Posted under » Ubuntu » Apache » LAMP Security updated on 1 July 2022
Ubuntu tries to improve things in their Apache config in their new version.
For eg. to make it common among the many linux distro.
This : ErrorLog /var/log/apache2/error.log has become
This : ErrorLog ${APACHE_LOG_DIR}/error.log
Directory access control are specified in the main apache2.conf file.
<Directory /> Options FollowSymLinks AllowOverride None Require all denied </Directory> <Directory /var/www/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
It does not allow access to the root filesystem outside of /var/www. If your system is serving content from a sub-directory other than /var/www or in any related virtual host you must allow access here.
<Directory /home/anoneh/www/> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory>
Putting your virtual host on your /home/ folder is tricky because you will get a 'Apache: (filesystem path '/home/anoneh/www') because search permissions are missing on a component of the path' error. Path component means either 'anoneh' and/or 'www' is not accessible.
The home folder is suppose to private and can only be read by you. To fix this you need to recursively chmod 755 or chmod +x the 'home' directory. Check that 'anoneh' and 'www' directory is also 755 so that the 'others' or public group is able to read it.
It is also good to make anoneh part of the www-data usergroup.
Includes to the apache config must have a .conf extension. This make things look neat and easy to understand.
# Include generic snippets of statements IncludeOptional conf-enabled/*.conf # Include the virtual host configurations: IncludeOptional sites-enabled/*.conf
The sites-enabled www.conf file may look like this
<VirtualHost *:80> ServerName www.lkybast.com ServerAlias lkybast.com ServerAdmin webmaster@lkybast.com DocumentRoot /var/www/lkybast <Directory /var/www/lkybast/> Options -Indexes AllowOverride All Order allow,deny allow from all ServerSignature Off </Directory> ErrorLog ${APACHE_LOG_DIR}/error-www-lkybast.log CustomLog ${APACHE_LOG_DIR}/access-www-lkybast.log combined ErrorDocument 404 /pagenotfound.php </VirtualHost>
If somehow you have have, 'AH01797: client denied by server configuration' instead of
<Directory /var/www/lkybast/> Order allow,deny allow from all </Directory>
Do this instead.
<Directory /var/www/lkybast/> Require all granted </Directory>
Of course, it could just be a simple typo of the folder.
Security issues
You may test if your config is working by
$ apachectl configtest
You may enable config in the conf-available directory by
$ sudo a2enconf mod-wsgi
You may enable site in the sites-available directory by
$ sudo a2ensite waklu.conf
To disable,
$ sudo a2dissite waklu.conf
You may wish to proceed in install PHP libraries and install Apache mod rewrite.
Or change MySQL root password.