From 6a9377bcdd7260a7b7b6685e8c4bdfb3ed667cc0 Mon Sep 17 00:00:00 2001
From: tengel <tengel@xyzzy.ee>
Date: Wed, 20 Mar 2024 11:40:22 -0500
Subject: [PATCH] move apache to own doc

---
 README.md                 |   1 +
 md/apache_setup.md        | 150 +++++++++++++++++++++++++++++++++++++
 md/debian_server_setup.md | 151 +-------------------------------------
 3 files changed, 152 insertions(+), 150 deletions(-)
 create mode 100644 md/apache_setup.md

diff --git a/README.md b/README.md
index 415b414..1f12016 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@ memoirs, musings and reminiscences - long form writings stored in the code repo,
 ## Index
 
   - [Active Directory with Winbind](md/active_directory_with_winbind.md)
+  - [Apache Setup](md/apache_setup.md)
   - [Arch UEFI Installation](md/arch_uefi_installation.md)
   - [CIFS Client Setup](md/cifs_client_setup.md)
   - [Compose Key Sequences](md/compose_key_sequences.md)
diff --git a/md/apache_setup.md b/md/apache_setup.md
new file mode 100644
index 0000000..10d9b26
--- /dev/null
+++ b/md/apache_setup.md
@@ -0,0 +1,150 @@
+# Apache Setup
+
+## Contents
+
+  - [Apache Installation](#apache-installation)
+  - [Apache iptables Ports](#apache-iptables-ports)
+  - [Apache Default Template](#apache-default-template)
+  - [Apache 80 Template](#apache-80-template)
+  - [Apache 443 Template](#apache-443-template)
+
+
+## Apache Installation
+
+The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.
+
+```
+apt-get update
+apt-get install apache2
+a2enmod ssl
+a2enmod reqtimeout
+a2enmod rewrite
+a2enmod headers
+a2enmod expires
+```
+
+## Apache iptables Ports
+
+Ensure the ports for 80 and 443 are added to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, typically near where the SSH port has been opened:
+
+```
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+```
+
+Restart the daemon: `systemctl restart netfilter-persistent`
+
+
+## Apache Default Template
+
+This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to `/etc/apache2/sites-available/00_main.conf` (or use a symlink):
+
+```
+Timeout 60
+KeepAlive Off
+MaxKeepAliveRequests 100
+KeepAliveTimeout 15
+ServerName localhost
+ServerTokens OS
+TraceEnable off
+
+<IfModule prefork.c>
+  StartServers       3
+  MinSpareServers    2
+  MaxSpareServers    4
+  ServerLimit        9
+  MaxClients         9
+  MaxRequestsPerChild  2000
+</IfModule>
+
+<IfModule mod_reqtimeout.c>
+  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
+</IfModule>
+
+<Directory "/path/to/www">
+  AllowOverride None
+  Require all granted
+</Directory>
+
+# Port 80
+Include /path/to/port_80.conf
+
+# Port 443
+Include /path/to/port_443.conf
+```
+
+Disable the Debian default website and enable the new one created above:
+
+```
+a2dissite 000-default
+a2ensite 00_main
+```
+
+...or just manually change symlinks in `/etc/apache2/sites-enabled/` as desired.
+
+
+## Apache 80 Template
+
+Included above as `/path/to/port_80.conf`
+
+```
+<VirtualHost *:80>
+  ServerName example.com
+  ServerAlias www.example.com
+  ServerAdmin root@example.com
+  ErrorLog /var/log/apache2/example-error.log
+  CustomLog /var/log/apache2/example-access.log combined
+
+  DocumentRoot /path/to/www/html
+  <Directory /path/to/www/html>
+    Options FollowSymLinks
+    AllowOverride All
+    Require all granted
+  </Directory>
+</VirtualHost>
+```
+
+## Apache 443 Template
+
+Included above as `/path/to/port_443.conf`
+
+```
+<VirtualHost *:443>
+  ServerName example.com
+  ServerAlias www.example.com
+  ServerAdmin root@example.com
+  ErrorLog /var/log/apache2/example-error.log
+  CustomLog /var/log/apache2/example-access.log combined
+
+  SSLEngine on
+  SSLHonorCipherOrder on
+  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+  SSLHonorCipherOrder on
+  SSLCompression off
+  SSLSessionTickets off
+
+  SSLCertificateFile /path/to/sslkeys/2020-example.crt
+  SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
+  SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem
+
+  Header always set Strict-Transport-Security "max-age=15768000"
+
+  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+    SSLOptions +StdEnvVars
+  </Files>
+
+  SetEnvIf User-Agent ".*MSIE.*" \
+    nokeepalive ssl-unclean-shutdown \
+    downgrade-1.0 force-response-1.0
+
+  DocumentRoot /path/to/www/html
+  <Directory /path/to/www/html>
+    Options FollowSymLinks
+    AllowOverride All
+    Require all granted
+  </Directory>
+</VirtualHost>
+```
+
+Note the above 443 template does not enable HSTS on all subdomains by design, add as required.
diff --git a/md/debian_server_setup.md b/md/debian_server_setup.md
index d61e2c5..db285de 100644
--- a/md/debian_server_setup.md
+++ b/md/debian_server_setup.md
@@ -7,11 +7,6 @@
       - [Disable root Login](#disable-root-login)
   - [Server Hardening](#server-hardening)
       - [fail2ban Setup](#fail2ban-setup)
-  - [Apache Webserver](#apache-webserver)
-      - [Apache iptables Ports](#apache-iptables-ports)
-      - [Apache Default Template](#apache-default-template)
-      - [Apache 80 Template](#apache-80-template)
-      - [Apache 443 Template](#apache-443-template)
 
