Web Server setup
Basic Web Server setup on VM
I am moving away from Ubuntu to Debian. I find the instruction for here are good to setup a basic web server Digitalocean's LAMP on Debian 11 and Computing for Geeks LAMP on Debian.
As installing on a virtual machine (VM) it is important to also have set up the NFS to allow access to the main storage. Also consider aligning the appropriate file system user and groups between the VM server and VM guests. (For the Ubuntu Network Filing System, NFS, see Havetheknowhow.com - How to configure NFS Version 4, that contains configuration information for both the VM server and clients.
I really need to create some of my own notes on this.
Adding Users
- Basic:
sudo useradd name
- Check
/etc/default/useradd
for defaults on the useradd command. -g group1 group2
to create user and add to additional group
Aligning Group and User IDs across Virtual Machines on Same LAN
Unfortunately, Havetheknowhow.com does not seem to cover the alignment of user and groups between the main OS and VMs. I create a basic template machine and manual update the group and user id numbers to align, a use the basic information given in Linux: Changing UIDs and GIDs for a user. The process is tedious and takes a bit of care to complete, but once setup properly allows better operation between the server and virtual machines.
The following scripts assist with changing the uid and gid of files on a system. These scripts are reasonably basic with basic commenting and understanding of function can be easily seen from the script text. I got these of the internet somewhere, I do not remember where now.
Usage: changeGID.sh [groupname] [oldGID] [newGID]
Usage: changeUID.sh [username] [oldUID] [newUID]
Seems there are tools to directly manually edit the /etc/group and /etc/passwd files and their shadow files. The commands are sudo vipw
and sudo vigr
.
LDPA
I have not got around to working with this yet. Not sure if it is merited on a small home network.
- Apache Directory Apache Eclipse-based LDAP browser and directory client
- How To Configure OpenLDAP and Perform Administrative LDAP Tasks (A DigitalOcean Tutorial.)
Web Server Change Basic Default Settings
As per workaround.org I will change my Apache main configuration files to “example.org-http.conf” for http, port 80 and example.org-https.conf for https, port 443 services.
Hostname
- Systemd seems to use the control function hostnamectl to control hostname. It used to be simply modify the text Hostname in the file “/etc/hostname” was all that was required. Now the system overwrites this. The following procedure is now required.
- Use the command
hostnamectl
to check current Hostname - To change the Hosename:
sudo hostnamectl set-hostname New_Hostname
- Ubuntu as 18.04 and up to 20.4 complicates further, another file needs to be modified to prevent automated changes, if present the file
sudo vim /etc/cloud/cloud.cfg
, configuration variable within must be changed as follow:preserve_hostname: true
- Last the
/etc/hosts
file should be updated to include the Hostname, this is same procedure as previous- 127.0.0.1 localhost
- 127.0.0.1 New_Hostname
- Additional system hosts can be placed in
/etc/hosts
to provide basic local host name resolution. I prefer to install a separate DNS server to provide this functionality.
Apache2 Setup
- Copy the current html files to the proposed new location:
sudo rsync -av /var/www/html /mnt/shared/www16/
- Change the /var/www.html reference in the following apache2 configuration files:
sudo vim /etc/apache2/apache2.conf
, in particular change‹Directory /var/www/›
to‹Directory /mnt/shared/www16/›
(This defines file system access, add /var/www/ temporarily if necessary.)sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/kptree.net-http.conf
thensudo vim /etc/apache2/sites-available/kptree.net-https.conf
, in particular changeDocumentRoot /var/www/html
toDocumentRoot /mnt/shared/www16/html/kptree.net/public_html
. Also changeServerName kptree.net
and add-in directly after this lineServerAlias *.kptree.net
.sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/kptree.net-https.conf
thensudo vim /etc/apache2/sites-available/kptree.net-https.conf
, in particular changeDocumentRoot /var/www/html
toDocumentRoot /mnt/shared/www16/html/kptree.net/public_html
- After making these changes:
- Test the apache2 configuration:
sudo apachectl configtest
, ensure the statement “syntax ok” in output - To enable the new website configuration:
sudo a2ensite kpbtree.net-http.conf
andsudo a2ensite kpbtree.net-https.conf
, also disable the default website configurationsudo a2dissite example.com.conf
- Reload or restart apache2 to enable configuration changes:
sudo systemctl reload apache2
orsudo systemctl restart apache2
- Test the web page by typing in the local ip address of the apache2 server in a web browser
The MySQL (Maria) database data directory can also be moved, however the database sizes are not so large, nor need to be often changed after initial setup to merit this move. Also move mysql data directory How to Change a MySQL Data Directory to a New Location Using a Symlink.
