt/shared/temp/oc-backupdir/data /mnt/shared/www16/nextcloud/

*Ensure the path to your nextcloud directory is included in the /etc/apache2/apache2.conf, e.g. statement.

Nextcloud Updating

*Nextcloud Stable Server Administration Manual Maintenance. (This also discusses database management, backup and restore)

mariadb binary log files

The mysql binary log files are located here: var/log/mysql. Some time they fill up the file system and the system then fails to operate.

  • sudo mysql -p -u root - Login in to mysql, need root password
  • SHOW BINARY LOGS; - to list current binary log files
  • PURGE BINARY LOGS TO 'mariadb-bin.003071'; - to purge all binary log files before listed log file, in example 'mariadb-bin.003071'
  • show variables like "sql_log_bin"; - to see current setting of variable "sql_log_bin"
  • SET sql_log_bin = 0; - to set a variable
  • exit or ^d - to exit

Nextcloud OCC Comand

This is the Nextcloud CLI (command line interface), the documentation can be found at Using the occ command. The occ command must be run in directory where the Nextcloud occ file is located, in my case cd /var/www/html. The key commands are:

  • sudo -u www-data php occ maintenance:mode --off to turn off maintenance mode (Should “turn on” Nextcloud)
  • sudo -u www-data php occ maintenance:mode --on to turn on maintenance mode (Should “turn off” Nextcloud)

Some keypoint to using this CLI:

  • The php command application is called occ, hence the php occ
  • The command needs to be run as the same user as the webserver and Next cloud, hence the sudo -u www-data
  • The occ command is located the nextcloud htlm server directory, normally in /var/www/nextcloud, but in my current case /var/www/html as this is a virtual server dedicated to operating Nextcloud.

The seems to be an issue with the Nextcloud builtin updater. Sometimes the process stalls when downloading the update files, as presumably the download takes too long and the process times out. Next time trying to run the update comes up with a message that it is at step 4 (downloading) and seems to stick at this point.


PHP

Latest PHP

In general I like to use the latest server packaged PHP release. Sometimes it may be necessary to get a later release. I have previously had a problem with the latest release of PHP not working with the current version of Nextcloud, so some care and consideration is required. How to Install Latest PHP 8.1 on Debian 11/10

php.ini

  • php -i | grep php.ini or php -r "echo php_ini_loaded_file().PHP_EOL;" to find the active php.ini file
  • php -r 'print php_ini_loaded_file(); print_r(php_ini_scanned_files());' to list the active php files
  • memory_limit Nextcloud requires minimum 512MB. Setting to -1 make this unlimited, however this could allow machine to run out of memory. Suggest setting is 512m or 1g. This value should also generally be bigger than post_max_size.
  • upload_max_filesize sets a limit on maximum upload file size, default is 2M, suggest setting to at least 256M.
  • post_max_size sets alimit on maximum post data allowed. This value should be larger than upload_max_filesize

HTTP & HTTPS Apache Reverse Proxy to internal IP Virtual Machine

The goal is to setup two (or more) Apache2 virtual web servers, each on separate virtual machines (VMs), each with a separate distinct LAN IP address. However there is only one WAN static Internet address, with the router setup to forward the web ports 80 and 443 to only one primary virtual web server. The primary virtual web server is setup to handle certain sub-domains directly and to forward, via reverse proxy other the subdomain(s) to “secondary” virtual web servers. The setup must operate on a “standard” Ubuntu 16.04 with this distribution's “standard” LAMP (Linux, Apache, Mariadb(MySQL) PHP) setup.

Unfortunately a web search on this matter does not provide much clarity. There are a number of reasons for this, including without limitation:

  • Outdated information, for older web server and virtual machine set-ups
  • Different goals and associated scopes
  • The Apache documentation, while authoritative, is difficult to use as it seems to have limited relevant examples

It is assumed that the domain name provide DNS information points to the WAN Internet address (A Record) for the domain name and all related sub-domains (CNAME Record).

Forward Proxy not Required and to be Disabled

A forwarding proxy with its associated security risks is not required. These ProxyRequests directive should be off, so we could add the line “ProxyRequests Off” in “/etc/apache2/mods-enabled/proxy.conf”. However as ProxyRequests Off is default, this is not necessary. Be careful to ensure this directive is not otherwise inadvertently turned on!

