Setting up a web server with Ubuntu Server 22.04.1 LTS

Setting up a web server with Ubuntu Server 22.04.1 LTS.

Initialisation

Connecting via SSH.

If installed from the Setup menu on a VPS, connect as root, add a general user and give sudo permission.

adduser USER_NAME
gpasswd -a USER_NAME sudo

1 2	adduser USER_NAME gpasswd -a USER_NAME sudo

Log out and login via SSH with the added user.

SSH server configuration

Disable root user login.

sudo vi /etc/ssh/sshd_config

1	sudo vi /etc/ssh/sshd_config

PermitRootLogin yes
↓
PermitRootLogin no

PermitRootLogin yes

↓

PermitRootLogin no

sudo systemctl restart sshd

1	sudo systemctl restart sshd

Firewall configuration

Enable firewall.

sudo ufw enable

1	sudo ufw enable

Next, add rules for communication permissions on the port for SSH connections with ufw allow.

sudo ufw allow OpenSSH

1	sudo ufw allow OpenSSH

Check with the ufw status verbose command.

sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)

sudo ufw status verbose

Status: active

Logging: on (low)

Default: deny (incoming), allow (outgoing), disabled (routed)

New profiles: skip

To Action From

-- ------ ----

22/tcp (OpenSSH) ALLOW IN Anywhere

22/tcp (OpenSSH (v6)) ALLOW IN Anywhere (v6)

If there are no problems with the added rules, the settings can be reloaded.

sudo ufw reload

1	sudo ufw reload

Installing ‘Apache2’

sudo apt install apache2

1	sudo apt install apache2

sudo ufw allow Apache

1	sudo ufw allow Apache

Check with your browser.

http://YOUR_SERVER_IP

1	http://YOUR_SERVER_IP

If the default Ubuntu 22.04 Apache web page is displayed, OK.

Enable mod_rewrite

sudo a2enmod rewrite
sudo apache2 restart

1 2	sudo a2enmod rewrite sudo apache2 restart

Virtual host configuration

If you want to assign a hostname that can be used by other users, via FTP or others, configure it in the /var/www directory as public/USER_NAME/DOMAIN_NAME.

sudo mkdir -p /var/www/public/USER_NAME/DOMAIN_NAME

1	sudo mkdir -p /var/www/public/USER_NAME/DOMAIN_NAME

*After creating the user, assign ownership of the USER_NAME directory.

sudo chown -R USER_NAME:USER_GROUP /var/www/public/USER_NAME

1	sudo chown -R USER_NAME:USER_GROUP /var/www/public/USER_NAME

If you are the only one using the domain of the virtual host, the following:

sudo mkdir -p /var/www/vhosts/DOMAIN_NAME
or
sudo mkdir /var/www/DOMAIN_NAME
etc.

sudo mkdir -p /var/www/vhosts/DOMAIN_NAME

sudo mkdir /var/www/DOMAIN_NAME

etc.

It is advisable to set up each web root under /var/www as this provides a certain level of security through AppArmor. If you wish to set it up under /home/{username}, for example, you will need to review the AppArmor configuration separately.

Create a new configuration file in /etc/apache2/sites-available/DOMAIN_NAME.conf.

<virtualhost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/vhosts/example.com/httpdocs
    ErrorLog /var/www/vhosts/example.com/logs/error.log
    CustomLog /var/www/vhosts/example.com/logs/access.log combined
     
    <directory /var/www/vhost/example.com/httpdocs>
        AllowOverride All
        Options -Indexes
    </directory>
</virtualhost>

ServerName example.com

ServerAlias www.example.com

DocumentRoot /var/www/vhosts/example.com/httpdocs

ErrorLog /var/www/vhosts/example.com/logs/error.log

CustomLog /var/www/vhosts/example.com/logs/access.log combined

AllowOverride All

Options -Indexes

</directory>

</virtualhost>

In the example, create /var/www/vhosts/example.com/logs.

sudo mkdir /var/www/vhosts/example.com/logs

1	sudo mkdir /var/www/vhosts/example.com/logs

Use the a2ensite tool to enable the DOMAIN_NAME.conf file you have created.

sudo a2ensite DOMAIN_NAME

1	sudo a2ensite DOMAIN_NAME

Check for configuration errors.

sudo apache2ctl configtest

1	sudo apache2ctl configtest

If you see output as following, restart Apache.