Apache Configuration Files
I have been caught out too often with configuration files in apache, particularly not checking which are enable or disabled.
- Edit configuration files in
la -ls /etc/apache2/sites-available/
- main http (port 80) setup file:
sudo vim /etc/apache2/sites-available/example.org-http.conf
- main https (port 443) setup file:
sudo vim /etc/apache2/sites-available/example.org-https.conf
- The main apache2 configuration file is:
sudo vim /etc/apache2/apache2.conf
- Always check the enable apache configuration files:
la -ls /etc/apache2/sites-enabled/
- Enable configuration files as required with for example:
sudo a2dissite example.com.conf
- Disable configuration files as required with for example:
sudo a2dissite example.com.conf
- Check configuration files with:
sudo apachectl configtest
- After changes are made reload or restart apache2:
sudo systemctl reload apache2
orsudo systemctl restart apache2
To further add to confusion it would seem some Linux distributions refer to httpd
instead of apache2
, e.g.:
/etc/httpd/httpd.conf
or/etc/apache2/httpd.conf
instead of/etc/apache2/apache2.conf
- systemd service:
httpd.service
instead ofapache2.service
Note that these examples are presumption based upon documentation references. Basically Debian and related downstream distributions do not reference 'httpd'.
Secure Web Server Settings
There are a number of ways the various certificate files are handle and the nomenclature and file names used can be confusing. Basically there are 3 (+1) components to a central authority trusted key.
- The public key, which actually acts as a lock to encrypt a file. The public key (lock) is made freely available to the public to be used to encrypt a file that only the matching private key can decrypt (unlock).
- The private key, which is the only key that can unlock a file that is encrypted with the matching public key (lock). The private key must be kept absolutely private.
- The Certificate Authority's (CA) Public Key (lock) which is used to encrypt communications with the CA to confirm that public key (lock) and the certificate embedded websites actually belongs to whoever hold the matching private key and hence the website belongs to the person that controls the private key.
- (+1) The CA must have a corresponding private key to unlock the encryption of their certificates and their public keys used to lock them. They need to do this to verify the Certificate data and corresponding public key.
Some points about secure web sites:
- A secure website really only means that the website used encryption to secure it and the certificate authority has performed basic checks to confirm ownership/control of the website. This does not necessarily guarantee the honesty of the owner/controller. There are certificates that the authorities issue that require greater ownership checks and hence cost more money and require greater verification upon the owner/controller to achieve. These tend to be used by larger organisations. The greater checking and costs tend to
- The public/private encryption system is not proven and relies upon large keys numbers to prevent brute force cracking. There is no guarantee that in the future the may not be developments that require even larger keys or make the current system otherwise ineffective.
The following is a list of Apache SSL directives used to handle certificates:
- SSLCertificateFile, refers to the the public key (lock) file, it sometimes also contains the CA certificate and lock.
- SSLCertificateKeyFile, refers to the private key file. This must be key securely private and never made public, even to the CA.
- SSLCertificateChainFile, refers to the CA certificate and lock file, it is sometimes combined with the SSLCertificateFile and is then not used.
StartSSL and Godaddy use all 3 directives mentioned above, whereas LetsEncrypt use only the first 2, with the CA certificate combined with the public key in the SSLCertificateFile directive.
