
Ubuntu LAMP Configuration


cold.nut (Member; joined Sep 13, 2009; location: Utah)
My project for today has been setting up a web server. I was given an old computer with a Pentium 4 processor, 512mb of RAM, and a 42gig hard drive.

I was reading over some guides and I came across this guide. It is very self explanatory; however I am having issues with my configuration files within Apache and my firewall (shorewall).

I am focusing on web security. I don't even want to web edit until I know it is "lock-down" secure. In Apache are some supposed settings called ServerTokens and ServerSignature. I can't locate these files in my apache2.conf unfortunately.

Here is what is posted to me in the config:
Code:
#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.2/ for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "/var/log/apache2/foo.log"
# with ServerRoot set to "" will be interpreted by the
# server as "//var/log/apache2/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation (available
# at <URL:http://httpd.apache.org/docs-2.1/mod/mpm_common.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/etc/apache2"

#
# The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
#
#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
# This needs to be set in /etc/apache2/envvars
#
PidFile ${APACHE_PID_FILE}

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>
# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
    StartServers          2
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxClients          150
    MaxRequestsPerChild   0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_event_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadLimit          64
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

# These need to be set in /etc/apache2/envvars
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#

AccessFileName .htaccess

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy all
</Files>

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain


#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog /var/log/apache2/error.log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

# Include module configuration:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:
Include /etc/apache2/httpd.conf

# Include ports listing
Include /etc/apache2/ports.conf

#
# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
# If you are behind a reverse proxy, you might want to change %h into %{X-Forwarded-For}i
#
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog /var/log/apache2/other_vhosts_access.log vhost_combined


# Include of directories ignores editors' and dpkg's backup files,
# see README.Debian for details.

# Include generic snippets of statements
Include /etc/apache2/conf.d/

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

I have tried re-installing.

Shorewall

I have uninstalled Shorewall. I can't post my code issues with what I was experiencing. But I can say that I didn't have access to

sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/

Now, open the “rules” file:

sudo nano /etc/shorewall/rules

Add these lines above where it says “#LAST LINE”

HTTP/ACCEPT net $FW
SSH/ACCEPT net $FW

Then press Control-O and Control-X. Your firewall is now configured to only accept HTTP and SSH traffic.

I couldn't get that line of code to run. I've been all over the Ubuntu forums, google, Apache 2.2...

You guys are my best bet now. I can't find anything to help...
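
The apache2.conf posted above has no ServerTokens or ServerSignature line of its own, but its Include lines pull in further files where directives can be set. The script below is an added example, not part of the original post or the guide it follows: it walks the Include lines and reports the file and line of each active use of a directive. It assumes absolute Include paths without spaces, as in the posted file; the sample tree and its directive values are constructed.

```shell
#!/bin/sh
# walk FILE: print FILE and, recursively, every file its active Include
# lines pull in. The body is a subshell, so variables stay per-call.
walk() (
    [ -f "$1" ] || exit 0
    printf '%s\n' "$1"
    sed -n 's/^[[:space:]]*[Ii]nclude[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" |
    tr -d '"' |
    while read -r target; do
        target=${target%/}
        if [ -d "$target" ]; then
            for f in "$target"/*; do walk "$f"; done   # Include of a directory
        else
            for f in $target; do walk "$f"; done        # unquoted so *.conf expands
        fi
    done
)

# find_directive ROOT NAME: print "file:line: directive value" for every
# uncommented use of NAME (matched case-insensitively, as Apache does).
find_directive() {
    walk "$1" | while read -r f; do
        awk -v d="$2" \
            'tolower($1) == tolower(d) { print FILENAME ":" FNR ": " $1 " " $2 }' "$f"
    done
}

# make_sample DIR: constructed config tree using the same Include layout
# as the posted apache2.conf; the directive values are made up.
make_sample() {
    mkdir -p "$1/conf.d" "$1/mods-enabled"
    cat > "$1/apache2.conf" <<EOF
ServerRoot "$1"
Timeout 300
Include $1/mods-enabled/*.conf
# Include $1/ignored.conf
Include $1/conf.d/
EOF
    printf '# ServerTokens Full\nServerTokens OS\nServerSignature On\n' \
        > "$1/conf.d/security"
    printf 'KeepAlive On\n' > "$1/mods-enabled/status.conf"
}

# With a path argument, scan that config; with none, scan the sample.
root=${1:-}
if [ -z "$root" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp"
    root=$tmp/apache2.conf
fi
for d in ServerTokens ServerSignature; do
    find_directive "$root" "$d"
done
if [ -n "${tmp:-}" ]; then rm -rf "$tmp"; fi
```

Passing `/etc/apache2/apache2.conf` as the first argument scans the real tree instead of the sample; commented-out lines are skipped, so only settings Apache actually reads are listed.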
 
learning from scratch to setup a web server is difficult. i got phpmyadmin successfully working. i could create databases and such. didn't ever get far enough to find out the destination i need to install my web files to to actually have a website. also, couldn't get webmin working.

learned a lot today. if you guys have any pointers that could assist me further that would be awesome!
 
apache is easy to set up and very secure from start, what guide are you using for security? is it up to date for apache 2?

Apache stock install is very safe, it is your code and sites that need to be more secure.
 
i've been using this guide found here http://net.tutsplus.com/tutorials/php/how-to-setup-a-dedicated-web-server-for-free/. it seemed like a very self explanatory way of getting started.

now that i am a little more educated on the matter. i have set up a basic lamp server and have used a tiny bit of my own html knowledge to delete the default index.html file located at /var/www/. i also tried another guide found here http://www.mysql-apache-php.com/ and with it i did successfully set up my phpmyadmin. but from that, i didn't even know where to start. this has been a hell of a day trying to configure what i really want. it is apparent to me that i am still far too un-knowledgeable to do what i want.

what i am looking to do: i want to set up a phpbb forum site / wordpress blog / a downloaded css template that i turn into my own web page. i really need to get pointed in the right direction as to setting one up pro style.

want to actually learn it, don't want to be told do this.... do that...
 
okay, for me, this is what i would do

1. install apache
2. install php
3. install mysql

Confirm that all 3 are working after installing each one.

1.install your wordpress system, since this needs apache/php/mysql to work
2. install your phpbb forums - again needs all 3 to work
3. install your main website page


it can take reading a lot of guides to get it right, myself and many others could easily give you step by step ways to install it and make it work, myself i could install apache/php and mysql in 15mins and have wordpress and phpbb working, but if you want to learn the ropes, you need to do each installation one at a time and test it as you go.

I will ask, have you considered setting this up under a virtual machine and using something like linux, CentOS for example? For me i found linux far easier to get a 'lamp' server working than under windows.
 
yeah i'm using ubuntu server 10.04lts. i have installed apache correctly; i know this because i got the index.html test page. i have yet to know if i have setup php & mysql correctly.

if you gave me step by step then i could easily figure this out today and learn it also. once i figure out how to do something, i usually maintain it great after that!

thanks for all the help Mr.Guvernment! keep the info coming :thup:
 
sudo apt-get install phpbb wordpress

pretty sure those are in the repositories. i know phpmyadmin is. all the info you need is on the ubuntu website https://help.ubuntu.com/community/ApacheMySQLPHP
 
got phpbb3 installed and working correctly. now tomorrow ill setup wordpress & hopefully get started on my actual website.

- how can i setup an ftp protocol (that works*) with my server. i want to upload my web files from dreamweaver. i have got my ssh client to work properly, but ftp will be so much easier to maintain the actual website. i also need to configure my domain. going to buy a domain once i get the nick of things. how can i find my external ip via command prompt? i want you guys to see what i got going! :)
 
i'm not 100% sure but dreamweaver may be able to use sftp over ssh. so you don't have to run a separate ftp daemon and open more holes in your firewall
 
ah cool news! i'm trying to find out the best way to configure my dns. i would like to get www.coldnut-blog.com. want to host it for free on my own web-server, but i don't think this is possible...

looked at configuring DynamicDNS and everything over at the Ubuntu Forums. it seems to me that in order to get that domain I am going to have to pay someone for the name.

maybe there is a work-around :confused:

i'm pretty new to this web-server and domain stuff. learning as i go!

if I understand it all correctly, i have to register my domain through a domain registrar (ie - godaddy). then i can use that registered domain through a dns on my own machine via a program like bind-9. did i catch that right?
 
There are several free dynamic ip services. dyndns, no-ip.org, or dnsomatic.com . I use the latter two.

Do you have a router with dd-wrt on it? It makes it super easy to set these up.
 
if you want a url like www.colnut-blog.com you will need to register that, pay for it, and then configure DNS to point to your IP. Most of the dynamic services shelnut listed also have a pay service allowing you to keep the domain name updated to point to your dynamic IP.

if you want a free domain name, use a service like the ones above, and then you can use a program for free to keep your IP updated. then you'll have a domain name like http://splat.mine.nu or http://coldnut.bloghost.com or whatever the options are. i like dyndns.org the best, but they cut it down to 1 free dynamic domain name per account. no-ip.org allows more per account.
 
i have a belkin n1 router. it supports ddns; but the only DDNS Service supported is DynDNS. so if i want www.coldnut-blog.com then i'll have to go register that on godaddy. then to update and point my ip to that dns i have to use dyndns?

see if i understood that correctly.. hell i wouldn't mind http://coldnut.bloghost.com, but that isn't an option as a sub-domain on either of those sites.
 
yeah i just made up that "bloghost.com" domain to show you can get a free subdomain. i know DynDNS recently cut down on the number of free domains they offer too. so if you are ok with a subdomain, simply pick an option from the list, then add the login info to your router and it will keep your IP updated so the domain always points to you.

if you want your own domain name like www.coldnut.com, then you register it at a place like godaddy (or possibly you can do this all right thru dyndns), then i believe you need to pay dyndns for the "dynamic dns" option to point your own domain to your IP, then you set up your router with your login info to keep dyndns updated.

#edit. you can also manually update the DNS entry if you register at godaddy, but then you have to keep on top of your IP changes, and there may be hours or days that your site might be unaccessible if you don't notice that your IP changed.
 
mmm sounds much easier to register a domain through dyndns and then pay dyndns.org to point that domain to the ip. and use the router to configure it.

is that the more preferred way?
 