Syntax OK
sudo systemctl restart apache2

1 2	Syntax OK sudo systemctl restart apache2

Create index.html in /var/www/vhosts/example.com/httpdocs, and then go to http://example.com from a browser, and if the HTML file you created is displayed, you have succeeded.

E.g. index.html

<html>
<body>
It Works!
</body>
</html>

<html>

<body>

It Works!

</body>

</html>

It Works!

It Works!

Get a SSL certificate using Let’s Encrypt

Install certbot python3-certbot-apache

sudo apt install certbot python3-certbot-apache

1	sudo apt install certbot python3-certbot-apache

Enable SSL ports on the firewall.

sudo ufw allow 'Apache Secure'

1	sudo ufw allow 'Apache Secure'

To make Let’s Encrypt generate an SSL, enter the following command.

To automatically detect the relevant parts of the Apache configuration file and create a configuration file for https

sudo certbot --apache

1	sudo certbot --apache

Use the configuration file edit /etc/apache2/sites-available/vhost-le-ssl.conf.

For getting a certificate only

sudo certbot certonly --webroot -w /var/www/html -d example.com
*If multiple domains are operating in a single directory
sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

sudo certbot certonly --webroot -w /var/www/html -d example.com

*If multiple domains are operating in a single directory

sudo certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

The certificate will be placed under /etc/letsencrypt/live/example.com/, specify the path in the SSL conf file.

Renewal

sudo certbot renew

1	sudo certbot renew

Install MariaDB

sudo apt install mariadb-server
sudo mysql_secure_installation

1 2	sudo apt install mariadb-server sudo mysql_secure_installation

Install PHP

sudo apt install php libapache2-mod-php php-fpm php-common php-mbstring php-xmlrpc php-gd php-xml php-mysql php-cli php-zip php-curl php-imagick

1	sudo apt install php libapache2-mod-php php-fpm php-common php-mbstring php-xmlrpc php-gd php-xml php-mysql php-cli php-zip php-curl php-imagick

To install a version other than installed by default

Add repository.

sudo apt-get install software-properties-common
sudo add-apt-repository ppa:ondrej/php

1 2	sudo apt-get install software-properties-common sudo add-apt-repository ppa:ondrej/php

sudo apt install php8.2 libapache2-mod-php8.2 php8.2-fpm php8.2-common php8.2-mbstring php8.2-xmlrpc php8.2-gd php8.2-xml php8.2-mysql php8.2-cli php8.2-zip php8.2-curl php8.2-imagick

1	sudo apt install php8.2 libapache2-mod-php8.2 php8.2-fpm php8.2-common php8.2-mbstring php8.2-xmlrpc php8.2-gd php8.2-xml php8.2-mysql php8.2-cli php8.2-zip php8.2-curl php8.2-imagick

Install phpMyAdmin

sudo apt install phpmyadmin

1	sudo apt install phpmyadmin

Select apache2 (press spacebar ‘*’), select [Ok] and press [Enter] on the keyboard.

When prompted to confirm database installation, select No & Enter.

The configuration file is /etc/phpmyadmin

Install PHP Composer

sudo apt install composer php-curl

1	sudo apt install composer php-curl

If you installed a version of PHP other than the default one.

sudo apt install composer php8.2-curl

1	sudo apt install composer php8.2-curl

Install vsftpd

sudo apt install vsftpd

1	sudo apt install vsftpd

Changes and additions

# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# ASCII mangling is a horrible feature of the protocol.
ascii_upload_enable=YES
ascii_download_enable=YES
#
# You may restrict local users to their home directories.  See the FAQ for
# the possible risks in this before using chroot_local_user or
# chroot_list_enable below.
chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that
# the user does not have write access to the top level directory within the
# chroot)
chroot_local_user=YES
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list

