aptosid LAMP Stack

The acronym LAMP refers to a set of free software programs commonly used together to run dynamic Web sites or servers:
Linux, the operating system
Apache, the Web server
MySQL, the database management system (or database server)
Perl, PHP, and/or Python, scripting languages

WARNING: Never use your day-to-day PC to act as an internet web server! Use a dedicated PC to be an internet web server and let it do nothing else!

Server uses:
a) a local test server for web designers without internet connectivity, which is the scope of this topic;
b) a private "closet" server connected to the net;
c) a private web server fully propagated to the internet;
d) a commercial web server, which is beyond the scope of this manual.

Minimum Requirements

At least 256MB of RAM must be available. Anything less will cause a lot of problems, since a server running MySQL requires a lot of RAM to run properly. MySQL will fail with the error "cannot connect to mysql.sock" if you don't have enough memory in your server.

The packages you will need to install are:

apache2
apache2-utils
apache2-mpm-prefork
php5 php5-common
mysql-server
mysql-common
libapache2-mod-php5
php5-mysql
phpmyadmin

WARNING: Remove splashy, as splashy always breaks mysql:

apt-get remove --purge splashy

The Apache configuration file is located at /etc/apache2/apache2.conf and your web folder is /var/www. Do not tweak the Debian default settings for 'mpm-worker/mpm-prefork', as the Debian defaults are sane.

To check whether PHP is installed and running properly, create a test.php in your /var/www folder containing the phpinfo() function, exactly as shown below.

mcedit /var/www/test.php

# test.php
<?php phpinfo(); ?>

Point your browser to:

http://localhost/test.php
or
http://yourip:80/test.php

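This should show all your PHP configuration and default settings. Delete test.php once you have checked it, since the phpinfo() output reveals details of the server configuration to anyone who can load the page.

You can edit the necessary values or set up virtual domains in the Apache configuration file.

If you want to test your installation, go to your browser and type the following: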

http://youripaddress/apache2-default/

If this displays a welcome message, your installation is correct.

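The default document root directory for apache2 is /var/www. To change this to a folder in your home, move the existing directory aside first (if /var/www still exists as a directory, ln creates the link inside it instead of replacing it):

mkdir /home/myself/www
mv /var/www /var/www.orig
ln -s /home/myself/www /var/www

After running the above commands you can edit your web site inside your home as a normal user.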

FTP Clients

Use SSH, and read the SSH topic carefully. aptosid also has another built-in FTP client in the form of Konqueror to enable you to upload your files.

Enabling good security protocols for Web Servers

Firewalls

Without a firewall there is absolutely no security for your server. Remember: block EVERYTHING until you need it, then reblock it!

21 (ftp)
22 (SSH)
25 110 (email)
443 (SSL http or https)
993 (imap ssl)
995 (pop3 ssl)
80 (http)
and any other port going!

Protect Server Files by Default

One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.

For instance, consider the following example:

 1. # cd /; ln -s / public_html
 2. Accessing http://localhost/~root/

This would allow clients to walk through the entire filesystem! To work around this, add the following block to your server's configuration:

<Directory />
   Order Deny,Allow
   Deny from all
</Directory>

This will forbid default access to filesystem locations. Add appropriate <Directory> blocks to allow access only in those areas you wish. For example,

<Directory /usr/users/*/public_html>
    Order Deny,Allow
    Allow from all
</Directory>
<Directory /usr/local/httpd>
    Order Deny,Allow
    Allow from all
</Directory>

Pay particular attention to the interactions of <Location> and <Directory> directives; for instance, even if <Directory /> denies access, a <Location /> directive might overturn it.

Also be wary of playing games with the UserDir directive; setting it to something like "./" would have the same effect, for root, as the first example above. If you are using Apache 1.3 or above, we strongly recommend that you include the following line in your server configuration files:

UserDir disabled root
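
As an added example (not part of the original manual or of Apache itself), the shell function below audits an Apache configuration for the settings described in this section: a <Directory /> block that denies access, no <Location /> or <Directory /> that grants access to all, and UserDir disabled for root. It also accepts "Require all denied" and "Require all granted", the Apache 2.4 equivalents of the Deny/Allow lines; the function names and both sample configurations are constructed for illustration.

```shell
# Added example (not from the manual): audit an Apache config read from stdin
# for the default-deny and UserDir settings. One finding per line, none if OK.
audit_apache_conf() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); low = tolower($0) }
    low ~ /^#/ || low == "" { next }              # comments and blank lines
    low ~ /^<(directory|location)[ \t]/ {         # section start: note kind, path
        kind = substr(tolower($1), 2)
        path = $2; gsub(/[">]/, "", path); next
    }
    low ~ /^<\/(directory|location)>/ { kind = ""; path = ""; next }
    low ~ /^userdir[ \t]+disabled([ \t]|$)/ {     # bare form disables every user
        for (i = 2; i <= NF; i++) if (NF == 2 || $i == "root") userdir_ok = 1
        next
    }
    path == "/" {                                 # inside <Directory /> or <Location />
        deny  = (low ~ /^deny[ \t]+from[ \t]+all$/  || low ~ /^require[ \t]+all[ \t]+denied$/)
        allow = (low ~ /^allow[ \t]+from[ \t]+all$/ || low ~ /^require[ \t]+all[ \t]+granted$/)
        if (kind == "directory" && deny) root_denied = 1
        if (allow) printf "RISK: <%s /> grants access to all\n", kind
    }
    END {
        if (!root_denied) print "MISSING: <Directory /> with Deny from all"
        if (!userdir_ok)  print "MISSING: UserDir disabled root"
    }'
}

# Constructed sample: no default deny, and a <Location /> that opens everything.
weak_conf() {
    cat <<'EOF'
UserDir public_html
<Location />
    Allow from all
</Location>
EOF
}

# Constructed sample: the hardened layout described in this section.
hardened_conf() {
    cat <<'EOF'
UserDir disabled root
<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
EOF
}
echo "weak:";     weak_conf | audit_apache_conf
echo "hardened:"; hardened_conf | audit_apache_conf
```

To audit a real server, feed it the live file: audit_apache_conf < /etc/apache2/apache2.conf. Files pulled in by Include lines are not followed and need to be checked the same way.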

SSL

Run the script “apache2-ssl-certificate”

# apache2-ssl-certificate

The following screen will appear for you to enter all the required information.

Creating self-signed certificate
replace it with one signed by a certification authority (CA) enter your ServerName at the Common Name prompt. If you want your certificate to expire after x days call this programm
with -days x
-----
Generating a 1024 bit RSA private key
--------
writing new private key to '/etc/apache2/ssl/apache.pem'
--------
You are about to be asked to enter information that will be incorporated into your certificate request.
-----------
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value,
----------
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:

State or Province Name (full name) [Some-State]:

Locality Name (eg, city) []:

Organization Name (eg, company; recommended) []:

Organizational Unit Name (eg, section) []:

server name (eg. ssl.domain.tld; required!!!) []:

Email Address []:

Run the script “a2enmod ssl”, i.e.:

# a2enmod ssl

This will automatically generate a symbolic link between mods-available and mods-enabled.

Make a copy of the '/etc/apache2/sites-available/default' file in /etc/apache2/sites-available/ and call it 'ssl':

# cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Make a symlink to this new site configuration:

# ln -s /etc/apache2/sites-available/ssl /etc/apache2/sites-enabled/
(or)
# a2ensite ssl

If you want to change any of the basic configuration settings, change them in /etc/apache2/apache2.conf; if you want to change the default document root, change it in the /etc/apache2/sites-available/default file. Then restart the Apache server.

To restart the Apache server use the following command:

# service apache2 restart

Now we need to change the port in /etc/apache2/ports.conf. By default Apache listens on port 80; as we are now setting up SSL, it needs to listen on port 443:

Listen 443

Edit /etc/apache2/sites-available/ssl (or whatever you called your new ssl site's config) and change port 80 in the name of the site to 443.

Add the two lines below somewhere in the /etc/apache2/apache2.conf file:

  SSLEngine On

  SSLCertificateFile /etc/apache2/ssl/apache.pem

Edit the SSLCertificateFile /etc/apache2/ssl/apache.pem line and enter the locations of the certificate file and the certificate key file. For example:

SSLCertificateFile /etc/apache2/ssl/online.test.net.crt
SSLCertificateKeyFile /etc/apache2/ssl/online.test.net.key

To set ServerSignature off, edit the /etc/apache2/apache2.conf file and add these two lines:

  ServerSignature Off
  ServerTokens ProductOnly

If you want to allow different index file types, check for the following line in the /etc/apache2/apache2.conf file:

 DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.shtml

Restart the Apache server:

 service apache2 restart
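
The certificate script output above reports a 1024 bit RSA private key, which is below the 2048 bit minimum now expected for RSA keys. As an added example (not part of the original manual), the shell functions below create a self-signed certificate with a 2048 bit key using the openssl command and report the key size of any PEM certificate; the function names are constructed here, and online.test.net is the host name from the example above.

```shell
#!/bin/sh
# Added example (not from the manual): create a self-signed certificate with a
# 2048 bit key and check the key size of a certificate before Apache uses it.

# Print the public key size in bits of the PEM certificate in $1.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Classify an RSA key size: anything below 2048 bits is reported as weak.
key_strength() {
    if [ "$1" -ge 2048 ]; then echo ok; else echo weak; fi
}

# Write DIR/CN.key and DIR/CN.crt, valid for 365 days.
# umask 077 keeps both files readable by their owner only.
make_selfsigned() {
    dir=$1 cn=$2
    ( umask 077
      openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
          -subj "/CN=$cn" -keyout "$dir/$cn.key" -out "$dir/$cn.crt" 2>/dev/null )
}

# Demonstration in a temporary directory rather than /etc/apache2/ssl.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" online.test.net
    bits=$(cert_key_bits "$tmp/online.test.net.crt")
    echo "online.test.net.crt: $bits bit key ($(key_strength "$bits"))"
    rm -rf "$tmp"
fi
```

The resulting .crt and .key files correspond to the SSLCertificateFile and SSLCertificateKeyFile lines shown earlier.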

You should now have a test server sandbox. Should you want to connect it to the internet, DON'T! Use another PC purely dedicated to being an internet web server!

Sources:

http://www.mysql-apache-php.com

http://httpd.apache.org/docs/1.3/misc/security_tips.html

http://www.debianhelp.co.uk/webserver.htm

Content last revised 14/08/2010 0100 UTC