Create your own Apache server

 · 6 mins

Create your own Apache2 server

Apache2 is another well-known HTTP server that powers many websites (like ours, before we switched to Nginx) and other web applications (like reverse proxy) that is very easy to configure. With its modularity of installation, its ease of configuration and the possibility of having several users who each have their own Apache2 site, it is a software of choice for shared hosts unlike Nginx which aims for speed.

Requirements

  • A computer or server with a Linux distribution (recommended: Ubuntu, Debian, CentOS, RedHat)
  • If the latter is configured from a remote location, an SSH client
  • A domain name pointed to the web server, otherwise the latter will not be easily accessible on the open web.

Options

  • A SCP client that graphically allows you to manipulate files
  • An SSL/TLS certificate ready to be installed

1. Prepare your server

(The orders in our guide are for Debian distribution) First of all, you need SSH in your web server. Once inside, we can start the procedure, but before starting it is imperative to make sure that there is no trace of Apache (all versions) before its configuration.

sudo apt-get purge -- auto-remove apache
sudo apt-get clean
sudo apt-get update && sudo apt-get upgrade

Then check that there are no other web servers listening on ports 80 and 443:

sudo netstat -plunt

If there are any, you must change their configuration to listen to the other ports, or uninstall them.

2. Install Apache

Once all those preliminary steps are done, we can now install Apache2.

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install apache2

This set of commands will allow you to configure the default version of Apache2 provided by the main source of your distribution software. If you want to implement a more up-to-date version, feel free to compile Apache2 from source or add Apache repositories to your source list.

3. Configure Apache2

sudo nano /etc/apache2/apache2.conf

The configuration is already present and complete. We recommend that you keep it intact, as it is already adapted to your system. Despite this, it is better if you inspect it because you will need to know it in case of a problem.

4. Inspect ports.conf

sudo nano /etc/apache2/ports.conf

This file contains by default the ports that Apache2 should listen to. By default, it listens to ports 80 and 443, and supports IPv4 and IPv6. Even if your server does not support IPv6, it is recommended to keep it in Apache2 because IPv6 will always be the first between applications in the same local host.

5. Configure your site

Compared to Nginx, Apache2 is much easier to configure its site.

Apache works in blocks like Nginx, but unlike Nginx where you have to make server blocks, Apache requires VirtualHost blocks. It’s very similar. Unlike Nginx where you have the choice to make centralized configurations (on only nginx.conf) or decentralized configurations (e.g. use sites-enabled) Apache can only be decentralized (to the point where this becomes an advantage for the mutual host) Thus, here is an example of an Apache site configuration:

<VirtualHost *:80>
	# replace by your domain name
	ServerName www.example.com
	ServerAlias example.com
	# put your email address
	ServerAdmin admin@domaine.com
	# specify your document root
	DocumentRoot /var/www/html/domaine.com
	# specify the error log location
	ErrorLog /path/to/error.log
	CustomLog /path/to/custom.log
	# specify access rules
	Options FollowSymLinks
	AllowOverride All # allow .htaccess and .htpasswd
	Order allow,deny
	Allow from all
	Satisfy all
</VirtualHost>

This configuration is for a normal HTTP site without SSL. For SSL/TLS, just add another VirtualHost block:

<VirtualHost *:443>
	... # take the configuration from above and paste the INSIDE of the virtualhost 80 block here
	SSLEngine on
	SSLCertificateFile /path/to/signed_certificate
	SSLCertificateChainFile /path/to/intermediate_certificate
	SSLCertificateKeyFile /path/to/private/key

	# Uncomment the following directive when using client certificate authentication
	#SSLCACertificateFile /path/to/ca_certs_for_client_authentication


	# HSTS (mod_headers is necessary) (15768000 seconds = 6 months)
	Header always set Strict-Transport-Security "max-age=15768000"

	# Intermediate security configuration by Mozilla change according to your needs
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
</VirtualHost>

6. Create a SSL certificate

Ignore this step if you already have an SSL certificate from any certification authority (COMODO, GoDaddy, Certum, DigiCert, Symantec…).

Go to sslforfree.com to obtain an SSL certificate from Let’s Encrypt.

Enter *.domain.com and domain.com and click on “Create free SSL certificate”.

Then click on “Manual verification” and you will get DNS records that you will enter at your registrar in the DNS settings. Once done, click on “Verify _acme-challenge.domain.com” and both records should appear. Otherwise, wait for the number of seconds specified in the TTL (at least put it in your DNS manager, this is important, because sometimes it can take up to 12 hours if you have configured it incorrectly).

Once both records have appeared, click on Download SSL certificate and you will be taken to a page with 3 text boxes. This is your certificate. You can then install it in your path to the SSL certificates as specified in your Apache configuration.

Put the private key in a private.key file in the same folder in the path as specified in your Apache configuration. The same goes for the certificate and the CA Bundle (unlike Nginx, Apache wants them in 2 different certificates).

Do the same for all the sites you would like to have next to it.

Copy the certificate from your most important site to the default SSL certificate folder or create a new SSL certificate that covers all domains. There is a theoretical limit of 255 SANs that varies in practice depending on the certification authorities.

Once all of this is done….

7. Activate your site and restart Apache

sudo a2ensite filename && sudo systemctl restart nginx

From now on your site is working!

8. .htaccess

Above we described how to make the initial configuration of his site. However, there is another tool: .htaccess. It allows you to make changes to Apache2 without restarting it and is located at the root of your DocumentRoot. This is the location where you configure options such as Options -Indexes to hide the file index, or configure .htpasswd to request a password to access the site. .htaccess is not only dedicated to additional configurations for Apache - it is also the perfect place to add instructions for other software that interacts with Apache2, such as PHP-FPM.


Written by Rémy Samkocwa