KPTree Web Server VM Setup

Web Server setup

Basic Web Server setup on VM

The main reference used is Unixmen - How To Install LAMP Stack On Ubuntu 16.04, for the basic web server setup on a virtual machine (VM), However this setup is quite basic and any similar page would probably suffice. Subsequently I found this reference that looks to be more complete for installing Apache2 on Ubuntu 16.04, Linode - Install LAMP on Ubuntu 16.04.

As installing on a virtual machine (VM) it is important to also have set up the NFS to allow access to the main storage. Also consider aligning the appropriate file system user and groups between the VM server and VM guests. (For the Ubuntu Network Filing System, NFS, see Havetheknowhow.com - How to configure NFS Version 4, that contains configuration information for both the VM server and clients.

Unfortunately, Havetheknowhow.com does not seem to cover the alignment of user and groups between the main OS and VMs. I create a basic template machine and manual update the group and user id numbers to align, a use the basic information given in Linux: Changing UIDs and GIDs for a user. The process is tedious and takes a bit of care to complete, but once setup properly allows better operation between the server and virtual machines.

Web Server Change Basic Default Settings

The Ubuntu Documentation page, HTTPD - Apache2 Web Server, describes the setup of apache2 under Ubuntu 16.04. I prefer to have the html files located on a directory not inside the VM (virtual machine), so the following basic changes are required to move the html pages under the Ubuntu 16.04 apache2 setup.

  • Copy the current html files to the proposed new location: "sudo rsync -av /var/www/html /mnt/shared/www16/"
  • Change the /var/www.html reference in the following apache2 configuration files:
    • "sudo vim /etc/apache2/apache2.conf", in particular change "‹Directory /var/www/›" to "‹Directory /mnt/shared/www16/›" (This defines file system access, add /var/www/ temporarily if necessary.)
    • "sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/kptree.net.conf" then "sudo vim /etc/apache2/sites-available/kptree.net.conf", in particular change "DocumentRoot /var/www/html" to "DocumentRoot /mnt/shared/www16/html/kptree.net/public_html". Also change "ServerName kptree.net" and add-in directly after this line "ServerAlias *.kptree.net".
    • "sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/kptree.net-ssl.conf" then "sudo vim /etc/apache2/sites-available/kptree.net-ssl.conf", in particular change "DocumentRoot /var/www/html" to "DocumentRoot /mnt/shared/www16/html/kptree.net/public_html"
  • After making these changes:
    • Test the apache2 configuration: "sudo apachectl configtest", ensure the statement "syntax ok" in output
    • To enable the new website configuration: "sudo a2ensite kpbtree.net.conf", also disable the default website configuration "sudo a2dissite example.com.conf"
    • Reload or restart apache2 to enable configuration changes: "sudo systemctl reload apache2" or "sudo systemctl restart apache2"
    • Test the web page by typing in the local ip address of the apache2 server in a web browser

The MySQL (Maria) database data directory can also be moved, however the database sizes are not so large, nor need to be often changed after initial setup to merit this move. Also move mysql data directory How to Change a MySQL Data Directory to a New Location Using a Symlink

Secure Web Server Settings

There are a number of ways the various certificate files are handle and the nomenclature and file names used can be confusing. Basically there are 3 (+1) components to a central authority trusted key.

  1. The public key, which actually acts as a lock to encrypt a file. The public key (lock) is made freely available to the public to be used to encrypt a file that only the matching private key can decrypt (unlock).
  2. The private key, which is the only key that can unlock a file that is encrypted with the matching public key (lock). The private key must be kept absolutely private.
  3. The Certificate Authority's (CA) Public Key (lock) which is used to encrypt communications with the CA to confirm that public key (lock) and the certificate embedded websites actually belongs to whoever hold the matching private key and hence the website belongs to the person that controls the private key.
  4. (+1) The CA must have a corresponding private key to unlock the encryption of their certificates and their public keys used to lock them. They need to do this to verify the Certificate data and corresponding public key.

Some points about secure web sites:

  1. A secure website really only means that the website used encryption to secure it and the certificate authority has performed basic checks to confirm ownership/control of the website. This does not necessarily guarantee the honesty of the owner/controller. There are certificates that the authorities issue that require greater ownership checks and hence cost more money and require greater verification upon the owner/controller to achieve. These tend to be used by larger organisations. The greater checking and costs tend to
  2. The public/private encryption system is not proven and relies upon large keys numbers to prevent brute force cracking. There is no guarantee that in the future the may not be developments that require even larger keys or make the current system otherwise ineffective.

