This doc is obsolete -- see http://doc.nethence.com/ instead
Setting up Apache 2.4 with SSL
http://pbraun.nethence.com/unix/www/apache2.html
http://pbraun.nethence.com/unix/databases/mysql.html
Setting up Apache 2.4 on Ubuntu Server 14 LTS
First, define the FQDN in /etc/hosts, in first position before the short name,
cd /etc/
vi hosts
ip fqdn short
Fetch your SSL certs,
cd /etc/apache2/
scp -r storage:/path/to/ssl/ .
Proceed,
apt install apache2
rm -f /var/www/html/index.html
touch /var/www/html/robots.txt
touch /var/www/html/favicon.ico
cd /etc/
cp -Rp apache2/ apache2.dist/
cd /etc/apache2/sites-enabled/
ln -s ../sites-available/default-ssl.conf
cd ../sites-available/
cp 000-default.conf 000-default.conf.dist
cp default-ssl.conf default-ssl.conf.dist
vi 000-default.conf
<VirtualHost *:80>
ServerAdmin abuse@domain.tld
DocumentRoot /var/www/html
Redirect / https://ADDRESS/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
vi default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/cert.priv.nopass.pem
ServerAdmin abuse@domain.tld
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error-ssl.log
CustomLog ${APACHE_LOG_DIR}/access-ssl.log combined
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Apply,
/etc/init.d/apache2 restart
Minimal setup with SSL and virtual hosts
Here's a minimal httpd.conf with FreeBSD paths (fix /usr/local paths for other systems),
ServerName bsd.example.net
ServerRoot "/usr/local"
DirectoryIndex index.html index.php
User nobody
Group nobody
TypesConfig etc/apache24/mime.types
Listen *:443
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
ErrorLog /var/log/apache24/error.log
CustomLog /var/log/apache24/access.log combined
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
Redirect / http://pbraun.example.net/
LogLevel warn
ErrorLog /var/log/apache24/error-ssl.log
CustomLog /var/log/apache24/access-ssl.log combined
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /usr/local/etc/apache24/ssl/cert.crt
SSLCertificateKeyFile /usr/local/etc/apache24/ssl/cert.key
ServerName mail.example.net
DocumentRoot /data/www.apache/mail.example.net
LogLevel warn
ErrorLog /var/log/apache24/mail.error-ssl.log
CustomLog /var/log/apache24/mail.access-ssl.log combined
<Directory /data/www.apache/mail.example.net>
AllowOverride All
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Include etc/apache24/modules.conf
with modules.conf,
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule dir_module libexec/apache24/mod_dir.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule php5_module libexec/apache24/libphp5.so
Testing PHP
Check that PHP is working fine,
cd /var/www/vhosts/local.example.apache/
cat > hello.php <<EOF9
<?php echo 'Hello world'; ?>
EOF9
cat > info.php << EOF
<?php phpinfo(); ?>
EOF
cat > error.php <<EOF9
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("hello.php");
?>
EOF9
Note: if you also need to be informed of the strict PHP coding standards, use 'E_ALL|E_STRICT' (see php.ini comments).
Enabling CGI
Enable CGI,
<Directory "/path/to/www.example.com">
Options +ExecCGI
AddHandler cgi-script .cgi .pl
</Directory>
Redirect
For any redirect :
- for folder destinations, add the trailing slash (otherwise you may have e.g. example.netfilename.html)
e.g.,
<VirtualHost *:80>
ServerName example.net
Redirect / http://www.example.net/
</VirtualHost>
For multiple redirects:
- the trailing slash URL should be first
- the root dir should be last
e.g.,
<VirtualHost *:80>
ServerName www.example.net
Redirect /dir/ http://alt.example.net/dir/file.html
Redirect /dir http://alt.example.net/dir/file.html
Redirect / http://alt.example.net/
</VirtualHost>
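Why the trailing slash and the ordering both matter, as an added example that is not part of the original page: a simplified Python model of how mod_alias matches Redirect prefixes (first match in configuration order wins, and the unmatched rest of the path is appended to the target). The function names match_len and redirect are hypothetical.

```python
# Simplified model of mod_alias Redirect matching (added example, not Apache code).
# Assumes plain "Redirect URL-path URL" lines: no status, no RedirectMatch, no query.

def match_len(path, prefix):
    """Return how many characters of path the Redirect prefix consumes, or 0.

    A run of '/' matches a run of '/', and the last prefix component must be a
    whole path segment: "/dir" matches "/dir/x" but not "/directory".
    """
    i = j = 0
    while j < len(prefix):
        if prefix[j] == "/":
            if i >= len(path) or path[i] != "/":
                return 0
            while j < len(prefix) and prefix[j] == "/":
                j += 1
            while i < len(path) and path[i] == "/":
                i += 1
        elif i < len(path) and path[i] == prefix[j]:
            i += 1
            j += 1
        else:
            return 0
    if not prefix.endswith("/") and i < len(path) and path[i] != "/":
        return 0
    return i


def redirect(path, rules):
    """Apply the first matching (prefix, target) rule, in configuration order."""
    for prefix, target in rules:
        n = match_len(path, prefix)
        if n:
            return target + path[n:]  # the unmatched remainder is appended as-is
    return None


# The page's ordering: trailing-slash prefix first, root last.
GOOD = [("/dir/", "http://alt.example.net/dir/file.html"),
        ("/dir", "http://alt.example.net/dir/file.html"),
        ("/", "http://alt.example.net/")]
BAD = [GOOD[2], GOOD[0], GOOD[1]]  # root first: it shadows the other two

if __name__ == "__main__":
    for path in ("/dir/", "/dir", "/page.html"):
        print(path, "->", redirect(path, GOOD), "| root first:", redirect(path, BAD))
    # A target without its trailing slash glues host and file name together.
    print(redirect("/filename.html", [("/", "http://www.example.net")]))
```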
Directory index
In case directory indexing is disabled (enabled by default...), you might want to force it,
<Directory "/path/to/">
Options +Indexes
</Directory>
Basic authentication
Inside apache's or virtualhost's configuration,
<Location /exampledir>
AuthType basic
AuthName "private area"
AuthUserFile /etc/httpd/passwd.example
Require valid-user
</Location>
Note: it is also possible to use ".htaccess" for that, in which case the directives go without the "Location" tag.
Create the password file,
cd /etc/httpd
htpasswd -h
htpasswd -c /etc/httpd/passwd.example username
chown apache:apache passwd.example
chmod 400 passwd.example
IP/hostname restrictions
Secure some folders,
<Directory "/var/www/html/ldap">
order allow,deny
allow from 10.1.1.10
</Directory>
404 and development error tracking
The user should get a custom 404 page,
ServerName...
ErrorDocument 404 http://pbraun.nethence.com/
Note the trailing slash.
On server side, track the 404s down,
grep 404 /var/log/httpd/*errors* | grep -v favicon.ico | grep -v robots.txt
Eventually, provide those errors to the web designers and programmers:
- fix the log file perms to let the Apache daemon read them,
chgrp apache /var/log/httpd/example_error.log
chmod g+r /var/log/httpd/example_error.log
- make a PHP or CGI script to print those files in a web page
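A stricter take on the grep above, as an added example that is not part of the original page: it assumes the access log uses the combined LogFormat shown earlier, compares only the status field against 404 (a plain grep also matches byte counts such as 4040), and reports the referer so broken links can be traced. The function name missing_pages is hypothetical and the sample lines are constructed.

```python
import re
from collections import Counter

# Matches the "combined" LogFormat shown earlier on this page:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + '$'
)
IGNORED = {"/favicon.ico", "/robots.txt"}   # same exclusions as the grep above


def missing_pages(lines):
    """Count 404 responses per (path, referer) from combined-format lines."""
    hits = Counter()
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue                      # not a combined-format line
        request, status, referer, _agent = m.groups()
        if status != "404":               # compare the status field only
            continue
        parts = request.split(" ")
        if len(parts) < 2:
            continue                      # malformed request line
        path = parts[1].split("?", 1)[0]  # drop the query string
        if path not in IGNORED:
            hits[(path, referer)] += 1
    return hits


# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2014:13:55:36 +0200] "GET /old/page.html HTTP/1.1" 404 208 "http://www.example.net/index.html" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2014:13:55:37 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2014:13:56:01 +0200] "GET /index.html HTTP/1.1" 200 4040 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [10/Oct/2014:13:57:12 +0200] "GET /old/page.html?x=1 HTTP/1.1" 404 208 "http://www.example.net/index.html" "curl/7.35.0"',
    '192.0.2.13 - - [10/Oct/2014:13:58:40 +0200] "GET /robots.txt HTTP/1.1" 404 208 "-" "ExampleBot/1.0"',
]

if __name__ == "__main__":
    for (path, referer), count in missing_pages(SAMPLE).most_common():
        print(count, path, "linked from", referer)
```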
Misc
.htaccess tips and tricks : http://corz.org/serv/tricks/htaccess.php
To allow dotfiles in directory listings, remove .??* from the IndexIgnore directive.