Apache: Difference between revisions

From 太極
Jump to navigation Jump to search
Line 760: Line 760:
** [https://www.rplumber.io/ plumber] package
** [https://www.rplumber.io/ plumber] package
** [https://github.com/jeffreyhorner/Rook Rook] package
** [https://github.com/jeffreyhorner/Rook Rook] package
= Resources =
* https://httpd.apache.org/docs/
* https://www.lynda.com/Apache-tutorials/Welcome/164983/186356-4.html

Revision as of 10:44, 20 November 2019

Installation on Ubuntu

Ubuntu

How To Set Up Apache Virtual Hosts on Ubuntu 14.04/16.04

How To Configure Apache Virtual Hosts In Ubuntu 18.04 LTS

  1. Install apache2 (sudo apt-get install apache2)
  2. Create the directory structure (sudo mkdir -p /var/www/example.com/public_html)
  3. Grant Permissions (sudo chown -R $USER:$USER /var/www/example.com/public_html)
  4. Create Demo Pages for Each Virtual Host (nano /var/www/example.com/public_html/index.html)
  5. Create a virtual host (sudo nano /etc/apache2/sites-available/example.com.conf)
  6. Enable a virtual host (sudo a2ensite example.com.conf)

Cloudflare

  • SSH service and R Shiny service should use DNS only (no HTTP proxy).
  • Remember on Ubuntu we should open the necessary port using ufw.

SSL certificate vs key

Disable SSL

  1. sudo nano /etc/apache2/sites-available/default-ssl.conf and change SSLEngine flag from on to off
  2. sudo nano /etc/apache2/ports.conf and comment out sections containing port 443
  3. sudo service apache2 restart

At this time, if I install Let's Encrypt I'll get an error message

$ sudo certbot --apache -d DOMAINAME
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for taichimd.us
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. DOMAINNAME (tls-sni-01): urn:acme:error:connection :: The server could not connect 
to the client to verify the domain :: Failed to connect to XX.XXX.XX.XX:443 for tls-sni-01 challenge

Domain: DOMAINNAME
   Type:   connection
   Detail:  Failed to connect to XX.XXX.XX.XX:443 for tls-sni-01
   challenge

To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Let's Encrypt

Apache with Let's Encrypt

It seems a real working domain is needed to install Let's Encrypt.

  1. Download the Let’s Encrypt Client
  2. Set Up the SSL Certificate
  3. Set Up Auto Renewal

To check the certificate expiration date, run sudo certbot certificates

For some reason (related to the Challenge type), my domain is verified by cloudflare instead of let's encrypt. I receive an email reminding the expiration before 20 days. I can manually run sudo certbot renew --dry-run --preferred-challenges http to renew my certificate (remove the option --dry-run to make the command effective).

Configuration file

/etc/letsencrypt/renewal/DOMAIN_NAME.conf

Nginx with Let's Encrypt

How to Install Nginx with Let's encrypt and get A+ from SSLLabs Test

Installing fail2ban

Secure an Ubuntu server

How to secure an Ubuntu 16.04 LTS server - Part 1 The Basics

Optimize Apache on Ubuntu

https://thishosting.rocks/how-to-install-optimize-apache-ubuntu/

  • Check if Apache is running
systemctl status apache2
  • check what version you’re using with
apachectl -V
  • Update your firewall. To allow traffic through both the 80 (http) and 443 (https) ports.
ufw allow 'Apache Full'

Install common Apache modules

  • Speed up your website with the PageSpeed module
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
dpkg -i mod-pagespeed-stable_current_amd64.deb 
apt-get -f install
systemctl restart apache2
a2enmod rewrite
systemctl restart apache2
  • Secure your Apache with the ModSecurity module
apt-get install libapache2-modsecurity
systemctl restart apache2
  • Block DDoS attacks using the mod_evasive module
apt-get install libapache2-mod-evasive
nano /etc/apache2/mods-enabled/evasive.conf

