Apache2 web server

Apache serves requests through a pluggable MPM (multi-processing module): prefork (one process per connection, the classic model), worker (threads) or event (threads plus an event loop for idle keep-alive connections). The process- or thread-per-connection models are the reason it is steadily being replaced, or fronted, by event-driven servers such as Nginx or Node.js; on a current install use mpm_event.

$ sudo apt install apache2

Apache's configuration is found at /etc/apache2/apache2.conf.

👉 Instead of installing Apache on its own, you may use a bundled stack (Apache plus a database and PHP, preconfigured for development, not hardened for production):

  • WAMP server (Windows Apache MySQL PHP)
  • LAMP server (Linux Apache MySQL PHP)
  • MAMP server (macOS Apache MySQL PHP)
  • XAMPP (Cross-platform Apache MySQL PHP Perl)


List of commands

You can use systemctl to manage the apache2 service. After a configuration change prefer reload over restart: it re-reads the configuration gracefully without dropping in-flight connections.

$ sudo systemctl stop apache2
$ sudo systemctl start apache2
$ sudo systemctl reload apache2
$ sudo systemctl restart apache2
$ systemctl status apache2

Apache2 files are located in

$ cd /etc/apache2/conf-available/  # global configuration snippets
$ cd /etc/apache2/conf-enabled/    # symlinks to the enabled snippets (a2enconf), not copies
$ cd /etc/apache2/sites-available/ # virtual hosts, one file per website
$ cd /etc/apache2/sites-enabled/   # symlinks to the enabled virtual hosts (a2ensite), not copies
$ tail /var/log/apache2/access.log
$ tail /var/log/apache2/error.log

Enable a website

$ cd /etc/apache2/sites-available/
$ sudo cp 000-default.conf example.com.conf # one file per website; edit ServerName, DocumentRoot, ...
$ sudo apache2ctl configtest                # check the syntax before enabling
$ sudo a2ensite example.com.conf            # creates the symlink in sites-enabled/
$ sudo systemctl reload apache2
$ sudo a2dissite example.com.conf           # disable it again (then reload)

Enable a configuration

$ sudo a2enconf some_header.conf # from conf-available/; then reload apache2

Some modules

$ sudo a2enmod http2   # HTTP/2 (see below: needs mpm_event)
$ sudo a2enmod headers # Header directive (security headers)
$ sudo a2enmod ssl     # TLS virtual hosts
$ sudo a2enmod rewrite # RewriteEngine / RewriteRule

Create a folder xxx for a website in /var/www/ (the usual web root, readable by www-data), owned by the non-root user yyy who deploys the files:

$ sudo mkdir -p /var/www/xxx/
$ sudo chown -R yyy:yyy /var/www/xxx/
$ sudo chmod -R 755 /var/www/xxx/ # sets 755 on files too; files only need 644 (see Permissions below)

Sometimes you may have permission problems (www-data cannot read a file, or the application cannot write to an upload directory). Investigate the cause first (ls -l, namei -l /var/www/xxx/some/file), but one way to fix it is to give www-data ownership of a directory, which lets the web server, and therefore any code it runs, create and edit files there. Do this only for directories that genuinely need to be written (uploads, caches), never for the whole web root: a writable web root turns any upload or include bug into arbitrary code execution.

$ sudo chown -R www-data:www-data folder/

HTTP2

See also http2.pro.

First, you must tell Apache which protocols a virtual host supports, with HTTP/1.1 as a fallback. Add this to the virtual host's .conf, in the :443 (TLS) host: browsers only negotiate h2 over TLS (via ALPN), so plain-HTTP hosts never get it.

Protocols h2 http/1.1
$ sudo a2enmod http2
$ sudo systemctl start apache2 # ❌ don't, not yet

If you start the server now, error.log shows a warning that mod_http2 does not support the prefork MPM, and HTTP/2 stays inactive. The Debian PHP module (libapache2-mod-php) is not thread-safe and forces mpm_prefork, so PHP must first be moved to php-fpm behind mod_proxy_fcgi, and only then can the MPM be switched to event:

$ version=7.1 # use your installed PHP version (php -v)
$ sudo apt install php${version}-fpm
$ sudo a2enmod proxy_fcgi setenvif
$ sudo a2enconf php${version}-fpm
$ sudo a2dismod php${version}
$ sudo a2dismod mpm_prefork
$ sudo a2enmod mpm_event
$ sudo apache2ctl configtest
$ sudo systemctl restart apache2 # changing the MPM needs a full restart, not a reload
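The prerequisites above (mod_http2 loaded, no mpm_prefork, no mod_php) can be checked from the loaded-module list before restarting. This is an added example, not part of the original notes: on a real host the input is the output of apache2ctl -M; the two module lists below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original notes): decide from the loaded-module
# list whether mod_http2 will actually serve HTTP/2 after "a2enmod http2".
# Real input is `apache2ctl -M`; these two lists are constructed samples.

H2_SAMPLE_PREFORK='Loaded Modules:
 core_module (static)
 mpm_prefork_module (shared)
 php7_module (shared)
 ssl_module (shared)'

H2_SAMPLE_EVENT='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)
 proxy_fcgi_module (shared)
 setenvif_module (shared)
 http2_module (shared)
 ssl_module (shared)'

# has_module "<module list>" <name>: true if the module is loaded.
has_module() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2 "
}

# h2_ready "<module list>": prints one reason per line why HTTP/2 would stay
# inactive and returns 1; prints nothing and returns 0 when the set is fine.
h2_ready() {
    modules="$1"
    rc=0
    if ! has_module "$modules" http2_module; then
        echo "mod_http2 is not loaded (sudo a2enmod http2)"
        rc=1
    fi
    # mod_http2 refuses to work under mpm_prefork (AH10034 advisory in error.log)
    if has_module "$modules" mpm_prefork_module; then
        echo "mpm_prefork is loaded: mod_http2 needs mpm_event (or worker)"
        rc=1
    fi
    # mod_php (php7_module, php_module, ...) only runs under prefork, so it
    # must be replaced by php-fpm behind mod_proxy_fcgi before switching MPM.
    if printf '%s\n' "$modules" | grep -q '^[[:space:]]*php[0-9]*_module '; then
        echo "mod_php is loaded: move PHP to php-fpm (a2enmod proxy_fcgi; a2enconf phpX.Y-fpm; a2dismod phpX.Y)"
        rc=1
    fi
    return $rc
}

# Stand-alone demo on the constructed samples; on a real host use:
#   h2_ready "$(apache2ctl -M 2>/dev/null)"
for sample in "$H2_SAMPLE_PREFORK" "$H2_SAMPLE_EVENT"; do
    if h2_ready "$sample"; then
        echo "HTTP/2 can be active"
    fi
    echo "---"
done
```

Run it after the php-fpm steps and before the restart; once it prints nothing, a curl --http2 -I https://example.com/ against the restarted server should report HTTP/2 in the status line.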

Apache .htaccess

This is a per-directory configuration file: Apache reads it at request time and applies its directives on top of the virtual host configuration, without a reload. Simply create a file named .htaccess with some instructions inside. It is only honoured where the configuration allows it, and that has a security side: with AllowOverride All, anyone who can write to the web root (an upload bug, a compromised CMS) can change the server's behaviour for that directory. Allow only what you need (for example AllowOverride FileInfo AuthConfig Limit), or keep AllowOverride None and put the directives in the virtual host instead, which is also faster since Apache then skips the per-request .htaccess lookups.

    # add to your virtual host configuration
    <Directory /path/to/our/website>
        AllowOverride All
        Require all granted
    </Directory>

A .htaccess applies to its directory and all subdirectories. Every .htaccess on the path from the web root down to the requested resource is read, in order. ➡️ In case of conflict, the one closest to the resource (read last) wins.

➡️ See htaccess cheatsheet.

Random instructions

# Disable directory browsing (listing of a directory that has no index file)
Options All -Indexes

# Send every request that does not exist on disk to index.php
# (when mod_rewrite is not available). The path must start with /;
# note that the client still receives a 404 status unless index.php
# sets its own. Apache 2.4 also offers FallbackResource /index.php (mod_dir).
<IfModule !mod_rewrite.c>
	ErrorDocument 404 /index.php
</IfModule>

# Add a redirection
Redirect 301 /duck https://duckduckgo.com/

# Deny access (403) to some directories/files. An exposed .git directory
# leaks the whole source history, including any committed secrets.
# Apache's default configuration already refuses .ht* files; keeping the
# rule costs nothing if that default is ever changed.
RewriteEngine on
RewriteRule ^/?(\.git|logs|temp|vendor)(/|$) - [F]
RewriteRule ^/?(README.*|\.ht.*)$ - [F]

# Limit the size of request bodies, i.e. uploads (bytes: 512000 = 500 KB)
LimitRequestBody 512000
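The deny rules above only help if you know what is lying in the web root. The following added example (not part of the original notes) lists the usual offenders, VCS metadata, dotfiles with secrets, dependency trees, dumps and editor backups, that would be served if a rule were missing or .htaccess were ignored (AllowOverride None). The sample site layout is constructed in a temporary directory; the file names are assumptions, extend the pattern list for your stack.

```shell
#!/bin/sh
# Added example (not part of the original notes): list paths in a web root
# that should never be served, relative to that root. The sample tree is
# constructed in a temp directory so the script runs offline.

# find_exposed <webroot>: print the matching paths relative to the web root,
# one per line, without descending into matched directories.
find_exposed() {
    webroot="$1"
    find "$webroot" -mindepth 1 \( -name '.git' -o -name '.svn' -o -name '.env' \
        -o -name '.htpasswd' -o -name 'README*' -o -name '*.sql' -o -name '*.bak' \
        -o -name '*~' -o -name 'vendor' -o -name 'node_modules' -o -name 'logs' \
        -o -name 'temp' \) -prune -print \
      | sed "s|^$webroot/||" | LC_ALL=C sort
}

# make_sample_webroot: build a constructed site layout and print its path.
make_sample_webroot() {
    sample=$(mktemp -d)
    mkdir -p "$sample/.git" "$sample/css" "$sample/vendor/pkg" "$sample/uploads"
    echo 'ref: refs/heads/main' > "$sample/.git/HEAD"
    echo 'DB_PASSWORD=hunter2' > "$sample/.env"          # constructed secret
    echo '<?php echo "hi";' > "$sample/index.php"
    : > "$sample/css/style.css"
    : > "$sample/vendor/pkg/autoload.php"
    : > "$sample/README.md"
    : > "$sample/backup.sql"
    : > "$sample/uploads/avatar.png"
    printf '%s\n' "$sample"
}

# Stand-alone demo; on a real host: find_exposed /var/www/example.com
SAMPLE_ROOT=$(make_sample_webroot)
find_exposed "$SAMPLE_ROOT"
rm -rf "$SAMPLE_ROOT"
```

Anything it prints either needs a deny rule, or better, should not be in the web root at all: keep .git, .env and vendor/ one level above DocumentRoot and point the application at them from there.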

Example: block access to everyone aside from localhost

Only requests arriving from 127.0.0.1 are served; everyone else gets a 403. This could be used so that only code running on the same host (for example the website itself fetching uploaded avatars) can reach some files. Beware that anything behind a reverse proxy or load balancer running on the same machine also appears to come from 127.0.0.1, so in that setup this is not a substitute for authentication.

# Apache 2.2 syntax (still works on 2.4 through mod_access_compat)
order deny,allow
deny from all
allow from 127.0.0.1

# Apache 2.4 syntax (mod_authz_host); Require local also matches ::1.
# Use one style or the other, not both in the same context.
Require ip 127.0.0.1

Example: prompt for basic authentication

The browser shows a login prompt asking for a username and a password. Basic auth sends the credentials base64-encoded, not encrypted, with every request, so only use it on HTTPS hosts.

AuthUserFile /path/to/some/.htpasswd
AuthName "Protected Files"
AuthType Basic
# username allowed: xxx
Require user xxx

And you need an additional file, /path/to/some/.htpasswd, kept outside the document root so it can never be downloaded. Create it with htpasswd from apache2-utils (-c creates the file, omit it to add more users; -B selects bcrypt, the strongest scheme htpasswd supports):

$ sudo htpasswd -B -c /path/to/some/.htpasswd xxx

# username:hashed_password
# $apr1$ is htpasswd's default (salted MD5); prefer -B for new entries
xxx:$apr1$8KSS.TIW$qWKI88AFeMSl3iemCuUCk/
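Because the scheme is visible in the hash prefix, an existing .htpasswd can be audited for entries that should be re-hashed. This added example (not part of the original notes) does that from a constructed sample file; the bcrypt and SHA-1 strings in it are placeholders with the right prefix, not real hashes, and only the xxx line is taken from the page.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an .htpasswd file and
# report the hash scheme per user, so weak entries can be re-hashed with
# `htpasswd -B` (bcrypt). The sample file is constructed below.

# audit_htpasswd <file>: print "user scheme verdict" for each entry.
audit_htpasswd() {
    while IFS=: read -r user hash; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        case "$hash" in
            '$2y$'*|'$2a$'*|'$2b$'*) scheme=bcrypt;   verdict="ok" ;;
            '$apr1$'*) scheme=apr1-md5; verdict="legacy (salted MD5, htpasswd default): re-hash with -B" ;;
            '{SHA}'*)  scheme=sha1;     verdict="weak (unsalted SHA-1)" ;;
            *)
                # 13 chars of [./0-9A-Za-z] is traditional DES crypt (8-char passwords)
                if [ ${#hash} -eq 13 ] && [ -z "$(printf '%s' "$hash" | tr -d './0-9A-Za-z')" ]; then
                    scheme=crypt;  verdict="weak (DES crypt)"
                else
                    scheme=plain;  verdict="weak (plaintext)"
                fi ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
}

# write_sample_htpasswd: write a constructed sample file and print its path.
write_sample_htpasswd() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample; only the hash prefixes matter
xxx:$apr1$8KSS.TIW$qWKI88AFeMSl3iemCuUCk/
alice:$2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:{SHA}0123456789abcdefghijklmnopq=
carol:ab/XYZ1234567
dave:hunter2
EOF
    printf '%s\n' "$tmp"
}

# Stand-alone demo; on a real host: audit_htpasswd /path/to/some/.htpasswd
SAMPLE_HTPASSWD=$(write_sample_htpasswd)
audit_htpasswd "$SAMPLE_HTPASSWD"
rm -f "$SAMPLE_HTPASSWD"
```

Re-hashing means asking each flagged user for their password again (htpasswd -B file user); the old hash cannot be converted without it.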

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • AllowOverride All
  • Disable all SSL/TLS versions aside from TLS 1.2+ (TLSv1.3 needs Apache 2.4.36+ built against OpenSSL 1.1.1+)

# edit /etc/apache2/sites-available/some_config.conf
# Protocols: TLS 1.2 and TLS 1.3 only. Allow-list form: turn everything
# off, then add back what you want, so a future old protocol never sneaks in.
SSLProtocol -all +TLSv1.3 +TLSv1.2
# restart: sudo systemctl restart apache2

  • Choose the cipher suites

# edit /etc/apache2/sites-available/some_config.conf
# take the suite list from a maintained source such as the Mozilla SSL
# configuration generator (https://ssl-config.mozilla.org/) rather than
# hand-picking algorithms; don't forget to restart when you're done
# sudo systemctl restart apache2
SSLCipherSuite SOME_ALGS_HERE
# apply the server's order for TLS 1.2 negotiations (TLS 1.3 suites are unaffected)
SSLHonorCipherOrder on

Headers

Hide the version banner in error pages and the Server header; it only helps attackers fingerprint the exact build:

$ sudo nano /etc/apache2/conf-available/security.conf # conf-enabled/security.conf is a symlink to it
ServerSignature Off
ServerTokens Prod

$ sudo a2query -m  # list the enabled modules
$ sudo a2enconf    # with no argument: lists the available confs and asks which to enable
$ sudo a2enmod     # same for modules

OCSP Stapling

# use either 1) or 2), don't forget to restart
# restart: sudo systemctl restart apache2
# SSLStaplingCache is only valid at server level (outside any <VirtualHost>),
# so in 1) put it above the <VirtualHost> block, not inside it.

# Option 1)
# edit /etc/apache2/sites-available/some_config.conf
SSLUseStapling On                                 # inside <VirtualHost *:443>
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" # outside; the path is relative to ServerRoot

# Option 2)
# in /etc/apache2/mods-available/ssl.conf
# near the end
SSLUseStapling On
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)

  • SSLCompression: disabled by default and should stay disabled, to prevent attacks such as CRIME (TLS compression leaks secrets through ciphertext length).

  • SSLSessionTickets: enabled by default, MUST BE DISABLED unless you restart the server regularly. The ticket encryption key is generated at startup and never rotated, so one key protects every resumable session until the next restart, which undermines forward secrecy.

SSLSessionTickets off
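The TLS settings in this to-do (TLS 1.2+ only, stapling on, session tickets off, compression off) can be checked mechanically before running configtest. This is an added example, not part of the original notes: both virtual host configs are constructed samples, and SOME_ALGS_HERE is left as the page's placeholder; on a real host pass the contents of your sites-available file.

```shell
#!/bin/sh
# Added example (not part of the original notes): lint the TLS directives of
# a virtual host against the hardening settings above. The two configs are
# constructed samples; the weak one is roughly an untouched default.

WEAK_VHOST='<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL
    SSLSessionTickets on
    SSLCompression on
</VirtualHost>'

HARDENED_VHOST='<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.3 +TLSv1.2
    SSLCipherSuite SOME_ALGS_HERE
    SSLHonorCipherOrder on
    SSLUseStapling on
    SSLSessionTickets off
    SSLCompression off
</VirtualHost>'

# conf_get "<config>" <Directive>: value of the last uncommented occurrence
# of the directive (empty when unset), surrounding whitespace stripped.
conf_get() {
    printf '%s\n' "$1" \
      | grep "^[[:space:]]*$2[[:space:]]" \
      | tail -n 1 \
      | sed "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*$//"
}

# tls_lint "<config>": one finding per line; returns 0 when there is none.
tls_lint() {
    conf="$1"
    rc=0
    proto=$(conf_get "$conf" SSLProtocol)
    case "$proto" in
        *-all*) ;;   # allow-list form: everything off, then add what you want
        *) echo "SSLProtocol: use '-all +TLSv1.3 +TLSv1.2' (got: ${proto:-unset})"; rc=1 ;;
    esac
    case "$proto " in   # trailing space so the last token is matched too
        *"+SSLv3 "*|*"+TLSv1 "*|*"+TLSv1.1 "*)
            echo "SSLProtocol: enables a legacy protocol ($proto)"; rc=1 ;;
    esac
    case "$(conf_get "$conf" SSLUseStapling)" in
        [Oo]n) ;;
        *) echo "SSLUseStapling on is missing (OCSP stapling)"; rc=1 ;;
    esac
    case "$(conf_get "$conf" SSLSessionTickets)" in
        [Oo]ff) ;;
        *) echo "SSLSessionTickets off is missing (ticket key never rotates without a restart)"; rc=1 ;;
    esac
    case "$(conf_get "$conf" SSLCompression)" in
        ''|[Oo]ff) ;;   # off by default, so absent is fine
        *) echo "SSLCompression must stay off (CRIME)"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo; on a real host:
#   tls_lint "$(cat /etc/apache2/sites-available/example.com.conf)"
for vhost in "$WEAK_VHOST" "$HARDENED_VHOST"; do
    if tls_lint "$vhost"; then
        echo "no findings"
    fi
    echo "---"
done
```

The lint reads one file, so it does not see SSLStaplingCache, which lives at server level (ssl.conf or above the VirtualHost block); without it SSLUseStapling on fails at configtest, which is the check to run next.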

Permissions for files/folders.

# ➡️ If you're using public_html (per-user sites, mod_userdir)
$ chmod 711 ~             # traverse only: www-data can enter but not list your home
$ chmod 711 ~/public_html
# ➡️ The least permissions
$ chmod 600 file.php  # for a .php: only when PHP runs as the file's owner (php-fpm pool user, suexec);
                      # under mod_php running as www-data it needs 640 with group www-data, or 644
$ chmod 644 file.html # for a .html: the server only needs to read it
$ chmod 711 folder    # for a folder: traverse without listing