Table of Contents

Apache 2.4 and PHP 5/7

Apache 2.4 Installation

  1. Install apache 2.4
    $ sudo apt update
    $ sudo apt install apache2
  2. Add one of the two commands to add the user to apache's user group:
    $ sudo adduser <user> www-data
    $ sudo usermod -a -G www-data <user>
  3. Setup your virtual hosts
  4. Create sub folders in /var/log/apache2 if you setup log files for the virtual hosts in sub folders
  5. Install and configure Let's Encrypt Certbot

PHP Installation

  1. Install packages
    $ sudo apt update
    $ sudo apt install -y curl wget gnupg2 ca-certificates lsb-release apt-transport-https software-properties-common
  2. Add the SURY repository to your system
    $ echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/sury-php.list
  3. Import the repository key
    $ wget -qO - https://packages.sury.org/php/apt.gpg | sudo apt-key add -
  4. Install the desired PHP version, where V is the major and v is the minor version number, for example 5.6 or 7.4
    $ sudo apt update
    $ sudo apt install phpV.v
  5. Enable modules:
    $ sudo a2enmod ssl
    $ sudo a2enmod proxy
    $ sudo a2enmod proxy_http
    $ sudo a2enmod rewrite

PHP Extensions

Set or change PHP version

  1. Set the desired PHP version for Apache2 and restart the service with one of the 2 commands below:
    sudo a2dismod phpV.v 
    sudo a2enmod phpV.v
    sudo systemctl restart apache2
    sudo service apache2 restart
  2. Set the desired PHP version for CLI:
    sudo update-alternatives --set php /usr/bin/phpV.v
    sudo update-alternatives --set phar /usr/bin/pharV.v
    sudo update-alternatives --set phar.phar /usr/bin/phar.pharV.v
  3. Check PHP cli Version
    php -v
  4. Check PHP apache2 Version: call phpinfo(); in a script
  5. Once you have installed a required extension, use the below command to verify it
    php -m | grep -i mysql

Settings

Harden apache

Check ini files

php.ini

Xdebug

  1. Open terminal and write following command:
    php -i > /var/www/html/php_info.txt
  2. Copy the output from /var/www/html/php_info.txt
  3. Go to the Xdebug: Installation Wizard, and paste the output inside the text box on the page. It will analyze the output and will recommend the most suited package of Xdebug.
  4. Download that package, for example xdebug-2.8.4.tgz
  5. Install the pre-requisites for compiling PHP extensions
    sudo apt install phpV.v-dev autoconf automake
  6. Unpack the downloaded file with tar -xvzf xdebug-2.8.4.tgz within a temp folder, then change to that folder, run phpize and check it's output:
    cd xdebug-2.8.4
    phpize
    Configuring for:
    ...
    Zend Module Api No:      20170718 (7.2), 20190902 (7.4)
    Zend Extension Api No:   3220170718 (7.2), 320190902 (7.4)
  7. If it does not, you are using the wrong phpize. Please follow this FAQ entry and skip the next step.
  8. Run:
    ./configure
    make
  9. Copy the module to:
    sudo cp modules/xdebug.so /usr/lib/php/{20170718, 20190902}
  10. Modify the configuration in /etc/php/{7.2, 7.4}/cli/php.ini for Xdebug 2:
    zend_extension = /usr/lib/php/{20170718, 20190902}/xdebug.so
    xdebug.remote_enable=1
    xdebug.remote_port=9000 (default: 9000)
    xdebug.profiler_enable=0 
    xdebug.profiler_enable_trigger=1
    xdebug.profiler_output_dir=PATH_TO_PROFILER_OUTPUT_DIR
    xdebug.remote_log=PATH_TO_LOG/xdebug.log
    1. Change the PATH_TO_PROFILER_OUTPUT_DIR to point to the directory you want to receive profiler output. change PATH_TO_LOG to point to the directory where you want to receive xdebug.log.
    2. Make sure that zend_extension = /usr/lib/php/20190902/xdebug.so is below the line for OPcache. Please also update php.ini files in adjacent directories (apache2 and cli), as your system might be configured with a separate php.ini file for the web server and command line.
  11. Restart your webserver.
  12. Create a PHP page that has phpinfo(). Load it in a browser and look for the info on the Xdebug module. If you see it next to the Zend logo, you have been successful!
  13. On the command line, you can also php -m. This lists all loaded modules. Xdebug should appear twice there (once under 'PHP Modules' and once under 'Zend Modules').

phpMyAdmin

Debian 10/11, other than Debian 9, require manual installation of phpmyadmin, phpmyadmin has been removed from Debian's repositories.

