Wiki

User Tools

Site Tools

Trace: start
ubuntu:lamp_server

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
ubuntu:lamp_server [2019/11/30 11:09] – created peterubuntu:lamp_server [2020/07/15 09:30] (current) – external edit 127.0.0.1
Line 12: Line 12:
 ---- ----
  
-Get your system up to date+===== Ensure your system is up to date =====
  
-Before moving any further, let’s upgrade all packages to the latest versions.+Upgrade all packages to the latest versions:
  
-apt-get update && apt-get upgrade+<code bash> 
 +sudo apt update && apt upgrade 
 +</code>
  
-2. Install MySql 5.7 database server+----
  
-By default MySql 5.5 is included in the standard debian repositories which is a very old version. We’ll install MySql 5.7 in this tutorial which requires a few additional steps.+===== Install MySql database server =====
  
-2.1. Download the MySQL APT repository config tool (you can see more details and the latest version of the tool here: http://dev.mysql.com/downloads/repo/apt/)+The standard respositories may have an older version of MySQL 
  
 +To get more recent version, additional steps are needed.
 +
 +
 +==== Download the MySQL APT repository config tool ====
 +
 +See http://dev.mysql.com/downloads/repo/apt/ for latest version.
 +
 +<code bash>
 wget https://dev.mysql.com/get/mysql-apt-config_0.8.9-1_all.deb wget https://dev.mysql.com/get/mysql-apt-config_0.8.9-1_all.deb
 +</code>
  
-2.2. Install the MySQL APT repository config tool+----
  
-dpkg -i mysql-apt-config_0.8.9-1_all.deb+==== Install the MySQL APT repository config tool ====
  
-You will be asked to select product and version that you want to install. In the first step, select Server and next select mysql-5.7Then click Apply.+<code bash> 
 +sudo dpkg -i mysql-apt-config_0.8.9-1_all.deb 
 +</code>
  
-2.3. Update APT+You will be asked to select product and version that you want to install
  
-apt-get update+In the first step, select Server and next select mysql-5.7. Then click Apply.
  
-2.4. Install the server+----
  
-apt-get install mysql-community-server+===== Update APT =====
  
-When the server has been installed you’ll have to provide a password for the root user. Choose any password here but make sure it’s a strong password and something you remember.+<code bash> 
 +sudo apt update 
 +</code>
  
-3. Install and configure Apache web server with mpm-itk and PHP7 support+----
  
-The mpm-itk is ideal when hosting multiple web sites on a single server to isolate the sites. Using mpm-itk you can make sure one web site cannot access files from another one if the permissions are configured correctly, more on that later.+==== Install the MySQL server ====
  
-3.1. Install the packages+<code bash> 
 +sudo apt install mysql-community-server 
 +</code>
  
-apt-get install apache2 libapache2-mpm-itk php php-mysql+When the server has been installed you’ll have to provide a password for the root user.  Choose any password here but make sure it’s a strong password and something you remember.
  
-3.2. Enable the rewrite and ssl modules+----
  
-The rewrite module is very useful to create SEO friendly urls for your web site and required by many frameworks and web applications. The SSL module is required to secure your web site with SSL/TLS (to use https:// instead of http://).+===== Install and configure Apache web server with mpm-itk and PHP7 support =====
  
-a2enmod rewrite +The **mpm-itk** is ideal when hosting multiple web sites on a single server to isolate the sites. 
-a2enmod ssl+
  
-3.3. Install additional PHP modules (optional)+Using mpm-itk you can make sure one web site cannot access files from another one if the permissions are configured correctly, more on that later.
  
-You may need some additional PHP modules to run your web applications. The modules required will vary but using the command below you can install some commonly used modules. 
  
-apt-get install php-curl php-gd php-mcrypt php-mbstring php-xml+==== Install the packages ====
  
-3.4. Restart Apache to enable the modules and any additional PHP modules installed+<code bash> 
 +sudo apt install apache2 libapache2-mpm-itk php php-mysql 
 +</code>
  
-systemctl restart apache2+----
  
-3.5. Remove the default index site provided with Apache (optional)+==== Enable the rewrite and ssl modules ====
  
-If you access your server now using http://yourserver you’ll see the default index page with some details about your server. You probably don’t want to tell people too much about the server so I suggest replacing this file with something different. Too provide the least amount of detail, let’s just empty the file.+The rewrite module is very useful to create SEO friendly urls for your web site and required by many frameworks and web applications.
  