See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy

Reverse Proxy is required and must be Enabled

The proxy_module mod_proxy must be enabled for a reverse (or forward) proxy to function.

  • “ProxyPreserveHost on” (default off) is required where the original Host header needs to be evaluated by the proxy server.
  • “ProxyPass”
  • “ProxyPassReverse”

The ProxyPass and ProxyReversePass directives are enclosed within the <location> directive to limit their scope. See Apache HTTP Server Version 2.4 - Apache Core Features - <Location>

See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy

SSL Reverse Proxy is required and must be Enabled

In the prime VirtualHost definition for each reverse proxy sub-domain for https the following additional parameters need to be considered. The SSL module, mod_ssl must be turned on.

  • “SSLEngine on” (default off) must be turned on in https virtual host definition
  • “SSLProxyEngine On” (default is off) is required to allow reverse proxy with SSL to function
  • “SSLProxyVerify none” (default is none)
    • none: no remote server Certificate is required at all
    • optional: the remote server may present a valid Certificate
    • require: the remote server has to present a valid Certificate
    • optional_no_ca: the remote server may present a valid Certificate, but it need not to be (successfully) verifiable.
  • SSLProxyCheckPeerCN off (default is on), leave on if the remote server certificate CN field is to be check against the hostname of the requested URL. (only the primary CN field is checked.)
  • SSLProxyCheckPeerName off (default is on), leave on if the remote server certificate CN field, or subjectAltName extention are to be check against the hostname of the requested URL. (Basic wildcard matching supported too.)

SSLProxyCheckPeerExpire off (default is on), leave on if remote server certificate expiry check is to be performed.

Reverse proxy will not work where SSLProxyEngine is off or any set SSLProxyChecks fail.

See references: Apache HTTP Server Version 2.4 - Apache Module mod_ssl and Server Fault - proxy:error AH00898: Error during SSL Handshake with remote server.

The Alias and Redirect Directives and <Directory> Directive may be required

The Alias Directive may need to be used with <Directory> Directive to allow other access to local file system outside DocumentRoot. The Alias and Redirect Directives are included in the mod_alias module. <Directory> is a core feature and hence always available.

See references: Apache HTTP Server Version 2.4 - Apache Module mod_alias and Apache Core Features - Directory.

Apache modules requirements

  • The following is a list of additional apache modules that will need to be installed:
    • sudo a2enmod proxy
    • sudo a2enmod proxy_http
    • sudo a2enmod rewrite (The secondary virtual web server only requires for this setup.)
    • sudo a2enmod xml2enc (This is not mandatory, but gets rid of some warnings.)
  • These modules should have been installed by default and are required. (To check installed modules “sudo a2dismod”):
    • sudo a2enmod alias
    • sudo a2enmod deflate
    • sudo a2enmod headers
  • These modules do not need to be installed on this setup:
    • sudo a2dismod proxy_ajp
    • sudo a2dismod proxy_balancer
    • sudo a2dismod proxy_connect
    • sudo a2dismod proxy_html

Virtualhost Files Setup

I do not recommend excessive separate multiple virtual machine configuration files, there is a balance.

HTTP virtual host on primary server, example.com:

Virtualhost file /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin webmaster@localhost
    #DocumentRoot /mnt/shared/www/html

    #ErrorLog ${APACHE_LOG_DIR}/error.log
    #CustomLog ${APACHE_LOG_DIR}/access.log combined
    ErrorLog /mnt/shared/www/html/logs/error.log
    CustomLog /mnt/shared/www/html/logs/access.log combined

    Redirect permanent / https://example.com/
    #Added by Certbot
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =kptree.net [OR]
    RewriteCond %{SERVER_NAME} =www.kptree.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost> 

The only function is to redirect HTTP queries to http://example.com and http://www.example.com to the HTTPS virtual machine for https://example.com.

