@nasirhafeez
Last active February 12, 2023 03:44
LAMP Server Setup on Ubuntu 16

Contents

Basic Setup

MySQL Setup

Apache Site Setup

Let’s Encrypt Setup for Apache

Web Security

Basic Setup

Assuming all commands are run as root:

apt update && apt upgrade -y
apt-get -y install apache2 nano curl unzip
apt-get install -y software-properties-common
add-apt-repository ppa:ondrej/php
apt-get update
apt-get install -y php7.4
apt-get install -y php-pear php7.4-curl php7.4-dev php7.4-xml php7.4-gd php7.4-mbstring php7.4-zip php7.4-mysql php7.4-xmlrpc libapache2-mod-php7.4

Do not pass --allow-unauthenticated to apt-get. It disables signature verification for the packages being installed, so a compromised mirror or PPA could serve arbitrary binaries that are then unpacked as root. add-apt-repository imports the PPA's signing key; if apt still reports that packages cannot be authenticated, the key import failed and should be repaired (re-run add-apt-repository and check apt-key list) rather than bypassed. libapache2-mod-php7.4 is used instead of the unversioned libapache2-mod-php so that the Apache module matches the PHP version installed above.

MySQL Setup

Install and secure MySQL (mysql_secure_installation sets the root password, removes the anonymous accounts and the test database, and disables remote root login):

apt-get install -y mysql-server
mysql_secure_installation

Allow remote access to MySQL server

nano /etc/mysql/mysql.conf.d/mysqld.cnf

Find the following line:

bind-address           = 127.0.0.1

Replace 127.0.0.1 with 0.0.0.0 and restart the mysql service. This makes port 3306 listen on every interface, so only do it when a remote client genuinely needs direct access, and restrict the port at the host firewall to that client's address; the account created below should likewise be bound to that address, not to the '%' wildcard.

Create remote access user (replace IP with the client's actual address):

CREATE USER 'user'@'IP' IDENTIFIED BY 'password';
GRANT CREATE, INSERT, ALTER, DROP, UPDATE, DELETE, SELECT, REFERENCES ON db.* TO 'user'@'IP';

WITH GRANT OPTION has been left off: it would let this account hand its privileges to other accounts, which a remote application user has no reason to do.

Create regular user

CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON portal.* TO 'user'@'localhost';
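The two remote-access steps above (the bind-address change and the remote user grant) as a script with the checks a reviewer would ask for. This is an added example, not part of the gist. It assumes the Ubuntu 16.04 config path, the ufw firewall, a client at the documentation address 203.0.113.10, the names portal and portal_rw for the database and user, and a server with TLS enabled so that REQUIRE SSL does not lock the client out (true for the MySQL 5.7 package, which generates certificates on install; on MariaDB check SHOW VARIABLES LIKE 'have_ssl' and drop the clause if it is not YES).

```shell
#!/bin/bash
# Added example (not code from the gist): the remote-access procedure above,
# with a guarded config edit and a least-privilege grant. Assumed values:
# Ubuntu 16.04 config path, ufw, client 203.0.113.10, db/user portal/portal_rw.

CNF=${CNF:-/etc/mysql/mysql.conf.d/mysqld.cnf}

# set_bind_address FILE ADDR: rewrite the bind-address line in place and
# refuse to touch a file that does not contain exactly one such line.
set_bind_address() {
    file=$1; addr=$2
    n=$(grep -c '^[[:space:]]*bind-address[[:space:]]*=' "$file" || true)
    [ "$n" -eq 1 ] || { echo "expected one bind-address line in $file, found $n" >&2; return 1; }
    sed -i "s/^\([[:space:]]*bind-address[[:space:]]*=\).*/\1 $addr/" "$file"
    # confirm the edit took
    grep -q "^[[:space:]]*bind-address[[:space:]]*= $addr\$" "$file"
}

# remote_user_sql DB USER HOST PASSWORD: print the SQL for a remote client.
# Arguments are validated before being interpolated into the statements, so a
# quote in a shell argument cannot alter them. No WITH GRANT OPTION; the host
# must be a single IPv4 address (no '%' wildcard); REQUIRE SSL keeps the
# password and data off the wire in clear text (assumes server TLS is enabled).
remote_user_sql() {
    db=$1; user=$2; host=$3; pass=$4
    for v in "$db" "$user"; do
        case "$v" in
            *[!A-Za-z0-9_]*|"") echo "invalid identifier: $v" >&2; return 1 ;;
        esac
    done
    case "$host" in
        *[!0-9.]*|"") echo "host must be an IPv4 address, got: $host" >&2; return 1 ;;
    esac
    case "$pass" in
        *"'"*|*"\\"*|"") echo "password must be non-empty and free of quotes/backslashes" >&2; return 1 ;;
    esac
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pass"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, REFERENCES ON \`%s\`.* TO '%s'@'%s' REQUIRE SSL;\n" "$db" "$user" "$host"
    printf "SHOW GRANTS FOR '%s'@'%s';\n" "$user" "$host"
}

# To apply on the server (as root):
#   set_bind_address "$CNF" 0.0.0.0 && systemctl restart mysql
#   ufw allow from 203.0.113.10 to any port 3306 proto tcp
#   remote_user_sql portal portal_rw 203.0.113.10 "$(openssl rand -base64 24)" | mysql -u root -p
```

The ufw rule is what keeps 0.0.0.0 from meaning "the whole Internet": the MySQL account is bound to one address and the firewall only admits that address, so a leaked password is still only usable from the client host.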

Install phpMyAdmin

apt-get install -y phpmyadmin

Stop phpMyAdmin from prompting to send error reports to the phpMyAdmin project:

nano /etc/phpmyadmin/config.inc.php

Add this:

$cfg['SendErrorReports'] = 'never';

The package also publishes phpMyAdmin at /phpmyadmin on every virtual host. On an Internet-facing server, restrict that path in the Apache snippet the package enables (/etc/apache2/conf-enabled/phpmyadmin.conf), for example with a Require ip directive or HTTP authentication, or remove the package once it is no longer needed.

MariaDB

To install and secure MariaDB:

apt install mariadb-server
mysql_secure_installation

By default the MariaDB root account authenticates with the unix_socket plugin (only the system root user can log in, with no password). To require a password instead, clear the plugin and set a password in the same session:

UPDATE mysql.user SET plugin = '' WHERE user = 'root' AND host = 'localhost';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('a-strong-password');
FLUSH PRIVILEGES;

Clearing the plugin without setting a password leaves root with an empty password, so do both before FLUSH PRIVILEGES. The UPDATE works on the MariaDB 10.0/10.1 packages in Ubuntu 16.04; from MariaDB 10.4 onward mysql.user is a view and the change must be made with ALTER USER 'root'@'localhost' IDENTIFIED VIA mysql_native_password USING PASSWORD('...').

Check (the password column is MariaDB's; MySQL 5.7 calls it authentication_string):

SELECT host, user, password, plugin FROM mysql.user;

Apache Site Setup

Create the first virtual host file:

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/example.com.conf
nano /etc/apache2/sites-available/example.com.conf

Add or modify the following directives:

ServerAdmin admin@example.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example.com/public_html

Enable site:

a2ensite example.com.conf

Disable default site:

a2dissite 000-default.conf

Create the DocumentRoot directory (/var/www/example.com/public_html) if it does not exist yet, check the configuration with apache2ctl configtest, then restart Apache:

systemctl restart apache2

Disable access to .env files

Locate the following code in /etc/apache2/apache2.conf:

<FilesMatch "^\.ht">
Require all denied
</FilesMatch>

Add the following code below it:

<FilesMatch "^\.env">
    Require all denied
</FilesMatch>

Ubuntu 16.04 ships Apache 2.4, whose access-control syntax is Require; the 2.2-style Order allow,deny / Deny from all only works through mod_access_compat and should not be mixed with Require sections. Matching ^\.env rather than the literal name .env also covers copies such as .env.bak or .env.production, which are what usually leak. Reload Apache for the change to apply; a request for /.env should then return 403 whether or not the file exists.

Let’s Encrypt Setup for Apache

Install Certbot

add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache -y
certbot --apache -d example.com -d www.example.com

Both names are requested because the virtual host above answers for www.example.com as well; a certificate for the apex alone would produce a name mismatch on the alias.

To verify auto-renewal:

certbot renew --dry-run

The ppa:certbot/certbot archive and the python-certbot-apache package have since been retired by the Certbot project in favour of its snap package; on a current system follow the platform instructions at https://certbot.eff.org instead.

Web Security

Disable Insecure Protocols (SSLv2/v3, TLS 1.0 and 1.1)

nano /etc/apache2/mods-available/ssl.conf

Comment the following directives:

SSLCipherSuite HIGH:!aNULL
SSLProtocol all -SSLv3

Add the following:

SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
SSLProtocol TLSv1.2

SSLProtocol TLSv1.2 is an allow-list, so SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are all disabled (the previous all -SSLv3 form only removed SSLv3). Ubuntu 16.04's OpenSSL 1.0.2 has no TLS 1.3, so nothing newer is lost.

In case of using Let's Encrypt the following changes are also required, because the certbot-generated HTTPS virtual host includes this file and its SSLProtocol can take precedence over the global one:

nano /etc/letsencrypt/options-ssl-apache.conf

Comment the following directive:

SSLProtocol             all -SSLv2 -SSLv3

Add the following:

SSLProtocol             TLSv1.2

Certbot treats options-ssl-apache.conf as its own file: its header warns that once it is edited by hand Certbot will no longer update the security parameters in it automatically and will instead log where its current template lives. Re-check the setting after upgrading Certbot. After both edits run apache2ctl configtest and restart Apache.

Apache Security

nano /etc/apache2/apache2.conf

Go to:

<Directory /var/www/>

Change:

Options Indexes FollowSymLinks

To:

Options -Indexes +FollowSymLinks

Add the following at the end (the Header directives need mod_headers, so run a2enmod headers first, then apache2ctl configtest and restart Apache):

TraceEnable off
ServerTokens Prod
ServerSignature Off
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set Feature-Policy "autoplay 'none'; camera 'none'"
Header set X-Permitted-Cross-Domain-Policies "none"

Two of these headers are legacy: browsers have removed the XSS auditor that X-XSS-Protection controlled (a Content-Security-Policy header is the current mechanism), and Feature-Policy has been renamed Permissions-Policy with a different value syntax. Neither does harm here, but do not rely on them. ServerTokens Prod and ServerSignature Off only strip the version string from the Server header and error pages; they do not stop fingerprinting from behaviour.
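Client-side verification for the .env rule (Apache Site Setup) and for the settings in this Web Security section, as an added example that is not from the gist. check_headers works on captured response headers and runs offline; probe_site and probe_legacy_tls make live requests and assume a workstation curl new enough for --tls-max (7.54 or later; the 16.04 box's own curl 7.47 lacks it), with example.com standing in for the real host. The two sample captures are constructed for the offline check.

```shell
#!/bin/bash
# Added example, not code from the gist: checks for the .env rule and the
# Web Security settings above. check_headers is a pure function over captured
# response headers; the probe_* functions need a reachable HTTPS host and a
# curl >= 7.54 (--tls-max). example.com is a placeholder for the real host.

# Headers the apache2.conf block is expected to add to every response.
REQUIRED_HEADERS="X-Content-Type-Options X-Frame-Options X-XSS-Protection Feature-Policy X-Permitted-Cross-Domain-Policies"

# check_headers: raw response headers on stdin (as printed by curl -sI).
# Prints one line per finding; returns 0 when clean, 1 otherwise.
check_headers() {
    # lowercase the header names and drop the CR that HTTP lines carry
    hdrs=$(tr -d '\r' | awk -F':' 'index($0, ":") > 0 {
        name = tolower($1); sub(/^[^:]*:[ \t]*/, ""); print name ": " $0 }')
    rc=0
    for h in $REQUIRED_HEADERS; do
        lh=$(printf '%s' "$h" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$hdrs" | grep -q "^$lh: "; then
            echo "MISSING $h"; rc=1
        fi
    done
    # ServerTokens Prod leaves the Server header as just "Apache"
    server=$(printf '%s\n' "$hdrs" | sed -n 's/^server: //p')
    case "$server" in
        ""|Apache) ;;
        *) echo "LEAK Server: $server"; rc=1 ;;
    esac
    return $rc
}

# probe_site HOST: live checks for TraceEnable off (405) and the .env rule
# (403 even when the file does not exist, since FilesMatch is evaluated on
# the requested name).
probe_site() {
    host=$1; rc=0
    code=$(curl -s -o /dev/null -w '%{http_code}' -X TRACE "https://$host/")
    [ "$code" = 405 ] || { echo "TRACE returned $code (expected 405)"; rc=1; }
    for path in .env .env.bak; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "https://$host/$path")
        [ "$code" = 403 ] || { echo "/$path returned $code (expected 403)"; rc=1; }
    done
    return $rc
}

# probe_legacy_tls HOST: TLS 1.2 must succeed (otherwise the result means
# nothing) and TLS 1.0 / 1.1 handshakes must be refused.
probe_legacy_tls() {
    host=$1; rc=0
    curl -s -o /dev/null --tlsv1.2 "https://$host/" \
        || { echo "TLS 1.2 handshake failed; cannot evaluate"; return 2; }
    for v in 1.0 1.1; do
        if curl -s -o /dev/null "--tlsv$v" --tls-max "$v" "https://$host/"; then
            echo "ACCEPTED TLS $v"; rc=1
        fi
    done
    return $rc
}

# Constructed captures for offline use: a stock Ubuntu 16.04 Apache response
# and the same response after the hardening above.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html'

SAMPLE_HARDENED="HTTP/1.1 200 OK
Server: Apache
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Feature-Policy: autoplay 'none'; camera 'none'
X-Permitted-Cross-Domain-Policies: none
Content-Type: text/html"

# Live usage, from a workstation:
#   curl -sI https://example.com/ | check_headers
#   probe_site example.com && probe_legacy_tls example.com
```

Run the probes from outside the server: a check from localhost bypasses the firewall and, for TLS, may use the server's own older curl, which would mis-report the protocol result.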