Web server setup
|← Previous||Next →|
|PostgreSQL config||Mediawiki farm|
I have Apache2 running on both the server and desktop machines. The webserver on the server serves public pages, while the one on the desktop is for pages private to my LAN. The server webserver hosts a number of virtual sites. Most of them are various Mediawiki instances. For those things that don't fit within in a Mediawiki, there is also a basic HTML site set up. Finally, I have a webmail interface to my mail server, running over a SSL connection. Mediawiki and webmail setup are discussed on other pages; here I'll just describe the basic HTML setup, including allowing a secure connection.
Getting Apache2 running
Apache2 should already be running as part of the LAMP stack installed when the OS was installed. If not, add it with
root@server:~# apt-get install apache2-mpm-worker
Name-based virtual hosts
Name-based virtual hosts allow one webserver, with one IP number, to server multiple websites depending on the server name used to request the page.
Enable name-based virtual hosts by modifying the end of
/etc/apache2/ports.conf to include the two
NameVirtualHost *:80 NameVirtualHost *:443
There will be one virtual host for each site. The files for each site will reside in a separate directory under
/var/www and each site will have a separate configuration file in
/etc/apache2/sites-available. A typical configuration file is below:
<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/site.domain.tld ServerName site.domain.tld <Directory /> Options FollowSymLinks AllowOverride None </Directory> <Directory /var/www/> Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny Allow from all </Directory> ScriptAlias /cgi-bin/ /var/www/cgi.site.domain.tld/ <Directory "/var/www/cgi.site.domain.tld"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log LogLevel warn CustomLog /var/log/apache2/site.domain.tld.access.log combined ServerSignature Off Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 192.168.1.0/255.255.255.0 ::1/128 </Directory> </VirtualHost>
Repeat this file for each virtual host you want to set up. Change the
CustomLog settings to reflect the site's name and location of files. Also note the non-default location of the
cgi-bin directory. This directory is outside the document root of any website (to prevent its contents being viewed directly via Apache), is owned by
root, and permissions of 755. Also note that the contents of the
/usr/share/doc/ directory are only available to users on the LAN.
When a site is ready, enable it with the command:
root@server:~# a2ensite /etc/apache2/sites-available/site-settings-file
then reload the configuration:
root@server:~# systemctl reload apache2.service
Setting a default virtual host
When there are several virtual hosts with servernames (or aliases) that could match a request, Apache2 uses the first one it comes across. That means the server defined in the configuration file earliest in lexicographical order. Therefore, make sure that the virtual host you want as the default is defined in a file with a 00 prefix, such as
You'll probably also want to disable the default host that comes with Apache2.
root@server:~# a2dissite default root@server:~# a2ensite 00-default.domain.tld root@server:~# ssystemctl reload apache2.service
Stopping version number leakage
By default, Apache reveals the full version number of itself, the OS, and all modules attached, whenever there's an error. This can make life easier for someone wanting to hack your system. You can prevent Apache revealing all this information with a couple of settings.
/etc/apache2/apache2.conf, set the following directives:
ServerTokens Prod ServerSignature Off
In each virtual host configuration file, set:
(it's already set in the sample above) Finally, reload the configuration:
root@server:~# systemctl reload apache2.service
I use the Secure HTTP server for my webmail You'll need to look at the Webmail setup page for the rest of the configuration.
The first step is to enable the Apache rewriting engine and the SSL module:
root@server:~# a2enmod ssl
Now, create the configuration file for the
<VirtualHost *:80> ServerAdmin webmaster@localhost ServerName squirrelmail.domain.tld Redirect permanent / https://squirrelmail.domain.tld/ CustomLog /var/log/apache2/access.squirrelmail.domain.tld.log combined ServerSignature Off </VirtualHost> <VirtualHost *:443> ServerAdmin webmaster@localhost SSLEngine On SSLCertificateChainFile /etc/letsencrypt/live/webmail.domain.tld/chain.pem SSLCertificateKeyFile /etc/letsencrypt/live/webmail.domain.tld/privkey.pem SSLCertificateFile /etc/letsencrypt/live/webmail.domain.tld/cert.pem DocumentRoot /var/www/www.domain.tld ServerName squirrelmail.domain.tld <Directory /> Options FollowSymLinks AllowOverride None </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.squirrelmail.domain.tld.log combined ServerSignature Off </VirtualHost>
Note that this file contains the settings for both a secure and an insecure site. The insecure site, on port 80, causes an immediate redirections to the secure site on port 443.
Finally, ask Apache to listen to port 443. Add this line to
Enable the site:
root@server:~# a2ensite /etc/apache2/sites-available/squirrelmail.domain.tld
then restart the server:
root@server:~# systemctl restart apache2.service
Restart Apache and you should be able to see the secure site. It should show the same content as the base site,
www.domain.tld. We'll do Webmail setup later.
Note to self
On Apache version 2.4.8 and above, replace:
SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem SSLCertificateFile /etc/letsencrypt/live/domain.tld/fullchain.pem
Fix security holes
/etc/apache2/conf-enabled/security.confto turn off server signatures:
Add modules needed
root@server:~# a2enmod headers root@server:~# a2enmod cgi root@server:~# systemctl restart apache2.service
Here are a few pages that are useful guides or provide background and context.
- How to set up virtual hosts with Apache
- SSL + Apache on Ubuntu
- Another guide to SSL + Apache on Ubuntu
- A step-by-step guide to SSL + Apache on Ubuntu
- General guide to SSL + Apache
- Strong SSL Security on Apache2
- How To Save Traffic With Apache2's mod_deflate (Not discussed here: if you use the Deflate module, remember to enable it (a2enmod deflate) and create an empty log file (touch /var/log/apache2/project_deflate.log) before restarting Apache.)