-echo ""/var/www/html/index.html+The SSL module is required to secure your web site with SSL/TLS (to use https:// instead of http://).
  
-4. Create a web (user, web root and apache virtual host)+<code bash> 
 +sudo a2enmod rewrite 
 +sudo a2enmod ssl 
 +</code>
  
-For each web site that you want to host on this server, you should create a separate local user and to isolate the webs. The mpm-itk will make sure that every action is executed using the user you provide in the apache virtual host.+----
  
-4.1. Create the local user+==== Install additional PHP modules (optional) ====
  
-In this tutorial we’ll use the domain example.org but you should of course replace the domain with the one that you’ll be using. The username containing the web root can be anything and doesn’t have to be related to the web’s domain at all but we’ll use example as the username here.+You may need some additional PHP modules to run your web applications.
  
-adduser example+The modules required will vary but using the command below you can install some commonly used modules.
  
-This command will create a user with the username example and create a home directory for that user in /home/example. You’ll have to provide a password and you can provide some optional information about the user.+<code bash> 
 +sudo apt install php-curl php-gd php-mcrypt php-mbstring php-xml 
 +</code>
  
-4.2. Create a web root directory+----
  
-The web root is the directory that your web site is stored. The directory can be located anywhere but you just have to make sure that the user has access to read from it. In this tutorial the web root will be located in /home/example/example.org.+==== Restart Apache ==== 
 + 
 +Restart Apache to enable the modules and any additional PHP modules installed. 
 + 
 +<code bash> 
 +sudo systemctl restart apache2 
 +</code> 
 + 
 +---- 
 + 
 +==== Remove the default index site provided with Apache (optional) ==== 
 + 
 +If you access your server now using http://yourserver you’ll see the default index page with some details about your server. 
 + 
 +You probably don’t want to tell people too much about the server so I suggest replacing this file with something different. 
 + 
 +To provide the least amount of detail, let’s just empty the file. 
 + 
 +<code bash> 
 +sudo echo "" > /var/www/html/index.html 
 +</code> 
 + 
 +---- 
 + 
 +===== Create the Web Server ===== 
 + 
 +Create a web (user, web root and apache virtual host). 
 + 
 +For each web site that you want to host on this server, you should create a separate local user and to isolate the webs. 
 + 
 +The **mpm-itk** will make sure that every action is executed using the user you provide in the apache virtual host. 
 + 
 + 
 +==== Create the local user ==== 
 + 
 +In this tutorial we’ll use the domain example.org but you should of course replace the domain with the one that you’ll be using. 
 + 
 +The username containing the web root can be anything and doesn’t have to be related to the web’s domain at all but we’ll use example as the username here. 
 + 
 +<code bash> 
 +sudo adduser example 
 +</code> 
 + 
 +This command will create a user with the username example and create a home directory for that user in /home/example. 
 + 
 +You’ll have to provide a password and you can provide some optional information about the user. 
 + 
 +---- 
 + 
 +==== Create a web root directory ==== 
 + 
 +The web root is the directory that your web site is stored. 
 + 
 +The directory can be located anywhere but you just have to make sure that the user has access to read from it. 
 + 
 +In this tutorial the web root will be located in /home/example/example.org.
  
 Using the chown command we’ll change the ownership of the new directory so that the example user (and the example group) have access to it. Using the chown command we’ll change the ownership of the new directory so that the example user (and the example group) have access to it.
  
-mkdir /home/example/example.org +<code bash> 
-chown example.example /home/example/example.org+sudo mkdir /home/example/example.org 
 +sudo chown example.example /home/example/example.org 
 +</code>
  
-4.3. Create a Apache site+----
  
-Using this command we’ll tell Apache to respond to requests to the hosts example.org and www.example.org and use our web root directory for that hosts. Also here we’ll configure the local user that should be used.+==== Create a Apache site ====
  
-echo "<VirtualHost *:80>+Using this command we’ll tell Apache to respond to requests to the hosts example.org and www.example.org and use our web root directory for that hosts. 
 + 
 +Also here we’ll configure the local user that should be used. 
 + 
 +<code bash> 
 +sudo echo "<VirtualHost *:80>
 ServerName example.org ServerName example.org
 ServerAlias www.example.org ServerAlias www.example.org
Line 110: Line 194:
 </VirtualHost> </VirtualHost>
 " > /etc/apache2/sites-available/example.org.conf " > /etc/apache2/sites-available/example.org.conf
 +</code>
 +
 +----
 +
 +==== Enable the Apache site ====
 +
 +We’ve located the site config in the sites-available directory.
 +
 +This can be useful to be able to easily enable and disable sites using the **a2ensite** and **a2dissite** commands.
  
