Apache2 is another well-known HTTP server that powers many websites (like ours, before we switched to Nginx) and other web applications (like reverse proxy) that is very easy to configure. With its modularity of installation, its ease of configuration and the possibility of having several users who each have their own Apache2 site, it is a software of choice for shared hosts unlike Nginx which aims for speed.
- A computer or server with a Linux distribution (recommended: Ubuntu, Debian, CentOS, RedHat)
- If the latter is configured from a remote location, an SSH client
- A domain name pointed to the web server, otherwise the latter will not be easily accessible on the open web.
- A SCP client that graphically allows you to manipulate files
- An SSL/TLS certificate ready to be installed
1. Prepare your server
(The orders in our guide are for Debian distribution) First of all, you need SSH in your web server. Once inside, we can start the procedure, but before starting it is imperative to make sure that there is no trace of Apache (all versions) before its configuration.
sudo apt-get purge -- auto-remove apache sudo apt-get clean sudo apt-get update && sudo apt-get upgrade
Then check that there are no other web servers listening on ports 80 and 443:
sudo netstat -plunt
If there are any, you must change their configuration to listen to the other ports, or uninstall them.
2. Install Apache
Once all those preliminary steps are done, we can now install Apache2.
sudo apt-get update sudo apt-get upgrade sudo apt-get install apache2
This set of commands will allow you to configure the default version of Apache2 provided by the main source of your distribution software. If you want to implement a more up-to-date version, feel free to compile Apache2 from source or add Apache repositories to your source list.
3. Configure Apache2
sudo nano /etc/apache2/apache2.conf
The configuration is already present and complete. We recommend that you keep it intact, as it is already adapted to your system. Despite this, it is better if you inspect it because you will need to know it in case of a problem.
4. Inspect ports.conf
sudo nano /etc/apache2/ports.conf
This file contains by default the ports that Apache2 should listen to. By default, it listens to ports 80 and 443, and supports IPv4 and IPv6. Even if your server does not support IPv6, it is recommended to keep it in Apache2 because IPv6 will always be the first between applications in the same local host.
5. Configure your site
Compared to Nginx, Apache2 is much easier to configure its site.
Apache works in blocks like Nginx, but unlike Nginx where you have to make server blocks, Apache requires VirtualHost blocks. It’s very similar. Unlike Nginx where you have the choice to make centralized configurations (on only nginx.conf) or decentralized configurations (e.g. use sites-enabled) Apache can only be decentralized (to the point where this becomes an advantage for the mutual host) Thus, here is an example of an Apache site configuration:
<VirtualHost *:80> # replace by your domain name ServerName www.example.com ServerAlias example.com # put your email address ServerAdmin [email protected] # specify your document root DocumentRoot /var/www/html/domaine.com # specify the error log location ErrorLog /path/to/error.log CustomLog /path/to/custom.log # specify access rules Options FollowSymLinks AllowOverride All # allow .htaccess and .htpasswd Order allow,deny Allow from all Satisfy all </VirtualHost>
This configuration is for a normal HTTP site without SSL. For SSL/TLS, just add another VirtualHost block:
<VirtualHost *:443> ... # take the configuration from above and paste the INSIDE of the virtualhost 80 block here SSLEngine on SSLCertificateFile /path/to/signed_certificate SSLCertificateChainFile /path/to/intermediate_certificate SSLCertificateKeyFile /path/to/private/key # Uncomment the following directive when using client certificate authentication #SSLCACertificateFile /path/to/ca_certs_for_client_authentication # HSTS (mod_headers is necessary) (15768000 seconds = 6 months) Header always set Strict-Transport-Security "max-age=15768000" # Intermediate security configuration by Mozilla change according to your needs SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on </VirtualHost>
6. Create a SSL certificate
Ignore this step if you already have an SSL certificate from any certification authority (COMODO, GoDaddy, Certum, DigiCert, Symantec…).
Go to sslforfree.com to obtain an SSL certificate from Let’s Encrypt.
domain.com and click on “Create free SSL certificate”.
Then click on “Manual verification” and you will get DNS records that you will enter at your registrar in the DNS settings. Once done, click on “Verify _acme-challenge.domain.com” and both records should appear. Otherwise, wait for the number of seconds specified in the TTL (at least put it in your DNS manager, this is important, because sometimes it can take up to 12 hours if you have configured it incorrectly).
Once both records have appeared, click on Download SSL certificate and you will be taken to a page with 3 text boxes. This is your certificate. You can then install it in your path to the SSL certificates as specified in your Apache configuration.
Put the private key in a
private.key file in the same folder in the path as specified in your Apache configuration. The same goes for the certificate and the CA Bundle (unlike Nginx, Apache wants them in 2 different certificates).
Do the same for all the sites you would like to have next to it.
Copy the certificate from your most important site to the default SSL certificate folder or create a new SSL certificate that covers all domains. There is a theoretical limit of 255 SANs that varies in practice depending on the certification authorities.
Once all of this is done….
7. Activate your site and restart Apache
sudo a2ensite filename && sudo systemctl restart nginx
From now on your site is working!
Above we described how to make the initial configuration of his site. However, there is another tool:
.htaccess. It allows you to make changes to Apache2 without restarting it and is located at the root of your
DocumentRoot. This is the location where you configure options such as
Options -Indexes to hide the file index, or configure
.htpasswd to request a password to access the site.
.htaccess is not only dedicated to additional configurations for Apache - it is also the perfect place to add instructions for other software that interacts with Apache2, such as PHP-FPM.