
These documents are obsolete; please use the Nethence Documentation instead.


Setting up Apache 2.4 with SSL
Setting up Apache 2.4 on Ubuntu Server 14 LTS
First, define the FQDN in /etc/hosts, placing it first on the line, before the short name,
cd /etc/
vi hosts
ip fqdn short
Fetch your SSL certificates (the private key used below has no passphrase, so keep it readable by root only),
cd /etc/apache2/
scp -r storage:/path/to/ssl/ .
apt install apache2
rm -f /var/www/html/index.html
touch /var/www/html/robots.txt
touch /var/www/html/favicon.ico
cd /etc/
cp -Rp apache2/ apache2.dist/
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf
cd ../sites-available/
cp 000-default.conf 000-default.conf.dist
cp default-ssl.conf default-ssl.conf.dist
vi 000-default.conf
<VirtualHost *:80>
ServerAdmin abuse@domain.tld
DocumentRoot /var/www/html

Redirect / https://ADDRESS/

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
vi default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cert.pem 
SSLCertificateKeyFile /etc/apache2/ssl/cert.priv.nopass.pem 

ServerAdmin abuse@domain.tld
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error-ssl.log
CustomLog ${APACHE_LOG_DIR}/access-ssl.log combined

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
/etc/init.d/apache2 restart
Minimal setup with SSL and virtual hosts
Here's a minimal httpd.conf with FreeBSD paths (fix /usr/local paths for other systems),
ServerRoot "/usr/local"
DirectoryIndex index.html index.php
User nobody
Group nobody
TypesConfig etc/apache24/mime.types
Listen *:443
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /var/log/apache24/error.log
CustomLog /var/log/apache24/access.log combined
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
Redirect /
LogLevel warn
ErrorLog /var/log/apache24/error-ssl.log
CustomLog /var/log/apache24/access-ssl.log combined
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
DocumentRoot /data/www.apache/
LogLevel warn
ErrorLog /var/log/apache24/mail.error-ssl.log
CustomLog /var/log/apache24/mail.access-ssl.log combined
<Directory /data/www.apache/>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Include etc/apache24/modules.conf
with modules.conf,
LoadModule mpm_prefork_module libexec/apache24/
#LoadModule mpm_event_module libexec/apache24/
LoadModule dir_module libexec/apache24/
LoadModule unixd_module libexec/apache24/
LoadModule mime_module libexec/apache24/
LoadModule access_compat_module libexec/apache24/
LoadModule ssl_module libexec/apache24/
LoadModule authz_core_module libexec/apache24/
LoadModule alias_module libexec/apache24/
LoadModule log_config_module libexec/apache24/
LoadModule php5_module libexec/apache24/
Testing PHP
Check that PHP is working,
cd /var/www/vhosts/local.example.apache/
cat > hello.php <<EOF9
<?php echo 'Hello world'; ?>
EOF9
cat > info.php << EOF
<?php phpinfo(); ?>
EOF
cat > error.php <<EOF9
<?php
ini_set("display_errors", 1);
?>
EOF9
Note: if you also need to be informed of strict PHP coding standards violations, use 'E_ALL|E_STRICT' (see the php.ini comments). Remove info.php and error.php once testing is done, since phpinfo() output and displayed errors disclose server configuration details.
Enabling CGI
Enable CGI,
<Directory "/path/to/">
  Options +ExecCGI
  AddHandler cgi-script .cgi .pl
</Directory>
For any redirect:
- for folder destinations, add the trailing slash to the target (otherwise a request for /filename.html may end up at e.g. example.netfilename.html)
<VirtualHost *:80>
Redirect / http: //
</VirtualHost>
For multiple redirects:
- the trailing slash url should be first
- the root dir should come last
<VirtualHost *:80>
Redirect /dir/ http: //
Redirect /dir http: //
Redirect / http: //
</VirtualHost>
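The two redirect rules above can be checked mechanically. The script below is an added example, not part of the original page: it flags a Redirect whose URL-path ends in a slash while its target does not, and any Redirect placed after a catch-all "Redirect /" in the same virtual host. The function name lint_redirects and the sample hostnames and paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Lints Apache "Redirect" lines for
# the two pitfalls above. Hostnames and paths in the sample are constructed.

lint_redirects() {   # usage: lint_redirects /path/to/vhost.conf
    awk '
    /^[ \t]*<VirtualHost/ { root_seen = 0 }      # ordering is judged per vhost
    tolower($1) == "redirect" {
        gsub(/"/, "")                            # arguments may be quoted
        i = ($2 ~ /^\//) ? 2 : 3                 # skip optional status argument
        path = $i; target = $(i + 1)
        # mod_alias takes the first matching Redirect in file order.
        if (root_seen)
            printf "%d: %s is shadowed by an earlier Redirect /\n", NR, path
        # The matched prefix is cut off and the rest of the request path is
        # appended to the target verbatim.
        if (target != "" && path ~ /\/$/ && target !~ /\/$/)
            printf "%d: %s has no trailing slash, request path will be glued onto it\n", NR, target
        if (path == "/") root_seen = 1
    }' "$1"
}

# Constructed sample: line 2 loses the slash, line 7 sits behind "Redirect /".
sample=$(mktemp)
cat > "$sample" <<'EOF'
<VirtualHost *:80>
Redirect / http://example.net
</VirtualHost>
<VirtualHost *:8080>
Redirect /dir/ http://example.net/new/
Redirect permanent / http://example.net/
Redirect /dir http://example.net/new
</VirtualHost>
EOF
lint_redirects "$sample"
rm -f "$sample"
```

Each output line starts with the line number of the offending directive in the file that was checked.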
Directory index
In case directory indexing is disabled (enabled by default...), you might want to force it,
<Directory "/path/to/">
  Options +Indexes
</Directory>
Basic authentication
Inside Apache's or the virtual host's configuration (use the SSL virtual host, since Basic credentials are only base64-encoded on the wire),
<Location /exampledir>
  AuthType basic
  AuthName "private area"
  AuthUserFile /etc/httpd/passwd.example
  Require valid-user
</Location>
Note: it's also possible to use ".htaccess" for that, in which case the "Location" tag is omitted.
Create the password file,
cd /etc/httpd
htpasswd -h
htpasswd -c /etc/httpd/passwd.example username
chown apache:apache passwd.example
chmod 400 passwd.example
IP/hostname restrictions
Secure some folders,
<Directory "/var/www/html/ldap">
order allow,deny
allow from
</Directory>
404 and development error tracking
The user should get a custom 404 page,
ErrorDocument 404 http: //
Note the trailing slash.
On the server side, track down the 404s,
grep 404 /var/log/httpd/*errors* | grep -v favicon.ico | grep -v robots.txt
Optionally, provide those errors to the web designers and programmers:
- fix the log file perms to let the Apache daemon read them,
chgrp apache /var/log/httpd/example_error.log
chmod g+r /var/log/httpd/example_error.log
- make a PHP or CGI script to print those files in a web page (restrict access to that page, e.g. with the basic authentication above)
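The 404 tracking above can also be done from the access log by reading the status field instead of grepping for the string 404. The script below is an added example, not part of the original page: the function top_404 (a name chosen here) parses the "combined" format, counts missing paths, and skips favicon.ico and robots.txt as the grep above does. The log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Log lines below are constructed.

# Print "count path" for requests answered with 404, most frequent first.
# Reads the "combined" access log format and tests the status field itself,
# so a 404 appearing in a byte count, URL or address is not miscounted.
top_404() {   # usage: top_404 /path/to/access.log
    awk '
    {
        # Split on double quotes: [2] is the request line, [3] is " status bytes ".
        n = split($0, q, "\"")
        if (n < 3) next
        split(q[2], req, " ");  path = req[2]
        split(q[3], st, " ");   status = st[1]
        if (status != "404") next
        sub(/\?.*/, "", path)                    # group by path, drop query string
        if (path == "/favicon.ico" || path == "/robots.txt") next
        hits[path]++
    }
    END { for (p in hits) printf "%d %s\n", hits[p], p }' "$1" | sort -k1,1nr -k2
}

# Constructed sample log in the "combined" format.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.0.2.10 - - [04/Mar/2016:10:00:01 +0100] "GET /old/page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [04/Mar/2016:10:00:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [04/Mar/2016:10:00:03 +0100] "GET /old/page.html?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [04/Mar/2016:10:00:04 +0100] "GET /img/404.png HTTP/1.1" 200 404 "-" "Mozilla/5.0"
192.0.2.12 - - [04/Mar/2016:10:00:05 +0100] "GET /css/site.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
top_404 "$sample"
rm -f "$sample"
```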
.htaccess tips and tricks
To allow dotfiles in directory listings, remove .??* from the IndexIgnore directive.

Last update: Mar 04, 2016