Tested for Ubuntu 18.04
Apache, PHP, MariaDB, Sqlite, LetsEncrypt, AnonIP
Installation
# Ubuntu 18.04: PHP with the extensions the sites below rely on
# (sqlite3/mysql drivers, curl, imap, json, mbstring, gd, pear).
apt-get install php php-gd php-sqlite3 php-mysql php-curl php-imap php-json php-pear php-mbstring
# Apache with mod_php and mod_wsgi (Python 3); wsgi is switched on with a2enmod below.
apt-get install apache2 libapache2-mod-php libapache2-mod-wsgi-py3
apt-get install mariadb-server
# NOTE(review): the php-sqlite3 extension above pairs with the `sqlite3`
# command-line package; `sqlite` is the legacy SQLite 2 CLI — confirm which
# one is intended.
apt-get install sqlite
# NOTE(review): the snap-based certbot install further down symlinks
# /snap/bin/certbot to /usr/bin/certbot, which collides with this apt
# package — use one or the other, not both.
apt-get install certbot
Config
Enable apache2 modules
# proxy/proxy_http: reverse-proxy support; rewrite: mod_rewrite; ssl: TLS
# vhosts; wsgi: Python apps via libapache2-mod-wsgi-py3.
# NOTE(review): mod_headers is not enabled here; it is needed if response
# headers such as Strict-Transport-Security are to be set — confirm.
a2enmod proxy proxy_http rewrite ssl wsgi
/etc/apache2/apache2.conf
# The directory where shm and other runtime files will be stored.
DefaultRuntimeDir ${APACHE_RUN_DIR}
# PidFile: The file in which the server should record its process identification number when it starts.
# This needs to be set in /etc/apache2/envvars
PidFile ${APACHE_PID_FILE}
# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# Include module configuration:
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
# Include my Configuration
# NOTE(review): this file lives under /var/www next to the web content. It
# must be owned by root and not writable by the Apache run user or group:
# whoever can edit it controls the complete server configuration.
Include /var/www/apache2.conf
IP anonymization for log files
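# Fetch Anonip (masks client IPs before they reach the access log) and put it
# where the CustomLog pipe in apache2.conf expects it. The log pipe executes
# the script directly, so it has to be executable — a plain wget leaves it
# at 0644 and Apache would fail to start the logger.
# NOTE(review): this pulls an unpinned copy from the master branch; pin a
# release/commit and read the file before use, since it runs as a log-pipe
# child of Apache.
wget -O /var/www/anonip.py https://raw.githubusercontent.com/DigitaleGesellschaft/Anonip/master/anonip.py
chown root:root /var/www/anonip.py
chmod 0755 /var/www/anonip.py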
sed 404 log filter: /var/www/sed-filter404
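# Print only access-log lines whose HTTP status field is 404.
# The "common" LogFormat quotes the request line, so the status is the first
# field after the closing quote. Anchoring on `" 404 ` avoids false matches on
# a 404-byte response size or a "404" inside the request path, which the
# looser `/ 404 /` pattern could hit.
/" 404 /p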
(the regex is far from perfect...)
/var/www/apache2.conf
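Listen 80
# Port 443 carries TLS: the optional protocol argument is "https" (also the
# default for 443). It was "http", which mislabels the TLS listener.
Listen 443 https
# Timeout: The number of seconds before receives and sends time out.
Timeout 300
# KeepAlive: Allow persistent connections (more than one request per connection).
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow during a persistent connection. Set to 0 to allow an unlimited amount. Set number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request from the same client on the same connection.
KeepAliveTimeout 5
# HostnameLookups: Log the names of clients or just their IP addresses. If enabled each client request will result in AT LEAST one lookup request to the nameserver.
HostnameLookups Off
# Prevent DirIndex if no index file present
# (an "Options FollowSymLinks" without a leading "+" in a Directory block
# replaces this list rather than extending it, and .htaccess files may
# re-enable Indexes wherever AllowOverride permits it)
Options -Indexes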
# Deny everything by default; each served tree has to opt in.
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
# Everything under /var/www is readable and may carry .htaccess files.
# NOTE(review): AllowOverride All lets a .htaccess re-enable directory
# listings or change access rules for any path under /var/www — limit it to
# the directive groups actually needed if that is not intended.
<Directory /var/www/>
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
AccessFileName .htaccess
# Never serve .htaccess / .htpasswd files.
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# Never serve this configuration file. anonip.py and sed-filter404 live in
# the same directory and are not covered by this rule; they stay unreachable
# only as long as no vhost uses /var/www itself as its DocumentRoot.
<Files apache2.conf>
Require all denied
</Files>
# Default Log files
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# The %v:%p prefix makes the client address (%h) the second field, which is
# why anonip is told --column 2 below.
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedVH
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
# access.log is written through anonip.py, which is meant to mask the low
# 8 bits of IPv4 and the low 64 bits of IPv6 addresses before the line is
# stored.
#CustomLog ${APACHE_LOG_DIR}/access.log combinedVH
CustomLog "|/var/www/anonip.py --ipv4mask 8 --ipv6mask 64 --column 2 --output ${APACHE_LOG_DIR}/access.log" combinedVH
# 404 lines are picked out by the sed script and appended to a separate file.
# NOTE(review): this second log uses the "common" format and does NOT pass
# through anonip, so status404.log keeps unmasked client IPs — chain it
# through anonip too if the anonymisation is meant to be complete.
CustomLog "|$ /bin/sed -u -n -f /var/www/sed-filter404 - -- >> ${APACHE_LOG_DIR}/status404.log" common
# Disable server name in server pages (error/etc..)
ServerSignature Off
ServerTokens Prod
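# Disable SSL v2/v3, to use TLS
# TLS 1.0 and 1.1 are deprecated as well (RFC 8996); only TLS 1.2 and newer
# stay enabled. Re-add them only for a known client population that needs them.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
SSLCompression Off
# Specify allowed Ciphers
#SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
# The 3DES suites were dropped (64-bit block cipher, SWEET32). The RSA+…
# entries at the end offer no forward secrecy and remain only as a fallback
# for clients without ECDHE/DHE support.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
# Default SSL certificate (default.example.net), also used for clients
# without SNI support.
## (Wildcard would be best placed here...)
SSLCertificateFile /etc/www-certs/default.example.net-cert.pem
SSLCertificateKeyFile /etc/www-certs/default.example.net-key.pem
# SSLCertificateChainFile is deprecated since httpd 2.4.8: pointing
# SSLCertificateFile at the fullchain file already supplies the
# intermediates. Kept for now so the existing file layout keeps working.
SSLCertificateChainFile /etc/www-certs/default.example.net-fullchain.pem
#SSLStrictSNIVHostCheck on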
#####################################################################
### WELL KNOWN Aliases ###
#####################################################################
# ACME-CHALLENGE #
# HTTP-01 validation files are served from this directory for every vhost
# (the Alias is global); the default-deny vhost below re-opens the path.
# NOTE(review): the ACME client's webroot (-w) must be
# /var/www/letsencrypt/acme-challenge — the -w values used in the
# certificate section of this page point elsewhere.
<Directory /var/www/letsencrypt/acme-challenge>
Require all granted
</Directory>
Alias "/.well-known/acme-challenge/" "/var/www/letsencrypt/acme-challenge/.well-known/acme-challenge/"
# Custom 404 page, served from outside any DocumentRoot.
# NOTE(review): the Content section at the end of this page names the file
# /var/www/404.html, while this alias points at /var/www/error404.html —
# one of the two is wrong.
ErrorDocument 404 /404.html
Alias /404.html /var/www/error404.html
#####################################################################
# VirtualHosts ######################################################
#####################################################################
# Default - Deny ####################################################
# Catch-all for Host names that match no other vhost: everything is refused
# except the ACME challenge path and the 404 page. The RedirectMatch is
# meant to answer every other request with 404 rather than 403, so nothing
# is revealed about which paths exist.
<VirtualHost *:80>
ServerName _default_
<Location />
Require all denied
</Location>
<Location /.well-known/acme-challenge/>
Require all granted
</Location>
<Location /404.html>
Require all granted
</Location>
RedirectMatch 404 ^/(?!(\.well-known/acme-challenge|404.html))
</VirtualHost>
# Same for TLS: uses the global default certificate and returns 404 for
# everything. NOTE(review): unlike the :80 vhost, the ACME path is not
# re-opened here, so a challenge that is redirected to https for an unknown
# host would fail — probably intended, but worth confirming.
<VirtualHost *:443>
ServerName _default_
Redirect 404 /
SSLEngine On
<Location />
Require all denied
</Location>
</VirtualHost>
#####################################################################
# MAIN PAGES #
# example.net #############################################
# Plain HTTP only forwards to the TLS site (Redirect defaults to a 302;
# use "Redirect permanent" once the TLS setup is final).
<VirtualHost *:80>
ServerName www.example.net
ServerAlias example.net
Redirect "/" "https://www.example.net/"
</VirtualHost>
# TLS vhost with its own certificate, overriding the global default.
# NOTE(review): no Strict-Transport-Security header is sent; that requires
# mod_headers, which the a2enmod line on this page does not enable.
<VirtualHost *:443>
ServerName www.example.net
ServerAlias example.net
DocumentRoot /var/www/vhosts/www.example.net/htdocs
SSLEngine on
SSLCertificateFile /etc/www-certs/example.net-cert.pem
SSLCertificateKeyFile /etc/www-certs/example.net-key.pem
SSLCertificateChainFile /etc/www-certs/example.net-fullchain.pem
</VirtualHost>
SSL Certificates
acme.sh (defaults to ZeroSSL)
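# Install acme.sh. Saving the installer to a file first (instead of piping
# curl straight into sh) lets it be read before it runs, and -f turns a
# failed download into an error instead of feeding sh an HTML error page.
# The email= argument is passed exactly as before.
curl -fsSL -o get-acme.sh https://get.acme.sh
sh get-acme.sh email=somealias@mydomain.tld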
# Webroot for HTTP-01 validation.
# NOTE(review): Apache serves challenges from /var/www/letsencrypt/acme-challenge
# (see the Alias in apache2.conf), not from this path — acme.sh's -w must be
# the directory Apache actually serves, otherwise validation fails.
mkdir -p /etc/www-certs/http-01-acme-challenge
# The private keys end up under /etc/www-certs. The Apache parent process
# reads them as root at startup, so the www-data group does not need read
# access — keep key files 0600/0640 and the directory not world-readable.
chown -R root:www-data /etc/www-certs
# Issue via HTTP-01 with a 4096-bit key.
acme.sh --issue -k 4096 -w /etc/www-certs/http-01-acme-challenge -d mydomain.tld -d www.mydomain.tld
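# DNS-01 issuance via the Domain-Offensive API (dns_doapi). The token is read
# from the terminal instead of being typed into the command line, so it does
# not land in the shell history or in `ps` output.
read -r -s -p 'DO_LETOKEN: ' DO_LETOKEN && export DO_LETOKEN
# The wildcard name is quoted: unquoted, *.mydomain.tld is a shell glob and
# would be replaced by matching file names from the current directory.
acme.sh --issue --dns dns_doapi -d mydomain.tld -d '*.mydomain.tld'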
# Copy the issued files to their final location and reload Apache; acme.sh
# remembers these settings and repeats the step on each renewal.
# NOTE(review): these paths contain a "certs/" sub-directory, while the Apache
# configuration above references /etc/www-certs/<domain>-cert.pem directly —
# one of the two needs adjusting.
acme.sh --install-cert -d mydomain.tld \
--cert-file /etc/www-certs/certs/mydomain.tld-cert.pem \
--key-file /etc/www-certs/certs/mydomain.tld-key.pem \
--fullchain-file /etc/www-certs/certs/mydomain.tld-fullchain.pem \
--reloadcmd "service apache2 force-reload"
Let's Encrypt [OLD] TODO: usage, cron renewal, difference between certbot-auto and certbot?
Using snap
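# certbot from snap (kept current upstream, unlike the apt package).
sudo apt install snapd
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
# The apt certbot installed at the top of this page owns /usr/bin/certbot;
# remove it first, otherwise `ln -s` fails with "File exists" or two
# versions end up mixed.
sudo apt-get remove certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot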
Setting up the cron job
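# Daily renewal (left disabled, as before). The webroot has to be the
# directory Apache serves challenges from (/var/www/letsencrypt/acme-challenge
# in the Apache config above); the former /dwe/... path looks like a leftover —
# confirm. $RENEWED_DOMAINS is single-quoted so cron's shell passes it through
# untouched and certbot's hook shell expands it; in double quotes cron's
# shell would expand it to an empty string. --renew-hook is the deprecated
# spelling of --deploy-hook.
#@daily /usr/bin/certbot renew -n --quiet --webroot -w /var/www/letsencrypt/acme-challenge/ --post-hook "/usr/sbin/apache2ctl graceful" --deploy-hook 'echo Renewed $RENEWED_DOMAINS'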
Content
/var/www/404.html
Your 404 error page...