See the Apache HTTP Server Version 2.4 documentation on Apache Module mod_ssl. This reference also has information on the directives mentioned above as well as a number of other SSL Certificate directive not discussed herein.
See the wikipedia article X.509, as a general reference / background on CAs.
LetEncrypt Certificate Settings
To install Certbot: sudo apt install certbot
(Unfortunately Cerbot site recommends use of snap package, unbelievable…..)
Make sure the basic web site domain/sub-domain is working and accessible off internet.
I now prefer to use the following instructions, Creating a TLS encryption key and certificate. Once setup, the basic commands are:
- To create a new certificate with sub-domains:
certbot-auto –apache -d example.com -d www.example.com -d mail.example.com
. This assume that all these domains and sub-domains are existing accessible Apache web pages. certbot certonly --webroot --webroot-path /var/www/example.org -d example.org
- To manually auto renewal:
sudo certbot-auto renew
. Set up auto renew using a cron job.
The Cerbot process seems to be fairly automated. And worked immediately for my existing sites. I had to update my domain DNS records to add additional sub-domains for these to work correctly with this Certbot command.
The cerbot documentation can be found at: User Guide
- To check systemd times:
systemctl list-timers
(Cerbot used this in systemd enables systems) - To list cerbot related certificates:
sudo certbot certificates
- To delete cerbot certificats not required
sudo certbot delete --cert-name certname
- To check certbot auto renew script
sudo certbot renew
- To check certbot auto renew functionality
sudo certbot renew --dry-run
(The --dry-run option provides additional test of functionality)
I needed to check and delete incorrect cerbot certificate set-up due to copying across virtual machines setup and changing.
Web Server Applications Setup
Nextcloud setup
The following references show how to install Nextcloud on Ubuntu 20.04
To move / redeploy Nextcloud from one server to another, backup and restore instructions, Nextcloud Maintenance. Also check the mariadb help on mysqldump and mysql Command-line Client. Also the DigitalOcean - How To Backup MySQL Databases on an Ubuntu VPS is a handy reference.
- To back up use, where moving deployment from the old server virtual machine:
- For the database:
sudo mysqldump -l -h localhost -u root -p nextcloud > ~/nextcloud-dbbackup_`date +“%Y%m%d”`.bak
(Then move to the oc-backdir:sudo mv ~/nextcloud-dbbackup_`date +“%Y%m%d”`.bak /mnt/shared/temp/oc-backupdir/
). - For the config files:
sudo rsync -Aax /var/www/owncloud/config /mnt/shared/temp/oc-backupdir/
- For the relocated data:
sudo rsync -Aax /mnt/shared/www/owncloud/data /mnt/shared/temp/oc-backupdir/
- To restore use, where moving deployment from the new server virtual machine:
- If required create the nextcloud database in MySQL:
- Enter MySQL as root:
mysql -u root -p
, you will be prompted for MySQL root password. - Create the NextCloud database in MySQL:
CREATE DATABASE nextcloud;
- Create a separate MySQL account for NextCloud, obviously using your own assigned password:
GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'set_database_password'
; - Make current MySQL session know of the recent privilege change:
FLUSH PRIVILEGES;
- Last, exit MySQL command line with:
exit
.
- (First copy to the local VM home directory from the backup directory, oc-backdir:
sudo cp /mnt/shared/temp/oc-backupdir/owncloud-dbbackup_`date +“%Y%m%d”`.bak ~
) For the database:mysql -h localhost -u root -p nextcloud < owncloud-dbbackup_`date +“%Y%m%d”`.bak
. - For the config files:
sudo rsync -Aax /mnt/shared/temp/oc-backupdir/config /var/www/nextcloud/
, add the -n flag for a test run. - For the relocated data:
sudo rsync -Aax /mnt/shared/temp/oc-backupdir/data /mnt/shared/www16/nextcloud/
*Ensure the path to your nextcloud directory is included in the /etc/apache2/apache2.conf, e.g. statement.