-4.4. Enable the Apache site+To enable the site we’ll have to execute the following command:
  
-We’ve located the site config in the sites-available directory. This can be useful to be able to easily enable and disable sites using the a2ensite and a2dissite commandsTo enable the site we’ll have to execute the following command:+<code bash> 
 +sudo a2ensite example.org 
 +</code>
  
-a2ensite example.org+----
  
-4.5. Reload the Apache config+==== Reload the Apache config ====
  
 To tell Apache to use our new site reload the config. To tell Apache to use our new site reload the config.
  
-systemctl reload apache2+<code bash> 
 +sudo systemctl reload apache2 
 +</code>
  
-Now if you go to http://example.org (or a domain that’s pointing to your server’s IP address) you’ll see a 403 Forbidden error if you haven’t already placed any files in the web root. This is normal because in the site’s config we have disabled directory indexing.+Now if you go to http://example.org (or a domain that’s pointing to your server’s IP address) you’ll see a 403 Forbidden error if you haven’t already placed any files in the web root.
  
-5. Secure your site with Letsencrypt (optional)+This is normal because in the site’s config we have disabled directory indexing.
  
-Let’s Encrypt is a certificate authority that provides free SSL/TLS certificates that are instantly validated and signed and can be used to secure your web site. Certificates are valid for 90 days but you can easily set up a task to handle the renewal automatically.+----
  
-5.1. Install certbot which is used to handle the certificate request and renewal.+===== Secure your site with Letsencrypt (optional) =====
  
-apt-get install python-certbot-apache+Let’s Encrypt is a certificate authority that provides free SSL/TLS certificates that are instantly validated and signed and can be used to secure your web site.
  
-5.2. Configure Apache to allow the http verification+Certificates are valid for 90 days but you can easily set up a task to handle the renewal automatically.
  
-Since we’re using mpm-itk certbot won’t work out of box as the verification files are created using the root user and are not accessible from your website. To work around this we’ll add a new Apache module to force Apache to use a different user to read these files. 
  
-echo "Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge+==== Install certbot ==== 
 + 
 +Certbot is used to handle the certificate request and renewal 
 + 
 +<code bash> 
 +sudo apt install python-certbot-apache 
 +</code> 
 + 
 +---- 
 + 
 +=== Configure Apache to allow the http verification === 
 + 
 +Since we’re using **mpm-itk** certbot won’t work out of box as the verification files are created using the root user and are not accessible from your website. 
 + 
 +To work around this we’ll add a new Apache module to force Apache to use a different user to read these files. 
 + 
 +<code bash> 
 +sudo echo "Alias /.well-known/acme-challenge /var/www/html/.well-known/acme-challenge
 <Directory /var/www/html/.well-known> <Directory /var/www/html/.well-known>
         AssignUserId www-data www-data         AssignUserId www-data www-data
 </Directory>" > /etc/apache2/mods-enabled/letsencrypt.conf </Directory>" > /etc/apache2/mods-enabled/letsencrypt.conf
 +</code>
 +
 +----
 +
 +==== Restart Apache ====
  
-Restart Apache+<code bash> 
 +sudo systemctl restart apache2 
 +</code>
  
-systemctl restart apache2+----
  
-5.3 Run certbot to select which sites should be protected and automatically request and install the certificate.+==== Run certbot to select which sites should be protected and automatically request and install the certificate ====
  
-certbot --authenticator webroot --installer apache+<code bash> 
 +sudo certbot --authenticator webroot --installer apache 
 +</code>
  
 You need to follow a few steps to complete the request and installation of the certificate: You need to follow a few steps to complete the request and installation of the certificate:
Line 164: Line 286:
 You can now access your site using https, ex. https://example.org You can now access your site using https, ex. https://example.org
  
-5.4 Configure auto renewal of letsencrypt certificates+----
  
-crontab -e+==== Configure auto renewal of letsencrypt certificates ==== 
 + 
 +<code bash> 
 +sudo crontab -e
 43 6 * * * certbot renew --post-hook "systemctl reload apache2" 43 6 * * * certbot renew --post-hook "systemctl reload apache2"
 +</code>
 +
 +----
  
-6. Install phpMyAdmin (optional)+===== Install phpMyAdmin (optional) =====
  
 phpMyAdmin is a tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin is a tool written in PHP, intended to handle the administration of MySQL over the Web.
  
