[Ubuntu] How to build LAMP server 2 of 3 – Apache

Apache configuration files for HTTP(Port 80) and HTTPS(Port 443) can be found as below.

$sudo vi /etc/apache2/sites-available/ 000-default.conf
$sudo vi /etc/apache2/sites-available/ default-ssl.conf

SSL

Secured site can be configured by enabling ssl module and you will need to get SSL certificate in advance. Self-Signed SSL did not work for me. You can get free SSL certificates from Let’s Encrypt.

$sudo a2enmod ssl
$sudo a2ensite default-ssl
$sudo vi /etc/apache2/sites-available/default-ssl.conf
SSLCertificateFile    /etc/ssl/certs/server.crt
#SSLCertificateKeyFile /etc/ssl/private/server.key
SSLCertificateKeyFile /etc/ssl/certs/server.key
SSLCertificateChainFile /etc/ssl/certs/server-ca.crt

 </VirtualHost>
# intermediate configuration, tweak to your needs
# SSLProtocol             all -SSLv2 -SSLv3
# SSLProtocol +TLSV1.2 +TLSv1.3
SSLProtocol -all +TLSv1.2
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder     on
</IfModule>
$sudo /etc/init.d/apache2 restart

No Browsing and .htaccess

It can be changed from /etc/apache2/apache2.conf and do not forget restarting apache server after changing.

<Directory /var/www/>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Require all granted
</Directory>

SSI and Rewrite

$sudo a2enmod include
$sudo vi /etc/apache2/apache2.conf
<Directory /var/www/>
                Options -Indexes +FollowSymLinks +MultiViews +Includes
                AllowOverride All
                Require all granted
</Directory>
$sudo vi /etc/apache2/mods-availble/dir.conf
<IfModule mod_dir.c>
          DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm index.shtml
</IfModule>
$sudo a2enmod rewrite
$sudo /etc/init.d/apache2 restart

Virtual Host

Each virtual host has its own configuration file. It can be started by copying the default configuration file.

$sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/test
$sudo a2ensite test
$sudo vi /etc/apache2/sites-available/test
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	ServerName www.test.org
	ServerAlias test.org
	DocumentRoot /var/www/test
$sudo vi /etc/apache2/ports.conf
Listen 80
Listen 8080

<IfModule ssl_module>
	Listen 443
</IfModule>

<IfModule mod_gnutls.c>
	Listen 443
</IfModule>
$sudo service apache2 restart

php.ini

Some of values in php.ini need changes according to the requirements

$sudo vi /etc/php/8.1/apache2/php.ini
; UNIX: "/path1:/path2"
include_path = ".:/usr/share/php"

; Maximum amount of memory a script may consume (128MB)
; http://php.net/memory-limit
memory_limit = 8096M

; Maximum execution time of each script, in seconds
; http://php.net/max-execution-time
; Note: This directive is hardcoded to 0 for the CLI SAPI
max_execution_time = 7200

; Maximum size of POST data that PHP will accept.
; http://php.net/post-max-size
post_max_size = 512M

; Maximum number of files that can be uploaded via a single request
max_file_uploads = 5000

; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 512M

session.save_path = "/var/lib/php/sessions"

[browscap]
; http://php.net/browscap
browscap = /var/www/full_php_browscap.ini

; http://php.net/session.gc-maxlifetime
session.gc_maxlifetime = 86400

; PHP's default character set is set to UTF-8.
; http://php.net/default-charset
; default_charset = "UTF-8"
default_charset = "ISO-8859-1"

; <? and ?> tags as PHP source which should be processed as such.
short_open_tag = On

[Phar]
; http://php.net/phar.readonly
phar.readonly = 0

ADFS

When your organization supports ADFS, SSO is can be configured with SimpleSAMLphp. First, download and install SimpleSAMLphp.

$sudo apt-get install php-curl
$tar xzf ./simplesamlphp-1.18.4.tar.gz
$sudo mv ./simplesamlphp-1.18.4 /var/simplesamlphp

Then, configure apache to use this directory.

$sudo vi /etc/apache2/sites-available/000-default.conf
$sudo vi /etc/apache2/sites-available/default-ssl.conf
        SetEnv SIMPLESAMLPHP_CONFIG_DIR /var/simplesamlphp/config
        Alias /simplesaml /var/simplesamlphp/www

        <Directory /var/simplesamlphp/www>
              Require all granted
        </Directory>

Configuration can be changed from /config/config.php. Generate a random salt for ‘secretsalt’ => ‘randombytesinsertedhere’.