Optimize Apache with the Apache2Buddy script

apt-get install curl
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | perl

CentOS

Apache2 Structure

/etc/apache2/
|-- apache2.conf
|-- envvars
|-- httpd.conf
|-- magic
|-- ports.conf
|-- conf-enabled
|       `-- *.conf
|-- mods-available
|       |-- *.load
|       `-- *.conf
|-- mods-enabled
|       |-- *.load
|       `-- *.conf
|-- sites-available
|       default, default-ssl
|-- sites-enabled
|       |-- 000-default  # points to ../sites-available/default
|       `-- default-ssl  # points to ../sites-available/default-ssl
|-- ssl
|       *.crt, *.key
  • apache2.conf is the main configuration file. It puts the pieces together by including all remaining configuration files when starting up the web server.
  • ports.conf is always included from the main configuration file. It is used to determine the listening ports for incoming connections, and this file can be customized anytime.
  • Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/ directories contain particular configuration snippets which manage modules, global configuration fragments, or virtual host configurations, respectively.
  • They are activated by symlinking available configuration files from their respective *-available/ counterparts. These should be managed by using our helpers a2enmod, a2dismod, a2ensite, a2dissite, and a2enconf, a2disconf . See their respective man pages for detailed information.
  • The binary is called apache2. Due to the use of environment variables, in the default configuration, apache2 needs to be started/stopped with /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not work with the default configuration.

Document Root

By default, Ubuntu does not allow access through the web browser to any file apart of those located in /var/www, public_html directories (when enabled) and /usr/share (for web applications). If your site is using a web document root located elsewhere (such as in /srv) you may need to whitelist your document root directory in /etc/apache2/apache2.conf.

The default Ubuntu document root is /var/www/html (Ubuntu 14.04) or /var/www (Ubuntu 12.04). You can make your own virtual hosts under /var/www. This is different to previous releases which provides better security out of the box. In my case, the document roots for http and https are specified in the files

Important files

/etc/apache2/apache2.conf (important)

Main configuration file

/etc/apache2/httpd.conf

By default, this file is empty

/etc/apache2/envvars

/etc/apache2/ports.conf (important)

NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

/etc/apache2/mods-available/

Contains all the modules installed for your server.

/etc/apache2/mods-enabled/

Symbolic link in this directory that refers to the module file in /mods-available above to enable it.

/etc/apache2/sites-available/ (important)

Stores all the configuration files for the web sites serviced by Apache server. By default, only one file available, a default virtual host configuration file.

/etc/apache2/sites-available/default

This is the place to set up the document root for http port 80.

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
        ServerName taichimd.us
	DocumentRoot /var/www/
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>
...
</VirtualHost>

/etc/apache2/sites-available/default-ssl

This is the place to set up the document root for https port 443.

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        ServerName taichimd.us
        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
...
        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLCertificateFile    /FullPathTo/CAName.crt
        SSLCertificateKeyFile /FullPathTo/KeyName.key
        SSLCACertificateFile "/FullPathTo/bundle.crt"
...
</VirtualHost>

/etc/apache2/sites-enabled/

Create a symbolic link to enable sites in /etc/apache2/sites-available.

udooer@udoo:~$ ls -l /etc/apache2/sites-enabled/
total 0
lrwxrwxrwx 1 root root 35 Dec 24 13:44 000-default.conf -> ../sites-available/000-default.conf

/etc/apache2/conf-available/, /etc/apache2/conf-enabled/

In UDOO, the dashboard webpage is pre-installed and the directory /var/www/html is empty. In Beaglebone, the apache is pre-installed (http://localhost/bone101/Support/bone101/) and /var/www/html is empty.


These directories have the same relationship as the sites-available and sites-enabled directories, but are used to store configuration fragments that do not belong in a Virtual Host. Files in the conf-available directory can be enabled with the a2enconf command and disabled with the a2disconf command.

udooer@udoo:~$ ls -lah /etc/apache2/conf-enabled/
total 8.0K
drwxr-xr-x 2 root root 4.0K Dec 25 08:15 .
drwxr-xr-x 8 root root 4.0K Dec 24 13:44 ..
lrwxrwxrwx 1 root root   30 Dec 24 13:44 charset.conf -> ../conf-available/charset.conf
lrwxrwxrwx 1 root root   40 Dec 25 08:13 javascript-common.conf -> ../conf-available/javascript-common.conf
lrwxrwxrwx 1 root root   44 Dec 24 13:44 localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
lrwxrwxrwx 1 root root   46 Dec 24 13:44 other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
lrwxrwxrwx 1 root root   33 Dec 25 08:15 phpmyadmin.conf -> ../conf-available/phpmyadmin.conf
lrwxrwxrwx 1 root root   31 Dec 24 13:44 security.conf -> ../conf-available/security.conf
lrwxrwxrwx 1 root root   36 Dec 24 13:44 serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf

