Devops: Installing PHP & Apache - maple-dev-team/docs GitHub Wiki


PHP & APACHE

sudo apt update
sudo apt upgrade
sudo apt install apache2
sudo apt install php7.4 libapache2-mod-php php-xml php-mbstring php-gd php-zip php-curl
// for PostgreSQL, also install php-pgsql
sudo vim /etc/apache2/mods-enabled/dir.conf 
	- move "index.php" to the beginning (e.g.: DirectoryIndex index.php index.html ...)
sudo vim /etc/apache2/conf-enabled/security.conf
	- change -> "ServerSignature Off"
	- change -> "ServerTokens Prod"
sudo vim /etc/apache2/apache2.conf
	- add at the end of the file
	# security
	FileETag None
sudo vim /etc/php/7.x/apache2/php.ini
	- change -> opcache.enable=1
	- change -> opcache.memory_consumption=128
	- change -> opcache.max_accelerated_files=10000
sudo service apache2 restart

ADD HOST

sudo usermod -a -G www-data ubuntu
sudo mkdir /var/www/[domain]
	- copy your files
sudo chown -R ubuntu:www-data /var/www/[domain]
sudo chmod -R ug+rwx /var/www/[domain]/storage/
sudo chmod -R ug+rwx /var/www/[domain]/bootstrap/cache/
sudo vim /etc/apache2/sites-available/[domain].conf
	e.g.
	<VirtualHost *:80>
		ServerAdmin webmaster@localhost
		ServerName [domain]
		ServerAlias www.[domain]
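		# NOTE: if the application keeps its web entry point in a subdirectory (the storage/ and bootstrap/cache/ paths above suggest a Laravel-style layout, where that is public/), point DocumentRoot and the Directory block there so configuration files and storage/ are not served. Confirm for your application.
		DocumentRoot /var/www/[domain]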
		ErrorLog ${APACHE_LOG_DIR}/[domain]_error.log
		CustomLog ${APACHE_LOG_DIR}/[domain]_access.log combined
		<Directory /var/www/[domain]>
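			# NOTE: "Indexes" makes Apache list directory contents when no index file is present; drop it unless listings are intended.
			Options Indexes FollowSymLinks
			AllowOverride All
			Require all granted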
		</Directory>
	</VirtualHost>
sudo a2enmod rewrite
sudo a2ensite [domain].conf
sudo systemctl restart apache2

SSL

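sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache
	- note: on newer Ubuntu releases the package is named python3-certbot-apache and is normally installable from the distribution repositories without the PPA; check which applies to your release
sudo certbot --apache -d your_domain -d www.your_domain
	- choose 2 to redirect HTTP to HTTPS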

Mod Security

sudo apt install libapache2-mod-security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo vim /etc/modsecurity/modsecurity.conf
	- change "SecRuleEngine DetectionOnly" to "SecRuleEngine On" (the directive takes its value without an "=" sign)
sudo mv /usr/share/modsecurity-crs /usr/share/modsecurity-crs.bk
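sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
	- note: this clones whatever the default branch holds at that moment; check out a tagged release afterwards so the rule set loaded by the web server is a known version (the CRS project has since moved to github.com/coreruleset/coreruleset; verify the current upstream before cloning)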
sudo cp /usr/share/modsecurity-crs/crs-setup.conf.example /usr/share/modsecurity-crs/crs-setup.conf
sudo vim /etc/apache2/mods-enabled/security2.conf
	- add these two lines at the end of the existing block, before its closing tag
	IncludeOptional /usr/share/modsecurity-crs/*.conf
	IncludeOptional /usr/share/modsecurity-crs/rules/*.conf
sudo service apache2 restart
	- testing
	request http://server-ip/index.html?exec=/bin/bash
	the server should answer with a 403 Forbidden error, which shows the rule engine is blocking rather than only logging

Mod Evasive (DDOS)

sudo apt install libapache2-mod-evasive
	- choose "local only" when prompted
sudo vim /etc/apache2/mods-enabled/evasive.conf
	- uncomment all lines
	- change "someuser" to "ubuntu"
	- change "DOSBlockingPeriod 10" to "DOSBlockingPeriod 100"
sudo mkdir /var/log/mod_evasive
sudo chown -R www-data:www-data /var/log/mod_evasive
sudo service apache2 restart
	- testing
	on the server run: sudo tail -f /var/log/apache2/access.log
	on the client run: ab -n 1000 -c 20 http://server-url/
	it is expected to see 403 responses
	

FIREWALL

sudo ufw allow in "Apache Full"
sudo ufw allow OpenSSH
sudo ufw enable

Security Scan

https://sitecheck.sucuri.net/