# Enable passive mode.
pasv_enable=YES

# Minimum/maximum ports used for PASV data connections (ports must be opened in the FW)
pasv_min_port=X000X
pasv_max_port=X00XX

# Only certain users can connect.
userlist_enable=YES
userlist_deny=NO
userlist_file=/etc/vsftpd/ftpuser_list

# Change root directory
user_config_dir=/etc/vsftpd/vsftpd_user_conf

# Workaround for refusing to run with writable root inside chroot()
allow_writeable_chroot=YES

# Include dot files during ls
force_dot_files=YES

# Enable TLS.
ssl_enable=YES

# SSL protocol configuration
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

# Designation of server certificates
rsa_cert_file=/etc/ssl/certs/example.com.pem
rsa_private_key_file=/etc/ssl/example.com.key

# Uncomment this to enable any form of FTP write command.

write_enable=YES

# Default umask for local users is 077. You may wish to change this to 022,

# if your users expect that (022 is used by most other ftpd's)

local_umask=022

# ASCII mangling is a horrible feature of the protocol.

ascii_upload_enable=YES

ascii_download_enable=YES

# You may restrict local users to their home directories. See the FAQ for

# the possible risks in this before using chroot_local_user or

# chroot_list_enable below.

chroot_local_user=YES

# You may specify an explicit list of local users to chroot() to their home

# directory. If chroot_local_user is YES, then this list becomes a list of

# users to NOT chroot().

# (Warning! chroot'ing can be very dangerous. If using chroot, make sure that

# the user does not have write access to the top level directory within the

# chroot)

chroot_local_user=YES

chroot_list_enable=YES

# (default follows)

chroot_list_file=/etc/vsftpd.chroot_list

# Enable passive mode.

pasv_enable=YES

# Minimum/maximum ports used for PASV data connections (ports must be opened in the FW)

pasv_min_port=X000X

pasv_max_port=X00XX

# Only certain users can connect.

userlist_enable=YES

userlist_deny=NO

userlist_file=/etc/vsftpd/ftpuser_list

# Change root directory

user_config_dir=/etc/vsftpd/vsftpd_user_conf

# Workaround for refusing to run with writable root inside chroot()

allow_writeable_chroot=YES

# Include dot files during ls

force_dot_files=YES

# Enable TLS.

ssl_enable=YES

# SSL protocol configuration

ssl_tlsv1=YES

ssl_sslv2=NO

ssl_sslv3=NO

# Designation of server certificates

rsa_cert_file=/etc/ssl/certs/example.com.pem

rsa_private_key_file=/etc/ssl/example.com.key

Create an empty file /etc/vsftpd.chroot_list.

Create /etc/vsftpd/vsftpd_user_conf, create USER_NAME file, describe user root directory.

local_root=/var/www/public/USER_NAME

1	local_root=/var/www/public/USER_NAME

In /etc/vsftpd, create the ftpuser_list file, a list of users to connect to via FTP.

USER_NAME

USER_NAME

sudo service vsftpd restart
sudo ufw allow ftp
sudo ufw allow X000X:X00XX/tcp

sudo service vsftpd restart

sudo ufw allow ftp

sudo ufw allow X000X:X00XX/tcp

Switching between multiple versions of PHP for each virtual host in Apache on Ubuntu

Install the Apache module for PHP-FPM FastCGI Process Manager.

sudo apt install libapache2-mod-fcgid

1	sudo apt install libapache2-mod-fcgid

Enables a few modules required to configure multiple PHP versions with Apache. These modules are necessary to integrate PHP FPM and FastCGI with the Apache server.

sudo a2enmod actions fcgid alias proxy_fcgi

1	sudo a2enmod actions fcgid alias proxy_fcgi

Use PHP FPM and FastCGI to use multiple PHP versions. Install the following packages on your system.
(e.g. PHP 7.4)

sudo apt install php7.4 libapache2-mod-php7.4 php7.4-fpm php7.4-common php7.4-mbstring php7.4-xmlrpc php7.4-gd php7.4-xml php7.4-mysql php7.4-cli php7.4-zip php7.4-curl php7.4-imagick

1	sudo apt install php7.4 libapache2-mod-php7.4 php7.4-fpm php7.4-common php7.4-mbstring php7.4-xmlrpc php7.4-gd php7.4-xml php7.4-mysql php7.4-cli php7.4-zip php7.4-curl php7.4-imagick

php7.4-fpm must be installed.