See

Commands

sudo a2ensite default      # activate the default site /etc/apache2/sites-available/default 
sudo a2ensite domain2.com  # activate each virtual host
sudo service apache2 reload

service apache2 status     # check if apache2 is running 
sudo service apache2 start # run this if apache2 is not running

Register a new domain

List of Internet top-level domains

Free dynamic dns/domain name

Some free domain service provided by dot.tk

  • .cf
  • .ga
  • .gq
  • .ma
  • .ml
  • .nr
  • .tk

Verify your domain

How to Verify Your Domain on Google Search Console

Multiple websites

Overview: Four steps

  1. Create "site1.conf" and "site2.conf" under /etc/apache2/sites-available
  2. sudo a2ensite site1.conf; sudo a2ensite site2.conf
  3. sudo service apache2 reload
  4. Modify DNS or change /etc/hosts to see the effect locally

Optionally use sudo apache2ctl -S to see a list of virtual hosts

How To Enable And Run Multiple Websites Using Apache2 & /etc/hosts

The examples here assume you have multiple domain names pointing to 1 server with one IP. The end result is you can use different domain names to access websites hosted on the same server using the default port 80. Hint: you can change /etc/hosts file if you just want to do testing.

If we use nginx as a reverse proxy, we can even use the same domain name to have multiple applications running with different ports.

We’re going to be using example.com and myexample.com domain names on a single Ubuntu server. See here.

sudo apt-get install apache2
sudo mkdir -p /var/www/html/example.com/public_html
sudo mkdir -p /var/www/html/myexample.com/public_html

sudo nano /var/www/html/example.com/public_html/index.html
cat /var/www/html/example.com/public_html/index.html
<html>
  <head>
    <title>Welcome to Example.com!</title>
  </head>
  <body>
    <h1>Success!  The example.com virtual host is working!</h1>
  </body>
</html>
sudo nano /var/www/html/myexample.com/public_html/index.html
sudo chown www-data:www-data /var/www/html
sudo chmod -R 755 /var/www/html

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/myexample.com.conf

# Change ServerName, ServerAlias and DocumentRoot entries
sudo nano /etc/apache2/sites-available/example.com.conf
cat /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
sudo nano /etc/apache2/sites-available/myexample.com.conf

sudo a2dissite 000-default.conf
sudo a2ensite example.com.conf
sudo a2ensite myexample.com.conf
sudo service apache2 restart 

sudo apache2ctl -S  # Get a list of all virtual hosts which are defined in all apache configuration files
ls -l /etc/apache2/sites-enabled/

sudo nano /etc/hosts
# 127.0.0.1    example.com
# 127.0.0.1    myexample.com

How to create multiple virtual hosts

One IP two websites, Two IPs and two websites

Apache Web Server Complete Guide Dedoimedo

Misc

Add a User To Group www-data

Add a User To Group www-data. We can add an existing user or a new user to the www-data group.

Restrict Apache Information Leakage

https://www.thefanclub.co.za/how-to/how-secure-ubuntu-1604-lts-server-part-1-basics

How to Check Which Apache Modules are Enabled/Loaded in Linux

http://www.tecmint.com/check-apache-modules-enabled/

Running different sites on different ports

http://httpd.apache.org/docs/2.2/vhosts/examples.html#port

.htaccess file

Set Up Mod_Rewrite

Forbidden You don't have permission to access /xxx/yyy on this server.

When I add a symbolic link file in /var/www/html to link to a sub-directory /home/$USER/Downloads/xxx, it does not work.

The detail error can be found in /var/log/apache2/error.log

Error: Symbolic link not allowed or link target not accessible

This post gives an explanation.

The solution in this case is to run

chmod 755 ~/Downloads

The problem seems to be specific to the attribute of the Downloads folder. If we untar/unzip to the $HOME folder, it does not have this problem because the attribute is already 755. The default attribute of Downloads in my Debian 8.4 is 700.

