Today I’m posting about LAMP (Linux Apache MySQL & PHP) servers. I’m going to set one up with HTTP (Hypertext Transfer Protocol) on port 80, HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) on port 443, user directories that have access to both protocols, and SFTP (SSH File Transfer Protocol) for those users. I’m doing this in one of my Xen virtual machines and using UFW (Uncomplicated Firewall) to apply packet filtering to the server. As always, most of this has to be done as root, so I’m using SSH to connect, then doing sudo -i to get a root terminal.
One problem I had with this was the hostname/FQDN (fully qualified domain name) of the machine. I’m not sure why, but I had a couple of files that were wrong for this, and it really screwed up the SSL (Secure Sockets Layer) stuff for the secure server. On a correctly configured machine the hostname command returns only the hostname, without the domain name attached; hostname -f returns hostname.domain.name as one string; and dnsdomainname returns only the domain.name portion. If these commands do not return the expected values then something needs to be fixed. To do this by editing files you can open up the /etc/hostname file:
vim /etc/hostname
and make sure that it only contains the name of this machine. To fix the domain.name part you can open up /etc/hosts:
vim /etc/hosts
and make sure that the contents follow this format:
127.0.0.1 localhost
ip.of.machine.1 hostname.domain.name hostname
ip.of.machine.2 hostname.domain.name hostname
Somehow I had the FQDN set in the hostname file, and the hosts file had the hostname listed before the FQDN which really broke things.
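A quick check for exactly the two mistakes described above, as an added example that is not part of the original post: the short name must be alone in /etc/hostname, and /etc/hosts must list the FQDN before the short name on the machine's line, because hostname -f returns the first name on the matching line. The file paths and domain are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: check the two files the author
# found wrong before touching the certificates. The short name must be alone
# in /etc/hostname, and /etc/hosts must list the FQDN before the short name,
# because `hostname -f` returns the first name on the matching line.
# Usage: check_fqdn_config HOSTNAME_FILE HOSTS_FILE DOMAIN
check_fqdn_config() {
    hostname_file=$1 hosts_file=$2 domain=$3
    short=$(sed -n '1s/[[:space:]]*$//p' "$hostname_file")
    case "$short" in
        '')  echo "$hostname_file is empty"; return 1 ;;
        *.*) echo "$hostname_file holds '$short'; it should hold only the short name"; return 1 ;;
    esac
    fqdn="$short.$domain"
    awk -v fqdn="$fqdn" -v short="$short" '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        $2 == fqdn { for (i = 3; i <= NF; i++) if ($i == short) ok = 1 }
        $2 == short { bad = 1 }                  # short name first: hostname -f returns it
        END {
            if (bad) print hosts ": " short " is listed before " fqdn
            if (!ok) print hosts ": no line with " fqdn " followed by " short
            exit ((ok && !bad) ? 0 : 1)
        }
    ' hosts="$hosts_file" "$hosts_file"
}
if [ $# -eq 3 ]; then check_fqdn_config "$@"; fi
```

Run it as check_fqdn_config /etc/hostname /etc/hosts yourdomain.name; a zero exit means the three hostname commands above will agree.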
SSL Certificates: If you are going to set up a secured web server then I would suggest following the OpenSSL howto at the Ubuntu help site. It will walk you through setting up your own CA (Certificate Authority) and using it to sign your own certificates. It also tells you how to set up workstations to recognise your CA and how to create client certificates for a more secure authentication process. You may also like to read a more in-depth howto on the subject of SSL/TLS and apache2. It is a bit more dated and a lot more complex, but if you’re interested in tighter security then there is a lot to gain from it.
Once the server certificates are created and signed you need to copy them into the proper places. Ubuntu Hardy uses apparmor, and for some things apparmor expects the certificates to be in sub-directories of /etc/ssl. This being the case I went ahead and moved these ones to those directories. The certificates, both the CA and the server certificate go into /etc/ssl/certs/ and the server key, (and maybe the CA key?) need to go in /etc/ssl/private. The certificates need to be readable by everyone:
chmod 0644 /etc/ssl/certs/*
And the keys need to be readable only by root:
chmod 0600 /etc/ssl/private/*
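A post-copy check for the files placed under /etc/ssl, as an added example that is not part of the original post: it confirms the key's mode, that the certificate and key belong together, that the subject CN is the FQDN hostname -f returns, and that the certificate chains to the CA certificate (only the CA's certificate is needed for that, not its private key). The four paths and the FQDN are arguments.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a server certificate
# after copying it into /etc/ssl, which is where the author's hostname mix-up
# surfaced. Checks: key mode, cert/key match, CN equals the FQDN, chain verifies
# against the CA certificate (the CA's private key is not needed for this).
# Usage: check_server_cert CERT KEY FQDN CA_CERT
check_server_cert() {
    cert=$1 key=$2 fqdn=$3 ca=$4
    mode=$(stat -c '%a' "$key") || return 1
    case "$mode" in
        600|400) ;;
        *) echo "$key: mode $mode, expected 0600"; return 1 ;;
    esac
    # The public key in the certificate must be the one this private key produces.
    cert_mod=$(openssl x509 -noout -modulus -in "$cert") || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ] || { echo "$cert does not match $key"; return 1; }
    # Apache serves this certificate for ServerName, so the subject CN has to be
    # the FQDN that `hostname -f` returns.
    cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" \
         | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$fqdn" ] || { echo "$cert: CN is '$cn', expected '$fqdn'"; return 1; }
    # Chain check against the CA certificate kept in /etc/ssl/certs.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert: not signed by $ca"; return 1; }
    echo "$cert: OK for $fqdn"
}
if [ $# -eq 4 ]; then check_server_cert "$@"; fi
```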
LAMP Server: A basic LAMP server is very easy to install with Ubuntu; one simple command will pull in the whole set of software:
tasksel install lamp-server
This may seem like it freezes up for a little bit, but it should eventually start doing visible things again. After it’s all installed you need to copy the default site like so:
cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
Open up the default to edit:
vim /etc/apache2/sites-available/default
I’ve seen lots of ways to edit this, but I’ve used the following:
NameVirtualHost hostname.yourdomain.name:80
<VirtualHost hostname.yourdomain.name:80>
    ServerAdmin webmaster@yourdomain.name
    ServerName hostname.yourdomain.name
    DocumentRoot /var/www/html/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Directory>
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
You should notice that I have changed the first lines to match not only the non-secured port, but also the FQDN of the server. I’ve also changed the DocumentRoot and the allow/deny rules. I’ve done this because I don’t want to serve the same content on both the secure connection and the ‘regular’ connection, and I only want this server to serve to my local network as it is only intended for testing purposes and local development. You will need to use your own values for these entries.
When you’re done editing the default site you need to save and quit, then move on to the ssl file:
vim /etc/apache2/sites-available/ssl
I changed mine to look like the following:
NameVirtualHost hostname.yourdomain.name:443
<VirtualHost hostname.yourdomain.name:443>
    ServerAdmin webmaster@yourdomain.name
    ServerName hostname.yourdomain.name
    DocumentRoot /var/www/ssl/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/ssl/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Directory>
    ServerSignature On
    SSLEngine On
    SSLOptions +StrictRequire
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key
</VirtualHost>
This one is very similar to the default after modification, though I did remove directories that I didn’t need for the secured connections and I’ve changed the port in the first lines to match the HTTPS port. Of particular note on this one are the last few lines. These I needed to get the encrypted connections to work; there may be other settings that are better for security, and you may wish to visit the howto that I mentioned above for more information about that.
If you’ve opted to change the DocumentRoot of the servers, as I did above, you will need to create those directories now:
mkdir /var/www/html /var/www/ssl
And throw a test file in there to be sure everything is working right:
echo "<?php phpinfo() ?>" > /var/www/html/index.php && \
cp /var/www/html/index.php /var/www/ssl/
Once everything is running that should set the default page to a PHP information page on both the secure and non-secure ports. Now, we need to enable the ssl site and the ssl mod in apache2:
a2enmod ssl && a2ensite ssl
Now you can restart apache2 with either:
apache2ctl graceful
or:
/etc/init.d/apache2 restart
You should now have a working HTTP server on port 80 and a working HTTPS server on port 443. If you want to enable user directories you can do:
a2enmod userdir
This will allow users on the server to effectively have their own web server that uses a directory called public_html in their home directories. To change the settings for these directory servers I opened up the userdir.conf file:
vim /etc/apache2/mods-available/userdir.conf
The settings in that file seem to work the same as the ones in the site files that we modified earlier. I’ve changed mine to look like:
<IfModule mod_userdir.c>
    UserDir WWW
    UserDir disabled root
    <Directory /home/*/WWW>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Order deny,allow
        Deny from all
        Allow from 192.168.1.0/24
    </Directory>
</IfModule>
I’ve just changed it to only accept connections from the local network, and to use a directory named ‘WWW’ instead of the default public_html. It just seems a little bit cleaner to me that way. Assuming you’ve enabled user directories and/or modified the configuration for them, you will need to restart the web server again with either:
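The default site, the ssl site and userdir.conf all rely on the same Order deny,allow / Deny from all / Allow from LAN triplet to keep the server on the local network, and Apache 2.2 evaluates those three directives in a way that is easy to get backwards. As an added example that is not part of the original post, this awk-based audit prints one verdict per <Directory> block and fails if any block is reachable from everywhere; it reports the bare <Directory /> block as open, which is accurate since that block carries no access directives.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Order/Deny/Allow triplets
# in the site and userdir files above (Apache 2.2 syntax). Each <Directory>
# block gets one verdict; the function returns 1 if any block is reachable
# from everywhere, which is what a forgotten "Deny from all" under
# "Order deny,allow" produces. Usage: audit_directory_acls FILE
audit_directory_acls() {
    awk '
        function verdict(   v) {
            if (order == "allow,deny") {           # default deny, Deny wins
                if (allow_all && !deny_all)        v = "OPEN to everyone"
                else if (deny_all || allow == "")  v = "denies everyone"
                else                               v = "restricted to: " allow
            } else {                               # deny,allow (2.2 default), Allow wins
                if (!deny_all || allow_all)        v = "OPEN to everyone"
                else if (allow == "")              v = "denies everyone"
                else                               v = "restricted to: " allow
            }
            printf "%s: %s\n", dir, v
            if (v ~ /^OPEN/) open = 1
        }
        tolower($1) == "<directory" {
            dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir)
            order = "deny,allow"; deny_all = 0; allow_all = 0; allow = ""
            next
        }
        tolower($1) == "</directory>" { verdict(); dir = ""; next }
        dir == "" { next }                         # outside any <Directory> block
        tolower($1) == "order" { order = tolower($2); next }
        tolower($1) == "deny" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) if (tolower($i) == "all") deny_all = 1
            next
        }
        tolower($1) == "allow" && tolower($2) == "from" {
            for (i = 3; i <= NF; i++) {
                if (tolower($i) == "all") allow_all = 1
                else allow = (allow == "" ? $i : allow " " $i)
            }
        }
        END { exit (open ? 1 : 0) }
    ' "$1"
}
if [ $# -eq 1 ]; then audit_directory_acls "$1"; fi
```

Run it against /etc/apache2/sites-available/default, /etc/apache2/sites-available/ssl and /etc/apache2/mods-available/userdir.conf after editing and again after any later change.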
apache2ctl graceful
or:
/etc/init.d/apache2 restart
Hopefully all is well and you now have HTTP & HTTPS servers running for the server’s FQDN and each user that you’ve enabled on the machine.
SFTP Server: This one is unbelievably easy. If you’re using Xen servers then it’s already there. It’s enabled with the OpenSSH server that is installed by default; all you have to do is set up a client to connect to it. I’ve used filezilla for this, which can be installed on a workstation with:
apt-get install filezilla
Setting it up is easy, just open the settings manager, use the FQDN of the server, you may need to put 22 in the port text input, then select SFTP - SSH File Transfer Protocol from the servertype dropdown. Fill in your username and password then click connect. Should be easy…
However, enabling this also gives your user SSH access to the server. If you don’t want this you can follow the directions in Restrict Users to SCP/SFTP and Restrict Shell Access with rssh at nixcraft.
UFW Packet Filtering: We need three ports open to allow all the traffic in this walk through, all of which are TCP. We need port 80 for HTTP, 443 for HTTPS, and 22 for SSH and SFTP. We can do this with the following:
ufw allow proto tcp from 192.168.1.0/24 to ip.of.this.machine port 80
ufw allow proto tcp from 192.168.1.0/24 to ip.of.this.machine port 443
ufw allow proto tcp from 192.168.1.0/24 to ip.of.this.machine port 22
ufw default deny
ufw enable
That should do it for UFW, as well as everything I set out to do. I think next I need to tackle a Xen server for PXE (Preboot Execution Environment) installs and apt-cacher for caching repositories and installing/updating all the workstations from one server instead of downloading every update for every computer… See ya then.