
Warning: these guides are mostly obsolete; please have a look at the new documentation.


Setting up Apache 2.4 with SSL

Setting up Apache 2.4 on Ubuntu Server 14 LTS

First, define the FQDN in /etc/hosts in first position, before the short name,

cd /etc/
vi hosts

ip fqdn short

Fetch your SSL certs,

cd /etc/apache2/
scp -r storage:/path/to/ssl/ .

apt install apache2
rm -f /var/www/html/index.html
touch /var/www/html/robots.txt
touch /var/www/html/favicon.ico
cd /etc/
cp -Rp apache2/ apache2.dist/
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf
cd ../sites-available/
cp 000-default.conf 000-default.conf.dist
cp default-ssl.conf default-ssl.conf.dist
vi 000-default.conf

<VirtualHost *:80>
  ServerAdmin abuse@domain.tld
  DocumentRoot /var/www/html
  Redirect / https://ADDRESS/
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

vi default-ssl.conf

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/cert.pem
    # the key has no passphrase: file permissions are its only protection
    SSLCertificateKeyFile /etc/apache2/ssl/cert.priv.nopass.pem
    ServerAdmin abuse@domain.tld
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error-ssl.log
    CustomLog ${APACHE_LOG_DIR}/access-ssl.log combined
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
      SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
  </VirtualHost>
</IfModule>

/etc/init.d/apache2 restart

Minimal setup with SSL and virtual hosts

Here's a minimal httpd.conf with FreeBSD paths (fix /usr/local paths for other systems),

ServerRoot "/usr/local"
DirectoryIndex index.html index.php
User nobody
Group nobody
TypesConfig etc/apache24/mime.types
Listen *:443
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /var/log/apache24/error.log
CustomLog /var/log/apache24/access.log combined
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
  SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
  Redirect /
  LogLevel warn
  ErrorLog /var/log/apache24/error-ssl.log
  CustomLog /var/log/apache24/access-ssl.log combined
</VirtualHost>

<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
  SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
  DocumentRoot /data/www.apache/
  LogLevel warn
  ErrorLog /var/log/apache24/mail.error-ssl.log
  CustomLog /var/log/apache24/mail.access-ssl.log combined
  <Directory /data/www.apache/>
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

Include etc/apache24/modules.conf

with modules.conf,

LoadModule mpm_prefork_module libexec/apache24/
#LoadModule mpm_event_module libexec/apache24/
LoadModule dir_module libexec/apache24/
LoadModule unixd_module libexec/apache24/
LoadModule mime_module libexec/apache24/
LoadModule access_compat_module libexec/apache24/
LoadModule ssl_module libexec/apache24/
LoadModule authz_core_module libexec/apache24/
LoadModule alias_module libexec/apache24/
LoadModule log_config_module libexec/apache24/
LoadModule php5_module libexec/apache24/

Testing PHP

Check that PHP is working fine,

cd /var/www/vhosts/local.example.apache/
cat > hello.php <<EOF9
<?php echo 'Hello world'; ?>
EOF9
cat > info.php <<EOF
<?php phpinfo(); ?>
EOF
cat > error.php <<EOF9
<?php
ini_set("display_errors", 1);
?>
EOF9

Note. If you also need to be informed of the strict PHP coding standards, use 'E_ALL|E_STRICT' (see php.ini comments).

Enabling CGI

Enable CGI,

<Directory "/path/to/">
  Options +ExecCGI
  AddHandler cgi-script .cgi .pl
</Directory>

For any redirect:
- for folder destinations, add the trailing slash (otherwise you may end up with e.g. example.netfilename.html)

<VirtualHost *:80>
  Redirect / http: //
</VirtualHost>

For multiple redirects:
- the URL with the trailing slash should come first
- the root dir should come last

<VirtualHost *:80>
  Redirect /dir/ http: //
  Redirect /dir http: //
  Redirect / http: //
</VirtualHost>
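
Both redirect rules above can be checked mechanically. The following is an added example, not part of the original guide: a shell function (lint_redirects, a hypothetical name) that reads Redirect directives in configuration order and reports targets missing the trailing slash and directives hidden by an earlier, broader one. It assumes mod_alias matches the source as a prefix on whole path segments and that the first matching directive wins; the example.net targets are constructed.

```sh
#!/bin/sh
# lint_redirects: read Apache configuration lines on stdin and report
#   NOSLASH   source ends with "/" but target does not, so the rest of the
#             request path is glued to the target (example.netfilename.html)
#   SHADOWED  an earlier Redirect already matches every URL this one could
# Simplified model of mod_alias (assumption): plain "Redirect [status] /src
# target" lines only; all lines are treated as one virtual host.
lint_redirects() {
    awk '
    # Would a Redirect whose source is "src" match the URL path "url"?
    function matches(src, url,    rest) {
        if (substr(url, 1, length(src)) != src) return 0
        if (src ~ /\/$/) return 1              # "/dir/" matches /dir/...
        rest = substr(url, length(src) + 1)
        return (rest == "" || rest ~ /^\//)    # "/dir" matches /dir and /dir/...
    }
    tolower($1) == "redirect" {
        i = ($2 ~ /^\//) ? 2 : 3               # skip an optional status argument
        src = $i; dst = $(i + 1)
        if (src ~ /\/$/ && dst !~ /\/$/)
            printf "NOSLASH line %d: %s -> %s\n", NR, src, dst
        for (k = 1; k <= n; k++)
            if (matches(seen[k], src)) {
                printf "SHADOWED line %d: %s (by %s on line %d)\n", NR, src, seen[k], at[k]
                break
            }
        seen[++n] = src; at[n] = NR
    }'
}

# Constructed sample: the order the guide recommends, then the reverse order.
good_conf='Redirect /dir/ http://example.net/new/
Redirect /dir http://example.net/new
Redirect / http://example.net/'
bad_conf='Redirect / http://example.net
Redirect /dir http://example.net/new
Redirect /dir/ http://example.net/new/'

printf '%s\n' "$good_conf" | lint_redirects    # prints nothing
printf '%s\n' "$bad_conf"  | lint_redirects    # one NOSLASH, two SHADOWED
```

Run it against a real file with `lint_redirects < 000-default.conf`.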

Directory index

In case directory indexing is disabled (enabled by default...), you might want to force it,

<Directory "/path/to/">
  Options +Indexes
</Directory>

Basic authentication

Inside Apache's or the virtual host's configuration,

<Location /exampledir>
  AuthType basic
  AuthName "private area"
  AuthUserFile /etc/httpd/passwd.example
  Require valid-user
</Location>

Note. It's also possible to use ".htaccess" for that; in that case, leave out the "Location" tag.

Create the password file,

cd /etc/httpd
htpasswd -h
htpasswd -c /etc/httpd/passwd.example username
chown apache:apache passwd.example
chmod 400 passwd.example

IP/hostname restrictions

Secure some folders,

<Directory "/var/www/html/ldap">
  order allow,deny
  allow from
</Directory>

404 and development error tracking

The user should get a custom 404 page,

ErrorDocument 404 http: //

Note the trailing slash.

On the server side, track the 404s down,

grep 404 /var/log/httpd/*errors* | grep -v favicon.ico | grep -v robots.txt
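
The grep above matches any line that contains the characters 404. As an added example (not part of the original guide), the function below, top_404s (a hypothetical name), does the same triage on an access log in the combined format configured earlier on this page, reading the status code from its own field. The log lines and addresses are constructed.

```sh
#!/bin/sh
# top_404s: read combined-format access log lines on stdin and print
# "count path" for requests answered with status 404, most frequent first.
# The status is read from its own field, so a 200 response of 404 bytes or
# a URL containing "404" is not counted (plain "grep 404" matches both).
# Lines that do not split into the 7 quote-delimited fields (for example
# an escaped quote in the request) are counted and reported on stderr.
top_404s() {
    awk -F'"' '
    NF != 7 { skipped++; next }
    {
        split($2, req, " ")          # req[1]=method req[2]=URL req[3]=protocol
        split($3, res, " ")          # res[1]=status res[2]=bytes
        path = req[2]
        sub(/\?.*/, "", path)        # group by path, drop the query string
        if (res[1] != "404") next
        if (path == "/favicon.ico" || path == "/robots.txt") next
        hits[path]++
    }
    END {
        for (p in hits) print hits[p], p
        if (skipped) print skipped " unparsed line(s)" > "/dev/stderr"
    }' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation addresses, invented requests).
sample_log='192.0.2.10 - - [10/Mar/2015:10:00:01 +0100] "GET /old/page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:00:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2015:10:00:03 +0100] "GET /old/page.html?ref=mail HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2015:10:00:04 +0100] "GET /img/404.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2015:10:00:05 +0100] "GET /index.html HTTP/1.1" 200 404 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Mar/2015:10:00:06 +0100] "GET /css/missing.css HTTP/1.1" 404 209 "http://example.net/" "Mozilla/5.0"
192.0.2.14 - - [10/Mar/2015:10:00:07 +0100] "GET /robots.txt HTTP/1.1" 404 209 "-" "ExampleBot/1.0"'

printf '%s\n' "$sample_log" | top_404s
```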

Eventually provide those errors to the web designers and programmers:
- fix the log file perms to let the Apache daemon read them,

chgrp apache /var/log/httpd/example_error.log
chmod g+r /var/log/httpd/example_error.log

- make a PHP or CGI script to print those files in a web page

.htaccess tips and tricks:

To allow dotfiles in directory listings, remove .??* from the IndexIgnore directive.
