Apache config on Ubuntu 20.04

Posted under » Ubuntu » Apache » LAMP Security updated on 1 September 2020

Ubuntu tries to improve things in their Apache config in their new version.

For eg. to make it common among the many linux distro.
This : ErrorLog /var/log/apache2/error.log has become
This : ErrorLog ${APACHE_LOG_DIR}/error.log

Directory access control are specified in the main apache2.conf file.

<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>

#<Directory /usr/share>
#	AllowOverride None
#	Require all granted
#</Directory>

<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>

It does not allow access to the root filesystem outside of /var/www. If your system is serving content from a sub-directory other than /var/www or in any related virtual host you must allow access here.

Includes to the apache config must have a .conf extension. This make things look neat and easy to understand.

# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf 

The sites-enabled www.conf file may look like this

<VirtualHost *:80>
  ServerName www.lkybast.com
  ServerAlias lkybast.com 
	ServerAdmin webmaster@lkybast.com 
	DocumentRoot /var/www/lkybast

	<Directory /var/www/lkybast/>
		Options -Indexes
		AllowOverride All
		Order allow,deny
		allow from all
		ServerSignature Off
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error-www-lkybast.log
	CustomLog ${APACHE_LOG_DIR}/access-www-lkybast.log combined

    ErrorDocument 404 /pagenotfound.php

</VirtualHost>

If somehow you have access issues, instead of

  <Directory /var/www/lkybast/>
    Order allow,deny
    allow from all
  </Directory>

Do this instead

  <Directory /var/www/lkybast/>
    Require all granted
  </Directory>

Security issues

• For using .htaccess files or mod-rewrite, read this.
• Another security issue is enabling the index or directory browsing. So don't forget to put "Options -Indexes" to be on the safe side.
• It is a good idea when in production server you turn off server signature server wide by putting the "server signature off" at the main apache2.conf
  

You may test if your config is working by

$ apachectl configtest

You may enable config in the conf-available directory by

$ sudo a2enconf mod-wsgi

You may enable site in the sites-available directory by

$ sudo a2ensite waklu.conf

To disable,

$ sudo a2dissite waklu.conf

You may wish to proceed in finetuning your LAMP config.
 

© 2009-2022 anoneh.com | Home | About | My Wordpress | Tumblr | Blogger | Gallery