@DevSusu
Last active April 19, 2024 17:29
Setup Apache, LetsEncrypt, Vsftpd for multiple domain, multiple users (Ubuntu 18.04)
# reference
# ubuntu, php
# https://websiteforstudents.com/apache2-with-php-7-1-support-on-ubuntu-18-04-lts-beta-server/
# apache
# https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-18-04
# https://www.digitalocean.com/community/tutorials/how-to-set-up-apache-virtual-hosts-on-ubuntu-18-04
# vsftpd
# https://sinaru.com/2015/08/22/vsftp-to-backup-multiple-websites/
# https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-18-04
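# Interactive walkthrough, meant to be run step by step (several steps open an
# editor); it is not an unattended install script. <your_domain> is a
# placeholder to replace by hand.
sudo apt update
sudo apt install software-properties-common
sudo apt install apache2
sudo systemctl status apache2
# for letsencrypt (ssl certificate)
# NOTE(review): the certbot PPA has since been deprecated upstream; confirm the
# currently recommended install method so certificate renewals keep working.
sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-apache
# php & apache2
sudo add-apt-repository ppa:ondrej/php
sudo apt install php libapache2-mod-php
# fix timezone settings
# (the 7.4 in this path has to match the PHP version that was actually installed)
sudo vi /etc/php/7.4/apache2/php.ini
# add index.php to default
# (DirectoryIndex is set in the dir module's config; there is no
# /etc/apache2/dir.conf in the stock Ubuntu layout)
sudo vi /etc/apache2/mods-enabled/dir.conf
# default site for obtaining main cert (for ftp-ssl)
sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/<your_domain>.conf
sudo vi /etc/apache2/sites-available/<your_domain>.conf
# add ServerName <your_domain>, ServerAlias <your_domain>
# sites.conf collects the per-user <Directory> blocks that addsite.sh appends
sudo touch /etc/apache2/sites.conf
sudo vi /etc/apache2/apache2.conf
# add line Include sites.conf
sudo apache2ctl configtest
sudo a2ensite <your_domain>
sudo a2dissite 000-default
sudo systemctl reload apache2
sudo certbot --apache -d <your_domain>
# cert is saved on /etc/letsencrypt/live/<your_domain>/
sudo apache2ctl configtest
sudo systemctl reload apache2
# ---- vsftpd ----
sudo apt install vsftpd
# backup conf
sudo cp /etc/vsftpd.conf /etc/vsftpd.conf.orig
# setup firewall
# 21/tcp is the FTP control channel; 40000:50000/tcp is the passive data range
# and must stay in sync with pasv_min_port/pasv_max_port in vsftpd.conf.
# NOTE(review): 20/tcp and 990/tcp look unnecessary for the vsftpd.conf below
# (explicit TLS on port 21, passive data ports) - confirm and drop them if
# nothing uses them. This walkthrough also never shows rules for SSH or
# 80/443; make sure those exist before ufw is enabled.
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 990/tcp
sudo ufw allow 40000:50000/tcp
sudo vi /etc/vsftpd.conf
# edit as vsftpd.conf file below
sudo systemctl restart vsftpd
# get ready for allowing only ftp login for created users (in addsite.sh)
# /bin/ftponly becomes the login shell of every FTP account; it has to be
# listed in /etc/shells so PAM-based services still treat the account as valid.
# NOTE(review): a login shell that only prints a message blocks interactive
# sessions, but if sshd accepts password logins consider also denying these
# accounts in sshd_config (e.g. DenyUsers / AllowGroups) - confirm against
# your sshd setup.
sudo vi /bin/ftponly
sudo chmod a+x /bin/ftponly
sudo vi /etc/shells
# add 1 line
# /bin/ftponly
# create base apache conf files (copy from below)
vi base.conf
vi ssl.conf
# addsite.sh also reads a sites.conf template from the current directory
# (the <Directory> block shown below)
vi sites.conf
# create scripts, make it executable
vi adduser.sh
vi addsite.sh
sudo chmod +x adduser.sh
sudo chmod +x addsite.sh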
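#!/usr/bin/env bash
# adduser.sh - create an FTP-only account and its chroot directory layout.
#
# $1 : username
#
# Resulting layout (matches local_root=/home/$USER/ftp in vsftpd.conf):
#   /home/<username>/ftp      owned by nobody:nogroup, not writable (chroot root)
#   /home/<username>/ftp/www  owned by the user (upload dir / DocumentRoot)
#
# Exits 2 on a missing or invalid username; any failing step aborts the script.
set -euo pipefail

username=${1:-}

# The name is interpolated into paths that are created and chown'ed as root,
# so accept only a plain account name (no "/", "..", whitespace or leading "-").
if [[ ! "$username" =~ ^[a-z][a-z0-9_-]{0,31}$ ]]; then
  printf 'usage: %s <username>  (lowercase letters, digits, "_" and "-")\n' "${0##*/}" >&2
  exit 2
fi

ftp_root="/home/${username}/ftp"

echo "creating new user and directory"
# create user and directory
sudo adduser --disabled-password --gecos "" "$username"
# only allow ftp login
# Done before the password is set, so the account never has both a usable
# password and a regular login shell if a later step fails.
sudo usermod -s /bin/ftponly "$username"
sudo passwd "$username"
sudo mkdir -p "${ftp_root}/www/"
# The chroot root must not be writable by the logged-in user; only www/ is.
sudo chown nobody:nogroup "$ftp_root"
sudo chmod a-w "$ftp_root"
sudo chown "${username}:${username}" "${ftp_root}/www"
sudo ls -la "$ftp_root"
echo "user $username created and directory is all set (${ftp_root})"
echo "enabling ftp login.."
# add user to vsftpd.userlist
# vsftpd.conf sets userlist_enable=YES with userlist_deny=NO, so this file is
# the allow-list of accounts that may log in. Skip the append if the name is
# already listed, so re-runs do not pile up duplicates.
if ! sudo grep -qxF -- "$username" /etc/vsftpd.userlist 2>/dev/null; then
  printf '%s\n' "$username" | sudo tee -a /etc/vsftpd.userlist
fi
sudo systemctl restart vsftpd
echo "ftp now available"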
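#!/usr/bin/env bash
# addsite.sh - generate and enable an Apache virtual host for an FTP user.
#
# first, make sure your domain points to the original server
# $1 : username
# $2 : domain
# $3 : domain alias (www). optional
#
# Reads the base.conf and sites.conf templates from the current directory.
# Exits 2 on invalid arguments and 1 if a template is missing or the generated
# configuration fails "apache2ctl configtest".
set -euo pipefail

username=${1:-}
domain=${2:-}
alias_name=${3:-}

usage() {
  printf 'usage: %s <username> <domain> [alias]\n' "${0##*/}" >&2
  exit 2
}

# The arguments are pasted into sed replacements and into a file name under
# /etc/apache2/sites-available/ that is written as root. Restrict them to plain
# account/host characters so "/", "&", "..", whitespace or newlines cannot
# change the sed program, the target path or the generated Apache config.
readonly user_re='^[a-z][a-z0-9_-]{0,31}$'
readonly host_re='^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'

[[ "$username" =~ $user_re ]] || usage
[[ "$domain" =~ $host_re ]] || usage
if [[ -n "$alias_name" ]]; then
  # a leading "*." (wildcard alias) is tolerated; the rest must be a host name
  [[ "${alias_name#\*.}" =~ $host_re ]] || usage
fi

for template in base.conf sites.conf; do
  if [[ ! -f "$template" ]]; then
    printf 'missing template in current directory: %s\n' "$template" >&2
    exit 1
  fi
done

echo "creating new apache virtualhost"
# setup apache, create a cert
site_conf="/etc/apache2/sites-available/${domain}.conf"
sed_args=(-e "s/<username>/${username}/g" -e "s/<domain>/${domain}/g")
if [[ -z "$alias_name" ]]; then
  # No alias given: drop the ServerAlias line rather than leaving the literal
  # "<alias>" placeholder in the live configuration.
  sed_args+=(-e '/^[[:space:]]*ServerAlias[[:space:]]\{1,\}<alias>[[:space:]]*$/d')
else
  sed_args+=(-e "s/<alias>/${alias_name}/g")
fi
# Only the write into /etc/apache2 needs root; rendering the template does not.
sed "${sed_args[@]}" base.conf | sudo tee "$site_conf" >/dev/null

# Append the per-user <Directory> block once, even when the same user gets
# several sites.
dir_open="<Directory /home/${username}/ftp/www/>"
if ! sudo grep -qF -- "$dir_open" /etc/apache2/sites.conf 2>/dev/null; then
  sed -e "s/<username>/${username}/g" sites.conf | sudo tee -a /etc/apache2/sites.conf
fi

# Stop before enabling and restarting if the configuration does not parse:
# restarting Apache with a broken config would take every hosted site down.
if ! sudo apache2ctl configtest; then
  printf 'apache2ctl configtest failed; %s was written but not enabled - fix it before reloading Apache\n' "$site_conf" >&2
  exit 1
fi
sudo a2ensite "$domain"
sudo systemctl restart apache2

if [[ -z "$alias_name" ]]; then
  echo "Site all set! visit http://$domain"
  echo "run sudo certbot --apache -d $domain"
else
  echo "Site all set! visit http://$domain , http://$alias_name"
  echo "run sudo certbot --apache -d $domain -d $alias_name"
fi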
# Port-80 virtual host template. addsite.sh renders it with sed, filling in the
# username, domain and alias placeholders, and installs the result under
# /etc/apache2/sites-available/.
<VirtualHost *:80>
# The e-mail placeholder below is not substituted by addsite.sh; edit it by
# hand before using the template.
ServerAdmin <your_email>
ServerName <domain>
ServerAlias <alias>
# The document root is the directory the FTP user owns and uploads into
# (adduser.sh chowns it to the user), so anything uploaded there is served -
# and, with libapache2-mod-php installed, PHP files are executed.
# NOTE(review): with local_umask=022 uploads are world-readable, so code
# running for one site can presumably read other users' files - confirm and
# consider per-site isolation if tenants do not trust each other.
DocumentRoot /home/<username>/ftp/www/
# Every vhost generated from this template writes to the same error.log and
# access.log; per-site log file names would make incidents easier to attribute.
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
#!/bin/sh
# Login shell for FTP-only accounts: it prints a notice and then ends, so a
# session started with this shell gets the message and nothing else.
printf '%s\n' "This account is limited to FTP access only."
# Per-user access block. addsite.sh fills in the username and appends a copy to
# /etc/apache2/sites.conf.
<Directory /home/<username>/ftp/www/>
# AllowOverride All lets .htaccess files inside this directory override every
# directive Apache permits in that context. The directory is writable over FTP,
# so whoever holds the FTP credentials controls those overrides.
# NOTE(review): consider narrowing this to the override classes the sites
# actually need.
AllowOverride All
# Serves the directory to all clients without access restrictions.
Require all granted
</Directory>
# Port-443 virtual host template, active only when mod_ssl is loaded.
# addsite.sh as shown only renders base.conf and then tells the operator to run
# "certbot --apache", so this template is not applied by the scripts on this
# page; it is a reference for a hand-written HTTPS vhost.
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Hard-coded contact address from the original author; replace it with your own.
ServerAdmin dev@plus-ex.com
ServerName <domain>
ServerAlias <alias>
DocumentRoot /home/<username>/ftp/www/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
# Certificate, private key and intermediate chain from the Let's Encrypt live
# directory of this domain.
SSLCertificateFile /etc/letsencrypt/live/<domain>/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<domain>/privkey.pem
# NOTE(review): SSLCertificateChainFile is obsolete in newer Apache 2.4
# releases, where SSLCertificateFile can carry the chain (fullchain.pem) -
# confirm for the installed version.
SSLCertificateChainFile /etc/letsencrypt/live/<domain>/chain.pem
# Protocol and cipher settings come from this shared file; presumably it is
# created by certbot's Apache plugin - the vhost fails to load if it is missing.
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
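# vsftpd.conf - FTP over explicit TLS for local users, each chrooted to
# /home/<user>/ftp. Keep comments on their own lines and put no spaces around
# "=": vsftpd takes everything after "=" as the value.

# Listen on the IPv6 socket only (listen=NO disables the separate IPv4 one).
# NOTE(review): on Linux the IPv6 socket normally accepts IPv4 clients too -
# confirm on your host.
listen=NO
listen_ipv6=YES

# No anonymous logins; local system accounts only, with upload permission.
anonymous_enable=NO
local_enable=YES
write_enable=YES
# Uploaded files are created world-readable (022), which Apache needs in order
# to serve them, but which also lets other local accounts read them.
local_umask=022
dirmessage_enable=YES
use_localtime=YES
# Log transfers.
xferlog_enable=YES
connect_from_port_20=YES

# Jail every local user in their local_root. The chroot root itself must not be
# writable by the user; adduser.sh hands /home/<user>/ftp to nobody:nogroup and
# removes write permission for that reason.
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
pam_service_name=vsftpd

# TLS with the Let's Encrypt certificate of the main domain.
# fullchain.pem (leaf plus intermediates) is used instead of cert.pem so that
# clients which verify the chain can build it; cert.pem holds only the leaf.
# NOTE(review): certbot renewals replace these files; vsftpd presumably only
# picks them up on restart, so add a renewal hook (certbot --deploy-hook) that
# restarts vsftpd - confirm.
ssl_enable=YES
rsa_cert_file=/etc/letsencrypt/live/<your_domain>/fullchain.pem
rsa_private_key_file=/etc/letsencrypt/live/<your_domain>/privkey.pem
allow_anon_ssl=NO

# Per-user chroot directory: $USER is replaced with the login name.
user_sub_token=$USER
local_root=/home/$USER/ftp

# Passive-mode data ports; the firewall must allow exactly this range.
pasv_min_port=40000
pasv_max_port=50000

# Allow-list: only accounts named in userlist_file may log in
# (userlist_deny=NO turns the list from a deny-list into an allow-list).
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

# Refuse cleartext logins and cleartext data transfers for local users.
force_local_data_ssl=YES
force_local_logins_ssl=YES
# NOTE(review): ssl_tlsv1=YES permits TLS 1.0. Which newer protocol toggles
# exist depends on the vsftpd version - check "man vsftpd.conf" and disable
# TLS 1.0 once all clients support something newer.
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
# Data connections are not required to reuse the control connection's TLS
# session. This is commonly turned off for client compatibility, but the check
# is what ties a data connection to the authenticated control session -
# re-enable it if your clients cope.
require_ssl_reuse=NO
ssl_ciphers=HIGH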