Scenario

In 2012, three friends decided to buy scooters for their daily commute in New Napoli. Far from just a method of getting from Point A to Point B, they found that they loved the power and fun they felt while riding. They started to ride on weekends for fun and began posting pictures of their exploits on social media. Soon Angels & Scooters had grown to a dozen or more. Today, Angels & Scooters has more than 300 members. But while they’ve grown in numbers, they haven’t grown in infrastructure. They recently decided it was time for a change and now want to create their very first website. They have the design, one of the city’s hosting providers was kind enough to provide some server space, and they are excited to get started. Unfortunately, they don’t know how to install a webserver. So they’ve come to you for help.

Apache Setup

To set up the web server, first log in over SSH and gain root privileges (the commands below use sudo), then install Apache:

sudo apt update
sudo apt install apache2

Once Apache is installed, the server is essentially ready: browse to http://localhost or the server's IP address and you will see the Apache2 Ubuntu Default Page. It is good practice to disable this default page and the default virtual host.

Disable Default Site: a2dissite 000-default

Delete Default Site Files: rm -r /var/www/html

Reload Apache Service: systemctl reload apache2

The site should now return a 404 instead of the default page.

After disabling the default page, download the website files from their Git repository and set the correct ownership and permissions on all files and directories.

git clone {site repo}
mkdir -p /var/www/{site dir}
cp -r {site repo}/* /var/www/{site dir}

Set Permissions:

chown -R www-data:www-data /var/www/{site dir}

Virtualhost Setup

Apache comes with a default config file at /etc/apache2/sites-available/000-default.conf

You can copy its contents into a new file in the same directory (for example mysite.com.conf) and modify them as necessary.

<VirtualHost *:80>
   ServerAdmin admin@mysite.com
   ServerName mysite.com
   DocumentRoot /var/www/mysite.com
</VirtualHost>

DocumentRoot specifies the location of the web content served for the site.
ServerName specifies what users type in the address bar to reach the site.
ServerAdmin should contain your email address so users can contact you if they have issues with the site.

Once the config is done, enable the site by running sudo a2ensite <mysite.com.conf> (replace <mysite.com.conf> with the name of your vhost file).
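As an added example (not part of the original guide), here is a hardened version of the mysite.com vhost above, going slightly beyond the page by restricting what Apache will serve from the document root. The file name /etc/apache2/sites-available/mysite.com.conf and the www.mysite.com alias are assumptions; mysite.com and /var/www/mysite.com are the placeholder values from the page.

```apache
# Added example, not from the original guide.
# Assumed location: /etc/apache2/sites-available/mysite.com.conf
<VirtualHost *:80>
    ServerAdmin admin@mysite.com
    ServerName mysite.com
    # Assumed alias so the www. form also reaches this site.
    ServerAlias www.mysite.com
    DocumentRoot /var/www/mysite.com

    <Directory /var/www/mysite.com>
        # -Indexes: never list a directory's contents when it has no index file.
        # -FollowSymLinks: a symlink placed in the webroot cannot expose files
        # outside it (SymLinksIfOwnerMatch is the usual compromise if links are needed).
        Options -Indexes -FollowSymLinks
        # Ignore .htaccess files so all configuration lives in this file.
        AllowOverride None
        Require all granted
    </Directory>

    # Return 404 for any path component beginning with a dot, so a .git
    # directory or editor backup file that ends up in the webroot is not served.
    RedirectMatch 404 "/\."

    ErrorLog ${APACHE_LOG_DIR}/mysite.com-error.log
    CustomLog ${APACHE_LOG_DIR}/mysite.com-access.log combined
</VirtualHost>
```

Server-wide settings such as ServerTokens Prod and ServerSignature Off cannot go in a VirtualHost block; on Ubuntu they live in /etc/apache2/conf-available/security.conf. Run apache2ctl configtest before reloading so a typo in the vhost does not take the site down.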

HTTPS Security

Scenario:

The Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that uses TLS or SSL to securely encrypt HTTP traffic. The owner of The Dogfood Company needs your help to make his website work over an HTTPS connection.

First you need a private key. Log in to the server that hosts the website, get a root shell, and generate one:

openssl genrsa -out /etc/ssl/private/priv.key 2048

In order to obtain a working HTTPS certificate, you need a trusted Certificate Authority to sign it. You can generate the certificate signing request from the command line with openssl req and the flags below. Note that the <( ... ) process substitution used to append the SAN section requires bash.

openssl req \
    -out /root/certreq.csr \
    -key /etc/ssl/private/priv.key \
    -subj "/CN=dogfood.lab" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:dogfood.lab")) \
    -new

Once the CA has returned the signed certificate, place it in the /etc/ssl/certs/ directory with the name {site}.crt

To enable SSL to run in Apache, run the command a2enmod ssl

Then configure Apache to use your certificate: open /etc/apache2/sites-available/default-ssl.conf and point the SSLCertificateFile and SSLCertificateKeyFile parameters at the certificate and private key paths. Add the following lines to the config block to make sure you are only allowing up-to-date protocols and cipher suites, following current best practice.
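The following is an added example of such a hardening block for the <VirtualHost _default_:443> section of default-ssl.conf; it is not the guide's own text, and the particular protocol and cipher choices are ours. The key path is the one generated on the page; the certificate file name dogfood.lab.crt follows the page's {site}.crt placeholder and is assumed.

```apache
# Added example, not from the original guide. Goes inside
# <VirtualHost _default_:443> in /etc/apache2/sites-available/default-ssl.conf.
SSLEngine on
# Certificate issued by the CA (assumed file name) and the key generated above.
# On Apache 2.4.8+ the CA's intermediate certificates may be concatenated into
# this same file; older versions need SSLCertificateChainFile instead.
SSLCertificateFile      /etc/ssl/certs/dogfood.lab.crt
SSLCertificateKeyFile   /etc/ssl/private/priv.key

# Allow only TLS 1.2 and TLS 1.3: SSLv3, TLS 1.0 and TLS 1.1 are disabled.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

# TLS 1.2 suites: forward-secret ECDHE key exchange with AEAD ciphers only
# (no static RSA key exchange, no CBC modes, no RC4 or 3DES). TLS 1.3 suites
# are negotiated separately by OpenSSL and are all AEAD.
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

# Every suite above is strong, so let the client choose (for example ChaCha20
# on devices without AES hardware acceleration).
SSLHonorCipherOrder     off

# Session tickets are encrypted with a server-wide key that Apache never
# rotates, which undermines forward secrecy; disable them (Apache 2.4.11+).
SSLSessionTickets       off
```

After adding the block, apache2ctl configtest reports any directive your Apache build does not recognise (for instance SSLSessionTickets on a version older than 2.4.11) before you reload.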

Enable the config with a2ensite default-ssl and reload Apache with systemctl reload apache2

Now that the site is accessible over HTTPS, we need to make sure that a user who tries to access it over plain HTTP is redirected to HTTPS.

Enable the rewrite module with a2enmod rewrite, open up 000-default.conf and add these lines to the end of the host block:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  # R=301 makes the redirect permanent (a bare fully qualified URL would only give a 302); L stops further rule processing
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>

To prevent an attacker from downgrading the connection to HTTP, you should also enable HSTS. This tells the web browser that the site must never be accessed over plain HTTP.

Enable the headers module with a2enmod headers

Go back to default-ssl.conf and add this line to the VirtualHost block:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

Reload with systemctl reload apache2 and you’re all set!