Installation

Configuration

Manual Upgrade on Debian 9

Security

Windows Subsystem for Linux

apache2 settings

MaxRequestedWorkers

Modify /etc/apache2/mods-available/mdm-prefork.conf and restart apache2

$ sudo apache2ctl -V | grep MPM
vim /etc/apache2/mods-available/mdm-prefork.conf
  MaxRequestedWorkers 400
  ServerLimit 400
$ sudo service apache2 restart

SSL for localhost

Ignore invalid certificates

Create certificate for localhost

  1. Make a folder to keep your certificate files and change to that folder, for example ~/certs/ssl.
  2. Generate RootCA.pem, RootCA.key & RootCA.crt:
    openssl req -x509 -nodes -new -sha256 -days 1024 -newkey rsa:2048 -keyout RootCA.key -out RootCA.pem -subj "/C=US/CN=Example-Root-CA"
    openssl x509 -outform pem -in RootCA.pem -out RootCA.crt
  3. Create a file domains.ext that lists all your local domains:
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = localhost
    DNS.2 = localhost.yourdomain.tld
    DNS.3 = machine1.yourdomain.tld
    DNS.4 = machine2.yourdomain.tld
  4. Generate localhost.key, localhost.csr, and localhost.crt:
    openssl req -new -nodes -newkey rsa:2048 -keyout localhost.key -out localhost.csr -subj "/C=US/ST=YourState/L=YourCity/O=Example-Certificates/CN=localhost.local"
    openssl x509 -req -sha256 -days 1024 -in localhost.csr -CA RootCA.pem -CAkey RootCA.key -CAcreateserial -extfile domains.ext -out localhost.crt
  5. Configure Apache:
    SSLEngine on
    SSLCertificateFile "/home/user/certs/ssl/localhost.crt"
    SSLCertificateKeyFile "/home/user/certs/ssl/localhost.key"
  6. Restart Apache
  7. At this point, the site would load with a warning about self-signed certificates. In order to get a green lock, your new local CA has to be added to the trusted Root Certificate Authorities in your OS or browser.
    • For Windows 10 Chrome & Edge: Windows 10 recognizes .crt files, so you can right-click and open RootCA.crt.
    • Select Install Certificate…, select Local Machine, then select Trusted Root Certification Authorities and confirm.
    • You might need to clear cookies and cache for the browser to pick up the certificate from the server
  8. If you want to utilitze the certificate for an Endian Firewall, do the following:
    • Rename the files server.crt, server.csr, and server.key in folder /etc/httpd and etc/httpd/cert
    • Copy the newly generate certificate files localhost.crt, localhost.csr, and localhost.key to server.crt, server.csr, and server.key in folder /etc/httpd
    • Copy the newly generate certificate file localhost.crt to server.crt in folder /etc/httpd/certs and append the parameters from the renamed original server.crt file
    • Restart httpd
    • You can check the domain names included in the original certificate:
      openssl x509 -text < $CERT_FILE

Links

Proxy

* Setup a VirtualHost on your main apache server, which for this example is now called “proxy”. * There needs to be another (regular) VirtualHost file on the backuppc server, which for this example is now called “host”. * The SSL certificates are served from the “proxy” through access to https://sub.domain.tld * The “host” serves an unencrypted site through port 80. This assumes your local network is secure.

VirtualHost on the "proxy" server

* sub.domain.tld: external domain name with which you access the “host” behind the “proxy” * host.yourdomain.tld: internal domain name of your “host”. You may also choose to have both names the same.

<VirtualHost *:80>
    ServerName sub.domain.tld
    Redirect 301 / https://sub.domain.tld
<VirtualHost>
<VirtualHost *:443>
    ServerName sub.domain.tld
    ServerAdmin you@domain.tld
    DocumentRoot /var/www/html/yoursite
    
    SSLEngine on
    RedirectMatch ^/$ /yourapp/ # use this if backuppc is not the default app, or if you need to access another app on the same server
    
    <Location "/yourapp/">
          ProxyPass "http://host.yourdomain.tld/yourapp/"
          ProxyPassReverse "http://host.yourdomain.tld/yourapp/"
          Require all granted
    </Location>
    
    # add other options such as Files and Directory permissions
    
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.tld/privkey.pem
</VirtualHost>

Links

Links