In my previous blog I installed Apache 2 on a Raspberry Pi. To display more than simple HTML pages, you need to install and configure additional software, such as a database server and the scripting language PHP. For more convenience and security you can also set up things like SSL. You do that as follows. You can install the Apache web server yourself as described here.
Install a database server
Most sites do not consist of passive HTML pages, but retrieve their ever-changing content from a database. To store the content and other data in a database, you must install MySQL (or MariaDB) as database server.
sudo apt-get install mysql-server
During installation, a password is requested for the database user. After you have typed it in again for confirmation, the database server is ready for use. With the following command you can check if that is indeed the case.
sudo systemctl status mysql
Remember the database password well, because you will need it later, for example to create backups or new tables.
Install PHP
To install the language PHP you have to add some extra modules. This is why this command is a bit longer than the commands that you have typed so far.
sudo apt-get install php libapache2-mod-php php-mcrypt php-mysql php-cgi php-curl php-json
To test if PHP is properly installed, you must first have a PHP page that you can run. To create such a page, you need an editor for editing text files. For beginners, nano is the easiest.
sudo apt-get install nano
Then you can make a test page. With Apache, the files on the web server are in the directory /var/www/html by default. In that directory you create a test page with the extension php.
sudo nano /var/www/html/test.php
Then type the following line.
<?php phpinfo(); ?>
Save the file (Ctrl + O) and close the editor (Ctrl + X). Then go to http://Servername/test.php with the browser. If all goes well, you will now see the system information of PHP. Because you probably do not want everyone to be able to view all the information about your web server, you remove that page after testing with the following command.
sudo rm /var/www/html/test.php
Multiple websites
Usually you want to host multiple websites on a single web server. Each gets its own directory and works with its own database, so that they do not get in each other’s way. In this case you use the mkdir command to create a directory for the test.com website, then the cd command to go to that directory, and there use nano to create the file index.html, which is the default page opened when someone visits the website.
sudo mkdir -p /var/www/test.com
cd /var/www/test.com
sudo nano index.htm
In that index file you put the following content with nano:
<html>
  <head>
    <title>test.com index - page</title>
  </head>
  <body>
    <h1>Hello and welcome to test.com!</h1>
    <h2>If you see this, then it works ...</h2>
  </body>
</html>
Add A Website
You have created a separate directory for the new website, but Apache does not yet know what to do with it. The directory /etc/apache2/sites-available/ holds the configuration files for the websites hosted by your Apache server. The configuration file for the new test.com domain must be created in that directory.
cd /etc/apache2/sites-available/
sudo nano test.com.conf
In the configuration file you set the following rules. At ServerAdmin, enter your email address.
<VirtualHost *:80>
    ServerAdmin @test.com
    DocumentRoot /var/www/test.com
    ServerName test.com
    ServerAlias www.test.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Then that configuration has to be added and loaded. With a2ensite (Apache 2 enable site) you add the site to the web server, and with the reload command Apache reloads the configuration. After this the site should be available.
sudo a2ensite test.com.conf
sudo service apache2 reload
If you go to http://Servername/test.com with the browser, you should see the index page. If you have registered the domain name test.com and pointed it to the IP address of your web server, you should get the same result if you go to http://test.com.
Install SSL
The internet traffic between your web server and the browser of your visitors is not yet encrypted. Everyone who has access to that network traffic can therefore read everything that is being sent. Of course, you do not want that on pages with login details or payment information. That is why we need to encrypt this traffic. Nowadays this can be done in several ways: a difficult one, a reasonably easy one and a very easy one. Of course we take the easiest (and free) method and do it with Let’s Encrypt. You can let Let’s Encrypt arrange the certificates needed for encryption and also make all the settings necessary to secure internet traffic.
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-apache
sudo certbot --apache -d test.com -d www.test.com
This creates the file test.com-le-ssl.conf in the directory /etc/apache2/sites-available/, in which port 443 is configured for secure SSL traffic. Normal data traffic via HTTP uses port 80, but the HTTPS protocol works with port 443. Fortunately, both HTTP and HTTPS are already enabled by the firewall, so that the secure data traffic is not stopped.
For optimal security, of course, you want all traffic that enters your web server via HTTP to be redirected to HTTPS. That is also what Let’s Encrypt sets for you in the configuration file test.com.conf of your website. If you then go to https://www.ssllabs.com/ssltest/analyze.html?d=test.com&latest, you can test if your site is indeed secure. If you go to http://test.com with your browser, you will see that you are automatically redirected to https://test.com. And more importantly: next to the URL you will see a green lock to confirm the secure status of the web traffic.
Extend automatically
A Let’s Encrypt certificate has a maximum validity of 90 days, after which you normally have to renew the certificate manually. That is still possible for one website, but if you manage multiple sites, you do not want to run the risk of accidentally forgetting to extend one, which means your site will suddenly no longer be reachable safely. Fortunately, there is a possibility to automatically renew the certificate.
For this we create a system task, called Linux cronjob or crontab. With Cron (from the English word chronograph, a sort of stopwatch) you can perform tasks at a preset time. At the bottom of the list of existing tasks you add a new task to renew the certificates. In this case, that happens every morning at 7 a.m. If a certificate does not have to be renewed yet, nothing else happens.
sudo crontab -e
0 7 * * * /usr/bin/certbot renew --quiet
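The cron entry runs with --quiet, so a renewal that keeps failing produces no output. The following added example (not from the original post) reports whether a certificate is close to expiry using openssl's -checkend option; the 21-day default threshold, the function names and the throwaway certificates built by make_cert are assumptions of this example.

```shell
#!/bin/sh
# Added example. certbot renew only acts on certificates that are within
# 30 days of expiry, so with a working daily cron job a certificate should
# never have much less than 30 days left. Fewer than 21 days (assumed
# threshold) suggests the renewal has been failing quietly.

# cert_status FILE [DAYS] prints: ok | expiring | unreadable
cert_status() {
    cert=$1; days=${2:-21}
    # -noout with no other option only parses the file.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "unreadable"; return 2
    fi
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo "ok"; return 0
    fi
    echo "expiring"; return 1
}

# Constructed sample input: a self-signed certificate valid for $1 days,
# written to $2. Only used to exercise cert_status offline.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=test.com" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates. On the server, pass the certificate file
# that certbot maintains, by default /etc/letsencrypt/live/test.com/cert.pem.
d=$(mktemp -d)
make_cert 90 "$d/fresh.pem" && cert_status "$d/fresh.pem"
make_cert 10 "$d/old.pem" && cert_status "$d/old.pem" || true
```

Run from a second cron entry, a non-zero exit status from cert_status can be used to send a notification.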
Install the database manager
Now that the traffic from and to your web server is encrypted, you can continue with the database server. You have already installed it, but there is no management interface yet. Usually phpMyAdmin is used for this. Install this software with the following commands:
sudo apt-get update
sudo apt-get install phpmyadmin php-mbstring php-gettext
At the first screen, select apache2 by pressing the space bar, and answer yes to the dbconfig-common question. Then you have to enter a password to log in to phpMyAdmin. The modules mcrypt and mbstring need to be explicitly enabled because phpMyAdmin needs them and they are not automatically installed. Then you have to restart Apache:
sudo phpenmod mcrypt
sudo phpenmod mbstring
sudo systemctl restart apache2
Then you can go to https://test.com/phpmyadmin in the browser and you will be asked to log in. Use the password you just entered. You use root as the username.
By logging in to phpMyAdmin as root, you manage the database as a kind of super-user. Just like with the management of the web server, this is absolutely undesirable in practice, especially because that interface is often the target of attackers. If malicious people manage to hack the interface, they have total access to all your databases. This is prevented by better shielding phpMyAdmin. Open the phpMyAdmin configuration file with
sudo nano /etc/apache2/conf-available/phpmyadmin.conf
And add the line with AllowOverride to overrule the default settings later:
<Directory /usr/share/phpmyadmin>
    Options FollowSymLinks
    DirectoryIndex index.php
    AllowOverride All
    ...
Restart the Apache server for the new settings:
sudo systemctl restart apache2
Then you will ensure that only explicitly specified users can log in to phpMyAdmin. To do so, create a .htaccess file in the phpMyAdmin directory with
sudo nano /usr/share/phpmyadmin/.htaccess
containing the following content:
AuthType Basic
AuthName "Restricted files"
AuthUserFile /etc/phpmyadmin/.htpasswd
Require valid-user
Save the file and create the file named .htpasswd with the permitted users:
sudo apt-get install apache2-utils
sudo htpasswd -c /etc/phpmyadmin/.htpasswd username
Replace username with the name of the first user. For every subsequent user, run the second command again, but without -c. If you then go to https://test.com/phpmyadmin, you will first have to log in as one of those users to access the interface.
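The shielding only works if the AllowOverride line and the .htaccess file agree; with AllowOverride None, Apache does not read the .htaccess file at all and phpMyAdmin stays open. The following added example (not from the original post) checks both files; the function names, finding labels and sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the phpMyAdmin shielding.
# audit_pma CONF HTACCESS prints one finding per line, or "OK";
# it returns non-zero when there is at least one finding.
audit_pma() {
    conf=$1; hta=$2; bad=0
    # Value of the last AllowOverride inside <Directory /usr/share/phpmyadmin>.
    ao=$(awk '
        tolower($1) == "<directory" && $2 ~ /^\/usr\/share\/phpmyadmin\/?>$/ { blk = 1; next }
        tolower($1) == "</directory>" { blk = 0 }
        blk && tolower($1) == "allowoverride" { $1 = ""; v = tolower($0) }
        END { print v }' "$conf")
    case "$ao" in
        *" all"*|*" authconfig"*) ;;
        *) echo "NOAUTH: AllowOverride does not permit auth directives in .htaccess"; bad=1 ;;
    esac
    if [ ! -f "$hta" ]; then
        echo "MISSING: $hta does not exist"; return 1
    fi
    if ! grep -Eiq '^[[:space:]]*Require[[:space:]]+(valid-user|user[[:space:]])' "$hta"; then
        echo "OPEN: no Require valid-user or Require user line"; bad=1
    fi
    # The password file must not sit in a directory that Apache serves.
    pw=$(awk 'tolower($1) == "authuserfile" { print $2 }' "$hta" | tr -d '"')
    case "$pw" in
        "") echo "OPEN: no AuthUserFile line"; bad=1 ;;
        /usr/share/phpmyadmin/*|/var/www/*) echo "EXPOSED: $pw is inside a served directory"; bad=1 ;;
    esac
    if [ "$bad" -eq 0 ]; then echo "OK"; fi
    return "$bad"
}

# Constructed sample files modelled on the snippets in this post.
make_samples() {
    s=$(mktemp -d)
    printf '%s\n' '<Directory /usr/share/phpmyadmin>' '    Options FollowSymLinks' \
        '    DirectoryIndex index.php' '    AllowOverride All' '</Directory>' > "$s/good.conf"
    sed 's/AllowOverride All/AllowOverride None/' "$s/good.conf" > "$s/bad.conf"
    printf '%s\n' 'AuthType Basic' 'AuthName "Restricted files"' \
        'AuthUserFile /etc/phpmyadmin/.htpasswd' 'Require valid-user' > "$s/htaccess"
    echo "$s"
}

# On the server: audit_pma /etc/apache2/conf-available/phpmyadmin.conf \
#                          /usr/share/phpmyadmin/.htaccess
d=$(make_samples)
audit_pma "$d/good.conf" "$d/htaccess" || true
audit_pma "$d/bad.conf" "$d/htaccess" || true
```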
Web server ready
Then the basic configuration of your web server is ready and your website is ready for use. If you want to work with a content management system (CMS), you can use phpMyAdmin to create a database for the relevant CMS package (for example WordPress, Joomla or Drupal) and specify its data when installing that package. Basically you now have a secure web server with all the basic functions, but also the possibility to extend that functionality where, how and when you want it.