Apache Setup

Last Edit: 2023.10.06

Debian / Ubuntu

Overview

Install Apache web server and complete initial configuration.

Assumptions

Initial system setup completed.
Logged in as administrative user.

Update

Before getting started, update package repositories. Consider upgrading them as well for the latest patches.

# Debian
sudo apt update
sudo apt upgrade

Install Apache

Install Apache package apache2 using apt.

sudo apt install apache2

Apache is enabled by default, verify this and check that it is running.

sudo systemctl status apache2

Configure Apache

Once Apache is installed, there are a few basic configuration steps to complete.

security.conf

Some Apache configurations should by modified from their default state for optimal security. Open Apache’s security.conf file in your text editor of choice.

sudo nano /etc/apache2/conf-available/security.conf

By default, Apache will publicly display some sensitive information about your server including Apache version and OS type. Apache will also respond to TRACE requests by default, which can expose your web server to cross-site tracing (XST).

Change this behavior by setting ServerTokens to production, and disabling ServerSignature and TraceEnable.

ServerTokens Prod
ServerSignature Off
TraceEnable Off

Set the headers X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection so that they will be applied to all virtual hosts by default. These can be overridden on a per-host basis, but most times there will be no reason to.

X-Content-Type-Options is used to disable MIME type sniffing.

X-Frame-Options is used to prevent your sites content from being loaded in third party iframes or embeds, to prevent click-jacking.

X-XSS-Protection enables XSS filtering, this is the default behavior on modern browsers and is included for legacy support.

Header set X-Content-Type-Options: "nosniff"
Header set X-Frame-Options: "sameorigin"
Header set X-XSS-Protection "1; mode=block"

Enable the Apache headers module for the above headers to be effective.

sudo a2enmod headers

Restart Apache to apply all changes made.

sudo systemctl restart apache2

Virtual Hosts

Apache virtual hosts allow you to have different Apache configurations for multiple sites. This provides the ability to host more than one domain on a single web server. Even if the server will only host one website, having a virtual host allows the configuration for the host to be edited easily.

Create Web Directory

Apache website files should be stored in the /var/www/ directory. Create a directory named after your domain example.com, and a directory to actually store your website files within it public. The document root for the website will be /var/www/example.com/public/, this is where your website’s files will go.

sudo mkdir -p /var/www/example.com/public

Configure Apache as the owner of the web directory.

sudo chmod -R www-data:www-data /var/www/example.com

Set the directory permissions so that the owner can read / write / execute, and the group can read / execute. Add yourself to the www-data group for continued navigability of the directory.

sudo chown -R 750 /var/www/example.com

sudo usermod -aG www-data exampleuser

Configure Virtual Host

Create a new virtual host configuration file in the /etc/apache2/sites-available/ directory.

sudo nano /etc/apache2/sites-available/example.com.conf

Define the virtual host settings for HTTP port 80. Apache can use name-based routing, allowing you to have multiple websites on the same port as long as you define ServerName.

<VirtualHost *:80>
  ServerAdmin [email protected]
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/example.com/public
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/example.com/public/>
    Options -Indexes -FollowSymLinks
    Order deny,allow
    AllowOverride none
  </Directory>
</VirtualHost>

Enable Virtual Host

Once the virtual host is configured, it can be enabled using Apache’s a2ensite command.

sudo a2ensite example.com.conf

Disable the default host configuration using Apache’s a2dissite command.

sudo a2dissite 000-default.conf

Test the Apache configuration. If all is well, the output should include Syntax OK.

sudo apache2ctl configtest

Finally, restart Apache and your site’s initial setup will be complete!

sudo systemctl restart apache2

Firewall

Apache will use whatever ports you define in /etc/apache2/ports.conf. For most use cases, you will be allowing connections on port 80 (HTTP) and port 443 (HTTPS). Allow port 80 now, as HTTPS has not yet been configured. Once HTTPS has been enabled, repeat for port 443.

sudo ufw allow 80/tcp

Check the firewall status to see what connections are currently being accepted.

sudo ufw status