Error. Could not determine the server’s fully qualified domain name

http://tuxtweaks.com/2009/07/how-to-configure-apache-linux/

echo "ServerName localhost" | sudo tee /etc/apache2/conf.d/fqdn
sudo service apache2 reload

How to set up a secure Apache webserver on Ubuntu

http://xmodulo.com/secure-apache-webserver-ubuntu.html

  • Update TimeZone and Check Correct Time
  • Disable AppArmor Conflicts
  • Stop DDoS Attacks
  • Stop Slowloris Attacks
  • Stop DNS Injection Attacks
  • Turn off Server Signature

Redirecting entire website to https

http://www.tecmint.com/apache-htaccess-tricks/4/

HSTS vs https

What Is HSTS and How Does It Protect HTTPS From Hackers?

sites-enabled vs sites-available directory

What is the difference between sites-enabled and sites-available directory?

The difference is that virtual sites listed in the sites-enabled directory are served by apache. In the sites-available directory there are the virtual sites that exist on your server but people can't access them because they are not enabled yet.

  • sites-available: this directory has configuration files for Apache2 Virtual Hosts. Virtual Hosts allow Apache2 to be configured for multiple sites that have separate configurations.
  • sites-enabled: like mods-enabled, sites-enabled contains symlinks to the /etc/apache2/sites-available directory.

A custom redirection example

http://www.tecmint.com/apache-htaccess-tricks/4/

How to Redirect Users to Maintenance Page

http://www.tecmint.com/apache-htaccess-tricks/4/

How to Perform Internal Redirection with mod_rewrite in Apache

http://www.tecmint.com/redirection-with-mod_rewrite-in-apache/

Redirect a Website URL from One Server to Different Server in Apache

http://www.tecmint.com/redirect-website-url-from-one-server-to-different-server/

Apache Virtual Hosting: IP Based and Name Based Virtual Hosts in RHEL/CentOS/Fedora

http://www.tecmint.com/apache-ip-based-and-name-based-virtual-hosting/


Virtual host file

Forward proxy vs reverse proxy

Difference between proxy server and reverse proxy server

Proxy and reverse proxy

ProxyPass directive from the proxy module.

25 Apache Interview Questions for Beginners and Intermediates

http://www.tecmint.com/apache-interview-questions/

Redirecting a non-www URL to a www URL

http://www.tecmint.com/apache-htaccess-tricks/3/

Add www to your domain name for your website

Disable directory browsing

Remove word Indexes from the following line in the file </etc/apache2/sites-available/default> & </etc/apache2/sites-available/default-ssl>

Options Includes Indexes FollowSymLinks MultiViews

Or try the following commands

sudo a2dismod autoindex
sudo service apache2 restart

List of all virtual hosts

sudo apache2ctl -S

Diable a website through virtual host

sudo a2dissite 000-default

Show all loaded modules

$ sudo apache2ctl -M

/usr/sbin/apache2ctl: 87: ulimit: error setting limit (Operation not permitted)
Loaded Modules:
 core_module (static)
 log_config_module (static)
 logio_module (static)
 mpm_prefork_module (static)
 http_module (static)
 so_module (static)
 alias_module (shared)
 auth_basic_module (shared)
 authn_file_module (shared)
 authz_default_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 cgi_module (shared)
 deflate_module (shared)
 dir_module (shared)
 env_module (shared)
 mime_module (shared)
 negotiation_module (shared)
 php5_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 status_module (shared)
Syntax OK

favicon.ico

For some reason, if I just rename an animated gif file to <favicon.ico>, the file can be viewed locally and works when I put it on /var/www (http). For https, the default favicon does not show up and I have to manually put the favicon in the index.html file (good if you wish your pages to use different favicon sets).

<head>
...
<link rel="icon" href="yinyang_rot.gif" type="image/x-icon">
</head>

For mediawiki, I don't need to rename to <favicon.ico>.

See also Create an animated gif file on how I create an animated gif file from a single png file.

Note that chrome browser does not support animated gif favicons. IE does not support either. Firefox does support animated gif favicons.

Password Authentication

  • Set Apache Password Protected Directories With .htaccess File (2015, Old)
    1. Make sure Apache is configured to use .htaccess file. Modify httpd.conf
    2. Create a password file with the htpasswd command and make the password file readable by Apache web server.
    3. Create .htaccess file under the directory where we want it to be protected. The username and the password file are specified here.
    4. Test it
  • How To Set Up Password Authentication with Apache on Ubuntu 16.04
    1. Installing the Apache Utilities Package (apache2-utils)
    2. Creating the Password File using the htpasswd command
    3. Configuring Apache Password Authentication. Authentication is done on a per-directory basis.
      • Option 1: Configuring Access Control within the Virtual Host Definition 000-default.conf (Preferred)
      • Option 2: Configuring Access Control with .htaccess Files
    4. Restart apache2 and test it

Monitor Apache

Reverse proxy

(Excerpt from thegeekstuff) For example, let us say we have an enterprise application that is running on Apache and PHP on app.thegeekstuff.com, and we also have Nginx running on example.com.

