Secure Apache2 and PHP on Ubuntu 16.04

Create /etc/apache2/sites-available/000-security.conf

$ sudo vi /etc/apache2/sites-available/000-security.conf
# Secure apache website

# Disable Trace HTTP Request
TraceEnable off

# Disable Signature
ServerSignature Off

# Disable Banner
ServerTokens Prod

# If enabled ssl (sudo a2enmod ssl)
# Use only TLS, Disable SSLv2, SSLv3
# ("-ALL +TLSv1" would allow TLS 1.0 only and turn off TLS 1.1 and 1.2)
# SSLProtocol all -SSLv2 -SSLv3

# Disable Null and Weak Ciphers (RC4 is excluded, not enabled)
# SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM

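# Disable Directory Listing
# (Apache 2.4 rejects mixing signed and unsigned options such as "all -Indexes";
#  a <Directory> block that sets "Options Indexes" still overrides this line)
Options -Indexes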

# If enabled headers (sudo a2enmod headers)
# Disable x-powered by
Header always unset X-Powered-By

Enable the site and restart Apache so the settings take effect:

$ sudo a2ensite 000-security.conf
$ sudo systemctl restart apache2

On Ubuntu 16.04 the default PHP settings are good. Make sure the following settings are present in php.ini:

/etc/php/7.0/fpm/php.ini

/etc/php/7.0/apache2/php.ini

expose_php = Off
display_errors = Off

Reference: https://www.unixmen.com/ways-to-secure-your-ubuntu-14-04-server-running-lamp/
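
To confirm the settings above took effect, the response headers can be checked for the values they are meant to remove. The script below is an added example, not part of the original page; the two sample responses are constructed, and the function names and the localhost URL in the closing comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): flag response headers that the
# settings above are meant to remove. Both sample responses are constructed.

BEFORE='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)
X-Powered-By: PHP/7.0.33
Content-Type: text/html; charset=UTF-8'

AFTER='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Reads raw response headers on stdin and prints one finding per leaking
# header; prints nothing when the response is clean.
audit_headers() {
    tr -d '\r' | awk '
        {
            name = tolower($0); sub(/:.*/, "", name)
            value = $0;         sub(/^[^:]*:[ \t]*/, "", value)
        }
        # ServerTokens Prod reduces the banner to the bare product name, so a
        # "/" or "(" in the value means version or OS details are still sent.
        name == "server" && value ~ "[/(]" { print "server-banner " value }
        # Gone once expose_php = Off is set or the header is unset in Apache.
        name == "x-powered-by"             { print "x-powered-by " value }
    '
}

# Number of findings for a header block passed as the first argument.
count_findings() {
    printf '%s\n' "$1" | audit_headers | wc -l | tr -d ' '
}

# With TraceEnable off Apache answers TRACE with 405; a 200 means it is on.
trace_enabled() {
    [ "$1" = "200" ]
}

echo "before: $(count_findings "$BEFORE") finding(s)"
echo "after:  $(count_findings "$AFTER") finding(s)"
# Against a live server (assumed to listen on localhost):
#   curl -sI http://localhost/ | audit_headers
#   trace_enabled "$(curl -s -o /dev/null -w '%{http_code}' -X TRACE http://localhost/)"
```

ServerSignature is not covered here because it affects the footer of server-generated pages, not the response headers.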

Apache2 configuration for proxy

Proxy Modules:

  • mod_proxy: The main proxy module for Apache that manages connections and redirects them.
  • mod_proxy_http: This module implements the proxy features for HTTP and HTTPS protocols.
  • mod_proxy_ftp: This module does the same but for FTP protocol.
  • mod_proxy_fcgi: FastCGI
  • mod_proxy_connect: This one is used for SSL tunnelling.
  • mod_proxy_ajp: Used for working with the AJP protocol.
  • mod_proxy_wstunnel: Used for working with web-sockets (i.e. WS and WSS).
  • mod_proxy_balancer: Used for clustering and load-balancing.
  • mod_proxy_hcheck: Dynamic health check of Balancer members (workers) for mod_proxy
  • mod_cache: Used for caching.
  • mod_headers: Used for managing HTTP headers.
  • mod_deflate: Used for compression.

Enable proxy:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_html
sudo a2enmod xml2enc
sudo systemctl restart apache2

Example virtual host #1

<VirtualHost *:80>
    ServerName localhost
    ProxyPreserveHost On

    ProxyPass "/" "http://192.168.0.1:8080/"
    ProxyPassReverse "/" "http://192.168.0.1:8080/"

</VirtualHost>

Example virtual host #2

<VirtualHost *:80>
    ServerName localhost
    ProxyPreserveHost On

    ProxyPass "/subdir/" "http://192.168.0.221:8000/"
    ProxyPassReverse "/subdir/" "http://192.168.0.221:8000/"
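    # The Location path needs the trailing slash so rewritten URLs keep the "/" separator
    <Location "/subdir/">
        ProxyPassReverse    /
        # ProxyHTMLURLMap only takes effect when the proxy_html filter is enabled
        ProxyHTMLEnable     On
        ProxyHTMLURLMap     / /subdir/
    </Location>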

</VirtualHost>

Example virtual host #3 (Don’t proxy /static)

<VirtualHost *:80>
    ServerName localhost

    ProxyPreserveHost On
    ProxyPass "/" "http://192.168.0.221:8000/"
    ProxyPassReverse "/" "http://192.168.0.221:8000/"
    Alias /static/ /var/www/html/static/
    <Directory /var/www/html/static>
        Require all granted
    </Directory>
    <Location /static>
        ProxyPass "!"
    </Location>
</VirtualHost>

Enable load balancing:

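sudo a2enmod proxy_balancer
sudo a2enmod proxy_hcheck
# lbmethod=bytraffic and lbmethod=byrequests in the examples below need their modules
sudo a2enmod lbmethod_byrequests lbmethod_bytraffic
sudo systemctl restart apache2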

Example load balancing #1

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080
    ProxySet lbmethod=bytraffic
</Proxy>

ProxyPass "/images/"  "balancer://myset/"
ProxyPassReverse "/images/"  "balancer://myset/"

Example load balancing #2 (www3 handles three times the traffic and its timeout is 1 second)

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
    ProxySet lbmethod=bytraffic
</Proxy>

ProxyPass "/images/"  "balancer://myset/"
ProxyPassReverse "/images/"  "balancer://myset/"

Example failover

<Proxy balancer://myset>
    BalancerMember http://www2.example.com:8080
    BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
    BalancerMember http://hstandby.example.com:8080 status=+H
    BalancerMember http://bkup1.example.com:8080 lbset=1
    BalancerMember http://bkup2.example.com:8080 lbset=1
    ProxySet lbmethod=byrequests
</Proxy>

ProxyPass "/images/"  "balancer://myset/"
ProxyPassReverse "/images/"  "balancer://myset/"

Balancer Manager (Don’t enable it in production)

<Location "/balancer-manager">
    SetHandler balancer-manager
    Require host localhost
</Location>
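
Because the balancer manager can change the balancer's settings at runtime, it is worth checking enabled site files for a balancer-manager handler that has no restricting Require. The script below is an added example, not part of the original page; the sample configurations are constructed and the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): list <Location> blocks that turn
# on balancer-manager without a restricting Require. Samples are constructed.

EXPOSED='<Location "/balancer-manager">
    SetHandler balancer-manager
</Location>'

RESTRICTED='<Location "/balancer-manager">
    SetHandler balancer-manager
    Require host localhost
</Location>'

WIDE_OPEN='<Location "/balancer-manager">
    SetHandler balancer-manager
    Require all granted
</Location>'

# Reads Apache configuration on stdin. Prints the opening line of each
# <Location> block that sets the balancer-manager handler and has no Require
# other than "Require all granted". Heuristic: nesting is not followed.
find_exposed_manager() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^<location/ { start = line; handler = 0; restricted = 0; next }
        low ~ /^sethandler[ \t]+balancer-manager/ { handler = 1 }
        low ~ /^require[ \t]/ && low !~ /^require[ \t]+all[ \t]+granted/ { restricted = 1 }
        low ~ /^<\/location/ { if (handler && !restricted) print start; handler = 0 }
    '
}

for sample in "$EXPOSED" "$RESTRICTED" "$WIDE_OPEN"; do
    printf '%s\n' "$sample" | find_exposed_manager
done
# On a server: cat /etc/apache2/sites-enabled/*.conf | find_exposed_manager
```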

Controlling access to the proxy

<Proxy "*">
  Require ip 192.168.0
</Proxy>

Reference:

https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
https://httpd.apache.org/docs/2.4/mod/mod_proxy.html

Install apache2, php, mysql client, drush on ubuntu 16.04

Install mysql-client

sudo apt install mysql-client

Install php7

sudo apt install php php-xml php-gd php-curl php-mcrypt php-mbstring php7.0-mbstring php-gettext php-mysql

Install apache2

sudo apt install apache2 libapache2-mod-php
sudo a2enmod rewrite
# mod_dbd ships with apache2; it is enabled with a2enmod, not installed with apt
sudo a2enmod dbd

Install drush

$ php -r "readfile('https://s3.amazonaws.com/files.drush.org/drush.phar');" > drush
$ php drush core-status
$ chmod +x drush
$ sudo mv drush /usr/local/bin
$ drush init