```bash
sudo apt-get install apache2 apache2-utils
# Check that the webserver at http://192.168.0.100 responds:
echo "<html><body><h1>Hello World!</h1></body></html>" | sudo tee /var/www/html/index.html
firefox http://192.168.0.100 &
```
The Apache HTTPD configuration files are located in /etc/apache2/*.conf
Also add PHP support to our web server:
```bash
sudo apt-get install php libapache2-mod-php php-gd php-xml
sudo /etc/init.d/apache2 restart
# Check that PHP works (http://192.168.0.100/about.php):
# (phpinfo() discloses the full server configuration, so delete about.php once the check is done)
echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/about.php
firefox http://192.168.0.100/about.php &
```
When the server sits behind a NAT router, its public IPv4 address can be obtained from http://ip4.me/.
```text
# Get IPv6 address of the server:
ifconfig eth0
eth0      Link encap:Ethernet  HWaddr b8:27:eb:00:e4:ad
          inet6 addr: 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45/64 Scope:Global
# Get reverse DNS address of the router:
nslookup 82.247.83.30
Non-authoritative answer:
30.83.247.82.in-addr.arpa	name = vau06-3-82-247-83-30.fbx.proxad.net.
```
This gives the following info:
Field | Value |
---|---|
IPv4 Address | 82.247.83.30 |
IPv6 Address | 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45 |
Reverse DNS (PTR record) | vau06-3-82-247-83-30.fbx.proxad.net |
DNS records for www.tognoli.fr:

Record | Value |
---|---|
A | 82.247.83.30 |
AAAA | 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45 |
MX | vau06-3-82-247-83-30.fbx.proxad.net |
The following IPv4 router ports must be forwarded (NAT) to the server so that it can be reached from the internet:
IP Source | Port | IP Destination | Port | Protocol |
---|---|---|---|---|
82.247.83.30 | 80(tcp) | 192.168.0.100 | 80(tcp) | HTTP |
82.247.83.30 | 443(tcp) | 192.168.0.100 | 443(tcp) | HTTPS |
82.247.83.30 | 22(tcp) | 192.168.0.100 | 22(tcp) | SSH |
82.247.83.30 | 25(tcp) | 192.168.0.100 | 25(tcp) | SMTP |
The web server is now reachable from the internet at: http://www.tognoli.fr/
```bash
sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo /etc/init.d/apache2 restart
# Test our server:
firefox https://192.168.0.100/ &
```
Currently, Apache uses a self-signed certificate, so the browser will warn that the connection is not private.
The self-signed certificate must be added to the browser's trusted certificates for the website to be displayed...
```bash
# Create self signed certificate
make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/tognoli.fr.pem
# for "Alternate host" you must use this syntax: "DNS:localname;IP:192.168.0.100"
```
A free TLS certificate can be obtained from https://letsencrypt.org/.
```bash
cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
sudo ./certbot-auto certonly --webroot -w /var/www/html/ -d tognoli.fr -d www.tognoli.fr -d bertrand.tognoli.fr -d svn.tognoli.fr
```
The certificate must be referenced in the web server configuration file:
/etc/apache2/sites-enabled/*.conf
```apache
#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/letsencrypt/live/tognoli.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/tognoli.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/tognoli.fr/chain.pem
```
A cron job will renew the certificate regularly:
```bash
sudo crontab -e
```
```crontab
00 04 01,15 * * /usr/local/sbin/certbot-auto renew --quiet --no-self-upgrade
```
The website can now be accessed remotely without a browser warning.
Apache can restrict access to part of a website to authenticated users.
To enable basic authentication:
```bash
# create user and password:
htpasswd -c /var/www/users.pswd user
```
```bash
vim /etc/apache2/sites-enabled/000-default.conf
```
```apache
<Location /private/>
    AuthType Basic
    AuthName "Restricted pages"
    AuthUserFile /var/www/users.pswd
    Require valid-user
</Location>
```
```bash
# Restart server
sudo service apache2 reload
```
Basic authentication does not encrypt the password in transit, so it should only be used over HTTPS.
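Basic authentication is only as strong as the hashes stored in the users file that `htpasswd` writes. The script below is an added example, not part of the original notes: it classifies each entry of an htpasswd-style file by hash algorithm and flags everything that is not bcrypt (`htpasswd -B`). It assumes POSIX sh only; the users file it reads is constructed here with made-up, non-functional hashes.

```shell
#!/bin/sh
# Added example (not from the original notes): audit the AuthUserFile used by the
# <Location /private/> block above for weak password hashes.
# Assumes POSIX sh.  The sample file is constructed for this example; the hash
# values are placeholders in the right format, not real credentials.

USERS_FILE=$(mktemp)
cat > "$USERS_FILE" <<'EOF'
# constructed sample: one bcrypt entry, three legacy entries
alice:$2y$05$n5yL1kZp0aGx2U4vI6s7O.0W3uq9xH0p4sQ2mR8fK1tJ7zV5bN3eC
bob:$apr1$Ab12Cd34$Xy9Zq8Wv7Uu6Tt5Ss4Rr3/
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:xyAbcDeFgHiJk
EOF

# Classify one htpasswd hash field by its prefix:
#   $2y$/$2a$/$2b$ -> bcrypt (htpasswd -B), $apr1$ -> Apache MD5 (htpasswd default),
#   {SHA} -> unsalted SHA-1, anything else -> traditional crypt(3).
hash_kind() {
    case "$1" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo md5 ;;
        '{SHA}'*)                echo sha1 ;;
        *)                       echo crypt ;;
    esac
}

# Print one line per user; the return code is the number of users not on bcrypt
# (0 means every entry is fine).
audit_htpasswd() {
    file=$1
    weak=0
    while IFS=: read -r user hash; do
        [ -z "$user" ] && continue
        case "$user" in '#'*) continue ;; esac   # skip comment lines
        kind=$(hash_kind "$hash")
        if [ "$kind" = bcrypt ]; then
            echo "OK   $user ($kind)"
        else
            echo "WEAK $user ($kind) - rehash with: htpasswd -B $file $user"
            weak=$((weak + 1))
        fi
    done < "$file"
    return $weak
}

audit_htpasswd "$USERS_FILE" || echo "$? user(s) need rehashing"
```

Run it against the real `/var/www/users.pswd` by replacing `USERS_FILE`; re-running `htpasswd -B` for each flagged user rewrites that entry with bcrypt without touching the others.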
Below is a final server configuration file that:
/etc/apache2/sites-enabled/tognoli.conf
```apache
<VirtualHost *:80>
    ServerName www.tognoli.fr
    # Redirect all non secure accesses to https.
    Redirect permanent / https://www.tognoli.fr/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost _default_:443>
    ServerName www.tognoli.fr
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Enable SSL for this virtual host.
    SSLEngine on
    # SSL/TLS certificate.
    SSLCertificateFile /etc/letsencrypt/live/www.tognoli.fr/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.tognoli.fr/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/www.tognoli.fr/chain.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
```
Now, we should disable Apache2 default settings and enable our site:
```bash
cd /etc/apache2/sites-enabled
sudo a2dissite *
sudo a2ensite tognoli.conf
sudo service apache2 reload
```
Apply some settings to increase server security. In /etc/apache2/mods-enabled/ssl.conf, each original directive is shown followed by its replacement:
```apache
# Disable CAMELLIA (Non-compliant with NIST guidelines)
SSLCipherSuite HIGH:!aNULL
SSLCipherSuite HIGH:!aNULL:!CAMELLIA
# Enforce highest security from server
#SSLHonorCipherOrder on
SSLHonorCipherOrder on
# Disable unsecure TLS v1/v1.1
SSLProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
```
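To confirm that an ssl.conf actually carries the hardened settings rather than the defaults they replace, the following script is an added example (not part of the original notes). It reads the last uncommented `SSLProtocol`, `SSLCipherSuite` and `SSLHonorCipherOrder` directives (Apache applies the last occurrence) and warns about each weak setting the notes above remove. It assumes POSIX sh with grep, sed and tail; the two sample files are constructed here, one with the Debian-style defaults and one with the hardened values.

```shell
#!/bin/sh
# Added example (not from the original notes): check an Apache ssl.conf for the
# weak settings replaced above: SSLv3/TLSv1/TLSv1.1 enabled, aNULL or CAMELLIA
# ciphers allowed, server cipher order not enforced.
# Assumes POSIX sh, grep, sed, tail.  Both sample files are constructed here.

# Print the arguments of the last uncommented occurrence of directive $1 in file $2.
# Apache uses the last occurrence, so that is the effective value.
last_directive() {
    grep -E "^[[:space:]]*$1[[:space:]]" "$2" | tail -n 1 \
        | sed -E "s/^[[:space:]]*$1[[:space:]]+//"
}

# Return 0 when FILE carries the hardened settings, 1 (with one WARN line per
# finding) otherwise.
check_ssl_conf() {
    file=$1
    rc=0
    proto=$(last_directive SSLProtocol "$file")
    ciphers=$(last_directive SSLCipherSuite "$file")
    order=$(last_directive SSLHonorCipherOrder "$file")
    [ -n "$proto" ] || proto=all   # conservative: a missing directive is treated as "all"

    # "all -X -Y" is a deny list, so each weak version must be subtracted;
    # anything else (e.g. "TLSv1.2 TLSv1.3") is an allow list, so weak versions must be absent.
    for v in SSLv3 TLSv1 TLSv1.1; do
        case " $proto " in
            *" all "*|*" +all "*)
                case " $proto " in
                    *" -$v "*) ;;
                    *) echo "WARN: $v still enabled by 'SSLProtocol $proto'"; rc=1 ;;
                esac ;;
            *)
                case " $proto " in
                    *" $v "*|*" +$v "*) echo "WARN: $v explicitly enabled by 'SSLProtocol $proto'"; rc=1 ;;
                esac ;;
        esac
    done

    # Cipher list entries are ':'-separated; the hardened string must exclude both families.
    for c in aNULL CAMELLIA; do
        case ":$ciphers:" in
            *":!$c:"*) ;;
            *) echo "WARN: $c not excluded by 'SSLCipherSuite ${ciphers:-<unset>}'"; rc=1 ;;
        esac
    done

    case "$(echo "$order" | tr 'A-Z' 'a-z')" in
        on) ;;
        *) echo "WARN: SSLHonorCipherOrder is '${order:-unset}', server cipher preference not enforced"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: Debian default-style settings (before the changes above).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
SSLCipherSuite HIGH:!aNULL
#SSLHonorCipherOrder on
SSLProtocol all -SSLv3
EOF

# Constructed sample 2: the hardened values from the notes above.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
SSLCipherSuite HIGH:!aNULL:!CAMELLIA
SSLHonorCipherOrder on
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
EOF

echo "== default-style ssl.conf =="
check_ssl_conf "$WEAK_CONF" || echo "result: NOT hardened"
echo "== hardened ssl.conf =="
check_ssl_conf "$HARDENED_CONF" && echo "result: hardened"
```

Point `check_ssl_conf` at the real `/etc/apache2/mods-enabled/ssl.conf` after editing; a non-zero return code makes it usable from a cron job or a deployment check, and the WARN lines name the directive to fix.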
```bash
a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http
vim.tiny proxy.conf
```
```apache
<IfModule mod_proxy.c>
    # Reverse proxy only: keep forward proxying disabled.
    ProxyRequests Off
    ProxyPass /esp/ http://192.168.0.4/
    ProxyHTMLURLMap http://192.168.0.4 /esp
    <Location /esp/>
        ProxyPassReverse /
        # ProxyHTMLEnable On
        ProxyHTMLURLMap / /esp/
        # RequestHeader unset Accept-Encoding
    </Location>
</IfModule>
```
```bash
systemctl restart apache2
```
Alternative (port forwarding with iptables instead of an Apache reverse proxy):
```bash
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:80
```
```bash
# rsvg-convert (the SVG rasterizer ImageMagick delegates to) is shipped by the librsvg2-bin package
sudo apt install imagemagick librsvg2-bin
convert -density 384 -background transparent -fill "#4040ff" -colorize 100 image.svg -define icon:auto-resize -colors 256 /var/www/html/favicon.ico
```
09-Jun-2020