Nextcloud Updating
*Nextcloud Stable Server Administration Manual Maintenance. (This also discusses database management, backup and restore)
mariadb binary log files
The mysql binary log files are located here: var/log/mysql
. Some time they fill up the file system and the system then fails to operate.
sudo mysql -p -u root
- Login in to mysql, need root passwordSHOW BINARY LOGS;
- to list current binary log filesPURGE BINARY LOGS TO 'mariadb-bin.003071';
- to purge all binary log files before listed log file, in example'mariadb-bin.003071'
show variables like "sql_log_bin";
- to see current setting of variable"sql_log_bin"
SET sql_log_bin = 0;
- to set a variableexit
or ^d - to exit
Nextcloud OCC Comand
This is the Nextcloud CLI (command line interface), the documentation can be found at Using the occ command. The occ command must be run in directory where the Nextcloud occ file is located, in my case cd /var/www/html
. The key commands are:
sudo -u www-data php occ maintenance:mode --off
to turn off maintenance mode (Should “turn on” Nextcloud)sudo -u www-data php occ maintenance:mode --on
to turn on maintenance mode (Should “turn off” Nextcloud)
Some keypoint to using this CLI:
- The php command application is called occ, hence the
php occ
- The command needs to be run as the same user as the webserver and Next cloud, hence the
sudo -u www-data
- The occ command is located the nextcloud htlm server directory, normally in
/var/www/nextcloud
, but in my current case/var/www/html
as this is a virtual server dedicated to operating Nextcloud.
The seems to be an issue with the Nextcloud builtin updater. Sometimes the process stalls when downloading the update files, as presumably the download takes too long and the process times out. Next time trying to run the update comes up with a message that it is at step 4 (downloading) and seems to stick at this point.
PHP
Latest PHP
In general I like to use the latest server packaged PHP release. Sometimes it may be necessary to get a later release. I have previously had a problem with the latest release of PHP not working with the current version of Nextcloud, so some care and consideration is required. How to Install Latest PHP 8.1 on Debian 11/10
php.ini
php -i | grep php.ini
orphp -r "echo php_ini_loaded_file().PHP_EOL;"
to find the active php.ini filephp -r 'print php_ini_loaded_file(); print_r(php_ini_scanned_files());'
to list the active php filesmemory_limit
Nextcloud requires minimum 512MB. Setting to-1
make this unlimited, however this could allow machine to run out of memory. Suggest setting is512m
or1g
. This value should also generally be bigger thanpost_max_size
.upload_max_filesize
sets a limit on maximum upload file size, default is 2M, suggest setting to at least 256M.post_max_size
sets alimit on maximum post data allowed. This value should be larger thanupload_max_filesize
HTTP & HTTPS Apache redirect to internal IP Virtual Machine & Related
HTTP & HTTPS Apache Reverse Proxy to internal IP Virtual Machine
The goal is to setup two (or more) Apache2 virtual web servers, each on separate virtual machines (VMs), each with a separate distinct LAN IP address. However there is only one WAN static Internet address, with the router setup to forward the web ports 80 and 443 to only one primary virtual web server. The primary virtual web server is setup to handle certain sub-domains directly and to forward, via reverse proxy other the subdomain(s) to “secondary” virtual web servers. The setup must operate on a “standard” Ubuntu 16.04 with this distribution's “standard” LAMP (Linux, Apache, Mariadb(MySQL) PHP) setup.
Unfortunately a web search on this matter does not provide much clarity. There are a number of reasons for this, including without limitation:
- Outdated information, for older web server and virtual machine set-ups
- Different goals and associated scopes
- The Apache documentation, while authoritative, is difficult to use as it seems to have limited relevant examples
It is assumed that the domain name provide DNS information points to the WAN Internet address (A Record) for the domain name and all related sub-domains (CNAME Record).
