Apache, PHP and MySQL setup

After setting up the mail system, I continued today with the basic webserver setup. This setup includes a basic Apache2 configuration with SSL and name based virtual hosts. PHP5 and MySQL5 are also needed for serving dynamic content.

Again we will start with installing all needed software components:

apt-get install apache2 libapache2-mod-php5 php5-cli php5-common mysql-common mysql-server mysql-client

Please choose a secure password for the database installation. The Debian configuration for the MySQL server is fine and does not pose any security issues, as it will only accept connections from the localhost, so only local applications can access the database.

The PHP configuration file can use some tweaks to increase the security. Make sure that you have the following settings in /etc/php5/apache2/php.ini:

disable_functions = show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
expose_php = Off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off

The above settings will close some script injection vulnerabilities and disable some insecure function calls. The rest of the configuration file can be set to your own preferences.
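To check a php.ini against these settings instead of eyeballing it, here is a small POSIX shell script I am adding to the article (it is not from the original post). It reads the effective value of each directive the way PHP does (lines starting with ';' are comments, and the last assignment of a key wins), treats disable_functions as a set so that extra disabled functions are fine, and compares the boolean switches case-insensitively. The two sample files it runs against are constructed for the demonstration and are not real Debian configs.

```shell
#!/bin/sh
# Added example, not part of the original article: verify that a php.ini
# carries the hardening directives listed above.
# Usage: check_php_ini /etc/php5/apache2/php.ini

# Directives the article requires, as key=value.
REQUIRED='disable_functions=show_source, system, shell_exec, passthru, exec, popen, proc_open, symlink
expose_php=Off
register_globals=Off
allow_url_fopen=Off
allow_url_include=Off'

# Print the effective value of directive $2 in file $1 (empty if unset).
ini_get() {
    awk -v want="$2" '
        /^[[:space:]]*;/ { next }            # comment line
        index($0, "=") == 0 { next }         # section header or blank
        {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == want) val = v           # later assignments override earlier ones
        }
        END { print val }' "$1"
}

# Return 0 if every required directive is satisfied; otherwise print each
# deviation and return 1. Extra entries in disable_functions are allowed.
check_php_ini() {
    file=$1 rc=0
    while IFS='=' read -r key want; do
        got=$(ini_get "$file" "$key")
        case $key in
        disable_functions)
            # compare as a set: every required function must be in the list
            list=",$(printf '%s' "$got" | tr -d ' \t'),"
            for fn in $(printf '%s' "$want" | tr ',' ' '); do
                case $list in
                *",$fn,"*) ;;
                *) printf '%s: %s is not disabled\n' "$key" "$fn"; rc=1 ;;
                esac
            done ;;
        *)
            # boolean switches: PHP accepts Off/off, so compare case-insensitively
            if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$(printf '%s' "$want" | tr 'A-Z' 'a-z')" ]; then
                printf '%s: expected %s, found "%s"\n' "$key" "$want" "${got:-<unset>}"
                rc=1
            fi ;;
        esac
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Constructed sample files (not real configs) to exercise the check.
write_samples() {
    cat > "$1/good.ini" <<'EOF'
[PHP]
; hardened per the article, with one extra disabled function and odd spacing
disable_functions = show_source,system, shell_exec, passthru, exec, popen, proc_open, symlink, pcntl_exec
expose_php = off
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off
EOF
    cat > "$1/bad.ini" <<'EOF'
[PHP]
; a permissive file: version banner on, remote file access on, nothing disabled
disable_functions =
expose_php = On
register_globals = Off
allow_url_fopen = On
allow_url_include = Off
EOF
}

# Demonstration on the two constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in good bad; do
    if check_php_ini "$tmp/$f.ini"; then echo "$f.ini: ok"; else echo "$f.ini: needs attention"; fi
done
rm -rf "$tmp"
```

Run it against the real file after editing, and again after every PHP package upgrade, since a package update may ship a fresh php.ini.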

For the Apache configuration we first need a custom certificate to enable SSL encryption:

openssl req -new -x509 -days 4312 -nodes -keyout /etc/apache2/web.pem -out /etc/apache2/web.pem

When filling out the certificate details, make sure that you enter your domain name in the field “Common Name”. The above command creates a self-signed certificate and, because -keyout and -out name the same file, writes both the private key and the certificate into /etc/apache2/web.pem.

Now you need to configure the Apache server to listen on both port 80 and port 443. This is done in the configuration file /etc/apache2/ports.conf:

Listen 80
Listen 443

Enable the SSL Apache module:

a2enmod ssl

Now we need to enable the name based virtual host support. Open /etc/apache2/sites-available/default and make sure that the file starts with the following lines:

NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost *:80>

Now we are all set to create our virtual hosts. We only need to decide where these hosts will be stored. In this example I choose the path /srv/www/vhosts as the base path for the virtual hosts, and each host gets its own directory named after the domain name (e.g. mydomain.com) with the subdirectories httpdocs for non-SSL webpages, httpsdocs for SSL webpages and logs for the access and error log.

Let’s create a new virtual host foobar.org. First we create the directories:

mkdir /srv/www/vhosts/foobar.org
mkdir /srv/www/vhosts/foobar.org/httpdocs
mkdir /srv/www/vhosts/foobar.org/httpsdocs
mkdir /srv/www/vhosts/foobar.org/logs

Now we will define the virtual host inside apache. Create a new configuration file /etc/apache2/sites-available/foobar.org with the following contents:

<VirtualHost *:80>
        SSLEngine Off
        ServerName foobar.org:80
        ServerAlias www.foobar.org
        UseCanonicalName Off
        ServerAdmin your@email.com
        DocumentRoot /srv/www/vhosts/foobar.org/httpdocs
        CustomLog /srv/www/vhosts/foobar.org/logs/access_log combined
        ErrorLog /srv/www/vhosts/foobar.org/logs/error_log
        <Directory /srv/www/vhosts/foobar.org/httpdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/web.pem
        ServerName foobar.org:443
        ServerAlias www.foobar.org
        UseCanonicalName Off
        ServerAdmin your@email.com
        DocumentRoot /srv/www/vhosts/foobar.org/httpsdocs
        CustomLog /srv/www/vhosts/foobar.org/logs/access_log combined
        ErrorLog /srv/www/vhosts/foobar.org/logs/error_log
        <Directory /srv/www/vhosts/foobar.org/httpsdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </Directory>
</VirtualHost>

The above configuration defines a non-SSL site pointing to the httpdocs folder and an SSL site pointing to the httpsdocs folder. Of course you could configure the same DocumentRoot for both sites so that SSL and non-SSL content would be the same.

The last step to enable the new site is to declare it as an active site and reload the apache configuration:

a2ensite foobar.org
/etc/init.d/apache2 reload

Now you should be able to access your new site with ssl and non-ssl. And you will also be able to run PHP scripts inside your web space.
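The steps above (directories, site file, a2ensite, reload) are the same for every host, so here is an added shell function, not from the original article, that does the first two for a given domain. It writes the same two VirtualHost blocks as above with the domain, admin address and base directory as parameters, and it refuses a domain name containing anything other than hostname characters, since the name is used as a path component and as a file name. The BASE and SITES arguments are optional so the function can be tried in a scratch directory, which the demonstration at the bottom does; the a2ensite and reload steps are still run by hand afterwards.

```shell
#!/bin/sh
# Added example, not part of the original article: create the directory layout
# and the Apache site file for one name-based virtual host, following the
# article's conventions (/srv/www/vhosts/DOMAIN/{httpdocs,httpsdocs,logs}).
# Usage: make_vhost DOMAIN [ADMIN_EMAIL] [BASE] [SITES]

make_vhost() {
    domain=$1
    admin=${2:-your@email.com}
    base=${3:-/srv/www/vhosts}
    sites=${4:-/etc/apache2/sites-available}

    # The domain becomes a directory name and a file name under /etc, so
    # accept only hostname characters and reject ".." and a leading dot.
    # This keeps "../" and shell metacharacters out of mkdir and the heredoc
    # if the function is ever fed from a list or a web form.
    case $domain in
    ''|*[!a-zA-Z0-9.-]*|.*|*..*)
        echo "make_vhost: invalid domain '$domain'" >&2; return 1 ;;
    esac

    root=$base/$domain
    mkdir -p "$root/httpdocs" "$root/httpsdocs" "$root/logs" || return 1

    cat > "$sites/$domain" <<EOF
<VirtualHost *:80>
        SSLEngine Off
        ServerName $domain:80
        ServerAlias www.$domain
        UseCanonicalName Off
        ServerAdmin $admin
        DocumentRoot $root/httpdocs
        CustomLog $root/logs/access_log combined
        ErrorLog $root/logs/error_log
        <Directory $root/httpdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </Directory>
</VirtualHost>

<VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/web.pem
        ServerName $domain:443
        ServerAlias www.$domain
        UseCanonicalName Off
        ServerAdmin $admin
        DocumentRoot $root/httpsdocs
        CustomLog $root/logs/access_log combined
        ErrorLog $root/logs/error_log
        <Directory $root/httpsdocs>
                Order Deny,Allow
                Allow from all
                Options -Indexes
        </Directory>
</VirtualHost>
EOF
}

# Demonstration on a scratch tree. The real run omits BASE and SITES and is
# followed by: a2ensite DOMAIN && /etc/init.d/apache2 reload
tmp=$(mktemp -d)
mkdir "$tmp/sites"
make_vhost foobar.org webmaster@foobar.org "$tmp/vhosts" "$tmp/sites" && cat "$tmp/sites/foobar.org"
make_vhost '../evil' webmaster@foobar.org "$tmp/vhosts" "$tmp/sites" || echo "rejected as expected"
rm -rf "$tmp"
```

Run it as root for the real paths, then check the result with apache2ctl configtest before the reload so a typo in the domain does not take the whole server down.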

The logfiles for different virtual hosts are now stored in separate directories. We therefore need to adapt the logrotate configuration to include the new logfiles in the log rotation. So open the configuration file /etc/logrotate.d/apache2 and change the first line to:

/var/log/apache2/*.log /srv/www/vhosts/*/logs/*_log {

In the next article we will take a look at securing the Apache server with mod_security.