The following is a list of Apache SSL directives used to handle certificates:

  1. SSLCertificateFile, refers to the the public key (lock) file, it sometimes also contains the CA certificate and lock.
  2. SSLCertificateKeyFile, refers to the private key file. This must be key securely private and never made public, even to the CA.
  3. SSLCertificateChainFile, refers to the CA certificate and lock file, it is sometimes combined with the SSLCertificateFile and is then not used.

StartSSL and Godaddy use all 3 directives mentioned above, whereas LetsEncrypt use only the first 2, with the CA certificate combined with the public key in the SSLCertificateFile directive.

See the Apache HTTP Server Version 2.4 documentation on Apache Module mod_ssl. This reference also has information on the directives mentioned above as well as a number of other SSL Certificate directive not discussed herein.

See the wikipedia article X.509, as a general reference / background on CAs.

StartSSL Certificate Settings

I use a free security certificate from StartCom-StartSSL. StartSSL provide 3 documents that need to be reference in the secure web server configuration, see StartSSL - Apache web server how to install page. Specifically the following files need to be copied to the web server and referenced in "sudo vim /etc/apache2/sites-enabled/kptree.net-ssl.conf".

  • SSLCertificateFile "/[your directory]/2_your_domain.crt"
  • SSLCertificateKeyFile "/[your directory]/private.key"
  • SSLCertificateChainFile "/[your directory]/1_root_bundle.crt"

Then:

  • To enable the mod_ssl module: "sudo a2enmod ssl"
  • To enable apache2 HTTPS configuration: "sudo a2ensite kptree.net-ssl"
  • To enable changes restart apache2: "sudo systemctl restart apache2"
  • Check for any errors with the SSL certificate: "sudo cat /var/log/apache2/error.log"

To permanently redirect all traffic to use https edit http configuration file, "sudo vim /etc/apache2/sites-available/000-default.conf", adding the following 2 lines above the ServerAdmin line:

  • ServerName kptree.net
  • Redirect permanent / https://kptree.net/

Also referred to Solarian Programmer - Install a 3rd party free SSL certificate on your LAMP server.

Recently, StartSSL has been taken over by another company. Unfortunately this company performed actions that have caused major players (e.g. Google, Mozilla) to not accept their new certificates published after a certain date. This effectively makes their new certificates valueless to me. Reportedly the new owner of StartSSL has undertaken to remedy their poor practices to eventually regain the lost trust. I would consider them again should the trust in them be restored.

Godaddy Certificate Settings

I needed to update my certificate in December 2016 and as noted above, StartSSL certificates would seem to have some problems. Godaddy had a promotion on for their certificates, $6.99/year, instead of $99/year, so I gave them a try. In usual Godaddy practice, the promotion price will automatically revert to $99/year. As I feel this is too much for my purposes I will be looking for other options next December. Hopefully StartSSL will have sorted out their act by then and have a suitable trusted product in place, if not Gandi.net looks to be a good overall option to further investigate. There seemed to be little information on installing Godaddy certificates on recent Apache/Ubuntu installations, perhaps as the Godaddy product is more up market/expensive.... I managed to get it working and here is the description.

The following steps are required:

  • Purchase the SSL certificate, and wait for issue, if necessary follow the verification directions from Godaddy.
  • Generate a CSR (certificate signing request).
  • See the Godaddy page, SSL Certificates Help - Apache: Generate CSR. It requires the following:
    • Log into your server shell and use the following command: "openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr". This generates two files:
      • "yourdomain.key", is the unencrypted private key. This needs to be kept secure!
      • "yourdomain.csr", is the related certificate signing request.
    • Paste the full CSR into the Godaddy SSL enrollment form in your account.
  • Godaddy will inform you via email when your certificate is available. You can then go to your account and down load the certificates:
    • One certificate is your public certificate, Godaddy, uses the certificate key as name, e.g. 3a4df25385a2d3b1.crt
    • The other certificate is the Godaddy public certificate and chain file, gd_bundle-g2-g1.crt

