Apache2 web server
Apache is a thread-per-request server that is steadily being replaced by event-driven servers such as Nginx or Node.js.
$ sudo apt install apache2
Apache's configuration is found at /etc/apache2/apache2.conf.
You may use an emulator instead of directly installing Apache:
- WAMP server (Windows Apache MySQL PHP)
- LAMP server (Linux Apache MySQL PHP)
- MAMP server (macOS Apache MySQL PHP)
- XAMPP (Cross-platform Apache MySQL PHP Perl)
Where to learn?
- DigitalOcean
List of commands
You can use systemctl to handle the apache2 service.
$ sudo systemctl stop apache2
$ sudo systemctl start apache2
$ sudo systemctl reload apache2
$ sudo systemctl restart apache2
$ systemctl status apache2
Apache2 files are located in:
$ cd /etc/apache2/conf-available/ # configurations
$ cd /etc/apache2/conf-enabled/ # symlinks to the enabled configurations
$ cd /etc/apache2/sites-available/ # websites
$ cd /etc/apache2/sites-enabled/ # symlinks to the enabled websites
$ tail /var/log/apache2/access.log
$ tail /var/log/apache2/error.log
Enable a website
$ cp 000-default.conf example.com.conf # one per website
$ sudo a2ensite example.com.conf
$ sudo a2dissite example.com.conf
$ sudo apache2ctl configtest
Enable a configuration
$ sudo a2enconf some_header.conf
Some modules
$ sudo a2enmod http2
$ sudo a2enmod headers
$ sudo a2enmod ssl
$ sudo a2enmod rewrite
Create a folder xxx for a website, in /var/www/ (usual folder that www-data can read/edit) for a non-root user yyy.
$ sudo mkdir -p /var/www/xxx/
$ sudo chown -R yyy:yyy /var/www/xxx/
$ sudo chmod -R 755 /var/www/xxx/
Sometimes, you may have permission problems. You need to investigate the problem, but one way to fix it is to give www-data the ownership over a directory (allowing them to create/edit files).
$ sudo chown -R www-data:www-data folder/
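Before and after an ownership change like the one above, it helps to see exactly which paths the web server account can modify. The script below is an added example, not part of the original notes; the helper names writable_by and webroot_is_readonly_for are hypothetical, and group membership is deliberately not evaluated.

```shell
#!/bin/sh
# Added example: list what a given account could modify under a web root.
# www-data is the Debian/Ubuntu web server account; helper names are hypothetical.

# Print every path under $1 that user $2 (name or numeric uid) can write to
# through the owner bits or the "other" bits. Symlinks are skipped because
# their own mode bits are meaningless.
writable_by() {  # $1 = web root, $2 = user
    find "$1" ! -type l \( \( -user "$2" -perm -200 \) -o -perm -002 \) -print | sort
}

# Exit status 0 only when nothing under the root is writable by that user.
webroot_is_readonly_for() {  # $1 = web root, $2 = user
    [ -z "$(writable_by "$1" "$2")" ]
}

# Constructed demo tree: site files read-only, one deliberate uploads/ directory.
demo=$(mktemp -d)
mkdir "$demo/uploads"
touch "$demo/index.php"
chmod 444 "$demo/index.php"
chmod 755 "$demo/uploads"
chmod 555 "$demo"
writable_by "$demo" "$(id -u)"   # uploads/ is the only path reported
chmod -R u+w "$demo"
rm -rf "$demo"
```

On a real server, run writable_by /var/www/xxx www-data; after a recursive chown to www-data every file shows up, which is the set a compromised web application could rewrite.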
HTTP2
See also http2.pro.
First, you must indicate that your server supports HTTP2, or HTTP1.1 as a fallback. You must add this to your virtual hosts .conf.
Protocols h2 http/1.1
$ sudo a2enmod http2
$ sudo systemctl start apache2 # don't
If you try to start the server, you will see an error in error.log. The commands below switch PHP to php-fpm and replace mpm_prefork with mpm_event before restarting.
$ version=7.1
$ sudo apt install php-fpm
$ sudo a2enmod proxy_fcgi setenvif
$ sudo a2enconf php${version}-fpm
$ sudo a2dismod php${version}
$ sudo a2dismod mpm_prefork
$ sudo a2enmod mpm_event
$ sudo systemctl restart apache2
Apache .htaccess
This is a file used to edit the virtual host configuration locally. Simply create a file .htaccess with some instructions inside.
# add to your configuration
<Directory /path/to/our/website>
AllowOverride All
Require all granted
</Directory>
A .htaccess is applied to a directory and its subdirectories. Every .htaccess in the path to the resource will be loaded. In cases of conflict, the nearest (latest) instruction is used.
See htaccess cheatsheet.
Random instructions
# Disable directory browsing
# (Apache 2.4 rejects mixing signed and unsigned options such as "All -Indexes")
Options -Indexes
# Redirect everything (aside from direct access)
# to index.php (when mod_rewrite is not installed)
<IfModule !mod_rewrite.c>
ErrorDocument 404 /index.php
</IfModule>
# Add a redirection
Redirect 301 /duck https://duckduckgo.com/
# Deny access to some directories/files
RewriteEngine on
RewriteRule ^/?(\.git|logs|temp|vendor) - [F]
RewriteRule /?(README.*|\.ht.*)$ - [F]
# Limit the size of uploads
LimitRequestBody 512000
Example: block access to everyone aside from localhost
This could be used to only allow a website to access some files such as uploaded avatars. Only 127.0.0.1 can request a resource.
order deny,allow
deny from all
allow from 127.0.0.1
Example: prompt for basic authentication
The server shows a popup asking for a username, and a password.
AuthUserFile /path/to/some/.htpasswd
AuthName "Protected Files"
AuthType Basic
# username allowed: xxx
Require user xxx
And you need an additional file: /path/to/some/.htpasswd
# username:hashed_password (htpasswd command?)
xxx:$apr1$8KSS.TIW$qWKI88AFeMSl3iemCuUCk/
To-do
Stuff that I found, but never read/used yet.
- /etc/apache2/envvars
- apache2ctl restart
- Apache Security
AllowOverride All
- Disable all ssl aside from TLS 1.2+
# edit /etc/apache2/sites-available/some_config.conf
# Protocols: TLS 1.2, TLS 1.3
SSLProtocol -all +TLSv1.3 +TLSv1.2
# restart: sudo service apache2 restart
# edit /etc/apache2/sites-available/some_config.conf
# append either 1), 2), 3) or something else
# don't forget to restart when you're done
# sudo service apache2 restart
SSLCipherSuite SOME_ALGS_HERE
SSLHonorCipherOrder on
Headers
$ sudo nano /etc/apache2/conf-enabled/security.conf
# ServerSignature Off
# ServerTokens Prod
$ sudo a2query -m
$ sudo a2enconf # select a conf
$ sudo a2enmod # select a mod
OCSP Stapling
# use either 1) or 2), don't forget to restart
# restart: sudo service apache2 restart
# Proposition 1)
# edit /etc/apache2/sites-available/some_config.conf
# near the end
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# Proposition 2)
# in /etc/apache2/mods-available/ssl.conf
# near the end
SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
- SSLCompression: disabled by default, should stay disabled to prevent attacks such as CRIME.
- SSLSessionTickets: MUST BE DISABLED (enabled by default) if you are not restarting your server periodically
SSLSessionTickets off
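The TLS and header settings listed above are easy to leave commented out or half-applied, so the following added example (not from the original notes) audits a single config file for them. It accepts only the allow-list form of SSLProtocol shown above and assumes ServerTokens Prod and ServerSignature Off are the intended values; last_value, fail and audit_apache_conf are hypothetical names.

```shell
#!/bin/sh
# Added example: audit one Apache config file against the TLS/header settings above.
# Directive names are Apache's; last_value, fail and audit_apache_conf are hypothetical.

# Print (lowercased) the arguments of the last uncommented occurrence of a directive.
last_value() {  # $1 = directive, $2 = file
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print tolower(v) }' "$2"
}

fail() { echo "FAIL: $*"; rc=1; }

audit_apache_conf() {  # $1 = file; prints findings, returns 1 if there are any
    rc=0
    minus_all=0
    for tok in $(last_value SSLProtocol "$1"); do
        case $tok in
            -all) minus_all=1 ;;
            -*|+tlsv1.2|+tlsv1.3) ;;   # removing a protocol is always acceptable
            *) fail "SSLProtocol token '$tok' enables more than TLS 1.2/1.3" ;;
        esac
    done
    [ "$minus_all" -eq 1 ] || fail "SSLProtocol is missing or does not start from -all"
    # Session tickets are enabled by default, so an absent directive is a finding.
    [ "$(last_value SSLSessionTickets "$1")" = off ] || fail "SSLSessionTickets is not off"
    # Compression is disabled by default; only an explicit 'on' is a finding.
    [ "$(last_value SSLCompression "$1")" != on ] || fail "SSLCompression is on (CRIME)"
    [ "$(last_value SSLUseStapling "$1")" = on ] || fail "SSLUseStapling is not on"
    [ "$(last_value ServerTokens "$1")" = prod ] || fail "ServerTokens is not Prod"
    [ "$(last_value ServerSignature "$1")" = off ] || fail "ServerSignature is not Off"
    return "$rc"
}

# Constructed sample: defaults left in place with the hardening still commented out.
sample=$(mktemp)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv3
# SSLSessionTickets off
ServerTokens OS
ServerSignature On
EOF
audit_apache_conf "$sample" || echo "hardening incomplete: $sample"
rm -f "$sample"
```

Settings split across several files (ssl.conf, security.conf, the vhost) need one run per file, or a run over their concatenation.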
Permissions for files/folders.
# If you're using public_html
$ chmod 711 ~
$ chmod 711 ~/public_html
# The least permissions
$ chmod 600 file.php # for a .php
$ chmod 644 file.html # for a .html
$ chmod 711 folder # for a folder