Web server setup

From Smith family


I have Apache2 running on both the server and desktop machines. The webserver on the server serves public pages, while the one on the desktop is for pages private to my LAN. The server webserver hosts a number of virtual sites. Most of them are various Mediawiki instances. For those things that don't fit within a Mediawiki, there is also a basic HTML site set up. Finally, I have a webmail interface to my mail server, running over an SSL connection. Mediawiki and webmail setup are discussed on other pages; here I'll just describe the basic HTML setup, including allowing a secure connection.

Getting Apache2 running

Apache2 should already be running as part of the LAMP stack installed when the OS was installed. If not, add it with

root@server:~# apt-get install apache2-mpm-worker

Name-based virtual hosts

Name-based virtual hosts allow one webserver, with one IP number, to serve multiple websites depending on the server name used to request the page.

Enable name-based virtual hosts by modifying the end of /etc/apache2/ports.conf to include the two NameVirtualHost lines:

NameVirtualHost *:80
NameVirtualHost *:443

There will be one virtual host for each site. The files for each site will reside in a separate directory under /var/www and each site will have a separate configuration file in /etc/apache2/sites-available. A typical configuration file is below:

<VirtualHost *:80>
       ServerAdmin webmaster@localhost

       DocumentRoot /var/www/site.domain.tld
       ServerName site.domain.tld

       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>
       <Directory /var/www/>
               Options Indexes FollowSymLinks MultiViews
               AllowOverride None
               Order allow,deny
               Allow from all
       </Directory>

       ScriptAlias /cgi-bin/ /var/www/cgi.site.domain.tld/
       <Directory "/var/www/cgi.site.domain.tld">
               AllowOverride None
               Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog /var/log/apache2/error.log

       LogLevel warn
       CustomLog /var/log/apache2/site.domain.tld.access.log combined

       ServerSignature Off

       Alias /doc/ "/usr/share/doc/"
       <Directory "/usr/share/doc/">
               Options Indexes MultiViews FollowSymLinks
               AllowOverride None
               Order deny,allow
               Deny from all
               Allow from 127.0.0.0/255.0.0.0 192.168.1.0/255.255.255.0 ::1/128
       </Directory>
</VirtualHost>

Repeat this file for each virtual host you want to set up. Change the ServerName, DocumentRoot, and CustomLog settings to reflect the site's name and the location of its files. Also note the non-default location of the cgi-bin directory. This directory is outside the document root of any website (to prevent its contents being viewed directly via Apache), is owned by root, and has permissions of 755. Also note that the contents of the /usr/share/doc/ directory are only available to users on the LAN.

When a site is ready, enable it with the command:

root@server:~# a2ensite /etc/apache2/sites-available/site-settings-file

then reload the configuration:

root@server:~# /etc/init.d/apache2 reload
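The cgi-bin properties described above (outside every DocumentRoot, owned by root, mode 755) are easy to get wrong when repeating the file for a new site. The following check is an added example, not part of the original page: it assumes GNU stat (Linux) and takes the sites-available directory and expected owner as parameters so it can also be run against a copy of the configuration.

```shell
#!/bin/sh
# Added example: verify that a cgi-bin directory is outside every DocumentRoot
# listed in sites-available, is owned by root and has mode 755.
# Assumes GNU stat. Owner defaults to root; pass another name when checking
# a copy of the configuration elsewhere.

check_cgi_dir() {
    cgi_dir="${1%/}"        # e.g. /var/www/cgi.site.domain.tld
    sites_dir="$2"          # e.g. /etc/apache2/sites-available
    owner="${3:-root}"
    rc=0

    # 1. Not under any DocumentRoot, otherwise Apache could serve the script
    #    sources (and any credentials inside them) as plain files.
    for root in $(sed -n 's/^[[:space:]]*DocumentRoot[[:space:]][[:space:]]*//p' "$sites_dir"/* | tr -d '"\r'); do
        root="${root%/}"
        case "$cgi_dir/" in
            "$root"/*) echo "FAIL: $cgi_dir lies inside DocumentRoot $root"; rc=1 ;;
        esac
    done

    # 2. Owner root and mode 755: the web server user can execute the scripts
    #    but cannot add or modify them.
    set -- $(stat -c '%a %U' "$cgi_dir" 2>/dev/null)
    [ "$1" = "755" ]    || { echo "FAIL: mode of $cgi_dir is '${1:-missing}', want 755"; rc=1; }
    [ "$2" = "$owner" ] || { echo "FAIL: owner of $cgi_dir is '${2:-missing}', want $owner"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $cgi_dir"
    return "$rc"
}

# Usage on the server, with the site name from the template above:
#   check_cgi_dir /var/www/cgi.site.domain.tld /etc/apache2/sites-available
```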

Setting a default virtual host

If you want one virtual host to be the default site served when nothing else matches, remove the default site from the list of available sites:

root@server:~# a2dissite /etc/apache2/sites-available/default

Then, for the site you want to be the default one, modify its configuration file to start with the line:

<VirtualHost _default_:80>

and remove the ServerName line. Then reload the configuration:

root@server:~# /etc/init.d/apache2 reload

Stopping version number leakage

By default, Apache reveals the full version number of itself, the OS, and all modules attached, whenever there's an error. This can make life easier for someone wanting to hack your system. You can prevent Apache revealing all this information with a couple of settings.

In /etc/apache2/apache2.conf, set the following directives:

ServerTokens Prod
ServerSignature Off

In each virtual host configuration file, set:

ServerSignature Off

(it's already set in the sample above). Finally, reload the configuration:

root@server:~# /etc/init.d/apache2 reload
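A single enabled site that sets ServerSignature back to On would undo the change above. The audit below is an added example (not from the original page): it assumes the Debian layout of apache2.conf plus sites-enabled/ under the directory passed as argument, and GNU sed.

```shell
#!/bin/sh
# Added example: audit an Apache configuration tree for version leakage.
# Checks that apache2.conf sets ServerTokens Prod and ServerSignature Off and
# that no enabled site turns the signature back on. Assumes the Debian layout
# (apache2.conf and sites-enabled/ under the given directory) and GNU sed.

# Last uncommented value of a directive in a file, lower-cased (Apache
# compares directive names and these values case-insensitively).
directive() {
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^[:space:]#]*\).*/\1/Ip" "$2" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

audit_version_leakage() {
    conf_dir="${1:-/etc/apache2}"
    main="$conf_dir/apache2.conf"
    rc=0

    [ "$(directive ServerTokens "$main")" = "prod" ] \
        || { echo "FAIL: $main: ServerTokens is not Prod"; rc=1; }
    [ "$(directive ServerSignature "$main")" = "off" ] \
        || { echo "FAIL: $main: ServerSignature is not Off"; rc=1; }

    for site in "$conf_dir"/sites-enabled/*; do
        [ -f "$site" ] || continue
        val=$(directive ServerSignature "$site")
        case "$val" in
            ""|off) ;;      # unset inherits the global Off
            *) echo "FAIL: $site: ServerSignature $val"; rc=1 ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $conf_dir exposes no version information"
    return "$rc"
}

# Usage on the server:
#   audit_version_leakage /etc/apache2
```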

Secure HTTP

I use the secure HTTP server for my webmail. You'll need to look at the Webmail setup page for the rest of the configuration.

The first step is to enable the Apache rewriting engine and the SSL module:

root@server:~# a2enmod ssl

Copy the SSL certificate and insecure key file generated earlier to /etc/apache2/ssl/certs. Make sure that this directory is not visible to the world, as the security of the SSL traffic is compromised if the unencrypted private key can be read by anyone else.

Now, create the configuration file for the squirrelmail.domain.tld site, /etc/apache2/sites-available/squirrelmail.domain.tld:

<VirtualHost *:80>
       ServerAdmin webmaster@localhost

       DocumentRoot /var/www/site.domain.tld
       ServerName squirrelmail.domain.tld

       Redirect permanent / https://squirrelmail.domain.tld/

       CustomLog /var/log/apache2/access.squirrelmail.domain.tld.log combined
       ServerSignature Off
</VirtualHost>

<VirtualHost *:443>
       ServerAdmin webmaster@localhost

       SSLEngine On
       SSLCertificateFile /etc/apache2/ssl/certs/squirrelmail-cert.pem
       SSLCertificateKeyFile /etc/apache2/ssl/certs/squirrelmail-key.insecure.pem

       DocumentRoot /var/www/www.domain.tld
       ServerName squirrelmail.domain.tld

       <Directory />
               Options FollowSymLinks
               AllowOverride None
       </Directory>

       ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
       <Directory "/usr/lib/cgi-bin">
               AllowOverride None
               Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
               Order allow,deny
               Allow from all
       </Directory>

       ErrorLog /var/log/apache2/error.log

       # Possible values include: debug, info, notice, warn, error, crit,
       # alert, emerg.
       LogLevel warn

       CustomLog /var/log/apache2/access.squirrelmail.domain.tld.log combined 
       ServerSignature Off
</VirtualHost>

Note that this file contains the settings for both a secure and an insecure site. The insecure site, on port 80, causes an immediate redirection to the secure site on port 443.

Finally, ask Apache to listen on port 443. Add this line to /etc/apache2/ports.conf:

Listen 443

Enable the site:

root@server:~# a2ensite /etc/apache2/sites-available/squirrelmail.domain.tld

then restart the server:

root@server:~# /etc/init.d/apache2 restart

Once Apache has restarted you should be able to see the secure site. It should show the same content as the base site, www.domain.tld. We'll do Webmail setup later.

See also

Here are a few pages that are useful guides or provide background and context.

  • How To Save Traffic With Apache2's mod_deflate (Not discussed here: if you use the Deflate module, remember to enable it (a2enmod deflate) and create an empty log file (touch /var/log/apache2/project_deflate.log) before restarting Apache.)