Step 5 — Setting Up Virtual Hosts (Recommended)
When using the Apache web server, you can use virtual hosts (similar to server blocks in Nginx) to encapsulate configuration details and host more than one domain from a single server. In the following commands, replace your_domain with your own domain name. To learn more about setting up a domain name with DigitalOcean, see our Introduction to DigitalOcean DNS.
Apache on Debian 10 has one virtual host enabled by default that is configured to serve documents from the /var/www/html directory. While this works well for a single site, it can become unwieldy if you are hosting multiple sites. Instead of modifying /var/www/html, let’s create a directory structure within /var/www for our your_domain site, leaving /var/www/html in place as the default directory to be served if a client request doesn’t match any other sites.
Create the directory for your_domain as follows, using the -p flag to create any necessary parent directories:
- sudo mkdir -p /var/www/your_domain
Next, assign ownership of the directory with the $USER environment variable:
- sudo chown -R $USER:$USER /var/www/your_domain
The permissions of your web roots should be correct if you haven’t modified your umask value, but you can make sure by typing:
- sudo chmod -R 755 /var/www/your_domain
Next, create a sample index.html page using nano or your favorite editor:
- nano /var/www/your_domain/index.html
Inside, add the following sample HTML:
<html>
    <head>
        <title>Welcome to your_domain!</title>
    </head>
    <body>
        <h1>Success! The your_domain virtual host is working!</h1>
    </body>
</html>
Save and close the file when you are finished.
In order for Apache to serve this content, it’s necessary to create a virtual host file with the correct directives. Instead of modifying the default configuration file located at /etc/apache2/sites-available/000-default.conf directly, let’s make a new one at /etc/apache2/sites-available/your_domain.conf:
- sudo nano /etc/apache2/sites-available/your_domain.conf
Paste in the following configuration block, which is similar to the default, but updated for our new directory and domain name:
<VirtualHost *:80>
    ServerAdmin admin@your_email_domain
    ServerName your_domain
    ServerAlias www.your_domain
    DocumentRoot /var/www/your_domain
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
Notice that we’ve updated the DocumentRoot to our new directory and ServerAdmin to an email that the your_domain site administrator can access. We’ve also added two directives: ServerName, which establishes the base domain that should match for this virtual host definition, and ServerAlias, which defines further names that should match as if they were the base name.
Save and close the file when you are finished.
Let’s enable the file with the a2ensite tool:
- sudo a2ensite your_domain.conf
Disable the default site defined in 000-default.conf:
- sudo a2dissite 000-default.conf
Next, let’s test for configuration errors:
- sudo apache2ctl configtest
You should see the following output:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Restart Apache to implement your changes:
- sudo systemctl restart apache2
Initial Server Setup with Debian 10
Additional Instructions: Let’s Encrypt, fail2ban
To ensure that the server cannot be attacked through the HTTPOXY vulnerability, we will strip the Proxy request header globally in Apache, so that CGI-style applications never see it as the HTTP_PROXY environment variable. We do this by adding the configuration file /etc/apache2/conf-available/httpoxy.conf.
Note: The vulnerability is named httpoxy (without ‘r’) and therefore the file where we add the config to prevent it is named httpoxy.conf and not httproxy.conf, so there is no ‘r’ missing in the filename.
nano /etc/apache2/conf-available/httpoxy.conf
Paste the following content to the file:
<IfModule mod_headers.c>
    RequestHeader unset Proxy early
</IfModule>
And enable the configuration by running (the directive only takes effect when mod_headers is enabled):
a2enconf httpoxy
systemctl restart apache2
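To confirm that the httpoxy mitigation above is actually in effect, here is an added example (not part of the original tutorial) that audits a Debian-style Apache config tree. The function name check_httpoxy is hypothetical, and the check assumes the standard /etc/apache2 layout with mods-enabled and conf-enabled directories.

```shell
#!/bin/sh
# Added example: check_httpoxy is a hypothetical helper, not part of the tutorial.
# Audits a Debian-style Apache config tree (default /etc/apache2).
# Usage: . ./check_httpoxy.sh && check_httpoxy /etc/apache2

check_httpoxy() {
    root="${1:-/etc/apache2}"
    status=0

    # The directive sits inside <IfModule mod_headers.c>. If mod_headers is
    # not enabled, Apache skips it silently and configtest still says OK.
    if [ ! -e "$root/mods-enabled/headers.load" ]; then
        echo "FAIL: mod_headers is not enabled (a2enmod headers)"
        status=1
    fi

    # a2enconf symlinks the file into conf-enabled; only files there are loaded.
    # Match an active (uncommented) "RequestHeader unset Proxy" line.
    if ! cat "$root"/conf-enabled/*.conf 2>/dev/null |
        grep -iEq '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]|$)'
    then
        echo "FAIL: no enabled conf unsets the Proxy header (a2enconf httpoxy)"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: Proxy request header is stripped"
    return "$status"
}
```

The function returns non-zero when the file exists in conf-available but was never enabled, or when the module is missing, which are the two cases where the configuration looks present but does nothing.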
11 Install Let’s Encrypt
ISPConfig 3.1 has support for the free SSL certificate authority Let’s Encrypt. The Let’s Encrypt function allows you to create free SSL certificates for your website from within ISPConfig.
Now we will add support for Let’s Encrypt.
cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --install-only