Installation

Install Apache

# apt install apache2

# systemctl start apache2

# systemctl status apache2

To test, go to http://localhost

NOTE: default root is /var/www/html/

NOTE 2: Apache configuration file is located in /etc/apache2/apache2.conf

Install PHP

# apt install php-fpm libapache2-mod-php php-mysql 

• Check PHP version:

php -v

• Start PHP and Apache:

# systemctl start php7.2-fpm

# systemctl restart apache2

To test, go to http://localhost/info.php

Install MariaDB

# apt install mariadb-server

The MariaDB service will start automatically. You can verify it by typing:

# systemctl status mariadb

Set MySQL/MariaDb root user password:

# mysql_secure_installation

Enter current password for root (enter for none): ## Press Enter

Set root password? [Y/n]## Press Enter

New password:##  Enter password

Re-enter new password:  ## Re-enter password

Remove anonymous users? [Y/n]## Press Enter

Disallow root login remotely? [Y/n]## Press Enter

Remove test database and access to it? [Y/n]## Press Enter

Reload privilege tables now? [Y/n]## Press Enter

Additional Steps

When setting up our LAMP stack, we only required a very minimal set of extensions in order to get PHP to communicate with MySQL. WordPress and many of its plugins leverage additional PHP extensions.

We can download and install some of the most popular PHP extensions for use with WordPress by typing:

• sudo apt update
• sudo apt install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc
• sudo systemctl restart apache2

Adjust Apache's Configuration to Allow for .htaccess Overrides and Rewrites

Enable .htaccess Overrides

Open the primary Apache configuration file to make our first change:

$ sudo nano /etc/apache2/apache2.conf

To allow .htaccess files, we need to set the AllowOverride directive to All within a Directory block pointing to our document root. Towards the bottom of the file, add the following block:

<Directory /var/www/html/>

    AllowOverride All

</Directory>

If you are using a local VPS set up instead as explained here, you must edit <Directory /var/www/> :

<Directory /var/www/>

        Options Indexes FollowSymLinks

        AllowOverride All

        Require all granted

</Directory>

Alternatively, for a local VPS set up, you can edit /etc/apache2/sites-available/example.com.conf and add the following between lines :

<Directory />

        Options FollowSymLinks

        AllowOverride None

        Require all denied

</Directory>

<Directory /var/www/example.com/public_html>

        Options Indexes FollowSymLinks

        AllowOverride All

        Require all granted

</Directory>

Enable the Rewrite Module (for Permalink)

Next, we can enable mod_rewrite so that we can utilize the WordPress permalink feature:

$ sudo a2enmod rewrite

Bash Script - LAMP management

If you don't want LAMP to be enabled on start up, you can disable it:

• sudo systemctl disable apache2 php7.2-fpm mysql

You can now create a file and the following bash script to manage the LAMP services manually and efficiently:

#!/bin/bash

if [ "$1" == "" ]

then

   systemctl start apache2 mariadb php7.2-fpm

elif [ "$1" == "-s" ]

then

   systemctl stop apache2 mariadb php7.2-fpm

elif [ "$1" == "-r" ]

then

   systemctl restart apache2

elif [ "$1" == "-status" ]

then

   echo "apache2:"

   systemctl status apache2 | grep "Active"

   echo "mariadb:"

   systemctl status mariadb | grep "Active"

   echo "php-fpm:"

   systemctl status php7.2-fpm | grep "Active"

elif [ "$1" == "--help" ] || [ "$1" == "-h" ]

then

   echo "Usage:"

   echo "'sudo ./server' will launch apache, mariadb and php-fpm"

   echo "'sudo ./server -s' will stop apache, mariadb and php-fpm"

   echo "'sudo ./server -r' will restart apache"

   echo "'./server -status' will show the status of apache, mariadb and php-fpm"

else

   echo "Wrong argument supplied"

fi

1. Save the file as file_name
2. chmod +x file_name
3. Usage:

• Start LAMP: sudo ./file_name
• Stop LAMP: sudo ./file_name -s
• Restart Apache: sudo ./file_name -r

Securing Apache Server

Disable Trace HTTP Request

Edit the config file at /etc/apache2/sites-available/ and be sure that TraceEnable on is not in the file, or it is commented, or it is set as TraceEnable off.

To check if it is disabled, run:

$ curl -i -X TRACE example.com

If disabled (what we want), you must get:

• HTTP/1.1 405 Method Not Allowed

If enabled, you must get:

• HTTP/1.1 200 OK

Disable Signature

Edit the config file at /etc/apache2/sites-available/ and be sure that ServerSignature on is not in the file, or it is commented, or it is set as ServerSignature off.

Disable Banner

Edit the config file at /etc/apache2/sites-available/ and be sure that ServerTokens Prod is in the file.

Disable directory listing

Edit /etc/apache2/apache/apache2.conf and set "Options" to "None":

<Directory />

        ...

        Options None

        ...

</Directory>

Run Apache as separate User & Group

$ sudo groupadd apache

$ sudo useradd –G apache apache

$ chown –R apache:apache /etc/apache2

Running Apache in its own non-root account is good. Modify User & Group Directive in config file at /etc/apache2/sites-available/ by adding:

User apache

Group apache

Restart Apache server and check changes are in effect:

• $ sudo ps –ef | grep http

More info at https://geekflare.com/apache-web-server-hardening-security/