====== Apache server configuration ======

===== Packages =====
To install Apache and PHP on Ubuntu:

<code bash>
sudo apt install apache2
sudo apt install php libapache2-mod-php
</code>

===== Process control and status check =====
<code bash>
sudo systemctl start apache2
sudo systemctl stop apache2
sudo systemctl restart apache2
sudo systemctl status apache2
</code>


===== Configuration =====
  * the configuration file is: ''/etc/apache2/sites-available/000-default.conf''
  * Directory listing
    * To disable directory listing
      * add ''Options -Indexes'' in the global configuration file ''/etc/apache2/sites-available/000-default.conf''
    * To enable directory listing in a specific directory
      * add a ''.htaccess'' file inside the directory
      * Within the ''.htaccess'' file, specify ''Options +Indexes''
  * Sample configuration:


<file 000-default.conf>
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com

	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options -Indexes +FollowSymLinks
		AllowOverride all
	</Directory>
	<Directory /var/www/>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride all
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

	Alias /webdav /var/www/webdav/web
	<Location /webdav>
		DAV On
		AuthType Basic
		AuthName "webdav"
		AuthUserFile /var/www/webdav/passwd.dav
		Require valid-user
	</Location>

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

</file>

===== Update =====

<code bash>
# for Ubuntu 20.04.5 LTS; 2022/11/02
# to update beyond Apache/2.4.41
$ apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-06-14T13:30:55
$ sudo add-apt-repository ppa:ondrej/apache2 
$ sudo apt update
$ sudo apt install apache2
$ apache2 -v
Server version: Apache/2.4.54 (Ubuntu)
Server built:   2022-06-08T15:59:07
$ systemctl status apache2
$ sudo systemctl start apache2
$ sudo systemctl enable apache2
</code>

===== Password protection =====
Inside the directory to be protected, add a ''.htaccess'' file
<code bash>
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /PATH/.htpasswd
require valid-user
</code>

''/PATH/.htpasswd'' should not be readable through a URL for safety.

to generate ''/PATH/.htpasswd'':
<code bash>
htpasswd –c /PATH/.htpasswd USER
</code>
the ''-c'' option is for creating the file (1st time use). Too add more users, remove the ''-c'' option


===== HTTPS/SSL =====
  * Use [[https://letsencrypt.org/|Let's Encrypt]] with [[https://certbot.eff.org/|certbot]]
  * install:
<code bash>
# require snapd; pre-installed on Ubuntu 20.04
# remove the pre-installed cerbot (if present)
$ sudo apt remove certbot
# install certbot using snap
$ sudo snap install --classic certbot
# get a certificate; two options
# (1) get a certificate without changing the Apache configuration 
$ sudo certbot certonly --apache
# (2) get a certificate and have certbot edit the Apache configuration 
$ sudo certbot --apache
#
# check status
$ sudo systemctl status certbot.timer
# test renewal
$ sudo certbot renew --dry-run
# manual renewal; not recommended
# better to put '/usr/bin/certbot renew --quiet' in crontab
$ sudo certbot renew
# enable ssl
$ sudo a2enmod ssl
</code>
    * modify ''/etc/apache2/sites-available/000-default.conf'' accordingly
<file>
	ServerName example.com
	ServerAdmin admin@example.com
</file>


  * SSL test: [[https://www.ssllabs.com/ssltest/]]
===== PHP =====
==== Info ====
To find out the ''uid'' and ''gid'', execute the following script:
<code php>
<?php
 
if(function_exists('posix_geteuid')){
    // use posix to get current uid and gid
    $uid   = posix_geteuid();
    $usr   = posix_getpwuid($uid);
    $user  = $usr['name'];
    $gid   = posix_getegid();
    $grp   = posix_getgrgid($gid);
    $group = $grp['name'];
}else{
    // try to create a file and read it's ids
    $tmp = tempnam ('/tmp', 'check');
    $uid = fileowner($tmp);
    $gid = filegroup($tmp);
 
    // try to run ls on it
    $out = `ls -l $tmp`;
    $lst = explode(' ',$out);
    $user  = $lst[2];
    $group = $lst[3];
    unlink($tmp);
}
 
echo "Your PHP process seems to run with the UID $uid ($user) and the GID $gid ($group)\n"; ?>
</code>

Under a standard installation, both the ''uid'' and the ''gid'' are ''www-data''

==== Problems and solutions====
If the browser asks to download the php files (instead of parsing them), comment all lines from <IfModule mod_userdir.c> to the next </IfModule> in ''/etc/apache2/mods-available/php5.conf'' and restart apache2.

===== Dokuwiki Installation =====

==== Permissions ====
Make the permissions more restrictive for security reasons. Assuming that the wiki is installed in ''/var/www/wiki''

<code bash>
# change the ownership
sudo chown -R www-data:adm /var/www/wiki
# restrict access by other
sudo chmod -R o-rwx /var/www/wiki
</code>

===== WebDAV =====
==== Enable the WebDAV modules ====

<code bash>
# Enable the WebDAV modules
sudo a2enmod dav_fs
sudo a2enmod dav
# Restart Apache:
sudo /etc/init.d/apache2 restart
</code>

==== Creating a virtual host ====
The following example uses the directory ''/var/www/webdav/web'' for the virtual host.
<code bash>
# create the directory
sudo mkdir -p /var/www/webdav/web
# change ownership
sudo chown -R www-data:adm /var/www/webdav
# configure the virtual host For WebDAV
# create the WebDAV password file with the user test
# the -c switch creates the file if it does not exist
sudo htpasswd -c /var/www/webdav/passwd.dav test
# change the ownership and permissions
sudo chown www-data:adm /var/www/webdav/passwd.dav
sudo chmod 640 /var/www/webdav/passwd.dav
# backup the vhost configuration
sudo cp -p /etc/apache2/sites-available/default /etc/apache2/sites-available/default.bak
# modify the vhost configuration
sudo emacs /etc/apache2/sites-available/default
</code>

Add the following part:
<code bash>
        Alias /webdav /var/www/webdav/web
        <Location /webdav>
           DAV On
           AuthType Basic
           AuthName "webdav"
           AuthUserFile /var/www/webdav/passwd.dav
           Require valid-user
       </Location>
</code>
The Alias directive makes (together with <Location>) that when you call /webdav, WebDAV is invoked, but you can still access the whole document root of the vhost. All other URLs of that vhost are still "normal" HTTP.

<code bash>
# Reload apache afterwards:
sudo /etc/init.d/apache2 reload
</code>

==== Testing WebDAV ====
<code bash>
# install cadaver, a command-line WebDAV client
sudo aptitude install cadaver
# To test if WebDAV works, type
cadaver http://localhost/webdav/
</code>

==== References ====
  * [[https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-20-04]]
  * [[https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-18-04]]