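#!/usr/bin/env bash
# Runbook: Apache httpd + PHP + self-signed TLS on an Ubuntu/Debian host.
#
# Run as root (or prefix each command with sudo). This is a step-by-step
# runbook, not an unattended installer: several commands are expected to
# fail or prompt (dpkg -S with no match, apt-get without -y), so no strict
# mode is set here — read the output of each step before running the next.
# Steps marked "manual" need an editor; everything else runs as written.
# The original notes used "//" as the comment marker, which is not shell
# syntax; they are "#" comments here so the file can be sourced or copied.

# --- Install Apache httpd server ---------------------------------------------
apt-get install apache2
# Verify the shipped configuration parses before touching it.
apache2ctl configtest
# Record the httpd version and the currently loaded modules.
apache2ctl -v
apache2ctl -M

# --- Install PHP -------------------------------------------------------------
# php5.6 is not in the stock Ubuntu repos; it comes from the ondrej/php PPA.
# NOTE(review): PHP 5.6 no longer receives upstream security fixes, and the
# PPA is removed again below, so apt will not deliver updates for it either.
# Prefer a supported PHP release unless 5.6 is a hard requirement.
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install php5.6
php -v

# --- Install the PHP Apache module ------------------------------------------
# Installed while the PPA is still enabled, so apt resolves this meta-package
# against the PPA. Presumably it should match php5.6 — confirm with `php -v`
# and the `apache2ctl -M` listing below; the PPA also ships a version-pinned
# libapache2-mod-php5.6 if the generic package pulls in a different major.
apt-get install libapache2-mod-php
add-apt-repository --remove ppa:ondrej/php
# Restart through systemd so the unit's state stays in sync (mixing
# apache2ctl stop/start with systemctl leaves systemd with a stale view).
systemctl restart apache2
systemctl status apache2
# A php*_module line should now appear in the module list.
apache2ctl -M

# --- Set up TLS --------------------------------------------------------------
# On Debian/Ubuntu mod_ssl.so ships inside the apache2 package itself, so
# this normally reports it under the apache2 modules directory and only
# a2enmod is needed.
dpkg -S mod_ssl.so
# Fallback only if dpkg -S found nothing. NOTE(review): "mod_ssl" is the
# RHEL/CentOS package name; on Debian-family systems the module is part of
# apache2 and this install is expected to fail — reinstall apache2 instead.
# apt-get install mod_ssl
a2enmod ssl
systemctl restart apache2
# Debian's ports.conf adds "Listen 443" when mod_ssl is enabled; verify
# (`ss -plnt` is the modern equivalent if netstat is not installed).
netstat -plnt

# Self-signed certificate plus an unencrypted key (-nodes) so Apache can
# start unattended. Answer '.' (blank) to every prompt except Common Name:
# use the server's public IP or DNS name. Note the cert carries only a CN,
# no subjectAltName, so modern browsers will reject it even after the
# CA warning is accepted for trust purposes — fine for a test setup, never
# for production.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/apache-selfsigned.key \
  -out /etc/ssl/certs/apache-selfsigned.crt
# Apache reads the key as root at startup; nothing else needs to read it.
chmod 600 /etc/ssl/private/apache-selfsigned.key
# Make sure both files have been created.
ls -l /etc/ssl/private/apache-selfsigned.key /etc/ssl/certs/apache-selfsigned.crt

# Hardening fragment, written straight into conf-available (replaces the
# "open nano, paste, save" step). Based on https://cipherli.st/ and
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
cat > /etc/apache2/conf-available/ssl-params.conf <<'EOF'
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# "All -SSLv2 -SSLv3" alone still permits TLS 1.0 and 1.1; disable those too.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS without "preload" for now. Use the commented-out line that includes the
# "preload" directive only if you understand the implications. Browsers record
# HSTS only over a connection with a trusted certificate, so with the
# self-signed cert this header has no effect until a CA-issued cert is installed.
#Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
EOF

# --- Wire the certificate into the default TLS vhost (manual edit) -----------
# Back the file up before modifying it.
cp /etc/apache2/sites-available/default-ssl.conf \
   /etc/apache2/sites-available/default-ssl.conf.bak
# In the editor:
#  1. Just below ServerAdmin, add:
#       ServerName <server_domain_or_IP>
#  2. Point the certificate directives at the files generated above:
#       SSLCertificateFile    /etc/ssl/certs/apache-selfsigned.crt
#       SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
#  3. Uncomment the legacy-IE workaround (it only matches MSIE 2-6):
#       BrowserMatch "MSIE [2-6]" \
#           nokeepalive ssl-unclean-shutdown \
#           downgrade-1.0 force-response-1.0
# Save and close.
nano /etc/apache2/sites-available/default-ssl.conf

# --- Enable the changes in Apache -------------------------------------------
a2enmod headers    # required for the Header directives in ssl-params.conf
a2ensite default-ssl
a2enconf ssl-params
# Verify the configuration syntax before restarting.
apache2ctl configtest
systemctl restart apache2

# --- Test --------------------------------------------------------------------
# Open https://<public IP> in a browser. The "CA is not trusted" warning is
# expected for a self-signed certificate; proceed, then open the site details
# (icon in the address bar) and confirm the certificate is the one issued by
# this server. Headless alternative that prints the served certificate:
#   openssl s_client -connect <public IP>:443 </dev/null

# --- Optional: prerequisites for the DNS management app ----------------------
apt-get install bind9utils
mkdir -p /var/local/dns/zones/
# NOTE(review): a+w makes /var/local/dns world-writable, so any local account
# can create, replace or remove entries under it. Grant write access to the
# app's own account instead, e.g.
#   chown <app_user>:<app_group> /var/local/dns && chmod 775 /var/local/dns
chmod a+w /var/local/dns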