Tag Archives: Apache

Let’s Encrypt with Apache on Ubuntu

Clone the Let’s Encrypt repository (note that letsencrypt-auto was later renamed certbot-auto and is no longer supported; on a current Ubuntu install the certbot package instead and substitute certbot for ./letsencrypt-auto in the commands below)
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

Access the letsencrypt directory
cd /opt/letsencrypt

Auto install all dependencies

The first run of letsencrypt-auto installs the packages it needs and sets up a Python virtualenv, then starts the interactive client; you can quit at that point, the certificates are requested in the next step. Everything from here on runs as root.

sudo -i
./letsencrypt-auto

Generate certificates for your domains

Obtain a certificate for each site with the webroot plugin. The client writes a challenge file under .well-known/acme-challenge/ in the directory given with -w, so that path must be the DocumentRoot Apache serves for every name listed with -d, or validation fails.

./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.cz -d www.faix.cz
./letsencrypt-auto certonly --webroot -w /var/www/zviretnik/wordpress/ -d zviretnik.eu -d www.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/owncloud/ -d owncloud.zviretnik.eu -d cloud.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/faix/wordpress/ -d faix.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/sikora/Gallery/ -d sikora.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/silhavy/gallery/ -d silhavy.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/martinek/ -d martinek.zviretnik.eu
./letsencrypt-auto certonly --webroot -w /var/www/smrtak/gallery/ -d smrtak.zviretnik.eu

The first time you are asked for an e-mail address; Let’s Encrypt uses it for expiry and security notices and for account recovery, so give a mailbox that is actually read, for example:
postmaster@zviretnik.eu

The generated files are symlinks to the current versions in /etc/letsencrypt/live/SITE.NAME/ (cert.pem, chain.pem, fullchain.pem and the private key privkey.pem; the live directory is readable by root only, keep it that way):
/etc/letsencrypt/live/SITE.NAME/fullchain.pem

Certificate Auto Renewal

Edit root’s crontab and add a job that runs renew once a week (Monday 02:00 below). renew only replaces certificates that are within 30 days of expiry, so running it often is safe, but Apache keeps serving the old certificate until it is reloaded, so reload it after the run:

crontab -e

00 2 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1 && service apache2 reload
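A weekly unconditional reload is harmless but not very informative. The following is an added example, not part of the original post, of a cron wrapper that runs the renewal and reloads Apache only when a certificate under the live directory actually changed; the client path, the live directory and the reload command are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the original post): renew Let's Encrypt certificates
# from cron and reload Apache only when a certificate file actually changed.
# Assumptions (not in the original): the client lives in /opt/letsencrypt, the
# live directory is /etc/letsencrypt/live and Apache is reloaded via service(8).
# All three can be overridden from the environment, which is also how the
# wrapper is tested without a real ACME account.
LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
LE_RENEW_CMD="${LE_RENEW_CMD:-/opt/letsencrypt/letsencrypt-auto renew}"
APACHE_RELOAD_CMD="${APACHE_RELOAD_CMD:-service apache2 reload}"

# One line "<sha256>  <path>" per live fullchain.pem (symlinks are followed),
# nothing when there are no certificates yet.
live_cert_digests() {
    for f in "$LE_LIVE_DIR"/*/fullchain.pem; do
        [ -e "$f" ] && sha256sum "$f"
    done
}

# Exit status: 0 = something was renewed and Apache reloaded,
#              3 = renewal ran but nothing changed (no reload),
#              1 = the renewal command itself failed.
renew_and_reload() {
    before=$(live_cert_digests)
    if ! $LE_RENEW_CMD; then
        echo "renewal failed" >&2
        return 1
    fi
    after=$(live_cert_digests)
    if [ "$before" = "$after" ]; then
        echo "certificates unchanged, not reloading apache"
        return 3
    fi
    $APACHE_RELOAD_CMD && echo "certificates changed, apache reloaded"
}

# Run the wrapper when invoked as a script named renew-le.sh (not when sourced).
case "$0" in */renew-le.sh|renew-le.sh) renew_and_reload ;; esac
```

Save it as /usr/local/sbin/renew-le.sh and call that from the cron line instead of the bare renew; exit status 3 is expected on most weeks and the log line tells you which case occurred.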

Apache SSL configuration

/etc/apache2/sites-available/00zviretnik-ssl

SSLCertificateFile /etc/letsencrypt/live/zviretnik.eu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/zviretnik.eu/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/zviretnik.eu/chain.pem

On Apache 2.4.8 and newer SSLCertificateChainFile is deprecated: point SSLCertificateFile at fullchain.pem instead and drop the chain line.

SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite EECDH+AES:AES256-SHA:AES128-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH:!EXP:!SRP:!DSS:!LOW
SSLHonorCipherOrder on
SSLVerifyClient none
SSLVerifyDepth 1
SSLCompression off

The trailing semicolon in the original cipher string was a typo; OpenSSL separates suites with colons. DES-CBC3-SHA (3DES) is only there for very old clients and is weak (Sweet32); drop it, and add -TLSv1 -TLSv1.1 to SSLProtocol, once those clients no longer matter. SSLVerifyClient none is the default, so the two SSLVerify lines change nothing. After reloading Apache, check the chain actually served and the negotiated cipher with openssl s_client -connect zviretnik.eu:443 -servername zviretnik.eu.

Update Let’s Encrypt Client

cd /opt/letsencrypt
sudo git pull

Gallery 3 installation / upgrade in Ubuntu

Installation

Install Apache and MySQL; Gallery 3 is a PHP application, so PHP and its MySQL extension must be present as well.

aptitude install apache2 mysql-server-5.1

The www-data account has no login shell on Ubuntu, so give su an explicit shell. The archive is fetched over plain HTTP; compare it with the checksum shown on the download page before unpacking. Because the files are created as www-data, the user Apache runs as, var/ does not need to be world-writable: 755 is enough, even though Gallery’s documentation says 777.

su - www-data -s /bin/bash
cd /var/www/user
wget http://downloads.sourceforge.net/gallery/gallery-3.0.4.zip
unzip gallery-3.0.4.zip
mv gallery3 gallery
rm gallery-3.0.4.zip
cd gallery
mkdir var
chmod 755 var
exit
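The permission step is where installs usually go wrong, either too open (777 on var/) or broken (files the web server cannot write). The following is an added example, not from the original post, that applies the minimal permissions to Gallery’s var/ directory and audits a web root for anything still world-writable; it assumes Apache runs as www-data, and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: give Gallery's var/ directory only
# the permissions the web server needs, then audit a web root for anything that
# is still world-writable. Assumes Apache runs as www-data (Debian/Ubuntu default).

# harden_var_dir DIR [OWNER [GROUP]]: owner rwx / group rx on directories (750),
# owner rw / group r on files (640), nothing for "others". The chown is skipped
# silently when not running as root (for example in a test).
harden_var_dir() {
    dir="$1"; owner="${2:-www-data}"; group="${3:-www-data}"
    chown -R "$owner:$group" "$dir" 2>/dev/null || true
    find "$dir" -type d -exec chmod 750 {} +
    find "$dir" -type f -exec chmod 640 {} +
}

# world_writable DIR: list every file or directory under DIR whose mode has the
# other-write bit (0002); symlinks are skipped because their mode is meaningless.
world_writable() {
    find "$1" ! -type l -perm -002 -print | sort
}

# world_writable_count DIR: number of such entries; 0 means the audit is clean.
world_writable_count() {
    world_writable "$1" | wc -l | tr -d ' '
}
```

Run world_writable /var/www after every install or upgrade; on a properly owned web tree the list should be empty, and anything it prints is a place where a compromised PHP process, or any local user, could plant files.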

Create the database and a dedicated account that may only connect from localhost and only touch that one database. (The original sequence first created 'user-gallery' for any host without a password and then a second account for localhost; creating the localhost account with its password in one statement avoids the stray remote-capable account.) The password ends up in ~/.mysql_history in clear text, hence the last command.

mysql -u root -p
SHOW DATABASES;
SELECT User, Host FROM mysql.user;
CREATE DATABASE `user-gallery3`;
CREATE USER 'user-gallery'@'localhost' IDENTIFIED BY 'mysecretpassword';
GRANT ALL PRIVILEGES ON `user-gallery3`.* TO 'user-gallery'@'localhost';
FLUSH PRIVILEGES;
EXIT
rm -f ~/.mysql_history

/etc/apache2/sites-enabled/user-ssl (create the file in sites-available and enable it with a2ensite user-ssl; the syntax below is Apache 2.2)

<VirtualHost *:443>
        ServerAdmin user@zviretnik.eu
        ServerName user.zviretnik.eu
        ServerAlias user-nick.zviretnik.eu
        DocumentRoot /var/www/user/wordpress/

        <Directory /var/www/user/gallery>
                # Options must use either all relative (+/-) or all absolute forms;
                # the original "-Indexes FollowSymLinks MultiViews" is a syntax error
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                # Apache 2.2 access control; on 2.4 replace the next two lines with
                # Require all granted
                Order allow,deny
                allow from all
                DirectoryIndex index.php
        </Directory>

        Alias /gallery /var/www/user/gallery

        ErrorLog /var/log/apache2/user.zviretnik.eu-ssl-error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/user.zviretnik.eu-ssl-access.log combined

        SSLEngine on
        # StartSSL-era settings: SSLv3 and RC4 are still enabled here. Reuse the
        # SSLProtocol/SSLCipherSuite lines from the Let's Encrypt post above instead.
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
        SSLCertificateFile /etc/ssl/user.zviretnik.cer
        SSLCertificateKeyFile /etc/ssl/private/user.zviretnik.key
        SSLCertificateChainFile /etc/ssl/startssl.sub.ca.pem
        SSLCACertificateFile /etc/ssl/startssl.root.cs.pem
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        CustomLog /var/log/apache2/user.zviretnik.eu-ssl-request.log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Run the web installer at https://user.zviretnik.eu/gallery/installer/ (over the SSL vhost, so the database password is not sent in the clear). If the albums are to live on a separate data volume, replace the albums directory with a symlink; the link must be created inside var/ (or with its full path), and FollowSymLinks must be set on the directory for Apache to serve it:

rmdir /var/www/user/gallery/var/albums
ln -s /mnt/data/user/albums /var/www/user/gallery/var/albums

Upgrade

/etc/init.d/apache2 stop

su - www-data -s /bin/bash
cd /var/www/user
wget http://downloads.sourceforge.net/gallery/gallery-3.0.4.zip
unzip gallery-3.0.4.zip
mv ./gallery/var ./gallery3/var
mv gallery gallery.old
mv gallery3 gallery
cd ./gallery
php index.php upgrade

Copy any custom or downloaded themes or modules from the old folder to the new one, then clean up. Keep gallery.old until you have verified the upgraded site in a browser; it is your only way back if the database upgrade went wrong.

cd ..
rm gallery-3.0.4.zip
rm -rf gallery.old

/etc/init.d/apache2 start

Hosting multiple websites with Apache2

http://www.debian-administration.org/articles/412
http://fob.po8.org/node/289

If you run multiple websites on one Apache2 with mixed ports (usually http on port 80, https on port 443), change the following configuration files. NameVirtualHost is a directive, not a variable, and each port should be declared exactly once, in virtual.conf; find and comment it out in all other configuration files, otherwise Apache warns about duplicate or unused NameVirtualHost declarations. (Apache 2.4 ignores NameVirtualHost altogether; name-based matching is automatic there.) Several HTTPS sites on one IP address rely on SNI, so this needs Apache 2.2.12 or newer built against OpenSSL 0.9.8f or newer, and a client without SNI is handed the certificate of the first vhost on port 443.

FOB: I recently reported being stuck trying to set up multiple SSL name-based virtual hosts on the same IP address with non-SSL name-based virtual hosts. Soon after, I figured it out. Shortly after that, one of my students suggested the same solution to me.

/etc/apache2/conf.d/virtual.conf

#
# We're running multiple virtual hosts.
#
NameVirtualHost *:80
NameVirtualHost *:443

/etc/apache2/sites-enabled

<VirtualHost *:80>
ServerAdmin webmaster@zviretnik.eu
ServerName zviretnik.eu
ServerAlias www.zviretnik.eu
...

<VirtualHost *:443>
ServerAdmin webmaster@zviretnik.eu
ServerName www.zviretnik.eu
ServerAlias zviretnik.eu
...

The ports 80 and 443 should be also defined in following configuration file.

/etc/apache2/ports.conf

Listen 80
<IfModule mod_ssl.c>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>

Also check /etc/hosts: the server must be able to resolve its own names, and the first matching line wins, so with the two entries below zviretnik.eu resolves to 127.0.0.1 locally while the public address is still recorded.

127.0.0.1 localhost zviretnik.eu
94.143.171.113 zviretnik.eu zvire
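With several vhosts per port, the usual failure is one name claimed twice: Apache picks the first <VirtualHost> on that port whose ServerName or ServerAlias matches, and the later vhost is silently shadowed. apache2ctl -S shows how Apache parsed the vhosts; the following is an added example, not from the original post, of a small lint that extracts every name per port from the site files and reports the ones that appear in more than one vhost, plus how often NameVirtualHost is declared per port. It assumes the Debian layout; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): lint name-based virtual hosts.
# Apache picks the first <VirtualHost> on a port whose ServerName/ServerAlias
# matches, so a name claimed twice on the same port shadows the later vhost.
# Usage: duplicate_vhost_names /etc/apache2/sites-enabled/*
#        name_virtual_host_counts /etc/apache2/conf.d/virtual.conf /etc/apache2/sites-enabled/*

# vhost_names FILE...: print "<port> <name> <vhost-number>" for every ServerName
# and ServerAlias inside each <VirtualHost *:PORT> block, de-duplicated, so a
# name listed as both ServerName and ServerAlias in one vhost counts once.
vhost_names() {
    awk '
        tolower($1) ~ /^<virtualhost/ {
            n++; port = $2; sub(/>.*$/, "", port); sub(/^.*:/, "", port); next
        }
        tolower($1) == "servername"  { name = $2; sub(/:.*$/, "", name); print port, tolower(name), n }
        tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) print port, tolower($i), n }
    ' "$@" | sort -u
}

# duplicate_vhost_names FILE...: "<port> <name>" for names used by more than one
# vhost on the same port. Empty output means no vhost is shadowed.
duplicate_vhost_names() {
    vhost_names "$@" | awk '{ print $1, $2 }' | uniq -d
}

# name_virtual_host_counts FILE...: "<count> <addr:port>" per NameVirtualHost
# declaration (Apache 2.2). Anything other than 1 per port needs fixing.
name_virtual_host_counts() {
    awk 'tolower($1) == "namevirtualhost" { print $2 }' "$@" | sort | uniq -c | sed 's/^ *//'
}
```

A typo such as the www.zvietnik.eu alias above is not caught by this (nothing else claims that name), but it does show up as a name that is present on port 80 and missing on port 443, which a diff of vhost_names output filtered by port makes obvious.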

Apache2 – WordPress & Gallery solutions

If requesting the Apache status page http://zviretnik.eu/server-status on a WordPress site fails (a 403 Forbidden, or WordPress’s own 404 page because the request was rewritten to index.php), add a rule to WordPress’s .htaccess, before the front-controller rules, so that server-status and server-info are passed straight to mod_status:

# Stop Processing if you see server-info or server-status
RewriteRule ^(server-info|server-status) - [L]
# The Rewrite Condition below did not work
# RewriteCond %{REQUEST_URI} !=/server-status

Keep in mind that server-status is normally allowed only from localhost, and it should stay restricted: it lists client addresses and the URLs they are requesting. If you need it from elsewhere, edit /etc/apache2/mods-enabled/status.conf (the Allow from localhost line) and add specific addresses rather than opening it to all.

If you upgrade Apache2, Gallery 3 may show the following error when you try to change permissions on an album or photo:

Oh no! Your server needs a configuration change in order for you to hide photos! Ask your server administrator to enable mod_rewrite and set AllowOverride FileInfo Options to fix this.

If mod_rewrite is enabled (a2enmod rewrite) and the virtual host’s <Directory> already contains AllowOverride FileInfo Options, the problem may be in /etc/hosts: Gallery verifies that its .htaccess protection works by fetching a test URL on its own host name, so the localhost entry must also carry the server’s FQDN, for example:

127.0.0.1       localhost       zviretnik.eu

Apache2 security – mod_rewrite, mod_security

Enable mod_rewrite in Apache2

http://www.grosseosterhues.com/2011/07/enabling-mod-security-protection-in-apache2-on-ubuntu/
http://www.linuxlog.org/?p=135

a2enmod rewrite

/etc/apache2/sites-available/000-default

# Indexes enables directory listings for every folder without an index file;
# drop it unless you want that. AllowOverride All lets any .htaccess in the tree
# change the configuration; WordPress only needs FileInfo (for the rewrite rules)
# and Options, so "AllowOverride FileInfo Options" is the tighter choice.
Options Indexes FollowSymLinks MultiViews
AllowOverride all
# Apache 2.2 access control; on 2.4 use "Require all granted" instead
Order allow,deny
allow from all

/etc/init.d/apache2 restart

.htaccess

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Enable mod_evasive and mod_security in Apache2

Package names depend on the release; the ones below are for the release this was written on (on later Ubuntu releases the mod_security package is libapache2-modsecurity or libapache2-mod-security2).

aptitude install libapache-mod-security libapache2-mod-evasive

a2enmod mod-security mod-evasive

mod_evasive sends its notifications by piping a message to /bin/mail, which a minimal install does not have; pointing it at sendmail works because sendmail takes the recipient on the command line and reads the headers from the piped message. The log directory must be writable by the Apache user:

ln -s /usr/sbin/sendmail /bin/mail
mkdir /var/log/mod_evasive
chown www-data:www-data /var/log/mod_evasive/

/etc/apache2/conf.d/modevasive

<IfModule mod_evasive20.c>
DOSHashTableSize 3097
# more than 2 requests for the same URI within 1 s, or more than 50 requests to
# the site within 1 s, from one client address blocks that address for 10 s
# (every further request gets 403 Forbidden)
DOSPageCount 2
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 10
DOSLogDir /var/log/mod_evasive
DOSEmailNotify jan.faix@gmail.com
# clients behind one NAT or proxy share an address and are blocked together;
# if a reverse proxy sits in front of Apache, every request arrives from its
# address and the counters are meaningless unless it is whitelisted here
DOSWhitelist 127.0.0.1
</IfModule>

Check if /etc/apache2/apache2.conf contain:

# Include generic snippets of statements
Include /etc/apache2/conf.d/[^.#]*

mkdir /etc/apache2/mod_security_rules
chown -R root:root /etc/apache2/mod_security_rules
sed '/^$/d; /^#/d;' /usr/share/doc/mod-security-common/examples/rules/*conf >> /etc/apache2/mod_security_rules/modsecurity_crs_10_config_global.conf
cp /usr/share/doc/mod-security-common/examples/rules/base_rules/* /etc/apache2/mod_security_rules/
touch /var/log/apache2/modsec_audit.log /var/log/apache2/modsec_debug.log
chown www-data:www-data /var/log/apache2/modsec_audit.log /var/log/apache2/modsec_debug.log

/etc/apache2/mod_security_rules/modsecurity_crs_10_config_global.conf

SecAuditLog /var/log/apache2/modsec_audit.log
SecDebugLog /var/log/apache2/modsec_debug.log

/etc/apache2/conf.d/mod_security

<IfModule security2_module>
Include /etc/apache2/mod_security_rules/*.conf
</IfModule>

The converted PHPIDS filters trigger constantly on PHP applications such as WordPress and Gallery; renaming the file takes it out of the *.conf glob:

cd /etc/apache2/mod_security_rules/
mv modsecurity_crs_41_phpids_filters.conf modsecurity_crs_41_phpids_filters.conf.disabled

/etc/init.d/apache2 restart

Test mod_security

Create a deliberately vulnerable page; it includes whatever file the query string names, so it must be removed as soon as the test is done.

/var/www/test.php

<?php
// Deliberately vulnerable test page: local file inclusion via the query string.
// For the mod_security test only; delete it right afterwards.
$secret_file = $_GET['secret_file'];
include($secret_file);
?>

http://yourserver.tld/test.php?secret_file=/etc/passwd

With the rules active the request is rejected with a “403 Forbidden” error message (the core rule set flags access to /etc/passwd). If the contents of /etc/passwd come back instead, check that the global config sets SecRuleEngine On rather than DetectionOnly and that the Include in /etc/apache2/conf.d/mod_security is really loaded. Then remove the page:

rm -f /var/www/test.php

Test mod_evasive

Run the script from a machine other than the server (127.0.0.1 is whitelisted in the configuration above) and change the host name to your web server. The first requests return HTTP/1.1 200 OK; once DOSPageCount is exceeded, mod_evasive answers HTTP/1.1 403 Forbidden for the rest of DOSBlockingPeriod and logs (and e-mails) the blocked address.

~/test.pl

#!/usr/bin/perl
# test.pl: small script to test mod_evasive's effectiveness.
# Run from a host that is NOT in DOSWhitelist; the first few responses should
# be 200 OK, the rest 403 Forbidden once DOSPageCount is exceeded.
use strict;
use warnings;
use IO::Socket::INET;

my $host = "faix.homelinux.net";   # change to your web server
for my $i (0..100) {
    my $socket = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host:80")
        or die "connect failed: $!";
    print $socket "GET /?$i HTTP/1.0\r\nHost: $host\r\n\r\n";
    my $response = <$socket>;      # status line only
    print "$i: $response";
    close($socket);
}

rm -f ~/test.pl
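The same test from a shell, as an added example that is not part of the original post: it fires a burst of requests at a URL and reports the first request that came back 403, which tells you whether mod_evasive is blocking and how many requests it tolerated. It assumes curl is installed; the request function can be overridden through FETCH_STATUS, which is how the logic is tested without a server. As with the Perl script, run it from a host that is not in DOSWhitelist.

```shell
#!/bin/sh
# Added example (not from the original post): shell version of the flood test.
# Sends COUNT GET requests to URL and reports the first one that mod_evasive
# rejected with 403 Forbidden. Assumes curl; FETCH_STATUS may be overridden
# (e.g. with a stub) for testing.

# fetch_status URL: print only the HTTP status code of one GET.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1"
}
FETCH_STATUS="${FETCH_STATUS:-fetch_status}"

# flood URL [COUNT]: print "first_403=<n> blocked=<m> total=<count>".
# first_403=0 means mod_evasive never blocked: either it is not loaded, the
# client is whitelisted, or the thresholds were not reached.
flood() {
    url="$1"; count="${2:-100}"
    i=0; first=0; blocked=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        code=$("$FETCH_STATUS" "$url?$i")   # same URI, varying query string
        if [ "$code" = 403 ]; then
            blocked=$((blocked + 1))
            [ "$first" -eq 0 ] && first=$i
        fi
    done
    echo "first_403=$first blocked=$blocked total=$count"
}

# Run directly as flood-test.sh URL [COUNT]; does nothing when sourced.
case "$0" in */flood-test.sh|flood-test.sh) flood "$@" ;; esac
```

With DOSPageCount 2 and DOSPageInterval 1, first_403 should be 3 or 4 on a fast link; a much higher number means the interval elapsed between requests and the thresholds are looser than intended.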