LetEncrypt Certificate Settings

As of writing this there is no direct support for LetsEncrpyt's current version of installation software on Ubuntu 16.04, Certbot. The recommended Certbot PPA for Ubuntu can be found at "certbot" team - Certbot PPA. Unfortunately the command "add-apt-repository" needs to be added, so the final commands are:

  • To ensure the current package database is up to date: "sudo apt update"
  • To install the add-apt-repository command: "sudo apt install software-properties-common"
  • To add the official Debian Certbot repository that have been back-ported to Ubuntu: "sudo add-apt-repository ppa:certbot/certbot"
  • To update the repositories including the newly added Certbot ones: "sudo apt update"
  • To install Certbot: "sudo apt install certbot"

DigitalOcean has Ubuntu 14.04 setup, How to Set Up Let's Encrypt Certificates for Multiple Apache Virtual Hosts on Ubuntu 14.04. This seems to work well on 16.04 too. Once setup, the basic commands are:

  • To create a new certificate with sub-domains: "certbot-auto --apache -d example.com -d www.example.com -d mail.example.com". This assume that all these domains and sub-domains are existing accessible Apache web pages.
  • To manually auto renewal: "sudo certbot-auto renew". Set up auto renew using a cron job.

The Cerbot process seems to be fairly automated. And worked immediately for my existing sites. I had to update my domain DNS records to add additional sub-domains for these to work correctly with this Certbot command.

Web Server Applications Setup

Nextcloud setup

The following references show how to install Nextcloud on Ubuntu 16.04 (& 14.04)

To move / redeploy an Owncloud server to Nextcloud, backup and restore instructions, Backing up ownCloud and Restoring ownCloud. Also check the mariadb help on mysqldump and mysql Command-line Client. Also the DigitalOcean - How To Backup MySQL Databases on an Ubuntu VPS is a handy reference.

  • To back up use, where moving deployment from the old server virtual machine:
    • For the database: "sudo mysqldump --lock-tables -h localhost -u root -p owncloud > owncloud-dbbackup_`date +"%Y%m%d"`.bak" (Then move to the oc-backdir: "sudo mv owncloud-dbbackup_`date +"%Y%m%d"`.bak /mnt/shared/temp/oc-backupdir/").
    • For the config files: "sudo rsync -Aax /var/www/owncloud/config /mnt/shared/temp/oc-backupdir/"
    • For the relocated data: "sudo rsync -Aax /mnt/shared/www/owncloud/data /mnt/shared/temp/oc-backupdir/"
  • To restore use, where moving deployment from the new server virtual machine:
    • If required create the nextcloud database in MySQL:
      • Enter MySQL as root: "mysql -u root -p", you will be prompted for MySQL root password.
      • Create the NextCloud database in MySQL: "CREATE DATABASE nextcloud;"
      • Create a separate MySQL account for NextCloud, obviously using your own assigned password: "GRANT ALL ON nextcloud.* to 'nextcloud'@'localhost' IDENTIFIED BY 'set_database_password';
      • Make current MySQL session know of the recent privilege change: "FLUSH PRIVILEGES;"
      • Last, exit MySQL command line with: "exit".
    • (First copy to the local VM home directory from the backup directory, oc-backdir: "sudo cp /mnt/shared/temp/oc-backupdir/owncloud-dbbackup_`date +"%Y%m%d"`.bak ~") For the database: "mysql -h localhost -u root -p nextcloud < owncloud-dbbackup_`date +"%Y%m%d"`.bak".
    • For the config files: "sudo rsync -Aax /mnt/shared/temp/oc-backupdir/config /var/www/nextcloud/", add the -n flag for a test run.
    • For the relocated data: "sudo rsync -Aax /mnt/shared/temp/oc-backupdir/data /mnt/shared/www16/nextcloud/"
  • Ensure the path to your nextcloud directory is included in the /etc/apache2/apache2.conf, e.g. statement.
  • Nextcloud Updating

    Nextcloud 11 Server Administration Manual How to Upgrade Your Nextcloud Server. Be sure to check the latest relevant version!

HTTP & HTTPS Apache redirect to internal IP Virtual Machine & Related

HTTP & HTTPS Apache Reverse Proxy to internal IP Virtual Machine

The goal is to setup two (or more) Apache2 virtual web servers, each on separate virtual machines (VMs), each with a separate distinct LAN IP address. However there is only one WAN static Internet address, with the router setup to forward the web ports 80 and 443 to only one primary virtual web server. The primary virtual web server is setup to handle certain sub-domains directly and to forward, via reverse proxy other the subdomain(s) to "secondary" virtual web servers. The setup must operate on a "standard" Ubuntu 16.04 with this distribution's "standard" LAMP (Linux, Apache, Mariadb(MySQL) PHP) setup.