In this example scenario, when someone goes to example.com, we can setup Nginx as a reverse proxy so that it will serve the enterprise apache/php application that is running on app.thegeekstuff.com.

But, for the end-user, they’ll only see example.com, they won’t even know anything about app.thegeekstuff.com. End-user will think the whole apache/php application is getting served directly from example.com.

Nginx

Use proxy_pass in /etc/nginx/sites-available/default and a symbolic link is created under /etc/nginx/sites-enabled.

Run both Nginx and Apache at the same time

  • How can i run both nginx and apache together on Ubuntu? Go to /etc/nginx/sites-available then modify the host file which should listen to a different port (if you didn't change anything here you will find a default file, enter to change it. In the file change listen: 80 to the port you want to listen to. Don't forget to reload the service: service nginx reload
  • How To Configure Nginx as a Web Server and Reverse Proxy for Apache on One Ubuntu 16.04 Server. Here we assume there are two websites w/ different servernames hosted by Apache using port 8080. We want to use Nginx as a reverse proxy using the default port 80.
    1. Install Apache
    2. Change Apache to use port 81 (/etc/apache2/ports.conf & /etc/apache2/sites-available/000-default.conf files)
    3. (optional) Create two document root directories & two virtual host files (port 81 for both, different servername)
    4. (optional) Reload apache2 (sudo service apache2 restart)
    5. Check open ports (sudo apt install net-tools; sudo netstat -tlpn)
    6. Install nginx
    7. Remove the default virtual host's symlink (/etc/nginx/sites-enabled/default)
    8. (optional) Create virtual hosts for Nginx using the same procedure we used for Apache
    9. (optional) Create a virtual host file for the domain example.com (/etc/nginx/sites-available/example.com & nano /etc/nginx/sites-available/sample.org)
    10. (optional) creating symbolic links to the sites-enabled directory
    11. (optional) Do an Nginx configuration test (sudo nginx -t) & reload Nginx (sudo service nginx restart)
    12. Create apache's virtual host (/etc/nginx/sites-available/apache)
    13. Create a symbolic link (/etc/nginx/sites-enabled/apache)
    14. Do an Nginx configuration test (sudo nginx -t) & reload Nginx (sudo service nginx restart)
    15. Open a browser and go to http://localhost or http://localhost/subdir to test
server {
    listen 80;
    location / {
       proxy_pass http://127.0.0.1:81;
    }
    # location /shiny {
    #   proxy_pass http://127.0.0.1:3838;
    # }
    # location /rstudio {
    #   proxy_pass http://127.0.0.1:8787;
    # }
}

Apache: ProxyPass & ProxyPassReverse to hide the right port

Use ProxyPass and ProxyPassReverse in /etc/apache2/sites-available/default

sudo a2enmod proxy && sudo a2enmod proxy_http && sudo service apache2 restart

Varnish Reverse Proxy

How to Install Varnish Reverse Proxy with Nginx on Ubuntu 16.04 LTS

Shorten URL

phpMyAdmin

How To Install and Secure phpMyAdmin on Ubuntu 18.04 LTS

Make your website load faster

7 Ways to Make Your Website or Blog Load Faster for Visitors

Nginx

Default root directory

nginx -V

Look up the --prefix value. On Ubuntu 16.04, it is /usr/share/nginx.

Virtual host file

Others

Secure Your Nginx Web Server

Tips and Tricks to Secure Your Nginx Web Server

How to Enable HTTP/2 in Nginx

https://www.howtoforge.com/how-to-enable-http-2-in-nginx/

Pitfalls and common mistakes

Reverse proxy

A Guide to running a Reverse proxy for HTTP(S), SSH and MySQL/MariaDB using NGINX

Books

  • Nginx HTTP Server - Third Edition by Clement Nedelcu

PHP-FPM

Exploring Nginx workers load arbitration using R/Shiny

Exploring Nginx workers load arbitration

Quick HTTP server using command line

Resources