Install and configure Apache HTTP Server on Ubuntu 14.04

Install Apache HTTP Server

sudo apt-get -y install apache2 apache2-utils

Configure Apache HTTP Server

  • Create a user/password for accessing protected pages.
    sudo htpasswd -c /var/www/.htpasswd admin
  • Enable the Cache Expiration, URL Rewriting and SSL modules.
    sudo a2enmod expires rewrite ssl
  • Re-generate the default server certificate.
    sudo make-ssl-cert generate-default-snakeoil --force-overwrite
  • Back up the Apache HTTP Server default VirtualHost file.
    sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/000-default.conf.orig
  • Edit the Apache HTTP Server default VirtualHost file.
    sudo nano /etc/apache2/sites-available/000-default.conf
    • Set the ServerName to the server domain.
    • Remove the VirtualHost specific ServerAdmin setting so it uses the default.
    • Set VirtualHost specific log files.
      • Replace
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      • With
        ErrorLog ${APACHE_LOG_DIR}/{DOMAIN}-error.log
        CustomLog ${APACHE_LOG_DIR}/{DOMAIN}-access.log combined
    • Redirect HTTP to HTTPS.
      • Add
          # Redirect to HTTPS.
          RewriteEngine On
          RewriteCond %{HTTPS} off
          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
      • Above
        </VirtualHost>
  • Back up the Apache HTTP Server default-ssl VirtualHost file.
    sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.orig
  • Edit the Apache HTTP Server default-ssl VirtualHost file.
    sudo nano /etc/apache2/sites-available/default-ssl.conf
    • Add Directory configurations.
      • Add
        <Directory />
          Options FollowSymLinks
          AllowOverride None
        </Directory>

        <Directory /var/www>
          Options MultiViews FollowSymLinks
          AllowOverride All
          Order Allow,Deny
          Allow from All

          # Authentication
          AuthType Basic
          AuthName "{DOMAIN}"
          AuthUserFile /var/www/.htpasswd
          Require valid-user
        </Directory>
      • After
        <IfModule mod_ssl.c>
    • Remove the VirtualHost specific ServerAdmin setting so it uses the default.
    • Set VirtualHost specific log files.
      • Replace
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
      • With
        ErrorLog ${APACHE_LOG_DIR}/{DOMAIN}-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/{DOMAIN}-ssl-access.log combined
  • Enable the default-ssl VirtualHost.
    sudo a2ensite default-ssl.conf
  • Back up the Apache HTTP Server status configuration file.
    sudo cp /etc/apache2/mods-available/status.conf /etc/apache2/mods-available/status.conf.orig
  • Edit the Apache HTTP Server status configuration file.
    sudo nano /etc/apache2/mods-available/status.conf
    • Allow authenticated users to access /server-status from anywhere.
      • Replace
        Require local
        #Require ip 192.0.2.0/24
      • With
        # Authentication
        AuthType Basic
        AuthName "{DOMAIN}"
        AuthUserFile /var/www/.htpasswd
        Require valid-user
  • Back up the Apache HTTP Server main configuration file.
    sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.orig
  • Edit the Apache HTTP Server main configuration file.
    sudo nano /etc/apache2/apache2.conf
    • Set the ServerName.
      • Add
        #
        # ServerName: Sets the request scheme, hostname and port that the server uses to
        # identify itself. This is used when creating redirection URLs.
        #
        ServerName {DOMAIN}

        #
        # ServerAdmin: Your address, where problems with the server should be emailed.
        # This address appears on some server-generated pages, such as error documents.
        # e.g. admin@your-domain.com
        #
        ServerAdmin {ADMIN_EMAIL}
      • After
        #ServerRoot "/etc/apache2"
  • Back up the Apache HTTP Server security configuration file.
    sudo cp /etc/apache2/conf-available/security.conf /etc/apache2/conf-available/security.conf.orig
  • Edit the Apache HTTP Server security configuration file.
    sudo nano /etc/apache2/conf-available/security.conf
    • Only send the HTTP Server name, not the version used.
      • Replace
        ServerTokens OS
      • With
        ServerTokens Prod
    • Add the ServerAdmin email to the ServerSignature.
      • Replace
        ServerSignature On
      • With
        ServerSignature EMail
    • Accept pathname information following a filename.
      • Add
        #
        # Accept pathname information that follows an actual filename into the
        # PATH_INFO environment variable.
        #
        AcceptPathinfo On
      • Above
        #vim: syntax=apache ts=4 sw=4 sts=4 sr noet
  • Back up the Apache HTTP Server SSL configuration file.
    sudo cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-available/ssl.conf.orig
  • Edit the Apache HTTP Server SSL configuration file.
    https://yuridejager.wordpress.com/2014/05/06/securing-your-https-apache-...
    • Disable SSLv2 and SSLv3.
      • Replace
        SSLProtocol all
      • With
        SSLProtocol all -SSLv2 -SSLv3
    • Specify a cipher suite order.
      • Replace
        SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
      • With
        SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DES-CBC3-SHA:!aNULL:!eNULL:!ADH:!EXP:!LOW:!DES:!MD5:!PSK:!SRP:!DSS:!RC4
    • Honor specified cipher suite order.
      • Replace
        #SSLHonorCipherOrder on
      • With
        SSLHonorCipherOrder on
  • Back up the Logrotate Apache HTTP Server file.
    sudo cp /etc/logrotate.d/apache2 /etc/logrotate.d/apache2.orig
  • Edit the Logrotate Apache HTTP Server file.
    sudo nano /etc/logrotate.d/apache2
    • Change the log rotation from weekly to daily.
      • Replace
        weekly
      • With
        daily
    • Rotate logs 7 times before deleting.
      • Replace
        rotate 52
      • With
        rotate 7
  • Add the www-data user to the {USER} group.
    A reboot is necessary for changes to take effect.
    sudo usermod -a -G {USER} www-data
  • Restart the Apache HTTP Server service.
    sudo service apache2 restart
  • Allow firewall access.
    sudo ufw allow http/tcp
    sudo ufw allow https/tcp
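
To check that the TLS and banner settings from the steps above are actually present in the edited files, the following script (an added example, not part of the original guide) reads ssl.conf and security.conf and prints one finding per deviation. The function names and the constructed sample directory are assumptions; the sample reports DES-CBC3-SHA, which is OpenSSL's name for a 3DES suite and appears in the guide's cipher list.

```shell
#!/bin/sh
# Added example: audit the TLS and banner settings this guide changes.
# Function names are hypothetical; file paths are the ones the guide edits.

# Print the last uncommented value of directive $1 in file $2 (empty if unset).
directive() {
    [ -r "$2" ] || return 0
    awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$2"
}

# Print one finding per line for the Apache config root $1.
audit_apache() {
    root="${1:-/etc/apache2}"
    ssl="$root/mods-available/ssl.conf"
    sec="$root/conf-available/security.conf"

    proto=$(directive SSLProtocol "$ssl")
    for p in SSLv2 SSLv3; do
        case " $proto " in
            *" -$p "*) ;;                       # explicitly disabled
            "  "|*" all "*|*" +all "*|*" $p "*|*" +$p "*)
                echo "SSLProtocol does not disable $p" ;;
        esac
    done

    # Name-based check only: positively listed suites using legacy algorithms.
    directive SSLCipherSuite "$ssl" | tr ':' '\n' | grep -v '^[!-]' |
        grep -E 'RC4|DES|MD5|NULL|EXP' | sed 's/^/weak cipher listed: /'

    honor=$(directive SSLHonorCipherOrder "$ssl" | tr 'A-Z' 'a-z')
    [ "$honor" = on ] || echo "SSLHonorCipherOrder is not on"

    tokens=$(directive ServerTokens "$sec" | tr 'A-Z' 'a-z')
    [ "$tokens" = prod ] || echo "ServerTokens is not Prod"
}

# Constructed sample: the guide's "With" values, cipher list shortened.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/mods-available" "$demo_root/conf-available"
printf '%s\n' 'SSLProtocol all -SSLv2 -SSLv3' \
    'SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:DES-CBC3-SHA:!aNULL:!RC4' \
    'SSLHonorCipherOrder on' > "$demo_root/mods-available/ssl.conf"
printf 'ServerTokens Prod\n' > "$demo_root/conf-available/security.conf"
audit_apache "$demo_root"    # on a server: audit_apache /etc/apache2
```

The check reads the files only; `sudo apache2ctl configtest` still has to pass before the restart for the settings to load.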