Unfortunately a web search on this matter does not provide much clarity. There are a number of reasons for this, including without limitation:

  • Outdated information, for older web server and virtual machine set-ups
  • Different goals and associated scopes
  • The Apache documentation, while authoritative, is difficult to use as it seems to have limited relevant examples

It is assumed that the domain name provide DNS information points to the WAN Internet address (A Record) for the domain name and all related sub-domains (CNAME Record).

Forward Proxy not Required and to be Disabled

A forwarding proxy with its associated security risks is not required. These ProxyRequests directive should be off, so we could add the line "ProxyRequests Off" in "/etc/apache2/mods-enabled/proxy.conf". However as ProxyRequests Off is default, this is not necessary. Be careful to ensure this directive is not otherwise inadvertently turned on!

See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy

Reverse Proxy is required and must be Enabled

The proxy_module mod_proxy must be enabled for a reverse (or forward) proxy to function.

  • "ProxyPreserveHost on" (default off) is required where the original Host header needs to be evaluated by the proxy server.
  • "ProxyPass"
  • "ProxyPassReverse"

The ProxyPass and ProxyReversePass directives are enclosed within the <location> directive to limit their scope. See Apache HTTP Server Version 2.4 - Apache Core Features - <Location>

See references: Apache HTTP Server Version 2.4 - Apache Module mod_proxy

SSL Reverse Proxy is required and must be Enabled

In the prime VirtualHost definition for each reverse proxy sub-domain for https the following additional parameters need to be considered. The SSL module, mod_ssl must be turned on.

"SSLEngine on" (default off) must be turned on in https virtual host definition

  • "SSLProxyEngine On" (default is off) is required to allow reverse proxy with SSL to function
  • "SSLProxyVerify none" (default is none)
    • none: no remote server Certificate is required at all
    • optional: the remote server may present a valid Certificate
    • require: the remote server has to present a valid Certificate
    • optional_no_ca: the remote server may present a valid Certificate, but it need not to be (successfully) verifiable.
  • SSLProxyCheckPeerCN off (default is on), leave on if the remote server certificate CN field is to be check against the hostname of the requested URL. (only the primary CN field is checked.)
  • SSLProxyCheckPeerName off (default is on), leave on if the remote server certificate CN field, or subjectAltName extention are to be check against the hostname of the requested URL. (Basic wildcard matching supported too.)
  • SSLProxyCheckPeerExpire off (default is on), leave on if remote server certificate expiry check is to be performed.

Reverse proxy will not work where SSLProxyEngine is off or any set SSLProxyChecks fail.

See references: Apache HTTP Server Version 2.4 - Apache Module mod_ssl and Server Fault - proxy:error AH00898: Error during SSL Handshake with remote server.

The Alias and Redirect Directives and <Directory> Directive may be required

The Alias Directive may need to be used with <Directory> Directive to allow other access to local file system outside DocumentRoot. The Alias and Redirect Directives are included in the mod_alias module. <Directory> is a core feature and hence always available.

See references: Apache HTTP Server Version 2.4 - Apache Module mod_alias and Apache Core Features - Directory.

Apache modules requirements

  • The following is a list of additional apache modules that will need to be installed:
    • sudo a2enmod proxy
    • sudo a2enmod proxy_http
    • sudo a2enmod rewrite (The secondary virtual web server only requires for this setup.)
    • sudo a2enmod xml2enc (This is not mandatory, but gets rid of some warnings.)
  • These modules should have been installed by default and are required. (To check installed modules "sudo a2dismod"):
    • sudo a2enmod alias
    • sudo a2enmod deflate
    • sudo a2enmod headers
  • These modules do not need to be installed on this setup:
    • sudo a2dismod proxy_ajp
    • sudo a2dismod proxy_balancer
    • sudo a2dismod proxy_connect
    • sudo a2dismod proxy_html

Virtualhost Files Setup

HTTP virtual host on primary server, example.com:

Virtualhost file /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>

ServerName example.com

ServerAlias www.example.com

ServerAdmin webmaster@localhost

#DocumentRoot /mnt/shared/www/html


#ErrorLog ${APACHE_LOG_DIR}/error.log

#CustomLog ${APACHE_LOG_DIR}/access.log combined

ErrorLog /mnt/shared/www/html/logs/error.log

CustomLog /mnt/shared/www/html/logs/access.log combined


Redirect permanent / https://example.com/

#Added by Certbot

RewriteEngine on

RewriteCond %{SERVER_NAME} =kptree.net [OR]

RewriteCond %{SERVER_NAME} =www.kptree.net

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>


The only function is to redirect HTTP queries to http://example.com and http://www.example.com to the HTTPS virtual machine for https://example.com.

HTTP virtual host on primary proxy server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf

<VirtualHost *:80>

ServerName sub1.example.com

#ServerAlias

#ServerAdmin webmaster@localhost

#DocumentRoot /mnt/shared/www/html


ErrorLog /mnt/shared/www/html/logs/error.log

CustomLog /mnt/shared/www/html/logs/access.log combined


Redirect permanent / https://sub1.example.com/

#Added by Certbot

RewriteEngine on

RewriteCond %{SERVER_NAME} =kptree.net [OR]

RewriteCond %{SERVER_NAME} =www.kptree.net

RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

</VirtualHost>


The only function is to redirect HTTP queries to http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com.

HTTPS virtual host on primary server, example.com:

Virtualhost file /etc/apache2/sites-available/example.com-SSL.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName example.com

ServerAlias www.example.com

ServerAdmin webmaster@localhost

DocumentRoot /mnt/shared/www/html


#Some optimisation and security directives (requires mod_headers enabled)

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"

Header set X-Frame-Options "SAMEORIGIN"

Header set X-Content-Type-Options "nosniff"


ErrorLog /mnt/shared/www/html/logs/error.log

CustomLog /mnt/shared/www/html/logs/access.log combined


SSLEngine on

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

#SSLCertificateChainFile


<FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

</FilesMatch>

<Directory /usr/lib/cgi-bin>

SSLOptions +StdEnvVars

</Directory>

</VirtualHost>

</IfModule>


This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a "standard" virtual machine setup for HTTPS.

HTTPS virtual host on primary proxy server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName sub1.example.com

#ServerAlias

#ServerAdmin webmaster@localhost

#DocumentRoot /mnt/shared/www/html


ProxyPreserveHost on

<Location />

ProxyPass https://192.168.1.18/

ProxyPassReverse https://192.168.1.18/

</Location>


#Some optimisation and security directives

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"

Header set X-Frame-Options "SAMEORIGIN"

Header set X-Content-Type-Options "nosniff"


ErrorLog /mnt/shared/www/html/logs/error.log

CustomLog /mnt/shared/www/html/logs/access.log combined


SSLEngine on

SSLProxyEngine On

SSLProxyVerify none

SSLProxyCheckPeerCN off

SSLProxyCheckPeerName off

SSLProxyCheckPeerExpire off


SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem

SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

#SSLCertificateChainFile


<FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

</FilesMatch>

<Directory /usr/lib/cgi-bin>

SSLOptions +StdEnvVars

</Directory>

</VirtualHost>

</IfModule>


This is the virtual machine to reverse proxy HTTPS queries to https://sub1.example.com to a separate local LAN apache server, hence the reference to the local LAN address: https://192.168.1.18. (Does not seem to function correctly or at all without the ProxyPreserveHost and SSLProxyEngine directives on. Similarly the ProxyPass and ProxyPassReverse references must be to the https://LAN_IP_address (192.168.1.18/), not a server name (sub1.example.com), as shown.)

HTTP virtual host on secondary server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com.conf

<VirtualHost *:80>

ServerName sub1.example.com

#ServerAlias

ServerAdmin webmaster@localhost

Redirect permanent / https://sub1.example.com/

DocumentRoot /var/www/html


ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined


</VirtualHost>


The only function is to redirect HTTP queries from http://sub1.example.com to the HTTPS virtual machine for https://sub1.example.com. (It would normally never be called as the primary server reverse proxy only calls the https address. Not WAN accessible except via primary reverse proxy.)