HTTP virtual host on primary proxy server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf

<VirtualHost *:80>
    ServerName sub1.example.com
    #ServerAlias
    #ServerAdmin webmaster@localhost
    #DocumentRoot /mnt/shared/www/html

    ErrorLog /mnt/shared/www/html/logs/error.log
    CustomLog /mnt/shared/www/html/logs/access.log combined
    
    Redirect permanent / https://sub1.example.com/
    #Added by Certbot
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =kptree.net [OR]
    RewriteCond %{SERVER_NAME} =www.kptree.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

The only function is to redirect HTTP queries to http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com.

HTTPS virtual host on primary server, example.com:

Virtualhost file /etc/apache2/sites-available/example.com-SSL.conf

<IfModule mod_ssl.c>
   <VirtualHost *:443>
      ServerName example.com
      ServerAlias www.example.com
      ServerAdmin webmaster@localhost
      DocumentRoot /mnt/shared/www/html
     
      #Some optimisation and security directives (requires mod_headers enabled)
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
      Header set X-Frame-Options "SAMEORIGIN"
      Header set X-Content-Type-Options "nosniff"
      ErrorLog /mnt/shared/www/html/logs/error.log
      CustomLog /mnt/shared/www/html/logs/access.log combined

      SSLEngine on
      SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

      #SSLCertificateChainFile

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
      </FilesMatch>
      
      <Directory /usr/lib/cgi-bin>
         SSLOptions +StdEnvVars
      </Directory>
   </VirtualHost>
</IfModule>

This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a “standard” virtual machine setup for HTTPS.

HTTPS virtual host on primary proxy server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf

<IfModule mod_ssl.c>
   <VirtualHost *:443>
      ServerName sub1.example.com
      #ServerAlias
      #ServerAdmin webmaster@localhost
      #DocumentRoot /mnt/shared/www/html

      ProxyPreserveHost on

      <Location />
      ProxyPass https://192.168.1.18/
      ProxyPassReverse https://192.168.1.18/
      </Location>

      #Some optimisation and security directives
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
      Header set X-Frame-Options "SAMEORIGIN"
      Header set X-Content-Type-Options "nosniff"
      
      ErrorLog /mnt/shared/www/html/logs/error.log
      CustomLog /mnt/shared/www/html/logs/access.log combined

      SSLEngine on
      SSLProxyEngine On
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off

      SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
      #SSLCertificateChainFile

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
         SSLOptions +StdEnvVars
      </FilesMatch>

      <Directory /usr/lib/cgi-bin>
         SSLOptions +StdEnvVars
      </Directory>

   </VirtualHost>
</IfModule>

This is the virtual machine to reverse proxy HTTPS queries to https://sub1.example.com to a separate local LAN apache server, hence the reference to the local LAN address: https://192.168.1.18. (Does not seem to function correctly or at all without the ProxyPreserveHost and SSLProxyEngine directives on. Similarly the ProxyPass and ProxyPassReverse references must be to the https://LAN_IP_address (192.168.1.18/), not a server name (sub1.example.com), as shown.) HTTP virtual host on secondary server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf

<VirtualHost *:80>
   ServerName sub1.example.com
   #ServerAlias
   ServerAdmin webmaster@localhost

   Redirect permanent / https://sub1.example.com/
   DocumentRoot /var/www/html
   ErrorLog ${APACHE_LOG_DIR}/error.log
   CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The only function is to redirect HTTP queries from http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com. (It would normally never be called as the primary server reverse proxy only calls the https address. Not WAN accessible except via primary reverse proxy.)

HTTPS virtual host on secondary server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf

<IfModule mod_ssl.c>
   <VirtualHost *:443>
      ServerName sub1.example.com
      #ServerAlias
      ServerAdmin webmaster@localhost

      Redirectmatch ^/$ https://sub1.example.com/sub1
      DocumentRoot /var/www/html

      #Some optimisation and security directives
      Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"
      Header set X-Frame-Options "SAMEORIGIN"
      Header set X-Content-Type-Options "nosniff"

      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined

      SSLEngine on
      SSLCertificateFile /etc/ssl/PUBLIC_KEY_FILE
      SSLCertificateKeyFile /etc/ssl/private/PRIVATE_KEY_FILE
      SSLCertificateChainFile /etc/ssl/PUBLIC_CHAIN_KEY_FILE

      <FilesMatch "\.(cgi|shtml|phtml|php)$">
          SSLOptions +StdEnvVars
      </FilesMatch>

      <Directory /usr/lib/cgi-bin>
          SSLOptions +StdEnvVars
      </Directory>
      
   </VirtualHost>
</IfModule>

This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a “standard” virtual machine setup for HTTPS. (Not WAN accessible except via primary reverse proxy.)

