Posted under » Ubuntu » Apache » LAMP Security updated on 1 July 2022
Ubuntu has tried to improve its Apache config in newer versions, for example to make it consistent across the many Linux distros.
This:
    ErrorLog /var/log/apache2/error.log
has become this:
    ErrorLog ${APACHE_LOG_DIR}/error.log
Directory access control is specified in the main /etc/apache2/apache2.conf file.
By default your files are at /var/www/html, but if you want to have them elsewhere, you need to amend the /etc/apache2/apache2.conf file and go to the line where "/var/www/" can be edited.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
This default config does not allow access to the root filesystem outside of /var/www. If your system is serving content from a sub-directory other than /var/www or in any related virtual host, you must allow access here.
You may also see this error in your logs:
'AH01797: client denied by server configuration'
To fix this, go to the virtual host config and change from
<Directory /var/www/lkybast/>
    Order allow,deny
    allow from all
</Directory>
To this instead.
<Directory /var/www/lkybast/>
    Require all granted
</Directory>

<Directory /home/anoneh/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Putting your virtual host in your /home/ folder is tricky because you will get an 'Apache: (filesystem path '/home/anoneh/www') because search permissions are missing on a component of the path' error. Path component means that either 'anoneh' and/or 'www' is not accessible.
The home folder is supposed to be private and readable only by you. To fix this you need to recursively chmod 755 or chmod +x the 'home' directory. Check that the 'anoneh' and 'www' directories are also 755 so that the 'others' or public group is able to read them.
It is also good to make anoneh part of the www-data user group.
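To see which component of the path is actually missing the search permission before changing modes, the check below walks the path one directory at a time. It is an added example, not part of the original post: the helper names `first_blocked_component` and `demo_tree` are hypothetical, the sample tree is constructed in a temporary directory, and it assumes GNU `stat` and that Apache's user reaches the directory through the 'others' permission bits.

```shell
# Added example: report the first directory on a path that "others" cannot traverse.
# Assumes GNU stat (-c '%a') and that Apache's user is neither owner nor in the group.
first_blocked_component() {
    target=${1%/}
    base=${2:-/}; base=${base%/}      # components of BASE itself are not checked
    rest=${target#"$base"}
    path=$base
    set -f; old_ifs=$IFS; IFS=/
    set -- $rest                      # split the remaining path on "/"
    IFS=$old_ifs; set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        path="$path/$part"
        [ -d "$path" ] || continue
        mode=$(stat -c '%a' "$path")
        others=${mode#"${mode%?}"}    # last octal digit = permissions for "others"
        case $others in
            1|3|5|7) ;;               # search (x) bit set, keep walking
            *) printf '%s\n' "$path"; return 0 ;;
        esac
    done
    return 0
}

# Constructed sample tree mirroring /home/anoneh/www with a private (700) home.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/anoneh/www"
    chmod 755 "$root/home" "$root/home/anoneh/www"
    chmod 700 "$root/home/anoneh"
    printf '%s\n' "$root"
}

root=$(demo_tree)
echo "blocked at: $(first_blocked_component "$root/home/anoneh/www" "$root")"
chmod 711 "$root/home/anoneh"         # search bit only, no directory listing
echo "after chmod 711: $(first_blocked_component "$root/home/anoneh/www" "$root")"
rm -rf "$root"
```

On a real host, call `first_blocked_component /home/anoneh/www` with one argument to check every component from `/`. An empty result means every directory on the path has the search bit for 'others'.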
Includes in the Apache config must have a .conf extension. This makes things look neat and easy to understand.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
The sites-enabled www.conf file may look like this:
<VirtualHost *:80>
    ServerName www.lkybast.com
    ServerAlias lkybast.com
    ServerAdmin webmaster@lkybast.com
    DocumentRoot /var/www/lkybast
    <Directory /var/www/lkybast/>
        # Disable directory listings; allow .htaccess overrides
        Options -Indexes
        AllowOverride All
        # Apache 2.4 syntax, replacing the older "Order allow,deny" / "allow from all"
        Require all granted
        ServerSignature Off
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error-www-lkybast.log
    CustomLog ${APACHE_LOG_DIR}/access-www-lkybast.log combined
    ErrorDocument 404 /pagenotfound.php
</VirtualHost>
Of course, the error could also just be a simple typo in the folder path.
Security issues
You may test if your config is working by
$ apachectl configtest
You may enable config in the conf-available directory by
$ sudo a2enconf mod-wsgi
To check the Apache status, like sites enabled and the ports that are in use,
$ apache2ctl -S
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server mth107-adles.nus.edu.sg (/etc/apache2/sites-enabled/mth107.conf:12)
         port 443 namevhost mth107-adles.nus.edu.sg (/etc/apache2/sites-enabled/mth107.conf:12)
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost cbquery.anoneh.com (/etc/apache2/sites-enabled/cbquery.conf:1)
ServerRoot: "/etc/apache2"
You may enable a site in the sites-available directory by
$ sudo a2ensite waklu.conf
To disable,
$ sudo a2dissite waklu.conf
For more info on system status and restart
You may wish to proceed to install PHP libraries and install Apache mod rewrite.
Or change MySQL root password.