HTTPS virtual host on secondary server, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.example.com-SSL.conf

<IfModule mod_ssl.c>

<VirtualHost *:443>

ServerName sub1.example.com

#ServerAlias

ServerAdmin webmaster@localhost

Redirectmatch ^/$ https://sub1.example.com/sub1

DocumentRoot /var/www/html


#Some optimisation and security directives

Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains;"

Header set X-Frame-Options "SAMEORIGIN"

Header set X-Content-Type-Options "nosniff"


ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined


SSLEngine on


SSLCertificateFile /etc/ssl/PUBLIC_KEY_FILE

SSLCertificateKeyFile /etc/ssl/private/PRIVATE_KEY_FILE

SSLCertificateChainFile /etc/ssl/PUBLIC_CHAIN_KEY_FILE


<FilesMatch "\.(cgi|shtml|phtml|php)$">

SSLOptions +StdEnvVars

</FilesMatch>

<Directory /usr/lib/cgi-bin>

SSLOptions +StdEnvVars

</Directory>

</VirtualHost>

</IfModule>


This is the virtual machine to serve HTTPS queries to https://example.com and https://www.example.com. It is basically a "standard" virtual machine setup for HTTPS. (Not WAN accessible except via primary reverse proxy.)

Setup of application on secondary server virtualhost, sub1.example.com:

Virtualhost file /etc/apache2/sites-available/sub1.app.conf

Alias /app1 "/mnt/shared/app1/"

<Directory /mnt/shared/html/app1/>

Options FollowSymLinks

AllowOverride All

#AllowOverrideList None

<RequireAll>

Require all granted

</RequireAll>

</Directory>


<Directory /mnt/shared/html/app1/installer>

Options FollowSymLinks

AllowOverride None

#AllowOverrideList None

<RequireAll>

Require all denied

</RequireAll>

</Directory>


This allows application access control to various sub-directories. It can also be used to give access to directories outside the DocumentRoot directive.

Notes:

In relation to the HSTS directive 'Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"', refer to the following references; The Chromium Projects HTTP Strict Transport Security and HSTS preload. As this web site does not perform funds transactions it has been elected not to use the preload function. Hence the HSTS "preload" option is removed.

Password Protecting HTTP/HTTPS Pages

The apache2 module auth_basic is required to be loaded. To enable "sudo a2enmod auth_basic"

To make a html secure page subdirectory add the following to "sudo vim /etc/apache2/apache2.conf"

<Location "/mnt/shared/www/html/secure">

AuthType basic

AuthName "Private Area"

AuthUserFile "/mnt/shared/www/.htpasswd"

Require valid-user

</Location>

To create the authuserfile with one user, 'user': "htpasswd -c /mnt/shared/www/.htpasswd user", to add another user or change an existing user password "htpasswd /mnt/shared/www/.htpasswd user"

The following are related links:

Install Zenphoto

Zenphoto The simpler media website CMS. The Zenphoto User guide for installation and upgrade. Some additional helpful links: An overview of zenphoto users (Rights management), Permissions for Zenphoto files and folders, and Database scheme.

    Following the same outline as the Zenphoto installation guide.

  1. Download the latest version of Zenphoto

    Move to the proposed installation directory, as required:

    • cd /var/www/html
    • sudo mkdir zenphoto
    • cd zenphoto

    The latest version of Zenphoto can be downloaded by: "sudo wget https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.13.tar.gz"

    (The latest version of Zenphoto can be found on the Zenphoto main page. As of writing it is Zenphoto 1.4.13)

  2. Extract the files to your computer

    Extract the archive into zenphoto directory: "sudo tar -xzvf zenphoto-1.4.13.tar.gz"

    Move contents to preferred directory: "sudo mv zenphoto-1.4.13/* ./"

    The archive can be deleted after successfully extracting it: "sudo rm -rf zenphoto-1.4.13.tar.gz zenphoto-1.4.13"

    Setup apache2 to recognise example.com/zenphoto/:

    Create "sudo vim /etc/apache2/sites-available/zenphoto.conf" and copy following into it:

    Alias /zenphoto "/var/www/zenphoto/"

    <Directory /var/www/zenphoto/>

    Options +FollowSymlinks

    AllowOverride All

    </Directory>

    Then "sudo a2ensite zenphoto.conf" to enable configuration

    Then "sudo systemctl reload apache2" to reload apache2 with updated configuration file


  3. Create a MySQL database

    The Zenphoto instructions do not give any details here, presumably it just needs a MYSQL database with local permissions.

