In this tutorial, we assume that you already have an Ubuntu server running and the network has been set up and can be accessed through SSH.
Apache2 is the default web server in many Linux distributions. It is not the only web server available, nor the best one for every environment, but it is suitable for many use cases. During the installation process, the system may ask which web server you want to reconfigure automatically. Select "apache2".
Install Apache2
Run the following command to install Apache2 and other libraries.
$ sudo apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libapache2-mod-php5 libexpat1 ssl-cert php5-common php5 php5-gd php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby
Update the time zone and check the correct time
To reduce confusion between shared data and image data, all servers should be kept as closely synchronized as possible during operation. Some encryption key management systems require accurate time. Finally, for enterprise servers, Sarbanes-Oxley and HIPAA require a correct timestamp mechanism.
$ sudo apt-get -y install openntpd tzdata
$ sudo dpkg-reconfigure tzdata
$ sudo service openntpd restart
Disable AppArmor conflicts
Although the AppArmor suite does provide additional security, in my opinion, you need to create custom configuration files for each system. This is not the content discussed in this tutorial. So now, we will disable AppArmor to prevent conflicts with any default configuration.
$ sudo /etc/init.d/apparmor stop
$ sudo update-rc.d -f apparmor remove
$ sudo apt-get remove apparmor apparmor-utils
NOTE: If it is a Web server in the production environment, it is not recommended to disable AppArmor. If someone wants to create a custom AppArmor profile, see the official instructions (http://wiki.apparmor.net/index.php/Documentation).
Block distributed denial of service (DDoS) attacks
DDoS attacks are distributed denial of service attacks. An Apache module can prevent such attacks.
$ sudo apt-get -y install libapache2-mod-evasive
$ sudo mkdir -p /var/log/apache2/evasive
$ sudo chown -R www-data:root /var/log/apache2/evasive
Add the following directives to the end of mod-evasive.load. Apache does not allow a comment on the same line as a directive, so each comment sits on its own line.
$ sudo nano /etc/apache2/mods-available/mod-evasive.load
DOSHashTableSize 2048
# Maximum number of requests to the same page
DOSPageCount 20
# Total number of requests from the same client IP address on the same listener
DOSSiteCount 300
# Interval for the page count threshold
DOSPageInterval 1.0
# Interval for the site count threshold
DOSSiteInterval 1.0
# Time in seconds that an offending client stays blocked
DOSBlockingPeriod 10.0
DOSLogDir "/var/log/apache2/evasive"
DOSEmailNotify admin@domain.com
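Before enabling these thresholds on a busy site, it helps to see which clients they would have blocked in traffic you already have. The script below is an added example, not part of the original tutorial or of mod_evasive: it replays an access log against DOSPageCount 20 and DOSSiteCount 300, assuming the common/combined log format and approximating the 1.0-second intervals by the log's one-second timestamps. The helper names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: replay an access log against the mod_evasive thresholds.
# Approximation: hits are bucketed by the log's one-second timestamps, which
# corresponds to DOSPageInterval and DOSSiteInterval of 1.0 in the tutorial.

DOS_PAGE_COUNT=20    # DOSPageCount from the tutorial
DOS_SITE_COUNT=300   # DOSSiteCount from the tutorial

# evasive_dryrun (hypothetical helper): reads log lines on stdin and prints
#   PAGE <ip> <uri> <hits>  when one URI gets more than DOS_PAGE_COUNT hits
#   SITE <ip> <hits>        when one client sends more than DOS_SITE_COUNT hits
# within a single second. Each offender is listed once, with its peak count.
evasive_dryrun() {
    awk -v pc="$DOS_PAGE_COUNT" -v sc="$DOS_SITE_COUNT" '
    NF >= 7 {
        ip = $1; ts = $4; uri = $7          # fields of the common log format
        p = ++page[ip SUBSEP uri SUBSEP ts] # hits on this URI in this second
        s = ++site[ip SUBSEP ts]            # hits on any URI in this second
        if (p > pc && p > pagemax[ip SUBSEP uri]) pagemax[ip SUBSEP uri] = p
        if (s > sc && s > sitemax[ip]) sitemax[ip] = s
    }
    END {
        for (k in pagemax) {
            split(k, a, SUBSEP)
            print "PAGE", a[1], a[2], pagemax[k]
        }
        for (ip in sitemax) print "SITE", ip, sitemax[ip]
    }' | sort
}

# repeat N LINE: print LINE N times (used only to build the sample log).
repeat() {
    i=0
    while [ "$i" -lt "$1" ]; do printf '%s\n' "$2"; i=$((i + 1)); done
}

# Constructed sample: one client hammering /login.php within one second,
# and one ordinary client whose 20 hits are spread over two seconds.
sample_log() {
    repeat 25 '203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /login.php HTTP/1.1" 200 512'
    repeat 5 '198.51.100.4 - - [10/Oct/2013:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024'
    repeat 15 '198.51.100.4 - - [10/Oct/2013:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024'
}

sample_log | evasive_dryrun
```

To check real traffic, feed the function your own log, for example `evasive_dryrun < /var/log/apache2/access.log` (the Ubuntu default path, assumed here). Legitimate clients that show up in the output are a sign the thresholds need raising before the module goes live.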
Block Slowloris attacks
Another Apache module can prevent Slowloris attacks, but the module name depends on the specific version of Ubuntu. For Ubuntu 12.10 or later versions:
$ sudo apt-get -y install libapache2-mod-qos
Then, check the configuration in qos.conf:
$ sudo nano /etc/apache2/mods-available/qos.conf
# Service quality settings
# Process connections from up to 100000 different IP addresses
QS_ClientEntries 100000
# Only 50 connections per IP address are allowed
QS_SrvMaxConnPerIP 50
# The maximum number of active TCP connections is 256
MaxClients 256
# When 70% of TCP connections are occupied, disable keep-alive.
QS_SrvMaxConnClose 180
# Minimum request/response speed (deny slow clients that block the server, that is, slowloris keeping connections open without making any request):
QS_SrvMinDataRate 150 1200
# And restrict the request header and body (note that this also limits upload and POST requests):
# LimitRequestFields 30
# QS_LimitRequestBody 102400
Note: If you run an Ubuntu version earlier than 12.04, use the following command:
$ sudo apt-get -y install libapache2-mod-antiloris
Check the configuration in antiloris.conf.
$ sudo nano /etc/apache2/mods-available/antiloris.conf
# Maximum number of parallel connections for each IP address in the READ status
IPReadLimit 5
Prevent DNS injection attacks
The Spamhaus module uses the domain name system blacklist (DNSBL) to prevent spam forwarding through Web forms, prevent URL injection attacks, and prevent HTTP DDoS attacks from bot programs. It usually protects the server from known malicious IP addresses.
$ sudo apt-get -y install libapache2-mod-spamhaus
$ sudo touch /etc/spamhaus.wl
Append the config to apache2.conf:
$ sudo nano /etc/apache2/apache2.conf
MS_METHODS POST,PUT,OPTIONS,CONNECT
MS_WhiteList /etc/spamhaus.wl
MS_CacheSize 256
Restart Apache to load new modules
$ sudo service apache2 restart
The Web server is now installed and running. Point your Web browser at your domain; the default page confirms that everything is working. As a final check, run the following command to see whether the server has logged any errors. If there is an error message, search for it on Google to resolve it immediately.
$ sudo tail -200 /var/log/syslog