# Apache Setup

## Contents

- [Apache Installation](#apache-installation)
- [Apache iptables Ports](#apache-iptables-ports)
- [Apache Default Template](#apache-default-template)
- [Apache 80 Template](#apache-80-template)
- [Apache 443 Template](#apache-443-template)

## Apache Installation

The Debian `apache2` package is built against OpenSSL, so no separate SSL library is needed, but a few modules have to be enabled to support the security tuning in the templates below: `ssl` for TLS, `reqtimeout` for the `RequestReadTimeout` slow-request limits, `headers` for the HSTS header, and `rewrite` and `expires` for per-site rules.

```
apt-get update
apt-get install apache2
a2enmod ssl
a2enmod reqtimeout
a2enmod rewrite
a2enmod headers
a2enmod expires
```

## Apache iptables Ports

Ensure ports 80 and 443 are opened in both `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6` (both files, or IPv6 clients stay blocked), typically next to the rule that opens the SSH port:

```
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
```

Reload the saved rules: `systemctl restart netfilter-persistent`

## Apache Default Template

This is the main template setting parameters for all virtual hosts. Including the virtual hosts from this template is not required; it is a stylistic choice of the author. Save it to `/etc/apache2/sites-available/00_main.conf` (or use a symlink).

A few notes on the directives:

- `MaxClients` and `MaxRequestsPerChild` are the Apache 2.2 names; Apache 2.4 still accepts them but the current directives are `MaxRequestWorkers` and `MaxConnectionsPerChild`.
- `ServerTokens OS` still reveals the operating system in the `Server` header; `ServerTokens Prod` reduces it to `Apache`.
- `RequestReadTimeout` is the defence against slow-header/slow-body (Slowloris-style) connections and only works with `mod_reqtimeout` enabled.
- `AllowOverride` and `Require` are only valid inside a directory context, so they sit in a `<Directory>` container; the path below is a placeholder for the parent of the site's document root. The `Include` lines sit inside `<VirtualHost>` containers so that the included files only need per-site directives.

```
Timeout 60
KeepAlive Off
MaxKeepAliveRequests 100
KeepAliveTimeout 15
ServerName localhost
ServerTokens OS
TraceEnable off

StartServers 3
MinSpareServers 2
MaxSpareServers 4
ServerLimit 9
MaxClients 9
MaxRequestsPerChild 2000

RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

<Directory /path/to/www>
    AllowOverride None
    Require all granted
</Directory>

# Port 80
<VirtualHost *:80>
    Include /path/to/port_80.conf
</VirtualHost>

# Port 443
<VirtualHost *:443>
    Include /path/to/port_443.conf
</VirtualHost>
```

Disable the Debian default website and enable the new one created above:

```
a2dissite 000-default
a2ensite 00_main
```

...or just manually change the symlinks in `/etc/apache2/sites-enabled/` as desired. Run `apache2ctl configtest` before `systemctl reload apache2` so a typo in the templates does not take the server down.
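Returning to the iptables step above: editing `rules.v4` and `rules.v6` by hand is error-prone when the same host is rebuilt more than once. The script below is an added example, not part of the original page. It inserts an accept rule for a TCP port directly after the SSH rule (assumed to be the `--dport 22` line) or, if there is no SSH rule, just before `COMMIT`, and it is idempotent, so running it twice leaves one copy of each rule. The file paths and the `apply` argument are this example's own conventions.

```sh
#!/bin/sh
# Added example: idempotent insertion of iptables-persistent accept rules.
# Assumes the rules files use the iptables-save format shown on the page
# and that SSH is opened with a "--dport 22" rule.

# add_port_rule FILE PORT
# Adds "-A INPUT -p tcp -m tcp --dport PORT -j ACCEPT" to FILE once.
add_port_rule() {
    rules=$1
    port=$2
    rule="-A INPUT -p tcp -m tcp --dport ${port} -j ACCEPT"

    # Idempotent: leave the file alone if the exact rule is already there.
    if grep -qxF -- "$rule" "$rules"; then
        return 0
    fi

    tmp=$(mktemp) || return 1
    awk -v rule="$rule" '
        # No SSH rule seen before COMMIT: emit the rule ahead of COMMIT.
        !done && /^COMMIT/ { print rule; done = 1 }
        { print }
        # Directly after the SSH accept rule (assumed to be --dport 22).
        !done && /^-A INPUT .*--dport 22 .*-j ACCEPT/ { print rule; done = 1 }
    ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps owner/mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Open 80 and 443 in both address families, then reload the saved rules.
# Needs root; the restart is the same command the page uses.
open_web_ports() {
    for f in /etc/iptables/rules.v4 /etc/iptables/rules.v6; do
        add_port_rule "$f" 80
        add_port_rule "$f" 443
    done
    systemctl restart netfilter-persistent
}

if [ "${1:-}" = apply ]; then
    open_web_ports
fi
```

Run it as `sh open_web_ports.sh apply` on the server. Because the 443 rule is inserted after the 80 rule, each goes directly under the SSH line, so the file ends up in the same order as the snippet on the page. Before restarting `netfilter-persistent`, `iptables-restore --test < /etc/iptables/rules.v4` (and `ip6tables-restore --test` for the v6 file) parses the result without committing it, which catches a malformed line before the firewall is reloaded.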
## Apache 80 Template

Included above as `/path/to/port_80.conf`. As written it serves the same document root over plain HTTP as the 443 template does over TLS. A browser that has not yet seen the HSTS header will use it, so unless the site genuinely needs plain HTTP, replace the `DocumentRoot` and its `<Directory>` block with a `Redirect permanent` to the `https://` origin and keep only the logging. The `<Directory>` container is what scopes the `Options`, `AllowOverride` and `Require` lines to the document root; `AllowOverride All` lets any `.htaccess` under it change these settings, so set it to `None` where the site does not need that.

```
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined

DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
```

## Apache 443 Template

Included above as `/path/to/port_443.conf`. Notes on the TLS directives:

- `SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` leaves TLS 1.2, plus TLS 1.3 where the build supports it (httpd 2.4.36 or later with OpenSSL 1.1.1). Apache 2.4 no longer knows SSLv2 and logs a warning for `-SSLv2`; on builds with TLS 1.3 the allow-list form `SSLProtocol -all +TLSv1.2 +TLSv1.3` says the same thing without the warning.
- The `SSLCipherSuite` list only governs TLS 1.2 and earlier. TLS 1.3 suites are configured separately (a `TLSv1.3` protocol prefix to `SSLCipherSuite`) and default to the AEAD suites, so nothing needs adding for TLS 1.3. The original listed `SSLHonorCipherOrder on` twice; once is enough.
- `SSLSessionTickets off` needs httpd 2.4.11 or later. Apache generates the ticket key at startup and keeps it for the life of the process, so tickets weaken forward secrecy unless the key is rotated; turning them off avoids that.
- `SSLCACertificateFile` is the trust store for client-certificate verification. The intermediate it names is only sent to browsers because OpenSSL builds the chain from that store when no explicit chain is configured. The explicit method on httpd 2.4.8 and later is to append the intermediate certificate(s) to the file named by `SSLCertificateFile` (`SSLCertificateChainFile` on older versions); either way, confirm with `openssl s_client -showcerts` that more than one certificate is sent.
- `Header always set Strict-Transport-Security "max-age=15768000"` is six months; `always` ensures the header is also emitted on error responses. It belongs only in the 443 vhost, as here.
- The `SetEnvIf User-Agent ".*MSIE.*"` line is the legacy workaround for keep-alive and shutdown bugs in very old Internet Explorer versions. It matches every MSIE user agent and forces HTTP/1.0 without keep-alive for them; it can be dropped on a modern deployment.

```
ServerName example.com
ServerAlias www.example.com
ServerAdmin root@example.com

ErrorLog /var/log/apache2/example-error.log
CustomLog /var/log/apache2/example-access.log combined

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

SSLCertificateFile /path/to/sslkeys/2020-example.crt
SSLCertificateKeyFile /path/to/sslkeys/2020-example.key
SSLCACertificateFile /path/to/sslkeys/2020-ssl-issuer-CA.pem

Header always set Strict-Transport-Security "max-age=15768000"

SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

DocumentRoot /path/to/www/html
<Directory /path/to/www/html>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>
```

Note that the 443 template above does not extend HSTS to subdomains by design; add `; includeSubDomains` to the header value as required, but only once every subdomain is served over TLS, because browsers that cache the directive will refuse plain HTTP to all of them for the whole `max-age`.
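Once the 443 template is live, the settings worth confirming from the outside are the ones a misconfiguration silently undoes: that TLS 1.0 and 1.1 are really refused, that the issuer chain is sent, and that the HSTS header arrives with the intended `max-age`. The script below is an added example, not part of the original page. It assumes `openssl` (1.1.1 or later for the `-tls1_3` flag) and `curl` are installed; the parsing helpers are pure functions, and `check_site` wires them to live probes against a host given on the command line.

```sh
#!/bin/sh
# Added example: post-deployment checks for the 443 template.
# Assumes openssl s_client and curl; HOST is supplied as $1.

# Print the max-age value from a Strict-Transport-Security header line,
# or nothing if the directive is absent.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Return 0 if the header line carries includeSubDomains.
hsts_includes_subdomains() {
    printf '%s\n' "$1" | grep -qi 'includesubdomains'
}

# Given raw `openssl s_client` output, print the negotiated protocol
# version, or "none" if the handshake did not complete.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -z "$proto" ] || printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo none
    else
        echo "$proto"
    fi
}

# probe_protocol HOST FLAG  (FLAG is -tls1, -tls1_1, -tls1_2 or -tls1_3)
# Prints "offered" or "rejected" for that single protocol version.
probe_protocol() {
    out=$(openssl s_client -connect "$1:443" -servername "$1" "$2" </dev/null 2>&1)
    case $(negotiated_protocol "$out") in
        none) echo rejected ;;
        *)    echo offered ;;
    esac
}

# Number of certificates the server sends; 1 means the intermediate is missing.
chain_length() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Run every check against HOST; exit status 1 if any expectation fails.
check_site() {
    host=$1
    bad=0
    for flag in -tls1 -tls1_1; do
        r=$(probe_protocol "$host" "$flag")
        echo "$host $flag: $r"
        [ "$r" = rejected ] || bad=1
    done
    for flag in -tls1_2 -tls1_3; do
        echo "$host $flag: $(probe_protocol "$host" "$flag")"
    done
    n=$(chain_length "$host")
    echo "$host certificates sent: $n"
    [ "$n" -ge 2 ] || bad=1
    hdr=$(curl -sI "https://$host/" | grep -i '^strict-transport-security:')
    age=$(hsts_max_age "$hdr")
    echo "$host HSTS max-age: ${age:-missing}"
    [ "${age:-0}" -ge 15768000 ] || bad=1      # the template's six months
    hsts_includes_subdomains "$hdr" && echo "$host HSTS covers subdomains"
    return $bad
}

if [ -n "${1:-}" ]; then
    check_site "$1"
fi
```

Run it as `sh check_tls.sh example.com`. A `-tls1` or `-tls1_1` probe also reports `rejected` when the local OpenSSL was built without those protocols, so on such a client the first two lines only say the test could not be performed; an `offered` result is always meaningful. The chain count of 1 is the symptom to look for when the intermediate is not being served, which is exactly the case the `SSLCACertificateFile` note above describes.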