 
 ## Server Installation
@@ -198,7 +193,7 @@ apt-get install fail2ban sqlite3
 cat << 'EOF' > /etc/fail2ban/jail.local
 [DEFAULT]
 ignoreip  = 127.0.0.1/8
-bantime   = 600
+bantime   = 3600
 maxretry  = 3
 backend   = auto
 destemail = root@localhost
@@ -228,147 +223,3 @@ chown root:root /etc/cron.weekly/f2b-cleanup
 chmod 0755 /etc/cron.weekly/f2b-cleanup
 ```
 
-
-## Apache Webserver
-
-Optional: adding a webserver might be desired, the method of obtain the SSL certificate is not covered here.
-
-### Apache Installation
-
-The Debian package includes the SSL libraries, a few extra modules need to be enabled to support the extra security tuning in the templates.
-
-```
-apt-get update
-apt-get install apache2
-a2enmod ssl
-a2enmod reqtimeout
-a2enmod rewrite
-a2enmod headers
-a2enmod expires
-```
-
-### Apache iptables Ports
-
-Ensure the ports for 80 and 443 are added to `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`, typically near where the SSH port has been opened:
-
-```
--A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
--A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-```
-
-Restart the daemon: `systemctl restart netfilter-persistent`
-
-
-### Apache Default Template
-
-This is the main template setting up parameters for all virtualhosts; the choice to include the virtual hosts in this template is not required, only a stylistic choice of the author. Save this to `/etc/apache2/sites-available/00_main.conf` (or use a symlink):
-
-```
-Timeout 60
-KeepAlive Off
-MaxKeepAliveRequests 100
-KeepAliveTimeout 15
-ServerName localhost
-ServerTokens OS
-TraceEnable off
-
-<IfModule prefork.c>
-  StartServers       3
-  MinSpareServers    2
-  MaxSpareServers    4
-  ServerLimit        9
-  MaxClients         9
-  MaxRequestsPerChild  2000
-</IfModule>
-
-<IfModule mod_reqtimeout.c>
-  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
-</IfModule>
-
-<Directory "/path/to/www">
-  AllowOverride None
-  Require all granted
-</Directory>
-
-# Port 80
-Include /path/to/port_80.conf
-
-# Port 443
-Include /path/to/port_443.conf
-```
-
-Disable the Debian default website and enable the new one created above:
-
-```
-a2dissite 000-default
-a2ensite 00_main
-```
-
-...or just manually change symlinks in `/etc/apache2/sites-enabled/` as desired.
-
-
-### Apache 80 Template
-
-Included above as `/path/to/port_80.conf`
-
-```
-<VirtualHost *:80>
-  ServerName example.com
-  ServerAlias www.example.com
-  ServerAdmin root@example.com
-  ErrorLog /var/log/apache2/example-error.log
-  CustomLog /var/log/apache2/example-access.log combined
-
-  DocumentRoot /path/to/www/html
-  <Directory /path/to/www/html>
-    Options FollowSymLinks
-    AllowOverride All
-    Require all granted
-  </Directory>
-</VirtualHost>
-```
-
-### Apache 443 Template
-
-Included above as `/path/to/port_443.conf`
-
-```
-<VirtualHost *:443>
-  ServerName example.com
-  ServerAlias www.example.com
-  ServerAdmin root@example.com
-  ErrorLog /var/log/apache2/example-error.log
-  CustomLog /var/log/apache2/example-access.log combined
-
-  SSLEngine on
-  SSLHonorCipherOrder on
-  SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-  SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-  SSLHonorCipherOrder on
-  SSLCompression off
-  SSLSessionTickets off
-
-  SSLCertificateFile /path/to/sslkeys/2020-example.crt
-  SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
-  SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem
-
-  Header always set Strict-Transport-Security "max-age=15768000"
-
-  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-    SSLOptions +StdEnvVars
-  </Files>
-
-  SetEnvIf User-Agent ".*MSIE.*" \
-    nokeepalive ssl-unclean-shutdown \
-    downgrade-1.0 force-response-1.0
-
-  DocumentRoot /path/to/www/html
-  <Directory /path/to/www/html>
-    Options FollowSymLinks
-    AllowOverride All
-    Require all granted
-  </Directory>
-</VirtualHost>
-```
-
-Note the above 443 template does not enable HSTS on all subdomains by design, add as required.