====== Apache 2.4 and PHP 7/8 ======

===== Apache 2.4 Installation =====

  - Install Apache 2.4<code>
$ sudo apt update
$ sudo apt install apache2
</code>
  - Use one of the two commands to add your user to Apache's user group (''USERNAME'' is a placeholder):<code>
$ sudo adduser USERNAME www-data
$ sudo usermod -a -G www-data USERNAME
</code>
  - Set up your virtual hosts
  - Create subfolders in ''/var/log/apache2'' if you set up log files for the virtual hosts in subfolders
  - Install and configure [[deb11:certbot|Let's Encrypt Certbot]]
  - If you are migrating from an old server, follow the [[deb11:migrate#apache_2.4|How to migrate a (web) server]] guide

===== Apache Settings =====

==== Harden apache ====

  * Change //ServerTokens// and //ServerSignature// in ''/etc/apache2/conf.d/security.conf''
  * Add //Require all granted// to your web space, possibly exclude blacklisted IP addresses, and restrict access to phpMyAdmin etc. Put a corresponding conf file into ''/etc/apache2/conf.d''.

==== MaxRequestWorkers ====

Modify ''/etc/apache2/mods-available/mpm_prefork.conf'' and restart apache2:<code>
$ sudo apache2ctl -V | grep MPM
$ sudo vim /etc/apache2/mods-available/mpm_prefork.conf
# set these two directives in the file:
MaxRequestWorkers 400
ServerLimit 400
$ sudo service apache2 restart
</code>

==== Check configuration ====

  * <code>$ sudo apachectl configtest</code>

===== PHP Installation =====

  - Install packages<code>
$ sudo apt update
$ sudo apt install -y curl wget gnupg2 ca-certificates lsb-release apt-transport-https software-properties-common
</code>
  - Add the SURY repository to your system<code>
$ echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
</code>
  - Import the repository key<code>
$ wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
</code>
  - Install the desired PHP version, where V is the major and v is the minor version number, for example 7.4 or 8.1<code>
$ sudo apt update
$ sudo apt install phpV.v
</code>
  - Enable modules:<code>
$ sudo a2enmod ssl
$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2enmod rewrite
</code>

  * [[https://computingforgeeks.com/how-to-install-php-on-debian-linux/|How To Install PHP 8.0 on Debian 11/10/9]]
  * [[https://computingforgeeks.com/how-to-install-latest-php-on-debian/|How To Install PHP 7.4 on Debian 10 / Debian 9]]
  * [[https://tecadmin.net/how-to-install-php-on-debian-11/|How To Install PHP (8.1, 7.4 & 5.6) on Debian 11]]
  * [[https://www.php.net/supported-versions.php|Supported Versions]]
  * [[https://github.com/oerdnj/deb.sury.org/issues/1575|Expired Debian key issue]]

===== PHP Extensions =====

  * PHP extensions for Joomla:<code>
$ sudo apt install phpV.v-{bz2,curl,gd,mbstring,mysql,xml,zip} phpV.v-bcmath
</code>
  * PHP extensions for Wiki:<code>
$ sudo apt install phpV.v-{bz2,curl,gd,mbstring,mysql,xml,zip} phpV.v-sqlite3
</code>
  * PHP extensions for phpMyAdmin:<code>
$ sudo apt install phpV.v-mbstring
</code>
  * PHP extensions for vps:<code>
$ sudo apt install phpV.v-{curl,xml,zip}
</code>
  * Required for PHP7:<code>
$ sudo apt install phpV.v-json
</code>
  * Restart the service with one of the 2 commands below:<code>
$ sudo systemctl restart apache2
$ sudo service apache2 restart
</code>

===== Set or change PHP version =====

  - Set the desired PHP version for Apache2 and restart the service with one of the 2 commands below:<code>
sudo a2dismod phpV.v
sudo a2enmod phpV.v
sudo systemctl restart apache2
sudo service apache2 restart
</code>
  - Set the desired PHP version for CLI:<code>
sudo update-alternatives --set php /usr/bin/phpV.v
sudo update-alternatives --set phar /usr/bin/pharV.v
sudo update-alternatives --set phar.phar /usr/bin/phar.pharV.v
</code>
  - Check the PHP CLI version<code>
php -v
</code>
  - Check the PHP apache2 version: call phpinfo(); in a script
  - Once you have installed a required extension, use the command below to verify it<code>
php -m | grep -i mysql
</code>

  * [[https://tecadmin.net/switch-between-multiple-php-version-on-debian/|How to Switch between Multiple PHP Version on Debian 9]]

===== PHP Settings =====

==== Check ini files ====

  * apache2: load a php file with the following content
  * cli:<code>php --ini</code>

==== php.ini ====

  * <code>
max_execution_time = 120
max_input_vars = 2000
memory_limit = 512M
post_max_size = 32M
sys_temp_dir = "/tmp"
upload_tmp_dir = "/tmp"
upload_max_filesize = 16M
date.timezone = Asia/Bangkok
</code>

===== Xdebug =====

  - Open a terminal and run the following command:<code>
php -i > /var/www/html/php_info.txt
</code>
  - Copy the output from ''/var/www/html/php_info.txt''
  - Go to the [[https://xdebug.org/wizard|Xdebug: Installation Wizard]], and paste the output inside the text box on the page. It will analyze the output and recommend the most suitable Xdebug package.
  - Download that package, for example xdebug-3.1.5.tgz
  - Install the prerequisites for compiling PHP extensions<code>
sudo apt install phpV.v-dev autoconf automake
</code>
  - Unpack the downloaded file with ''tar -xvzf xdebug-3.1.5.tgz'' within a temp folder, then change to that folder, run //phpize// and check its output:<code>
cd xdebug-3.1.5
phpize
Configuring for:
...
Zend Module Api No:      20200930 (8.0), 20210902 (8.1)
Zend Extension Api No:   420200930 (8.0), 420210902 (8.1)
</code>
  - If it does not, you are using the wrong phpize. Please follow [[https://xdebug.org/docs/faq#custom-phpize|this FAQ entry]] and skip the next step.
  - Run:<code>
./configure
make
</code>
  - Copy the module to:<code>
sudo cp modules/xdebug.so /usr/lib/php/{20200930, 20210902}
</code>
  - Create ''/etc/php/{8.0, 8.1}/apache2/conf.d/99-xdebug.ini'' for Xdebug 3 and add lines:<code>
zend_extension = xdebug
; Xdebug 3 name of the port setting (xdebug.remote_port in Xdebug 2); default: 9003
xdebug.client_port = 9000
xdebug.mode = debug
</code>
  - Restart your webserver.
  - Create a PHP page that has phpinfo(). Load it in a browser and look for the info on the Xdebug module. If you see it next to the Zend logo, you have been successful!
  - On the command line, you can also run ''php -m''. This lists all loaded modules. Xdebug should appear twice there (once under 'PHP Modules' and once under 'Zend Modules').

===== Windows Subsystem for Linux =====

  * For Windows Subsystem for Linux, create a **Virtual Host** file with document root in ''/mnt/DRIVE/htdocs'' or similar (''DRIVE'' is a placeholder), if you need to access it through the Windows file system.
  * You should set the Apache user to the one who owns the files in the document root, which helps avoid problems with permissions on the Windows NTFS file system (''USERNAME'' and ''GROUPNAME'' are placeholders):<code>
export APACHE_RUN_USER=USERNAME
export APACHE_RUN_GROUP=GROUPNAME
</code>
  * Restart Apache and remove session variables, if any:<code>
/etc/init.d/apache2 restart
rm /var/lib/php/sessions/*
</code>
  * You can check the current Apache user with:<code>
ps -ef | egrep '(httpd|apache2|apache)' | grep -v `whoami` | grep -v root | head -n1 | awk '{print $1}'
</code>
  * Replace the Apache default user and group permissions of //www-data// with those of the user who owns the document root. Run:<code>
sudo chown root:GROUPNAME /var/lib/phpmyadmin/blowfish_secret.inc.php
sudo chown -R USERNAME:GROUPNAME /var/lib/tmp
sudo chown root:GROUPNAME /etc/phpmyadmin/config-db.php
</code>
  * Check permissions of the folder containing the http files according to [[https://thegeekpage.com/solved-failed-to-enumerate-objects-in-the-container-windows-10-error/|“Failed to Enumerate Objects in the Container” Windows 10 Error]]. Most importantly, make sure all files are owned by the same user. Open a (Windows) command shell as administrator on the Windows path of that folder and run:<code>
takeown /F X:\FULL_PATH_TO_FOLDER
takeown /F X:\FULL_PATH_TO_FOLDER /r /d y
icacls X:\FULL_PATH_TO_FOLDER /grant Administrators:F
icacls X:\FULL_PATH_TO_FOLDER /grant Administrators:F /t
</code>

==== Links ====

  * [[https://community.letsencrypt.org/t/correct-steps-to-add-another-domain-to-existing-certificate/64654/2|Correct steps to add another domain to existing certificate]]
  * [[https://websiteforstudents.com/revoking-lets-encrypt-certificates-on-ubuntu-18-04-16-04/|Revoking Let’s Encrypt Certificates]]
  * [[https://medium.com/@mhagemann/correct-way-to-delete-a-certbot-ssl-certificate-e8ee123e6e01|Correct Way to Delete a Certbot SSL Certificate]]
  * [[https://webmasters.stackexchange.com/questions/126557/what-is-the-difference-of-certbot-and-certbot-auto|What is the difference of certbot and certbot-auto?]]
  * [[https://www.jesusamieiro.com/remove-revoke-a-domain-in-lets-encrypt/|Remove a domain in Let’s Encrypt]]

===== SSL for localhost =====

==== Ignore invalid certificates ====

  * You can just use the default SSL conf file in ''/etc/apache2/sites-available'', which makes use of the snakeoil certificate. Modify DocumentRoot and add Directory permissions.
  * Paste this in Chrome and enable the flag, and Chrome will ignore invalid certificates for localhost:<code>
chrome://flags/#allow-insecure-localhost
</code>

==== Create certificate for localhost ====

  - Make a folder to keep your certificate files and change to that folder, for example ''~/certs/ssl''.
  - Generate RootCA.pem, RootCA.key & RootCA.crt:<code>
openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
</code>
  - Create a file domains.ext that lists all your local domains:<code>
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = localhost.yourdomain.tld
DNS.3 = machine1.yourdomain.tld
DNS.4 = machine2.yourdomain.tld
</code>
  - Generate localhost.key, localhost.csr, and localhost.crt:<code>
openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
</code>
  - Configure Apache:<code>
SSLEngine on
SSLCertificateFile "/home/user/certs/ssl/localhost.crt"
SSLCertificateKeyFile "/home/user/certs/ssl/localhost.key"
</code>
  - Restart Apache
  - At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certificate Authorities in your OS or browser.
    * For Windows 10 Chrome & Edge: Windows 10 recognizes .crt files, so you can right-click and open //RootCA.crt//.
    * Select //Install Certificate...//, select //Local Machine//, then select //Trusted Root Certification Authorities// and confirm.
    * You might need to clear cookies and cache for the browser to pick up the certificate from the server
  - If you want to utilize the certificate for an Endian Firewall, do the following:
    * Rename the files //server.crt//, //server.csr//, and //server.key// in folder /etc/httpd and /etc/httpd/cert
    * Copy the newly generated certificate files //localhost.crt//, //localhost.csr//, and //localhost.key// to //server.crt//, //server.csr//, and //server.key// in folder /etc/httpd
    * Copy the newly generated certificate file //localhost.crt// to //server.crt// in folder /etc/httpd/certs and append the parameters from the renamed original //server.crt// file
    * Restart httpd
    * You can check the domain names included in the original certificate:<code>
openssl x509 -text < $CERT_FILE
</code>

=== Links ===

  * [[https://gist.github.com/cecilemuller/9492b848eb8fe46d462abeb26656c4f8|How to create an HTTPS certificate for localhost domains]] (reference)
  * [[https://letsencrypt.org/docs/certificates-for-localhost/|Let's Encrypt: Certificates for localhost]]
  * [[https://www.section.io/engineering-education/how-to-get-ssl-https-for-localhost/|How to Get SSL HTTPS for localhost]]
  * [[https://www.digicert.com/kb/ssl-support/apache-fix-common-ssl-errors.htm|Troubleshooting Apache SSL Certificate Errors]]

===== Proxy =====

Follow the guide [[deb11:apache-proxy|Apache Server with Proxy]] to set up access to proxied servers.
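
The steps from //Create certificate for localhost// above, as an added example that is not part of the original page: it builds the CA and the leaf certificate in a scratch directory and then checks what was actually issued (chain, CA flag, subjectAltName, key match). The function names and the shortened ''domains.ext'' are assumptions of this example.

```shell
#!/bin/sh
# Added example: function names and the scratch directory are assumptions.

make_local_cert() (                 # $1 = empty working directory
    cd "$1" || exit 1
    umask 077                       # -nodes writes unencrypted keys: owner-only
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 \
        -keyout RootCA.key -out RootCA.pem \
        -subj "/C=US/CN=Example-Root-CA" 2>/dev/null || exit 1
    # Constructed domains.ext: the page's file with two of its DNS entries.
    cat > domains.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = localhost.yourdomain.tld
EOF
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key \
        -out localhost.csr \
        -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local" \
        2>/dev/null || exit 1
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem \
        -CAkey RootCA.key -CAcreateserial -extfile domains.ext \
        -out localhost.crt 2>/dev/null
)

# Succeeds only if localhost.crt chains to RootCA.pem, is not a CA itself,
# lists DNS name $2 in subjectAltName, and matches localhost.key.
check_local_cert() (                # $1 = directory, $2 = expected DNS name
    cd "$1" || exit 1
    openssl verify -CAfile RootCA.pem localhost.crt >/dev/null 2>&1 || exit 1
    text=$(openssl x509 -in localhost.crt -noout -text) || exit 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || exit 1
    printf '%s\n' "$text" | grep 'DNS:' | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$2" || exit 1
    [ "$(openssl x509 -in localhost.crt -noout -pubkey)" = \
      "$(openssl pkey -in localhost.key -pubout)" ]
)

# Demo: run this file with "demo" as its first argument.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_local_cert "$d" && check_local_cert "$d" localhost \
        && echo "localhost.crt in $d passes all checks"
fi
```

A name that is missing from ''domains.ext'', or a ''RootCA.pem'' that did not sign the leaf, makes ''check_local_cert'' return non-zero.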
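
A check for the settings named under //Harden apache// above, as an added example that is not part of the original page: it reads Apache configuration text and reports each setting that is still weak. The expected values ''Prod'' and ''Off'', the function names and the sample configurations are assumptions of this example.

```shell
#!/bin/sh
# Added example: expected values (Prod/Off) and all names are assumptions.

# Prints one line per finding and nothing when every check passes.
audit_apache_hardening() {          # reads the named files, or stdin
    awk '
        { key = tolower($1) }
        key == "servertokens"    { tokens = tolower($2) }
        key == "serversignature" { sig = tolower($2) }
        # Remember whether the current container block covers phpMyAdmin.
        key ~ /^<(directory|location)/   { in_pma = (tolower($0) ~ /phpmyadmin/) }
        key ~ /^<\/(directory|location)/ { in_pma = 0 }
        in_pma && key == "require" && tolower($0) ~ /all[ \t]+granted/ { pma_open = 1 }
        END {
            if (tokens != "prod")
                print "ServerTokens is " (tokens == "" ? "unset" : tokens) ", expected Prod"
            if (sig != "off")
                print "ServerSignature is " (sig == "" ? "unset" : sig) ", expected Off"
            if (pma_open)
                print "phpMyAdmin block has Require all granted"
        }' "$@"
}

# Constructed sample input: a weak and a hardened configuration.
weak_conf() {
    cat <<'EOF'
ServerTokens OS
ServerSignature On
<Directory /usr/share/phpmyadmin>
    Require all granted
</Directory>
EOF
}

hardened_conf() {
    cat <<'EOF'
ServerTokens Prod
ServerSignature Off
<Directory /var/www/>
    Require all granted
</Directory>
<Directory /usr/share/phpmyadmin>
    Require local
</Directory>
EOF
}
```

Pass the real configuration files as arguments, for example the security conf file and the phpMyAdmin conf file together, so that all three checks see the settings they need.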