Forward Proxy not Required and to be Disabled
A forwarding proxy with its associated security risks is not required. These ProxyRequests directive should be off, so we could add the line “ProxyRequests Off” in “/etc/apache2/mods-enabled/proxy.conf”. However as ProxyRequests Off is default, this is not necessary. Be careful to ensure this directive is not otherwise inadvertently turned on!
See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy
Reverse Proxy is required and must be Enabled
The proxy_module mod_proxy must be enabled for a reverse (or forward) proxy to function.
- “ProxyPreserveHost on” (default off) is required where the original Host header needs to be evaluated by the proxy server.
- “ProxyPass”
- “ProxyPassReverse”
The ProxyPass and ProxyReversePass directives are enclosed within the <location> directive to limit their scope. See Apache HTTP Server Version 2.4 - Apache Core Features - <Location>
See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy
SSL Reverse Proxy is required and must be Enabled
In the prime VirtualHost definition for each reverse proxy sub-domain for https the following additional parameters need to be considered. The SSL module, mod_ssl must be turned on.
- “SSLEngine on” (default off) must be turned on in https virtual host definition
- “SSLProxyEngine On” (default is off) is required to allow reverse proxy with SSL to function
- “SSLProxyVerify none” (default is none)
- none: no remote server Certificate is required at all
- optional: the remote server may present a valid Certificate
- require: the remote server has to present a valid Certificate
- optional_no_ca: the remote server may present a valid Certificate, but it need not to be (successfully) verifiable.
- SSLProxyCheckPeerCN off (default is on), leave on if the remote server certificate CN field is to be check against the hostname of the requested URL. (only the primary CN field is checked.)
- SSLProxyCheckPeerName off (default is on), leave on if the remote server certificate CN field, or subjectAltName extention are to be check against the hostname of the requested URL. (Basic wildcard matching supported too.)
SSLProxyCheckPeerExpire off (default is on), leave on if remote server certificate expiry check is to be performed.
Reverse proxy will not work where SSLProxyEngine is off or any set SSLProxyChecks fail.
See references: Apache HTTP Server Version 2.4 - Apache Module mod_ssl and Server Fault - proxy:error AH00898: Error during SSL Handshake with remote server.
The Alias and Redirect Directives and <Directory> Directive may be required
The Alias Directive may need to be used with <Directory> Directive to allow other access to local file system outside DocumentRoot. The Alias and Redirect Directives are included in the mod_alias module. <Directory> is a core feature and hence always available.
See references: Apache HTTP Server Version 2.4 - Apache Module mod_alias and Apache Core Features - Directory.
Apache modules requirements
- The following is a list of additional apache modules that will need to be installed:
- sudo a2enmod proxy
- sudo a2enmod proxy_http
- sudo a2enmod rewrite (The secondary virtual web server only requires for this setup.)
- sudo a2enmod xml2enc (This is not mandatory, but gets rid of some warnings.)
- These modules should have been installed by default and are required. (To check installed modules “sudo a2dismod”):
- sudo a2enmod alias
- sudo a2enmod deflate
- sudo a2enmod headers
- These modules do not need to be installed on this setup:
- sudo a2dismod proxy_ajp
- sudo a2dismod proxy_balancer
- sudo a2dismod proxy_connect
- sudo a2dismod proxy_html
Virtualhost Files Setup
I do not recommend excessive separate multiple virtual machine configuration files, there is a balance.
HTTP virtual host on primary server, example.com:
Virtualhost file /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80> ServerName example.com ServerAlias www.example.com ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html #ErrorLog ${APACHE_LOG_DIR}/error.log #CustomLog ${APACHE_LOG_DIR}/access.log combined ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined Redirect permanent / https://example.com/ #Added by Certbot RewriteEngine on RewriteCond %{SERVER_NAME} =kptree.net [OR] RewriteCond %{SERVER_NAME} =www.kptree.net RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost>
The only function is to redirect HTTP queries to http://example.com and http://www.example.com to the HTTPS virtual machine for https://example.com.
