Apache HTTPD webserver

Install Apache HTTP server

sudo apt-get install apache2 apache2-utils

# Check that the webserver at http://192.168.0.100 responds:
echo "<html><body><h1>Hello World!</h1></body></html>" | sudo tee /var/www/html/index.html
firefox http://192.168.0.100 &

The Apache HTTPD configuration lives under /etc/apache2/: apache2.conf plus the conf-, mods- and sites-available directories, whose entries are activated by symlinks in the matching *-enabled directories (a2enconf, a2enmod, a2ensite).

Also add PHP support to our web server:

sudo apt-get install php libapache2-mod-php php-gd php-xml
sudo /etc/init.d/apache2 restart

# Check that PHP works (http://192.168.0.100/about.php):
echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/about.php
firefox http://192.168.0.100/about.php &

Delete about.php once the check has passed: phpinfo() discloses the PHP version, loaded modules, file paths and environment to anyone who can reach the page, which is the whole internet once the router forwards port 80 below.

Access the server from the internet

Collect public information on the server

When the server sits behind a NAT router, its public IPv4 address can be obtained from http://ip4.me/.

# Get IPv6 address of the server (or, on systems without net-tools: ip -6 addr show eth0):
ifconfig
eth0      Link encap:Ethernet  HWaddr b8:27:eb:00:e4:ad
          inet6 addr: 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45/64 Scope:Global

# Get reverse DNS address of the router
nslookup 82.247.83.30
Non-authoritative answer:
30.83.247.82.in-addr.arpa name = vau06-3-82-247-83-30.fbx.proxad.net.

This gives the following info:

Field                     Value
IPv4 Address              82.247.83.30
IPv6 Address              2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45
Reverse DNS (PTR record)  vau06-3-82-247-83-30.fbx.proxad.net

Configure the Web Domain

Either configure a real domain, or use a hostname from a dynamic DNS provider such as https://www.noip.com/. The records to create:
DNS  : www.tognoli.fr
A    : 82.247.83.30
AAAA : 2a01:e35:2f75:31e0:7f7c:1938:ba82:1d45
MX   : vau06-3-82-247-83-30.fbx.proxad.net

Configure the Router port forwarding

The router must forward (NAT) the public IPv4 ports to the server so that it can be reached. Forward only the ports of services you actually run: every forwarded port is exposed to the whole internet, and 22 in particular will attract password-guessing bots, so allow key-based SSH authentication only.

IPv4 NAT port redirection

IP Source      Port       IP Destination   Port       Protocol
82.247.83.30   80 (tcp)   192.168.0.100    80 (tcp)   HTTP
82.247.83.30   443 (tcp)  192.168.0.100    443 (tcp)  HTTPS
82.247.83.30   22 (tcp)   192.168.0.100    22 (tcp)   SSH
82.247.83.30   25 (tcp)   192.168.0.100    25 (tcp)   SMTP

The web server is now reachable from the internet at: http://www.tognoli.fr/

Securing the Web Server

Enable HTTPS server (with SSL/TLS Security)

sudo a2enmod ssl
sudo a2ensite default-ssl.conf
sudo /etc/init.d/apache2 restart

# Test our server:
firefox https://192.168.0.100/ &

For now Apache uses the self-signed "snakeoil" certificate generated at install time by the ssl-cert package, so the browser warns that the connection is not private.

Self signed certificate

A self-signed certificate must be imported into each browser's trust store before the site is displayed without a warning, so it is only practical on a LAN. To create one (the output file holds both the private key and the certificate, so protect it like a key):

# Create self signed certificate
sudo make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/ssl/private/tognoli.fr.pem
# for "Alternate host" you must use this syntax: "DNS:localname;IP:192.168.0.100"

CA certificate (letsencrypt.org)

A free certificate trusted by all browsers can be obtained from https://letsencrypt.org/ with the certbot client. The webroot challenge below requires http://<each domain>/.well-known/acme-challenge/ to be reachable from the internet, i.e. port 80 forwarded as above and every -d name resolving to the public address.

cd /usr/local/sbin
sudo wget https://dl.eff.org/certbot-auto
sudo chmod a+x /usr/local/sbin/certbot-auto
sudo ./certbot-auto certonly --webroot -w /var/www/html/ -d tognoli.fr -d www.tognoli.fr -d bertrand.tognoli.fr -d svn.tognoli.fr

Note that the certbot-auto wrapper script has since been deprecated by the EFF; on current Debian/Ubuntu install the packaged client instead (sudo apt install certbot) and run the same certonly command with certbot in place of ./certbot-auto.

The certificate must be referenced from the web server configuration. certbot names the lineage directory after the first -d name given, here tognoli.fr:

 /etc/apache2/sites-enabled/*.conf
        #SSLCertificateFile     /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile  /etc/ssl/private/ssl-cert-snakeoil.key

        SSLCertificateFile      /etc/letsencrypt/live/tognoli.fr/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/tognoli.fr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/tognoli.fr/chain.pem
        # Apache 2.4.8 or later: pointing SSLCertificateFile at fullchain.pem serves the
        # chain too, and SSLCertificateChainFile (deprecated) can then be dropped.

A cron job renews the certificate regularly (certbot only renews when the certificate is close to expiry, so running it twice a month is fine). Apache keeps the old certificate loaded until it is reloaded, so a deploy hook reloads it whenever a renewal actually happened:

sudo crontab -e
00 04 01,15 * * /usr/local/sbin/certbot-auto renew --quiet --no-self-upgrade --deploy-hook "systemctl reload apache2"

Website can now be accessed remotely, without browser warning.