After installation, the php-fpm service is automatically started. Using the following commands, make sure that services are running.

sudo systemctl status php7.4-fpm

1	sudo systemctl status php7.4-fpm

Apache virtual host configuration

<VirtualHost *:80>
    ServerName php74.example.com
    DocumentRoot /var/www/php74
    <Directory /var/www/php74>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>
    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"
    </FilesMatch>
</VirtualHost>

ServerName php74.example.com

DocumentRoot /var/www/php74

Options -Indexes +FollowSymLinks +MultiViews

AllowOverride All

Require all granted

</Directory>

SetHandler "proxy:unix:/var/run/php/php7.4-fpm.sock|fcgi://localhost"

</FilesMatch>

</VirtualHost>

After all changes have been made, restart Apache and reload the new configuration changes.

sudo systemctl restart apache2

1	sudo systemctl restart apache2

Create a file named info.php with the following content

<?php phpinfo(); ?>

1	<?php phpinfo(); ?>

in the document root configured with PHP 7.4.

Open a web browser and access the site: php74.example.com should show PHP 7.4 and FastCGI configured.

PHP settings using FPM/FastCGI you can find the php.ini file under the path /etc/php/{version}/fpm/php.ini like /etc/php/7.4/fpm/php.ini.

Running PHP with different user

Normally, to run WordPress with a modular version of PHP, you specify the username and group as www-data, which is the user/group under which Apache runs, but if you want to run it as different user, you can use the mpm-itk module or use FastCGI.

This time, the steps are to use FastCGI.

Configuration of PHP-FPM

Use the following command to copy www.conf in /etc/php/7.4/fpm/pool.d and create user1.conf.

sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/user1.conf

1	sudo cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/user1.conf

Rewrite the following in the file.

; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[user1]

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
;       --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
;                 If the group is not set, the user's group is used.
user = user1
group = user1

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-user1.sock

; Start a new pool named 'www'.

; the variable $pool can be used in any directive and will be replaced by the

; pool name ('www' here)

[user1]

; Per pool prefix

; It only applies on the following directives:

; - 'access.log'

; - 'slowlog'

; - 'listen' (unixsocket)

; - 'chroot'

; - 'chdir'

; - 'php_values'

; - 'php_admin_values'

; When not set, the global prefix (or /usr) applies instead.

; Note: This directive can also be relative to the global prefix.

; Default Value: none

;prefix = /path/to/pools/$pool

; Unix user/group of the child processes. This can be used only if the master

; process running user is root. It is set after the child process is created.

; The user and group can be specified either by their name or by their numeric

; IDs.

; Note: If the user is root, the executable needs to be started with

; --allow-to-run-as-root option to work.

; Default Values: The user is set to master process running user by default.

; If the group is not set, the user's group is used.

user = user1

group = user1

; The address on which to accept FastCGI requests.

; Valid syntaxes are:

; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on

; a specific port;

; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on

; a specific port;

; 'port' - to listen on a TCP socket to all addresses

; (IPv6 and IPv4-mapped) on a specific port;

; '/path/to/unix/socket' - to listen on a unix socket.

; Note: This value is mandatory.

listen = /run/php/php7.4-fpm-user1.sock

Restart PHP-FPM.

A socket file php7.4-fpm-user1.sock is created in /var/run/php.

Add the following to the Apache configuration file.

<FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php/php7.4-fpm-user1.sock|fcgi://localhost"
</FilesMatch>

SetHandler "proxy:unix:/var/run/php/php7.4-fpm-user1.sock|fcgi://localhost"

</FilesMatch>

Restart Apache.

sudo apache2ctl configtest
sudo systemctl restart apache2

1 2	sudo apache2ctl configtest sudo systemctl restart apache2

You can now run PHP as a different user.