	 'baseurlpath' => 'https://your.server.ca//simplesaml/',
	'auth.adminpassword' => 'setnewpasswordhere',
	'secretsalt' => 'randombytesinsertedhere',
	'technicalcontact_name' => 'John Smith',
   	'technicalcontact_email' => 'john.smith@example.com',
	'language.default' => 'en',
	'timezone' => 'America/Toronto',
	'trusted.url.domains' => ['your.server.ca'],

Enable the certificate for your service provider.

$cd /var/simplesamlphp/cert
$openssl req -newkey rsa:3072 -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
$sudo chmod 664 ./saml.pem
 $vi ./config/authsources.php
	'default-sp' => [
    	'saml:SP',
		'sign.logout' => TRUE,
    	'privatekey' => 'saml.pem',
   	 	'certificate' => 'saml.crt',
		'NameIDPolicy' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
	],

After these settings, navigate to the Federation tab, look for Tools and then click XML to simpleSAMLphp meta converter. Copy the contents of the saml20-idp-remote field. Open the metadata/saml20-idp-remote.php file and paste the contents. Consider update /config/authsources.php for entityID and idp. Ask your ADFS service provider to add NameID with “Transient” format.

Imagick and PHP GD

In order to use PDF libraries like FPDF and FPDI, some of image packages are required and can be install be as below.

$sudo apt-get install imagemagick
$sudo apt-get install php-imagick
$sudo vi /etc/Imagemagick-6/policy.xml
     <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
     <policy domain="coder" rights="read|write" pattern="PDF" />
$sudo apt-get install inkscape
$sudo apt-get install php8.0-gd
$sudo service apache2 restart

Forcing Users to HTTPS (rewrite/redirect)

$sudo a2enmod rewrite
$sudo a2enmod ssl
$sudo vi /etc/apache2/sites-available/000-default.conf
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

Redirect to One URL

If you prefer your web site to be without “www” even www.yoursite.com and yoursite.com are all configured. You can redirect visitors to one URL you like.

- $sudo vi /etc/apache2/sites-available/000-default.conf
- $sudo vi /etc/apache2/sites-available/default-ssl.conf
       <If "%{HTTP_HOST} != 'yoursite.com'">
          	Redirect "/" "https://yoursite.com/"
       </If>

Rewrite

Old URL can be directed to new URL with rewrite module.

$sudo a2enmod rewrite
$sudo vi /etc/apache2/sites-available/000-default.conf
$sudo vi /etc/apache2/sites-available/default-ssl.conf
        RewriteEngine On
        RewriteRule "^/virtualconference" "/events/virtual-teachers-conference.html" [NC]

Subversion

As one of Apache modules, Subversion can be installed on Ubuntu.

$ sudo apt-get install libapache2-mod-svn 
$ sudo a2enmod dav_svn 
$ sudo vi /etc/apache2/mods-available/dav_svn.conf
<Location /svn>
     DAV svn
     SVNPath /svn/repos/bcc
     AuthType Basic
     AuthName "BCC subversion repository"
     AuthUserFile /etc/subversion/passwd
     Require valid-user
</Location>

$ sudo mkdir /etc/subversion
$ sudo htpasswd -c /etc/subversion/passwd user_name 
(Caution: This create and overwrite existing passwd file)

$ sudo htpasswd /etc/subversion/passwd next_user_names

$ sudo chown -R www-data:www-data /svn/*
$sudo chmod -R g+rws /svn/*

Pandoc

$ sudo apt-get install pandoc

It can be installed as easy as above. Meanwhile, it becomes complicated if you need the latest version.

$ sudo pandoc --version
$ sudo apt purge pandoc

Get the latest .deb at https://github.com/jgm/pandoc/releases
$ sudo wget https://github.com/jgm/pandoc/releases/download/2.19.2/pandoc-2.19.2-1-amd64.deb 
$ sudo dpkg -i pandoc-2.19.2-1-amd64.deb

X-XSS-Protection (UTF-7 Variants) & Protect Cookies

$sudo a2enmod headers
$sudo vi /etc/apache2/apache2.conf
<Directory /var/www/>
        Options -Indexes +FollowSymLinks +MultiViews +Includes
        AllowOverride All
        Require all granted
        Header set X-XSS-Protection "1; mode=block"
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</Directory>

$ sudo service apache2 restart

CSV -> XLSZ

Length of sheet name should be smaller than 31.

$sudo apt install unoconv
$unoconv --show
$unoconv --format xlsx example.csv

Leave a Reply

Your email address will not be published. Required fields are marked *