Authentication

Apache can restrict part of a website to authenticated users.

To enable basic authentication:

# Create the password file with a first user. -c creates (and overwrites!) the file, so use it
# only once; -B stores bcrypt hashes instead of the weak default apr1-MD5. The file sits outside
# DocumentRoot (/var/www/html), so it can never be downloaded through the web server.
sudo htpasswd -c -B /var/www/users.pswd user
# Further users are added without -c:  sudo htpasswd -B /var/www/users.pswd otheruser
sudo vim /etc/apache2/sites-enabled/000-default.conf
  <Location /private/>
    AuthType Basic
    AuthName "Restricted pages"
    AuthUserFile /var/www/users.pswd
    Require valid-user
  </Location>
# Reload the configuration
sudo service apache2 reload

Basic authentication sends the username and password base64-encoded, not encrypted, in every request, so it must only be offered on the HTTPS virtual host (with plain HTTP redirected to HTTPS, as in the final configuration below).

Server configuration

Below is the final server configuration file. It redirects every plain-HTTP request to HTTPS and serves the site over TLS with the Let's Encrypt certificate. Create it in sites-available; a2ensite then symlinks it into sites-enabled:

 /etc/apache2/sites-available/tognoli.conf
<VirtualHost *:80>
        ServerName www.tognoli.fr

        # Redirect all non secure accesses to https.
        Redirect permanent / https://www.tognoli.fr/

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<VirtualHost _default_:443>
        ServerName www.tognoli.fr
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # Enable SSL for this virtual host.
        SSLEngine on

        # SSL/TLS certificate (lineage named after the first -d domain given to certbot).
        SSLCertificateFile      /etc/letsencrypt/live/tognoli.fr/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/tognoli.fr/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/tognoli.fr/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                        SSLOptions +StdEnvVars
        </FilesMatch>

        <Directory /usr/lib/cgi-bin>
                        SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments (workarounds for ancient Internet Explorer versions,
        #   carried over from default-ssl.conf; harmless, and safe to delete):
        BrowserMatch "MSIE [2-6]" \
                        nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

Now disable the two default sites enabled so far and enable ours (the file must be in sites-available for a2ensite to find it), checking the syntax before reloading:

sudo a2dissite 000-default default-ssl
sudo a2ensite tognoli
sudo apache2ctl configtest
sudo service apache2 reload

SSL security

Apply some settings to increase server security. The file is a symlink to /etc/apache2/mods-available/ssl.conf; each directive is shown with its previous value commented out. Apache applies the last occurrence of a directive in a scope, so do not leave both lines active.

 /etc/apache2/mods-enabled/ssl.conf
        # Disable CAMELLIA (Non-compliant with NIST guidelines)
        #SSLCipherSuite HIGH:!aNULL
        SSLCipherSuite HIGH:!aNULL:!CAMELLIA

        # Prefer the server's cipher order over the client's
        #SSLHonorCipherOrder on
        SSLHonorCipherOrder on

        # Disable insecure TLS v1/v1.1 (only TLS 1.2 and 1.3 remain)
        #SSLProtocol all -SSLv3
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

HTTP proxy

sudo a2enmod proxy
sudo a2enmod proxy_html
sudo a2enmod proxy_http

# i.e. /etc/apache2/mods-available/proxy.conf, which a2enmod proxy symlinked into mods-enabled
sudo vim.tiny proxy.conf
<IfModule mod_proxy.c>
  # Off = reverse proxy only. On would make Apache an open forward proxy for the whole internet.
  ProxyRequests Off
  # Expose the device at 192.168.0.4 under /esp/ (ProxyPass alone is the reverse proxy).
  ProxyPass /esp/ http://192.168.0.4/
  ProxyHTMLURLMap http://192.168.0.4 /esp
  <Location /esp/>
    # Rewrite Location/redirect headers sent by the backend back to the /esp/ prefix.
    ProxyPassReverse /
    # ProxyHTMLURLMap only takes effect with ProxyHTMLEnable On; mod_proxy_html cannot rewrite
    # compressed bodies, hence the Accept-Encoding unset (which needs mod_headers).
#   ProxyHTMLEnable On
    ProxyHTMLURLMap / /esp/
#   RequestHeader    unset  Accept-Encoding
  </Location>
</IfModule>

sudo systemctl restart apache2

Anything behind /esp/ is now reachable from the internet with whatever protection the device itself has (often none). Put the Location inside the HTTPS virtual host and protect it with the Basic authentication block from above.

Alternative

A kernel-level port forward with iptables instead of mod_proxy: no HTTP awareness, so no URL rewriting, no TLS termination and no Apache authentication in front of the backend.

# Forwarding must be enabled, otherwise the DNATed packets are dropped.
sudo sysctl -w net.ipv4.ip_forward=1
# Masquerade forwarded traffic leaving eth0 (the interface seen in ifconfig above) so the backend replies through this host.
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Send incoming TCP/8080 to the backend web server.
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.1:80

Tips

Convert image to favicon

# rsvg-convert is shipped by the librsvg2-bin package (ImageMagick delegates SVG rendering to librsvg)
sudo apt install imagemagick librsvg2-bin
convert -density 384 -background transparent -fill "#4040ff" -colorize 100 image.svg -define icon:auto-resize -colors 256 /var/www/html/favicon.ico
09-Jun-2020