Apache - HVboom/HowTo-DigitalOcean GitHub Wiki

Description

The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for various modern desktop and server operating systems, such as UNIX and Windows NT. The goal of this project is to provide a secure, efficient and extensible server which provides HTTP services in sync with the current HTTP standards. The 2.x branch of Apache Web Server includes several improvements like threading, use of APR, native IPv6 and SSL support, and many more.

💬 copied from package description

Setup Apache on Ubuntu

  • Follow these instructions to install Apache and open the firewall for it (the 'Apache Full' profile covers ports 80 and 443):

    sudo apt install apache2
    sudo ufw app list
    sudo ufw allow 'Apache Full'
    sudo ufw status
    sudo systemctl status apache2
  • On Ubuntu the configuration files are located in /etc/apache2/. Modules, sites and configuration snippets are switched on and off with a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf; these only create or remove symlinks in the corresponding *-enabled directory, the files in *-available stay untouched.

  • All configuration files can be found in my GitHub repository UbuntuApacheConfiguration

Security Setting

The main settings for secure HTTPS connections with strong encryption are defined in /etc/apache2/mods-available/ssl.conf

...

# see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
# Only forward-secret (ECDHE/DHE) AEAD suites (AES-GCM, ChaCha20-Poly1305) for TLS 1.2;
# the TLS 1.3 suites are negotiated separately and are not affected by this list
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# The server's order wins over the client's preference
SSLHonorCipherOrder on

# Disable everything except TLS 1.2 and TLS 1.3 (no SSLv3, TLS 1.0 or TLS 1.1)
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProxyProtocol -all +TLSv1.3 +TLSv1.2

SSLCertificateFile      /etc/letsencrypt/live/hvboom.biz/fullchain.pem
SSLCertificateKeyFile   /etc/letsencrypt/live/hvboom.biz/privkey.pem

<IfModule headers_module>
  # Append HttpOnly and Secure to every cookie the application sets. The attributes
  # are appended even when they are already present; browsers accept the duplicate
  Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  # max-age 15768000 s = 6 months; includeSubDomains requires every subdomain to be served over HTTPS
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>

...

Ensure all requests are redirected to HTTPS connections

  • Define the redirect configuration in /etc/apache2/sites-available/000_vhost_080_default.conf

    <VirtualHost *:80>
      ServerName HVboom.biz
      ServerAlias *.HVboom.biz
      RewriteEngine on
      # Permanent (301) redirect of every request to the same host and path over HTTPS;
      # the query string is carried over, END stops further rewrite processing
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>
  • Define the home page configuration in /etc/apache2/sites-available/999_vhost_443_default.conf

    <VirtualHost *:443>
      ServerName HVboom.biz
      ServerAlias www.HVboom.biz
      DocumentRoot "/var/www/HVboom.biz"
      <Directory "/var/www/HVboom.biz">
        # FollowSymLinks serves whatever a symlink below the DocumentRoot points at,
        # so nothing under /var/www may link outside the tree
        Options FollowSymLinks MultiViews
        # AllowOverride All lets any .htaccess below the DocumentRoot change these
        # settings; narrow it (e.g. AuthConfig) once the needed overrides are known
        AllowOverride All
        Require all granted
      </Directory>
      # Certificate, key, protocols and ciphers are inherited from mods-available/ssl.conf
      SSLEngine on
    </VirtualHost>
  • Create the Home Page in /var/www/HVboom.biz/index.html

  • Restrict access to the site content. The tree is owned by www-data, the user the Apache worker processes run as, with directories 755 and files 644:

    sudo chown -R www-data:www-data /var/www
    sudo chmod -R 755 /var/www
    sudo find /var/www -type f -exec chmod 644 {} \;
    sudo chmod +t /var/www
    sudo find /var/www -type d -exec chmod +t {} \;

    Two caveats: the sticky bit (+t) only restricts who may delete or rename entries in a directory that is writable by several users, so on a 755 directory it changes nothing; and because www-data owns the files, a compromised worker process can rewrite them. Owning the tree by root (or a deploy user) and giving www-data read access only is the tighter choice.
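The following shell script is an added check and not part of the wiki page or its configuration repository. It inspects a DocumentRoot for the conditions the settings above make relevant: symlinks that resolve outside the tree (served verbatim under Options FollowSymLinks), world-writable entries, .htaccess files (honoured under AllowOverride All) and files the web server user could modify. The web user name is passed as an argument (www-data on Ubuntu; www is assumed for a FreeBSD apache24 install); the sample tree the demo builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit a DocumentRoot before serving it with
# "Options FollowSymLinks" and "AllowOverride All" (not from the wiki page).
#
# check_docroot DIR WEBUSER    prints one finding per line (nothing if clean)
# docroot_is_clean DIR WEBUSER exit status 0 if no finding was printed

check_docroot() {
    root=$(cd "$1" && pwd -P) || return 2
    webuser=$2

    # 1. Symlinks whose target resolves outside DIR: FollowSymLinks makes Apache
    #    serve the target (e.g. a file under /etc) as if it were site content.
    find "$root" -type l | while read -r link; do
        target=$(readlink -f "$link")
        case "$target" in
            "$root"/*) ;;
            *) echo "escape: $link -> $target" ;;
        esac
    done

    # 2. World-writable files and directories (any local user can plant content).
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/world-writable: /'

    # 3. .htaccess files: with AllowOverride All each one rewrites the vhost config.
    find "$root" -type f -name .htaccess | sed 's/^/htaccess: /'

    # 4. Entries the web server user owns and may write: a compromised worker can
    #    change them (this is the case after "chown -R www-data:www-data").
    find "$root" \( -type f -o -type d \) -user "$webuser" -perm -200 \
        | sed 's/^/writable-by-webuser: /'
}

docroot_is_clean() {
    [ -z "$(check_docroot "$1" "$2")" ]
}

# Stand-alone demo on a constructed tree (removed afterwards).
demo=$(mktemp -d)
printf '<h1>demo</h1>\n' > "$demo/index.html"
ln -s /etc "$demo/leak"              # resolves outside the tree: reported
ln -s index.html "$demo/home.html"   # stays inside the tree: not reported
: > "$demo/.htaccess"
echo "== findings for $demo (web user: $(id -un))"
check_docroot "$demo" "$(id -un)"
rm -rf "$demo"
```

Run it as check_docroot /var/www/HVboom.biz www-data after the chown/chmod step above; with that ownership every file is listed under writable-by-webuser, which is exactly the trade-off described in the caveat.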

Enable Modules & Sites

  • The adjusted files need to be enabled with the following commands:

    sudo a2enmod headers
    sudo a2enmod ssl
    sudo a2enmod rewrite
    
    sudo a2dissite 000-default           # disable default page
    sudo a2ensite 000_vhost_080_default  # enable redirect to HTTPS
    sudo a2ensite 999_vhost_443_default  # enable Home page located in /var/www/HVboom.biz
  • Check the configuration with sudo apache2ctl configtest, then restart Apache to use the new configuration files: sudo systemctl restart apache2

Setup Apache on FreeBSD

  • Follow these instructions to install Apache, enable it at boot and start it:

    sudo pkg install apache24
    sudo sysrc apache24_enable=yes
    sudo service apache24 start
  • All configuration files can be found in my GitHub repository ApacheConfiguration

Note

All files in the /usr/local/etc/apache24/Includes directory are automatically sourced into the configuration (see end of file /usr/local/etc/apache24/httpd.conf)

Security Setting

The main settings for secure HTTPS connections with strong encryption are defined in /usr/local/etc/apache24/extra/httpd-ssl.conf

...

# see ciphers(1) http://www.openssl.org/docs/apps/ciphers.html
# Only forward-secret (ECDHE/DHE) AEAD suites (AES-GCM, ChaCha20-Poly1305) for TLS 1.2;
# the TLS 1.3 suites are negotiated separately and are not affected by this list
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# The server's order wins over the client's preference
SSLHonorCipherOrder on

# Disable everything except TLS 1.2 and TLS 1.3 (no SSLv3, TLS 1.0 or TLS 1.1)
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLProxyProtocol -all +TLSv1.3 +TLSv1.2

SSLCertificateFile      /usr/local/etc/letsencrypt/live/hvboom.org/fullchain.pem
SSLCertificateKeyFile   /usr/local/etc/letsencrypt/live/hvboom.org/privkey.pem

<IfModule headers_module>
  # Append HttpOnly and Secure to every cookie the application sets. The attributes
  # are appended even when they are already present; browsers accept the duplicate
  Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
  # max-age 15768000 s = 6 months; includeSubDomains requires every subdomain to be served over HTTPS
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
</IfModule>

...
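The ssl.conf in the Ubuntu section and this httpd-ssl.conf carry the same TLS settings. The script below is an added example, not part of the wiki or its configuration repositories: it lints an Apache configuration fragment for the points those settings address (TLS 1.0/1.1 still admitted, cipher entries that are neither forward-secret nor AEAD, a missing Strict-Transport-Security header, AllowOverride All) and shows a weak fragment, constructed for the demonstration, beside the hardened settings from this page. The function names and the finding format are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki page): lint an Apache TLS/vhost fragment.
#
# audit_ssl_conf FILE   prints one finding per line, nothing if the fragment is fine
# count_findings FILE   number of findings
# write_samples DIR     creates DIR/weak.conf (constructed) and DIR/good.conf (this page)

audit_ssl_conf() {
    conf=$1

    # SSLProtocol: "all" (even with -SSLv3) or an explicit +TLSv1 / +TLSv1.1 still
    # allows TLS 1.0 and 1.1; the page uses "-all +TLSv1.3 +TLSv1.2".
    grep -qE '^[[:space:]]*SSLProtocol[[:space:]]' "$conf" \
        || echo "protocol: SSLProtocol not set, which means all"
    grep -E '^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]' "$conf" \
        | grep -E '(^|[[:space:]+])(all|TLSv1(\.1)?)([[:space:]]|$)' \
        | sed 's/^[[:space:]]*/protocol: TLS 1.0\/1.1 still enabled: /'

    # SSLCipherSuite: every entry must be an ECDHE/DHE suite using AES-GCM or
    # ChaCha20-Poly1305. Exclusions (!...) and removals (-...) are skipped.
    grep -E '^[[:space:]]*SSL(Proxy)?CipherSuite[[:space:]]' "$conf" \
        | awk '{ list = $2; if (list == "TLSv1.3" || list == "SSL") list = $3
                 n = split(list, c, ":")
                 for (i = 1; i <= n; i++) {
                     if (c[i] ~ /^[!-]/) continue
                     if (c[i] !~ /^(ECDHE|DHE)-/ || c[i] !~ /(GCM|CHACHA20)/)
                         print "cipher: not a forward-secret AEAD suite: " c[i]
                 } }'

    # HSTS header must be set, otherwise the first request can still be downgraded.
    grep -qE '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+Strict-Transport-Security' "$conf" \
        || echo "header: Strict-Transport-Security not set"

    # AllowOverride All hands the whole directive set to .htaccess files.
    grep -nE '^[[:space:]]*AllowOverride[[:space:]]+All' "$conf" \
        | sed 's/^\([0-9]*\):.*/override: AllowOverride All (line \1)/'
}

count_findings() {
    audit_ssl_conf "$1" | grep -c '' || true
}

write_samples() {
    # Weak fragment: constructed for this example (a package-default style
    # SSLProtocol plus a permissive Directory block), not taken from the wiki.
    cat > "$1/weak.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
<Directory "/var/www/site">
  AllowOverride All
</Directory>
EOF
    # Hardened fragment: the settings from this page.
    cat > "$1/good.conf" <<'EOF'
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLProtocol -all +TLSv1.3 +TLSv1.2
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
EOF
}

# Stand-alone demo
d=$(mktemp -d)
write_samples "$d"
for f in weak good; do
    echo "== $f.conf: $(count_findings "$d/$f.conf") finding(s)"
    audit_ssl_conf "$d/$f.conf"
done
rm -rf "$d"
```

Point audit_ssl_conf at the real ssl.conf or httpd-ssl.conf (and at the vhost files) before running configtest; it reads the text only and reports nothing about the certificate itself.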

Ensure all requests are redirected to HTTPS connections

  • Define the redirect configuration in /usr/local/etc/apache24/Includes/000_vhost_080_default.conf (mod_rewrite must be loaded: LoadModule rewrite_module libexec/apache24/mod_rewrite.so in httpd.conf)

    <VirtualHost *:80>
      ServerName HVboom.org
      ServerAlias *.HVboom.org
      RewriteEngine on
      # Permanent (301) redirect of every request to the same host and path over HTTPS;
      # the query string is carried over, END stops further rewrite processing
      RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>
    • The include is parsed by the parent httpd process, which runs as root, before the worker processes drop privileges to www, so it only needs to be readable by root. Making it world-readable does no harm because it contains no secrets:

      sudo chmod o+r /usr/local/etc/apache24/Includes/000_vhost_080_default.conf
  • Check the configuration with sudo apachectl configtest, then restart Apache to use the new configuration files: sudo service apache24 restart

Serving Rails applications

Activate Phusion Passenger

  • Phusion Passenger installation instructions

  • Create a configuration file /usr/local/etc/apache24/modules.d/080_mod_passenger.conf

    LoadModule passenger_module /usr/local/lib/ruby/gems/3.1/gems/passenger/buildout/apache2/mod_passenger.so
    
    <IfModule mod_passenger.c>
      # Write a debug file with warnings
      # https://www.phusionpassenger.com/library/config/apache/reference/#logging-and-debugging-options
      # Log level from 0 (crit) - 7 (debug 3)
      PassengerLogLevel 2
      PassengerLogFile /var/log/passenger_debug.log
      
      # Turn on extended error pages. They show startup diagnostics (error output,
      # backtrace, environment), so keep them off for vhosts that serve production traffic
      # https://www.phusionpassenger.com/library/config/apache/reference/#passengerfriendlyerrorpages
      PassengerFriendlyErrorPages on
      
      PassengerRoot /usr/local/lib/ruby/gems/3.1/gems/passenger
      # Do not set the default ruby, because otherwise you have to set the ruby version in the vhost too
      # PassengerDefaultRuby /home/passenger/.rvm/gems/ruby-3.1.0@PhusionPassenger/wrappers/ruby
    </IfModule>

Define virtual hosts for each application

  • Create a configuration file /usr/local/etc/apache24/Includes/020_vhost_443_rails.conf. The macros need mod_macro (<Macro>/Use) and mod_vhost_alias (VirtualDocumentRoot) to be loaded. Each application lives below the home directory of its own user because Passenger runs an application as the owner of its config.ru (user switching), so the production, demo and development instances of one application are isolated from each other at the OS level:

    <Macro RailsProduction $user $application>
      <VirtualHost *:443>
        # Serve rails applications in production like mode
      
        UseCanonicalName Off
      
        ServerName $application.HVboom.org
        VirtualDocumentRoot "/home/$user/RubyOnRails/$application/public"
      
        PassengerAppEnv "production"
      
        RailsBaseURI "/"
        <Directory "/home/$user/RubyOnRails/$application/public">
          Require all granted
          Options -MultiViews 
        </Directory>
      
        SSLEngine on
      </VirtualHost>
    </Macro>
    
    <Macro Rails $environment $user $application>
      <VirtualHost *:443>
        # Serve rails applications in the environment passed as $environment
      
        UseCanonicalName Off
      
        ServerName $application.$user.HVboom.org
        VirtualDocumentRoot "/home/$user/RubyOnRails/$application/public"
      
        PassengerAppEnv "$environment"
      
        RailsBaseURI "/"
        <Directory "/home/$user/RubyOnRails/$application/public">
          Require all granted
          Options -MultiViews 
        </Directory>
      
        SSLEngine on
      </VirtualHost>
    </Macro>
    
    Use Rails development mario            HVDigitalSafe
    Use Rails demo        demo             HVDigitalSafe
    Use RailsProduction   hvdigitalsafe    HVDigitalSafe
    
    Use Rails development mario            HVKeyGuard
    Use Rails demo        demo             HVKeyGuard
    Use RailsProduction   hvkeyguard       HVKeyGuard
    
    Use Rails development mario            HVPlayground
    Use Rails demo        demo             HVPlayground
    Use RailsProduction   hvplayground     HVPlayground
    
    Use Rails development mario            HVMembership
    Use Rails demo        demo             HVMembership
    Use RailsProduction   hvmembership     HVMembership
    
    Use Rails development mario            HVControlTower
    Use Rails demo        demo             HVControlTower
    Use RailsProduction   hvcontroltower   HVControlTower
    
    Use Rails development mario            HVEntitlement
    Use Rails demo        demo             HVEntitlement
    Use RailsProduction   hventitlement    HVEntitlement
    
    Use Rails development mario            HVLogger
    Use Rails demo        demo             HVLogger
    Use Rails production  hvlogger         HVLogger
    
    Use Rails development mario            HVLookBook
    Use Rails demo        demo             HVLookBook
    Use Rails production  hvlookbook       HVLookBook
    
    Use Rails development mario            HVTurtleGraphics
    Use Rails demo        demo             HVTurtleGraphics
    Use Rails production  hvturtlegraphics HVTurtleGraphics
    
    UndefMacro RailsProduction
    UndefMacro Rails

Caution

Everything below is outdated and not used anymore

Activate PHP

  • PHP installation instructions

  • Create a new configuration file /usr/local/etc/apache24/Includes/php.conf

    <IfModule php7_module>
      #
      # DirectoryIndex: sets the file that Apache will serve if a directory
      # is requested.
      #
      # Override the default behaviour
      #
      <IfModule dir_module>
        DirectoryIndex index.php index.html
      </IfModule>
    
      #
      # Special treatment of PHP files
      #
      <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
      </FilesMatch>
      <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
      </FilesMatch>
    </IfModule>
    • Ensure that the configuration file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/php.conf
  • Restart Apache to use the new configuration files sudo service apache24 restart

Activate GitLab

  • GitLab installation instructions

  • Create an Apache configuration file /usr/local/etc/apache24/Includes/020_vhost_080_gitlab.conf:

    <VirtualHost *:80>
      ServerName GitLab.HVboom.org
      DocumentRoot "/home/git/gitlab/public"
      # Necessary to find used scripts like the "bash" shell
      PassengerLoadShellEnvvars on
    
      # Do not use the default ruby
      # PassengerRuby /home/git/.rvm/wrappers/ruby-2.3.3/ruby
    
      RailsBaseURI "/"
      <Directory "/home/git/gitlab/public">
        Require all granted
        Options -MultiViews 
      </Directory>
    </VirtualHost>
    • Ensure that the include file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/020_vhost_080_gitlab.conf
  • Restart Apache to use the new configuration files sudo service apache24 restart

Setup virtual host for phpMyAdmin

  • phpMyAdmin installation instructions

  • Create an Apache configuration file /usr/local/etc/apache24/Includes/030_vhost_080_phpmyadmin.conf:

    <VirtualHost *:80>
      ServerName phpMyAdmin.HVboom.org
      DocumentRoot "/usr/local/www/apache24/data/admin/phpMyAdmin"
    
      <Directory "/usr/local/www/apache24/data/admin/phpMyAdmin">
        Require all granted
        Options -MultiViews 
      </Directory>
    </VirtualHost>
    • Ensure that the include file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/030_vhost_080_phpmyadmin.conf
  • Restart Apache to use the new configuration files sudo service apache24 restart

Setup virtual host for user specific Ruby On Rails applications

  • Create an Apache configuration file /usr/local/etc/apache24/Includes/040_vhost_080_rails_development.conf:

    Remark: Rails (Ruby On Rails) application served through Phusion Passenger

    • The application has to be located in /home/user/RubyOnRails/application
    • The URL to serve the application will be user.application.ror.HVboom.org
    LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
    
    <VirtualHost *:80>
      # Serve user specific rails applications in development mode
      #
      # The application has to be located in /home/<user>/RubyOnRails/<application>
      # The URL to serve the application will be <user>.<application>.ror.HVboom.org
      #
      # ATTENTION: <user> and <application> have to be all lowercase
    
      UseCanonicalName Off
    
      ServerAlias *.ror.HVboom.org
      VirtualDocumentRoot "/home/%1/RubyOnRails/%2/public"
    
      PassengerAppEnv "development"
      RailsBaseURI "/"
      <Directory "/home/*/RubyOnRails/*/public">
        Require all granted
        Options -MultiViews 
      </Directory>
    </VirtualHost>
    • Ensure that the include file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/040_vhost_080_rails_development.conf
    • Restart Apache to use the new configuration files sudo service apache24 restart

Setup virtual host for productive Ruby On Rails applications

  • Create an Apache configuration file /usr/local/etc/apache24/Includes/050_vhost_080_rails_production.conf:

    Remark: Rails (Ruby On Rails) application served through Phusion Passenger

    • The application has to be located in /home/application/RubyOnRails/application
    • The URL to serve the application will be application.HVboom.org
    LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
    
    <VirtualHost *:80>
      # Serve rails applications in production mode
      #
      # The application has to be located in /home/<application>/RubyOnRails/<application>
      # The URL to serve the application will be <application>.HVboom.org
      #
      # ATTENTION: <application> has to be all lowercase
    
      UseCanonicalName Off
    
      ServerAlias *.HVboom.org
      VirtualDocumentRoot "/home/%1/RubyOnRails/%1/public"
    
      PassengerAppEnv "production"
      RailsBaseURI "/"
      <Directory "/home/*/RubyOnRails/*/public">
        Require all granted
        Options -MultiViews 
      </Directory>
    </VirtualHost>
    • Ensure that the include file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/050_vhost_080_rails_production.conf
    • Restart Apache to use the new configuration files sudo service apache24 restart

Setup basic authentication for restricted areas

  • Create a .htaccess file in the directory you want to secure, e.g. /usr/local/www/apache24/data/admin:

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /usr/local/etc/apache24/.admin.htpasswd
    Require valid-user
    • Tip: use a separate password file per protected area, so that credentials for one area do not open any other
  • Create the password file /usr/local/etc/apache24/.admin.htpasswd. Unlike the include files it is read by the worker processes (user www) on every request, so it must be readable by that user, but it should not be world-readable, otherwise every local account can read the password hashes:

    sudo touch /usr/local/etc/apache24/.admin.htpasswd
    sudo chgrp www /usr/local/etc/apache24/.admin.htpasswd
    sudo chmod 640 /usr/local/etc/apache24/.admin.htpasswd
  • Create the credentials (-B stores a bcrypt hash instead of the default MD5-based one): sudo htpasswd -B /usr/local/etc/apache24/.admin.htpasswd <username>

  • Enable the .htaccess feature for the directory you want to secure /usr/local/etc/apache24/Includes/admin.conf:

    <Directory "/usr/local/www/apache24/data/admin">
      # AllowOverride controls what directives may be placed in .htaccess files.
      # It can be "All", "None", or any combination of the keywords:
      #   AllowOverride FileInfo AuthConfig Limit
      #
      AllowOverride AuthConfig
    </Directory>
    • Ensure that the include file is readable by the Apache process

      sudo chmod o+r /usr/local/etc/apache24/Includes/admin.conf
    • Restart Apache to use the new configuration files sudo service apache24 restart