Setup of application on secondary server virtualhost, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.app.conf

Alias /app1 "/mnt/shared/app1/"
<Directory /mnt/shared/html/app1/>
   Options FollowSymLinks
   AllowOverride All
   #AllowOverrideList None
   <RequireAll>
      Require all granted
   </RequireAll>
</Directory>

<Directory /mnt/shared/html/app1/installer>
   Options FollowSymLinks
   AllowOverride None
   #AllowOverrideList None
   <RequireAll>
      Require all denied
   </RequireAll>
</Directory>

This allows application access control to various sub-directories. It can also be used to give access to directories outside the DocumentRoot directive.

Notes:

In relation to the HSTS directive 'Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains; preload”', refer to the following references; The Chromium Projects HTTP Strict Transport Security and HSTS preload. As this web site does not perform funds transactions it has been elected not to use the preload function. Hence the HSTS “preload” option is removed.

Password Protecting HTTP/HTTPS Pages

The apache2 module auth_basic is required to be loaded. To enable “sudo a2enmod auth_basic”

To make a html secure page subdirectory add the following to “sudo vim /etc/apache2/apache2.conf”

<Location "/mnt/shared/www/html/secure">
   AuthType basic
   AuthName "Private Area"
   AuthUserFile "/mnt/shared/www/.htpasswd"
   Require valid-user
</Location>

To create the authuserfile with one user, 'user': “htpasswd -c /mnt/shared/www/.htpasswd user”, to add another user or change an existing user password “htpasswd /mnt/shared/www/.htpasswd user”

The following are related links:

Web Based Applications

Install Zenphoto

I used Zenphoto form circa 2017 - 2020. I found it a bit clunky and slow and could not be bothered to upgrade. It may be better now.

old tl;dr;

Install FluxBB

FluxBB seemed like a well written BB system.
I used FluxBB from circa 2017 to 2020. Interestingly in that period I had no serious people using it, just a whole pile of spam users trying to advertise or basic users simply saying hello and never posting again. So basically I stopped running a Bulletin board, it was a waste of my time.

old tl;dr;

The following is a list web subject references:

Some information on Wikis:

  • Dokuwiki is simpler than media wiki, and does not use a database
  • Mediawiki is was developed for Wikipedia
  • Tiddlywiki is more a personal wiki
  • To open the main web page http://server-ip-address/
  • To open the PHP test page http://server-ip-address/testphp.php
  • To label list current IPTABLES configuration, verbose sudo iptables -L -v or simple sudo iptables -S
  • To check running process with sql (/ apa for apache2) in the name ps -A | grep sql
  • To start (/stop /enable) the SQL database daemon sudo systemctl stop mysql
  • Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
  • Reload or restart apache2 to enable configuration changes: sudo systemctl reload apache2 or sudo systemctl restart apache2
  • Apache2 related:
    • To show the current apache VirtualHost configuration: apache2ctl -S
    • To enable / disable apache module: sudo a2enmod module_name / sudo a2dismod module_name, if module name is not given available modules will be listed
    • To enable / disable apache virtual host (configuration file): sudo a2ensite VH.conf / sudo a2dissite VH.conf
    • Site configuration files stored in directory: /etc/apache2/sites-available
  • To open the current SQL database configuration web page http://server-ip-address/phpmyadmin/
  • To confirm the status (start, stop and restart) mysql sudo systemctl status apache2
  • To login into mysql as root, with password prompt: sudo mysql -u root -p
  • Database commands:
    • To show databases: show databases;
    • To create database (where new database name is: dBase_NAME): create dBase_NAME
    • To list mySQL database sizes: SELECT table_schema "DB Name", Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB" FROM information_schema.tables GROUP BY table_schema;
    • To use a database: use databasename;

ipv6

/app/www/public/data/pages/home_server/web_server_setup.txt · Last modified: 2024-12-07 Sat wk49 11:13
CC Attribution-Share Alike 4.0 International Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International