Apache server configuration

To install Apache and PHP on Ubuntu:

sudo apt install apache2
sudo apt install php libapache2-mod-php

sudo systemctl start apache2
sudo systemctl stop apache2
sudo systemctl restart apache2
sudo systemctl status apache2

• the configuration file is: /etc/apache2/sites-available/000-default.conf
• Directory listing
  • To disable directory listing
    • add Options -Indexes in the global configuration file /etc/apache2/sites-available/000-default.conf
  • To enable directory listing in a specific directory
    • add a .htaccess file inside the directory
    • Within the .htaccess file, specify Options +Indexes
• Sample configuration:

<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
 
	ServerAdmin webmaster@localhost
 
	DocumentRoot /var/www
	<Directory />
		Options -Indexes +FollowSymLinks
		AllowOverride all
	</Directory>
	<Directory /var/www/>
		Options -Indexes +FollowSymLinks +MultiViews
		AllowOverride all
		Order allow,deny
		allow from all
	</Directory>
 
	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>
 
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
 
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
 
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
 
	Alias /webdav /var/www/webdav/web
	<Location /webdav>
		DAV On
		AuthType Basic
		AuthName "webdav"
		AuthUserFile /var/www/webdav/passwd.dav
		Require valid-user
	</Location>
 
</VirtualHost>
 
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

# for Ubuntu 20.04.5 LTS; 2022/11/02
# to update beyond Apache/2.4.41
$ apache2 -v
Server version: Apache/2.4.41 (Ubuntu)
Server built:   2022-06-14T13:30:55
$ sudo add-apt-repository ppa:ondrej/apache2 
$ sudo apt update
$ sudo apt install apache2
$ apache2 -v
Server version: Apache/2.4.54 (Ubuntu)
Server built:   2022-06-08T15:59:07
$ systemctl status apache2
$ sudo systemctl start apache2
$ sudo systemctl enable apache2

Inside the directory to be protected, add a .htaccess file

AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /PATH/.htpasswd
require valid-user

/PATH/.htpasswd should not be readable through a URL for safety.

to generate /PATH/.htpasswd:

htpasswd –c /PATH/.htpasswd USER

the -c option is for creating the file (1st time use). Too add more users, remove the -c option

• Use Let's Encrypt with certbot
• install:

# require snapd; pre-installed on Ubuntu 20.04
# remove the pre-installed cerbot (if present)
$ sudo apt remove certbot
# install certbot using snap
$ sudo snap install --classic certbot
# get a certificate; two options
# (1) get a certificate without changing the Apache configuration 
$ sudo certbot certonly --apache
# (2) get a certificate and have certbot edit the Apache configuration 
$ sudo certbot --apache
#
# check status
$ sudo systemctl status certbot.timer
# test renewal
$ sudo certbot renew --dry-run
# manual renewal; not recommended
# better to put '/usr/bin/certbot renew --quiet' in crontab
$ sudo certbot renew
# enable ssl
$ sudo a2enmod ssl

• modify /etc/apache2/sites-available/000-default.conf accordingly

	ServerName example.com
	ServerAdmin admin@example.com

• SSL test: https://www.ssllabs.com/ssltest/

To find out the uid and gid, execute the following script:

<?php
 
if(function_exists('posix_geteuid')){
    // use posix to get current uid and gid
    $uid   = posix_geteuid();
    $usr   = posix_getpwuid($uid);
    $user  = $usr['name'];
    $gid   = posix_getegid();
    $grp   = posix_getgrgid($gid);
    $group = $grp['name'];
}else{
    // try to create a file and read it's ids
    $tmp = tempnam ('/tmp', 'check');
    $uid = fileowner($tmp);
    $gid = filegroup($tmp);
 
    // try to run ls on it
    $out = `ls -l $tmp`;
    $lst = explode(' ',$out);
    $user  = $lst[2];
    $group = $lst[3];
    unlink($tmp);
}
 
echo "Your PHP process seems to run with the UID $uid ($user) and the GID $gid ($group)\n"; ?>

Under a standard installation, both the uid and the gid are www-data

If the browser asks to download the php files (instead of parsing them), comment all lines from <IfModule mod_userdir.c> to the next </IfModule> in /etc/apache2/mods-available/php5.conf and restart apache2.

Make the permissions more restrictive for security reasons. Assuming that the wiki is installed in /var/www/wiki

# change the ownership
sudo chown -R www-data:adm /var/www/wiki
# restrict access by other
sudo chmod -R o-rwx /var/www/wiki

# Enable the WebDAV modules
sudo a2enmod dav_fs
sudo a2enmod dav
# Restart Apache:
sudo /etc/init.d/apache2 restart

The following example uses the directory /var/www/webdav/web for the virtual host.

# create the directory
sudo mkdir -p /var/www/webdav/web
# change ownership
sudo chown -R www-data:adm /var/www/webdav
# configure the virtual host For WebDAV
# create the WebDAV password file with the user test
# the -c switch creates the file if it does not exist
sudo htpasswd -c /var/www/webdav/passwd.dav test
# change the ownership and permissions
sudo chown www-data:adm /var/www/webdav/passwd.dav
sudo chmod 640 /var/www/webdav/passwd.dav
# backup the vhost configuration
sudo cp -p /etc/apache2/sites-available/default /etc/apache2/sites-available/default.bak
# modify the vhost configuration
sudo emacs /etc/apache2/sites-available/default

Add the following part:

        Alias /webdav /var/www/webdav/web
        <Location /webdav>
           DAV On
           AuthType Basic
           AuthName "webdav"
           AuthUserFile /var/www/webdav/passwd.dav
           Require valid-user
       </Location>

The Alias directive makes (together with <Location>) that when you call /webdav, WebDAV is invoked, but you can still access the whole document root of the vhost. All other URLs of that vhost are still “normal” HTTP.

# Reload apache afterwards:
sudo /etc/init.d/apache2 reload

# install cadaver, a command-line WebDAV client
sudo aptitude install cadaver
# To test if WebDAV works, type
cadaver http://localhost/webdav/

• https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-20-04
• https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-18-04