    Enter MySQL as root: "mysql -u root -p", you will be prompted for MySQL root password.

    Create the Zenphoto database in MySQL: "CREATE DATABASE zenphoto;"

    Create a separate MySQL account for Zenphoto, using your own assigned password if desired: "GRANT ALL ON zenphoto.* to 'zenphoto'@'localhost' IDENTIFIED BY 'zenphoto_pass';"

    Make current MySQL session know of the recent privilege change: "FLUSH PRIVILEGES;"

    Last, exit MySQL command line with: "exit".

    Remember the MySQL credentials above to configure Zenphoto

    • database name: zenphoto
    • user name: zenphoto
    • password: zenphoto_pass
  4. Navigate to the zenphoto gallery

    "example.com/zenphoto/" and Setup.php should run.

    If it does not run, navigate directly to example.com/zenphoto/zp-core/setup.php. Refer to info about the required permissions if you run into issues.

  5. Enter the MySQL credentials and make sure everything checks out

  6. Click GO!

Install FluxBB

FluxBB is lightweight forum software for a website. A forum gives readers a chance to interact.

See the following FluxBB reference links Installing and Upgrading.


To install, it assumed that an operating LAMP server is already operational. Follow the FluxBB Installing instruction. I have "clarified" the first 3 steps below.

  1. Create a database for the forum to use

    mysql -u root -p

    create database fluxbb;

    create user 'fluxbbadmin' identified by 'fluxbbadmin';

    grant all privileges on fluxbb.* to 'fluxbbadmin';

    FLUSH PRIVILEGES;

    exit

  2. Copy/upload all contents into the directory where you want to run your forums

    Move to the proposed installation directory, as required:

    • cd /var/www/html
    • sudo mkdir fluxbb
    • cd fluxbb

    The latest version of FluxBB can be downloaded by "sudo wget http://fluxbb.org/download/releases/1.5.10/fluxbb-1.5.10.tar.gz"

    Extract the archive into fluxbb directory: "sudo tar -xzvf fluxbb-1.5.10.tar.gz"

    Move contents to preferred directory: "sudo mv fluxbb-1.5.10/* ./"

    The archive can be deleted after successfully extracting it: "sudo rm -rf fluxbb-1.5.10.tar.gz fluxbb-1.5.10"

  3. Run install.php from the forum root directory and follow the on-screen instructions

The following is a list web subject references:

Older web reference links, that are either outdated or not aligned with the proposed goal and scope:

The following is a list of related commonly used commands and scripts:

  • To open the main web page "http://server-ip-address/"
  • To open the PHP test page "http://server-ip-address/testphp.php"
  • To label list current IPTABLES configuration, verbose "sudo iptables -L -v" or simple "sudo iptables -S"
  • To check running process with sql (/ apa for apache2) in the name "ps -A | grep sql"
  • To start (/stop /enable) the SQL database daemon "sudo systemctl stop mysql"
  • Systemd common commands (start / stop / restart / status) (enable / disable for boot control)
  • Reload or restart apache2 to enable configuration changes: "sudo systemctl reload apache2" or "sudo systemctl restart apache2"
  • Apache2 related:
    • To show the current apache VirtualHost configuration: "apache2ctl -S"
    • To enable / disable apache module: "sudo a2enmod module_name" / "sudo a2dismod module_name", if module name is not given available modules will be listed
    • To enable / disable apache virtual host (configuration file): "sudo a2ensite VH.conf" / "sudo a2dissite VH.conf"
    • Site configuration files stored in directory: "/etc/apache2/sites-available"

The following is a list of related commonly used SQL commands:

  • To open the current SQL database configuration web page "http://server-ip-address/phpmyadmin/"
  • To confirm the status (start, stop and restart) mysql "sudo systemctl status apache2"
  • To login into mysql as root, with password prompt: "sudo mysql -u root -p"
  • Database commands:
    • To show databases: "show databases;"
    • To create database (where new database name is: dBase_NAME): "create dBase_NAME"
    • To list mySQL database sizes: "SELECT table_schema "DB Name", Round(Sum(data_length + index_length) / 1024 / 1024, 1) "DB Size in MB" FROM information_schema.tables GROUP BY table_schema;"
    • To use a database: "use databasename;"