-6.1. Install phpMyAdmin+==== Install phpMyAdmin ====
  
-apt-get install phpmyadmin+<code bash> 
 +sudo apt install phpmyadmin 
 +</code>
  
 There are a few steps required to configure phpMyAdmin: There are a few steps required to configure phpMyAdmin:
Line 189: Line 319:
 phpMyAdmin is now installed and you can access it on https://example.org/phpmyadmin (if you have already created a letsencrypt certificate) or http://example.org/phpmyadmin (if you skipped the letsencrypt step). phpMyAdmin is now installed and you can access it on https://example.org/phpmyadmin (if you have already created a letsencrypt certificate) or http://example.org/phpmyadmin (if you skipped the letsencrypt step).
  
-6.2. IP Restrict access to phpMyAdmin (optional)+----
  
-phpMyAdmin is a great tool for managing MySql but you should not allow anyone to access the tool as that will make it easier to access your databases. Although a password is required, brute force method or vulnerabilities in phpMyAdmin could be used to gain access.+==== IP Restrict access to phpMyAdmin (optional) ==== 
 + 
 +phpMyAdmin is a great tool for managing MySql but you should not allow anyone to access the tool as that will make it easier to access your databases. 
 + 
 +Although a password is required, brute force method or vulnerabilities in phpMyAdmin could be used to gain access.
  
 Let’s only allow certain IP addresses to access phpMyAdmin. Let’s only allow certain IP addresses to access phpMyAdmin.
Line 199: Line 333:
 Add these lines below DirectoryIndex index.php (7. line): Add these lines below DirectoryIndex index.php (7. line):
  
 +<file bash /etc/apache2/conf-available/phpmyadmin.conf>
 order deny,allow order deny,allow
 deny from all deny from all
 allow from x.your.ip.address allow from x.your.ip.address
 +</file>
  
-Restart Apache+----
  
-systemctl restart apache2+==== Restart Apache ====
  
-7. Install and configure FTP service+<code bash> 
 +sudo systemctl restart apache2 
 +</code>
  
-vsftpd is a secure, fast and stable FTP server. In this tutorial we’ll install the vsftpd allowing local users to access their home directories.+----
  
-7.1. Install vsftpd+===== Install and configure FTP service =====
  
-apt-get install vsftpd+vsftpd is a secure, fast and stable FTP server.
  
-7.2. Allow users to upload files instead of just reading files and enable chroot to make sure the users won’t be able to read files outside their home directories.+In this tutorial we’ll install the vsftpd allowing local users to access their home directories.
  
-echo "write_enable=YES+==== Install vsftpd ==== 
 + 
 +<code bash> 
 +sudo apt install vsftpd 
 +</code> 
 + 
 +---- 
 + 
 +==== Setup User Permissions ==== 
 + 
 +Allow users to upload files instead of just reading files and enable chroot to make sure the users won’t be able to read files outside their home directories 
 + 
 +<code bash> 
 +sudo echo "write_enable=YES
 chroot_local_user=YES" >> /etc/vsftpd.conf chroot_local_user=YES" >> /etc/vsftpd.conf
 +</code>
  
-7.3. Restart vsftpd+----
  
-/etc/init.d/vsftpd restart+==== Restart vsftpd ====
  
-7.4. Change the permissions on the user’s home directory+<code bash> 
 +sudo /etc/init.d/vsftpd restart 
 +</code>
  
-When chroot is enabled, we must remove write access to the home directory which means that the user cannot upload new files directly to the home directory. The user can however upload files to subfolders in the home directory, including the web root directory, (ex. /home/example/example.org). 
  
-chmod u-w /home/example+==== Change the permissions on the user’s home directory ==== 
 + 
 +When chroot is enabled, we must remove write access to the home directory which means that the user cannot upload new files directly to the home directory. 
 + 
 +The user can however upload files to subfolders in the home directory, including the web root directory, (ex. /home/example/example.org). 
 + 
 +<code bash> 
 +sudo chmod u-w /home/example 
 +</code>
  
 vsftpd is now installed and you can connect to the server using any FTP client. vsftpd is now installed and you can connect to the server using any FTP client.
  
-8. Configure iptables firewall+----
  
-It’s generally a good idea to disallow access to any ports that doesn’t have to be accessed by anonymous users. Even if all services are password protected they can be hacked using brute force or vulnerabilities in the applications.+===== Configure iptables firewall ===== 
 + 
 +It’s generally a good idea to disallow access to any ports that doesn’t have to be accessed by anonymous users. 
 + 
 +Even if all services are password protected they can be hacked using brute force or vulnerabilities in the applications.
  
