Posted under » Ubuntu » Apache » LAMP Security updated on 1 July 2022
Ubuntu tries to improve its Apache config with each new version,
for example to make it common across the many Linux distros.
This : ErrorLog /var/log/apache2/error.log has become
This : ErrorLog ${APACHE_LOG_DIR}/error.log
Directory access control is specified in the main /etc/apache2/apache2.conf file.
By default your files are at /var/www/html, but if you want to have them elsewhere, you need to amend the /etc/apache2/apache2.conf file and go to the line where "/var/www/" can be edited.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
It does not allow access to the root filesystem outside of /var/www. If your system is serving content from a sub-directory other than /var/www or in any related virtual host you must allow access here.
You may also see this error in your logs.
'AH01797: client denied by server configuration'
To fix this, go to the virtual host config and change from
<Directory /var/www/lkybast/>
    Order allow,deny
    allow from all
</Directory>
To this instead.
<Directory /var/www/lkybast/>
    Require all granted
</Directory>

<Directory /home/anoneh/www/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Putting your virtual host in your /home/ folder is tricky because you will get an 'AH00035: access to / denied (filesystem path '/home/ubuntu/www') because search permissions are missing on a component of the path' error. Path component means that 'home' and/or 'ubuntu' and/or 'www' is not accessible.
The home folder is supposed to be private and can only be read by you. To fix this you need to recursively chmod 755 or chmod +x the directory. Check that the 'ubuntu' and 'www' directories are also 755 so that the 'others' or public group is able to read them. If this fails, then try the /home folder too as a last resort.
It is also good to make anoneh part of the www-data usergroup.
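To find which path component triggers AH00035 before changing any permissions, the following added example (not from the original post) walks from the DocumentRoot up to / and prints each directory whose search bit is missing for 'others'. It assumes the Apache user is neither owner nor group member of those directories; the function name blocked_components and the temporary demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list directories on the way to a DocumentRoot that lack the
# "other" execute (search) bit, the condition behind AH00035.
# Assumption: the Apache user is neither owner nor group member of these
# directories, so the "other" permission bits are the ones that apply.

nl='
'

blocked_components() {
    p=$1
    result=""
    case $p in
        /*) ;;
        *) echo "absolute path required" >&2; return 2 ;;
    esac
    # Walk from the target up to /, checking each directory's mode string.
    while :; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            return 2
        fi
        mode=$(ls -ldL "$p" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;                     # others may traverse
            d*) result="$p$nl$result" ;;          # search bit missing
        esac
        if [ "$p" = "/" ]; then
            break
        fi
        p=$(dirname "$p")
    done
    printf '%s' "$result"    # root-most blocked component first
}

# Constructed demo tree standing in for /home/ubuntu/www (not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/home/ubuntu/www"
chmod 755 "$demo" "$demo/home" "$demo/home/ubuntu/www"
chmod 750 "$demo/home/ubuntu"    # private home: no search bit for others
blocked_components "$demo/home/ubuntu/www"
```

On a real host, pass the DocumentRoot itself, for example blocked_components /home/ubuntu/www. Adding only the search bit (chmod o+x) to each directory it prints is enough for Apache to traverse them, without making their other contents world-readable.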
Includes in the Apache config must have a .conf extension. This makes things look neat and easy to understand.
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf
The sites-enabled www.conf file may look like this
<VirtualHost *:80>
    ServerName www.lkybast.com
    ServerAlias lkybast.com
    ServerAdmin webmaster@lkybast.com
    DocumentRoot /var/www/lkybast
    <Directory /var/www/lkybast/>
        Options -Indexes
        AllowOverride All
        # Apache 2.4 access control, replacing "Order allow,deny" / "allow from all"
        Require all granted
        ServerSignature Off
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error-www-lkybast.log
    CustomLog ${APACHE_LOG_DIR}/access-www-lkybast.log combined
    ErrorDocument 404 /pagenotfound.php
</VirtualHost>
Of course, the error could just be a simple typo in the folder name.
Security issues
You may test if your config is working by
$ apachectl configtest
You may enable a config in the conf-available directory by
$ sudo a2enconf mod-wsgi
To check the apache status like sites enabled and the ports that are in use,
$ apache2ctl -S
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server mth107-adles.nus.edu.sg (/etc/apache2/sites-enabled/mth107.conf:12)
         port 443 namevhost mth107-adles.nus.edu.sg (/etc/apache2/sites-enabled/mth107.conf:12)
*:80                   is a NameVirtualHost
         default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost cbquery.anoneh.com (/etc/apache2/sites-enabled/cbquery.conf:1)
ServerRoot: "/etc/apache2"
You may enable a site in the sites-available directory by
$ sudo a2ensite waklu.conf
To disable,
$ sudo a2dissite waklu.conf
For more info on system status and restart
You may wish to proceed to install PHP libraries and install Apache mod rewrite.
Or change MySQL root password.