Apache HTTPD webserver

Install Apache HTTP server

sudo apt-get install apache2 apache2-utils

# Check that the webserver at responds:
echo "<html><body><h1>Hello World!</h1></body></html>" | sudo tee /var/www/html/index.html
firefox &

The Apache HTTPD configuration files are located in /etc/apache2/*.conf

Also add PHP support to our web server:

sudo apt-get install php libapache2-mod-php php-gd php-xml
sudo /etc/init.d/apache2 restart

# Check that PHP works (
echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/about.php
firefox &

Access the server from the internet

Collect public information on the server

When the server is sitting behind a NAT router, public IPv4 address can obtained from http://ip4.me/.

# Get IPv6 address of the server:
eth0      Link encap:Ethernet  HWaddr b8:27:eb:00:e4:ad
          inet6 addr: 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45/64 Scope:Global

# Get reverse DNS address of the router
Non-authoritative answer: name = vau06-3-82-247-83-30.fbx.proxad.net.

This gives the following info:

IPv4 Address82.247.83.30
IPv6 Address2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45
Reverse DNS (PTR record)vau06-3-82-247-83-30.fbx.proxad.net

Configure the Web Domain

Either configure a real Domain, or use host from https://www.noip.com/
DNS  : www.tognoli.fr
A    :
AAAA : 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45
MX   : vau06-3-82-247-83-30.fbx.proxad.net

Configure the Router port forwarding

IPv4 router ports should be NATed so that the server can be reached.

IPv4 NAT port redirection
IP Source Port IP DestinationPortProtocol 80(tcp) 80(tcp)HTTP 22(tcp) 22(tcp)SSH 25(tcp) 25(tcp)SMTP

The web server is now reachable from the internet at: http://www.tognoli.fr/

Securing the Web Server

Enable HTTPS server (with SSL/TLS Security)

sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo /etc/init.d/apache2 restart

# Test our server:
firefox &

Currently, apache uses a self-signed certificate. So, browser will complain that connection is not private.

Self signed certificate

Self signed certificate must be added to browser trusted sites so that website is displayed...

# Create self signed certificate
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/tognoli.fr.pem
# for "Alternate host" you must use this syntax: "DNS:localname;IP:"

CA certificate (letsencrypt.org)

Free SSL certificate can be obtained from https://letsencrypt.org/.

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
sudo ./certbot-auto certonly --webroot -w /var/www/html/ -d tognoli.fr -d www.tognoli.fr -d bertrand.tognoli.fr -d svn.tognoli.fr

Certificate must be added to WebServer configuration file.

        #SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile  /etc/ssl/private/ssl-cert-snakeoil.key

        SSLCertificateFile      /etc/letsencrypt/live/tognoli.fr/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/tognoli.fr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/tognoli.fr/chain.pem

Cron job will renew the certificate regularly.

sudo crontab -e
00 04 01,15 * * /usr/local/sbin/certbot-auto renew --quiet --no-self-upgrade

Website can now be accessed remotely, without browser warning.


Apache allows to restrict access to part of a website to authentified user.

To enable basic authentication:

# create user and password:
htpasswd -c /var/www/users.pswd user
vim /etc/apache2/sites-enabled/000-default.conf 
  <Location /private/>
    AuthType Basic
    AuthName "Restricted pages"
    AuthUserFile /var/www/users.pswd
    Require valid-user
# Restart server
sudo service apache2 reload

Auth basic does not encrypt passwords, so, should be used with https.

Server configuration

Below is a final server configuration file that:

<VirtualHost *:80>
        ServerName www.tognoli.fr

        # Redirect all non secure accesses to https.
        Redirect permanent / https://www.tognoli.fr/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

<VirtualHost _default_:443>
        ServerName www.tognoli.fr
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Enable SSL for this virtual host.
        SSLEngine on

        # SSL/TLS certificate.
        SSLCertificateFile      /etc/letsencrypt/live/www.tognoli.fr/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/www.tognoli.fr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.tognoli.fr/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars

        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars

        #   SSL Protocol Adjustments:
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

Now, we should disable Apache2 default settings and enable our site:

cd /etc/apache2/sites-enabled
sudo a2dissite *
sudo a2ensite tognoli.conf
sudo service apache2 reload

HTTP proxy

a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http

vim.tiny proxy.conf
<IfModule mod_proxy.c>
  ProxyRequests Off
  ProxyPass /esp/
  ProxyHTMLURLMap /esp
  <Location /esp/>
    ProxyPassReverse /
#   ProxyHTMLEnable On
    ProxyHTMLURLMap / /esp/
#   RequestHeader    unset  Accept-Encoding

systemctl restart apache2


sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination


Convert image to favicon

sudo apt install imagemagick rsvg-convert
convert -density 384 -background transparent -fill "#4040ff" -colorize 100 image.svg -define icon:auto-resize -colors 256 /var/www/html/favicon.ico