 We’ll use the iptables firewall and only allow http, https, ssh and ftp for anonymous users. We’ll use the iptables firewall and only allow http, https, ssh and ftp for anonymous users.
  
-8.1. Enable ip_conntrack_ftp to allow passive FTP connections+==== Enable ip_conntrack_ftp to allow passive FTP connections ====
  
-echo "ip_conntrack_ftp" >> /etc/modules +<code bash> 
-echo "net.netfilter.nf_conntrack_helper=1" >> /etc/sysctl.conf+sudo echo "ip_conntrack_ftp" >> /etc/modules 
 +sudo echo "net.netfilter.nf_conntrack_helper=1" >> /etc/sysctl.conf 
 +</code>
  
 To get passive FTP running you need to restart the server To get passive FTP running you need to restart the server
  
-8.2. Allow ICMP, established and local connections+==== Allow ICMP, established and local connections ====
  
-iptables -A INPUT -p icmp -j ACCEPT +<code bash> 
-iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED +sudo iptables -A INPUT -p icmp -j ACCEPT 
-iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED +sudo iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED 
-iptables -A INPUT -i lo -j ACCEPT +sudo iptables -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED 
-iptables -A FORWARD -o lo -j ACCEPT+sudo iptables -A INPUT -i lo -j ACCEPT 
 +sudo iptables -A FORWARD -o lo -j ACCEPT 
 +</code>
  
-8.3. Allow all users to connect to web services (http and https), ssh and ftp+----
  
-iptables -A INPUT -p tcp --dport 80 -j ACCEPT +==== Allow all users to connect to web services (http and https), ssh and ftp ==== 
-iptables -A INPUT -p tcp --dport 443 -j ACCEPT + 
-iptables -A INPUT -p tcp --dport 22 -j ACCEPT +<code bash> 
-iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT 
-iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT +sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT 
-iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT+sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT 
 +sudo iptables -A INPUT -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
 +sudo iptables -A INPUT -p tcp -m tcp --dport 20 -m conntrack --ctstate ESTABLISHED -j ACCEPT 
 +sudo iptables -A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 
 +</code>
  
 Consider restricting access to ssh and ftp only to required ip addresses using the -s parameter (ex. -s 8.8.8.8) Consider restricting access to ssh and ftp only to required ip addresses using the -s parameter (ex. -s 8.8.8.8)
  
-8.4. Allow all outgoing connections from the server.+---- 
 + 
 +==== Allow all outgoing connections from the server ==== 
 + 
 +<code bash> 
 +sudo iptables -P OUTPUT ACCEPT 
 +</code> 
 + 
 +---- 
 + 
 +==== Drop all incoming connections that don’t match the previous created rules ==== 
 + 
 +Make sure you have already allowed your ip address (or all ip addresses) to connect to SSH because otherwise your connection will be dropped and you’ll be locked out from your server. 
 + 
 +<code bash> 
 +sudo iptables -P INPUT DROP 
 +sudo iptables -P FORWARD DROP 
 +</code> 
 + 
 +---- 
 + 
 +==== Save iptable rules ==== 
 + 
 +Now we’ve set up all required iptables rules but they are temporary and will be lost on next reboot.
  
-iptables -P OUTPUT ACCEPT+To store the rules permanently, we’ll have to install the iptables-persistent package and save the rules.
  
-8.5. Drop all incoming connections that don’t match the previous created rules. Make sure you have already allowed your ip address (or all ip addresses) to connect to SSH because otherwise your connection will be dropped and you’ll be locked out from your server.+<code bash> 
 +sudo apt install iptables-persistent 
 +sudo iptables-save > /etc/iptables/rules.v4 
 +</code>
  
-iptables -P INPUT DROP +----
-iptables -P FORWARD DROP+
  
-8.6. Now weve set up all required iptables rules but they are temporary and will be lost on next reboot. To store the rules permanently, we’ll have to install the iptables-persistent package and save the rules.+Thats it! 
  
-apt-get install iptables-persistent +Now you should have a fully functional LAMP web server with SSL/TLS certificate, FTP server and software firewall.
-iptables-save > /etc/iptables/rules.v4+
  
-That’s it! Now you should have a fully functional LAMP web server with SSL/TLS certificate, FTP server and software firewall. 
ubuntu/lamp_server.1575112158.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki