logging

Friday, November 1, 2024

Installing Apache2 and configuring a virtual domain on Ubuntu 22.04

Install and configure Apache2

Install apache2 and configure the firewall:
sudo apt install apache2
sudo ufw app list
sudo ufw allow 'Apache Full'
systemctl status apache2
Apache2 status should look like:
<user>@<hostname>:~$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor prese>
     Active: active (running) since Thu 2022-07-14 11:27:14 UTC; 1h 7min ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 1749 (apache2)
      Tasks: 55 (limit: 956)
     Memory: 5.4M
        CPU: 268ms
     CGroup: /system.slice/apache2.service
             ├─1749 /usr/sbin/apache2 -k start
             ├─1751 /usr/sbin/apache2 -k start
             └─1752 /usr/sbin/apache2 -k start
Firewall status should now look like:
<user>@<hostname>:~$ sudo ufw app list
Available applications:
  Apache
  Apache Full
  Apache Secure
  OpenSSH
Append a ServerName to /etc/apache2/apache2.conf:
# ServerName
ServerName <hostname>
Disable directory listings:
sudo a2dismod --force autoindex
That should look like:
sudo a2dismod --force autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
Restart:
sudo systemctl restart apache2
Within Apache create a virtual domain:
sudo mkdir /var/www/<YOUR_DOMAIN>
sudo chown -R $USER:$USER /var/www/<YOUR_DOMAIN>
sudo chmod -R 755 /var/www/<YOUR_DOMAIN>
Create a test index.html for this domain:
cat << EOT > /var/www/<YOUR_DOMAIN>/index.html
<html>
    <head>
        <title>Welcome to <YOUR_DOMAIN>!</title>
    </head>
    <body>
        <h1>Success!  The <YOUR_DOMAIN> virtual host is working!</h1>
    </body>
</html>
EOT
Configure the domain:
# Quote the delimiter so the shell does not expand ${APACHE_LOG_DIR} while writing the file
cat << 'EOT' > /tmp/<YOUR_DOMAIN>.conf
<VirtualHost *:80>
    ServerAdmin <YOUR_MAIL>
    ServerName <YOUR_DOMAIN>
    ServerAlias www.<YOUR_DOMAIN>
    DocumentRoot /var/www/<YOUR_DOMAIN>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOT
sudo mv /tmp/<YOUR_DOMAIN>.conf /etc/apache2/sites-available/
(The output redirection is performed by your own unprivileged shell, not by sudo, so a 'here document' cannot write directly into /etc/apache2; hence the 2 steps.)
Enable the domain:
sudo a2ensite <YOUR_DOMAIN>
That should look like:
<user>@<hostname>:~$ sudo a2ensite <YOUR_DOMAIN>
Enabling site <YOUR_DOMAIN>.
To activate the new configuration, you need to run:
  systemctl reload apache2
Now disable the default site and reload Apache2:
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
Test using a browser or by running:
curl http://127.0.0.1:80
The curl should return the index page.

Set up HTTPS using Let's Encrypt

To use Let's Encrypt HTTPS, your system name must be resolvable in public DNS.
Follow the steps described here at letsencrypt:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache
Your website should now be configured for https.

Additional security

And now... I ran:
https://developer.mozilla.org/en-US/observatory/analyze?host=jvdm.info
And it complains about Content Security Policy (CSP)... A reasonable amount of information can be found here: https://www.invicti.com/blog/web-security/content-security-policy/.
First thing is to add
Header always set Content-Security-Policy "default-src 'self'"
to the site's 'conf' file in '/etc/apache2/sites-available' to prevent any cross-site content (let's be blunt) and restart Apache. The Header directive needs Apache's mod_headers module to be enabled. Then also add:
Header always set Strict-Transport-Security max-age=31536000
to this config file and restart Apache.
Remains:
Header always set X-Content-Type-Options nosniff
And:
Header always append X-Frame-Options SAMEORIGIN
Now the site gets 'A+ 100+' on https://developer.mozilla.org/en-US/observatory/analyze?host=jvdm.info.
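
A quick local check that the four headers above are really being served, as an added example that is not part of the original post. The function name `check_headers` and both sample responses are constructed for illustration; the expected values are the ones set on this page.

```shell
#!/bin/sh
# check_headers reads raw response headers on stdin, prints one line per
# header, and returns the number of missing or differing headers.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

check_headers() {
    raw=$(tr -d '\r')   # header lines arrive CRLF-terminated
    fails=0
    while IFS='|' read -r name want; do
        # Header names are case-insensitive (HTTP/2 responses show them in
        # lowercase); keep the value of the last matching line.
        got=$(printf '%s\n' "$raw" | awk -v n="$name" '
            BEGIN { n = tolower(n) ":" }
            tolower(substr($0, 1, length(n))) == n { v = substr($0, length(n) + 1) }
            END { sub(/^[ \t]+/, "", v); print v }')
        if [ -z "$got" ]; then
            echo "MISSING $name"; fails=$((fails + 1))
        elif [ "$(lc "$got")" != "$(lc "$want")" ]; then
            echo "DIFFERS $name: got \"$got\", page sets \"$want\""; fails=$((fails + 1))
        else
            echo "OK      $name: $got"
        fi
    done <<'EOF'
Content-Security-Policy|default-src 'self'
Strict-Transport-Security|max-age=31536000
X-Content-Type-Options|nosniff
X-Frame-Options|SAMEORIGIN
EOF
    return "$fails"
}

# Constructed sample responses (not captured from a real server).
good_sample() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n'
    printf "content-security-policy: default-src 'self'\r\n"
    printf 'Strict-Transport-Security: max-age=31536000\r\n'
    printf 'X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
bad_sample() {   # no CSP, and a different X-Frame-Options value
    printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n'
    printf 'X-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\n\r\n'
}

good_sample | check_headers
bad_sample | check_headers || echo "$? header(s) need attention"
# Against the live site: curl -sI https://<YOUR_DOMAIN>/ | check_headers
```

Run it against the https:// URL, since browsers ignore Strict-Transport-Security when it arrives over plain HTTP.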