HTTP virtual host on primary proxy server, sub1.example.com:
Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf
<VirtualHost *:80> ServerName sub1.example.com #ServerAlias #ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined Redirect permanent / https://sub1.example.com/ #Added by Certbot RewriteEngine on RewriteCond %{SERVER_NAME} =kptree.net [OR] RewriteCond %{SERVER_NAME} =www.kptree.net RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent] </VirtualHost>
The only function is to redirect HTTP queries to http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com.
HTTPS virtual host on primary server, example.com:
Virtualhost file /etc/apache2/sites-available/example.com-SSL.conf
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName example.com ServerAlias www.example.com ServerAdmin webmaster@localhost DocumentRoot /mnt/shared/www/html #Some optimisation and security directives (requires mod_headers enabled) Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined SSLEngine on SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem #SSLCertificateChainFile <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule>
This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a “standard” virtual machine setup for HTTPS.
HTTPS virtual host on primary proxy server, sub1.example.com:
Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName sub1.example.com #ServerAlias #ServerAdmin webmaster@localhost #DocumentRoot /mnt/shared/www/html ProxyPreserveHost on <Location /> ProxyPass https://192.168.1.18/ ProxyPassReverse https://192.168.1.18/ </Location> #Some optimisation and security directives Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog /mnt/shared/www/html/logs/error.log CustomLog /mnt/shared/www/html/logs/access.log combined SSLEngine on SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem #SSLCertificateChainFile <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule>
This is the virtual machine to reverse proxy HTTPS queries to https://sub1.example.com to a separate local LAN apache server, hence the reference to the local LAN address: https://192.168.1.18. (Does not seem to function correctly or at all without the ProxyPreserveHost and SSLProxyEngine directives on. Similarly the ProxyPass and ProxyPassReverse references must be to the https://LAN_IP_address (192.168.1.18/), not a server name (sub1.example.com), as shown.) HTTP virtual host on secondary server, sub1.example.com:
Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf
<VirtualHost *:80> ServerName sub1.example.com #ServerAlias ServerAdmin webmaster@localhost Redirect permanent / https://sub1.example.com/ DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
The only function is to redirect HTTP queries from http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com. (It would normally never be called as the primary server reverse proxy only calls the https address. Not WAN accessible except via primary reverse proxy.)
HTTPS virtual host on secondary server, sub1.example.com:
Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf
<IfModule mod_ssl.c> <VirtualHost *:443> ServerName sub1.example.com #ServerAlias ServerAdmin webmaster@localhost Redirectmatch ^/$ https://sub1.example.com/sub1 DocumentRoot /var/www/html #Some optimisation and security directives Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;" Header set X-Frame-Options "SAMEORIGIN" Header set X-Content-Type-Options "nosniff" ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined SSLEngine on SSLCertificateFile /etc/ssl/PUBLIC_KEY_FILE SSLCertificateKeyFile /etc/ssl/private/PRIVATE_KEY_FILE SSLCertificateChainFile /etc/ssl/PUBLIC_CHAIN_KEY_FILE <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/lib/cgi-bin> SSLOptions +StdEnvVars </Directory> </VirtualHost> </IfModule>
This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a “standard” virtual machine setup for HTTPS. (Not WAN accessible except via primary reverse proxy.)
Setup of application on secondary server virtualhost, sub1.example.com:
Virtualhost file /etc/apache2/sites-available/sub1.app.conf
Alias /app1 "/mnt/shared/app1/" <Directory /mnt/shared/html/app1/> Options FollowSymLinks AllowOverride All #AllowOverrideList None <RequireAll> Require all granted </RequireAll> </Directory> <Directory /mnt/shared/html/app1/installer> Options FollowSymLinks AllowOverride None #AllowOverrideList None <RequireAll> Require all denied </RequireAll> </Directory>
This allows application access control to various sub-directories. It can also be used to give access to directories outside the DocumentRoot directive.
Notes:
In relation to the HSTS directive 'Header always set Strict-Transport-Security “max-age=15552000; includeSubDomains; preload”', refer to the following references; The Chromium Projects HTTP Strict Transport Security and HSTS preload. As this web site does not perform funds transactions it has been elected not to use the preload function. Hence the HSTS “preload” option is removed.
Password Protecting HTTP/HTTPS Pages
The apache2 module auth_basic is required to be loaded. To enable “sudo a2enmod auth_basic”
To make a html secure page subdirectory add the following to “sudo vim /etc/apache2/apache2.conf”
<Location "/mnt/shared/www/html/secure"> AuthType basic AuthName "Private Area" AuthUserFile "/mnt/shared/www/.htpasswd" Require valid-user </Location>
To create the authuserfile with one user, 'user': “htpasswd -c /mnt/shared/www/.htpasswd user”, to add another user or change an existing user password “htpasswd /mnt/shared/www/.htpasswd user”
The following are related links:
- Apache HTTP Server Version 2.4 Apache Module mod_auth_basic, mod_authn_file to create password, htpasswd - Manage user files for basic authentication
- Elated - Password Protecting Your Pages with htaccess
- Stackoverflow How secure is .htaccess password protection?
Web Based Applications
Install Zenphoto
I used Zenphoto form circa 2017 - 2020. I found it a bit clunky and slow and could not be bothered to upgrade. It may be better now.
Install FluxBB
FluxBB seemed like a well written BB system.
I used FluxBB from circa 2017 to 2020. Interestingly in that period I had no serious people using it, just a whole pile of spam users trying to advertise or basic users simply saying hello and never posting again. So basically I stopped running a Bulletin board, it was a waste of my time.
The following is a list web subject references:
- Perishable Press stupid-htaccess-tricks
- Apache.org HTTP Server Version 2.4 links:
- Apache Core Features, lists the various apache configuration directives
- Apache Configuration Sections, lists the various apache configuration directives
Older web reference links, that are either outdated or not aligned with the proposed goal and scope:
- Serverfault How to point sub-domains to different local IP
- Serverfault Apache Rewrite or Proxy to internal server
- Ubuntu questions How to make subdomains point to different local IP addresses?
- Atlassian Documentation Proxying Atlassian server applications with Apache HTTP Server (mod_proxy_http)
- Apache HTTP Server Version 2.2 (Old Apache version) VirtualHost Examples
Some information on Wikis:
- Dokuwiki is simpler than media wiki, and does not use a database
- Mediawiki is was developed for Wikipedia
- Tiddlywiki is more a personal wiki
The following is a list of related commonly used commands and scripts:
- To open the main web page
http://server-ip-address/
- To open the PHP test page
http://server-ip-address/testphp.php
- To label list current IPTABLES configuration, verbose
sudo iptables -L -v
or simplesudo iptables -S
- To check running process with sql (/ apa for apache2) in the name
ps -A | grep sql
- To start (/stop /enable) the SQL database daemon
sudo systemctl stop mysql
- Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
- Reload or restart apache2 to enable configuration changes:
sudo systemctl reload apache2
orsudo systemctl restart apache2
- Apache2 related:
- To show the current apache VirtualHost configuration:
apache2ctl -S
- To enable / disable apache module:
sudo a2enmod module_name
/sudo a2dismod module_name
, if module name is not given available modules will be listed - To enable / disable apache virtual host (configuration file):
sudo a2ensite VH.conf
/sudo a2dissite VH.conf
- Site configuration files stored in directory:
/etc/apache2/sites-available
The following is a list of related commonly used SQL commands:
- To open the current SQL database configuration web page
http://server-ip-address/phpmyadmin/
- To confirm the status (start, stop and restart) mysql
sudo systemctl status apache2
- To login into mysql as root, with password prompt:
sudo mysql -u root -p
- Database commands:
- To show databases:
show databases;
- To create database (where new database name is: dBase_NAME):
create dBase_NAME
- To list mySQL database sizes:
SELECT table_schema "DB Name", Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB" FROM information_schema.tables GROUP BY table_schema;
- To use a database:
use databasename;