X386 – Ubuntu & Python

Ubuntu and Python Documentation

Apache Fine Tunes on Ubuntu

Posted on 13/06/2020 - 16/04/2021 by exforge

Apache Fine Tunes on Ubuntu 20.04

Copyright (C) 2020 Exforge exforge@x386.xyz

# This document is free text: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
# This document is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
 

Specs

# Based on Alexey Abel's ISP Mail Tutorial Caramel Edition
https://123qwe.com/
 

1. Special DNS Records:

# 1.1. Certificate Authorities
# 1.1.1. Letsencrypt may issue normal certificates 
@ CAA 0 issue "letsencrypt.org"
# 1.1.2. Wildcard domains are not allowed by anyone
@ CAA 0 issuewild ";"
# 1.1.3. Violations can be reported to postmaster@x11.xyz (replace with your domain)
@ CAA 0 iodef "mailto:postmaster@x11.xyz"
#
# 1.2. SPF Policy for Email Server
# 1.2.1. All my emails come from the servers with MX record 
#   in my domain. Reject all others.
# Add as a txt record for x11.xyz (replace with your domain)
@ TXT "v=spf1 mx -all"
#
# 1.3. DMARC Policy for Email Server
# DMARC version 1: reject non-compliant mail, send aggregate reports to postmaster,
#   require strict DKIM and SPF alignment, and apply the policy to 100% of messages.
# Add as a TXT record for _dmarc.x11.xyz (replace with your domain)
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:postmaster@x11.xyz; adkim=s; aspf=s; pct=100;"
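As an added check that is not part of the original post, the following Python script lints zone-file lines in the format used above against the policy this section describes: CAA limited to Let's Encrypt with wildcards forbidden and an iodef contact, SPF hard-failing everything except the MX hosts, and DMARC set to reject with strict alignment and aggregate reports. The sample records and the example.test domain are constructed placeholders.

```python
import re
# Constructed sample: the records as section 1 publishes them (domain is a placeholder).
HARDENED_ZONE = """
@ CAA 0 issue "letsencrypt.org"
@ CAA 0 issuewild ";"
@ CAA 0 iodef "mailto:postmaster@example.test"
@ TXT "v=spf1 mx -all"
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:postmaster@example.test; adkim=s; aspf=s; pct=100;"
"""
# Constructed weaker variant: wildcard allowed, SPF softfail, DMARC monitor-only.
WEAK_ZONE = """
@ CAA 0 issue "letsencrypt.org"
@ TXT "v=spf1 mx ~all"
_dmarc TXT "v=DMARC1; p=none; adkim=r; aspf=r"
"""
RECORD = re.compile(r'^(\S+)\s+(CAA|TXT)\s+(.+)$')

def parse_zone(text):
    # Return (owner, rtype, rdata) tuples with the quotes stripped from rdata.
    recs = []
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if m:
            recs.append((m.group(1), m.group(2), m.group(3).replace('"', '').strip()))
    return recs

def lint_zone(text):
    # Return a list of findings; an empty list means the zone matches section 1.
    recs = parse_zone(text)
    findings = []
    # CAA at the apex as tag -> value, e.g. {'issue': 'letsencrypt.org', 'issuewild': ';'}
    caa = dict(r.split(None, 2)[1:] for o, t, r in recs if o == '@' and t == 'CAA')
    for tag, want in (('issue', 'letsencrypt.org'), ('issuewild', ';')):
        if caa.get(tag) != want:
            findings.append(f"CAA {tag} must be {want!r}, got {caa.get(tag)!r}")
    if 'iodef' not in caa:
        findings.append("CAA iodef missing, CA violation reports have nowhere to go")
    # SPF at the apex: only MX hosts may send, everything else hard-fails (-all)
    spf = [r for o, t, r in recs if o == '@' and t == 'TXT' and r.startswith('v=spf1')]
    if len(spf) != 1 or spf[0].split() != ['v=spf1', 'mx', '-all']:
        findings.append("SPF must be exactly one record reading 'v=spf1 mx -all'")
    # DMARC at _dmarc: reject, strict DKIM/SPF alignment, aggregate reports
    dmarc = [r for o, t, r in recs if o == '_dmarc' and t == 'TXT']
    tags = dict(kv.strip().split('=', 1) for kv in dmarc[0].split(';') if '=' in kv) if dmarc else {}
    for tag, want in (('v', 'DMARC1'), ('p', 'reject'), ('adkim', 's'), ('aspf', 's')):
        if tags.get(tag) != want:
            findings.append(f"DMARC {tag} must be {want}, got {tags.get(tag)!r}")
    if 'rua' not in tags:
        findings.append("DMARC rua missing, no aggregate reports will arrive")
    return findings
```

Run `lint_zone` on the lines you are about to paste into your DNS panel; publishing only when it returns an empty list avoids the silent downgrade of a typo such as `~all` or `p=none`.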
 

2. Apache More Secure Configuration

# https://ssl-config.mozilla.org/ is a good place to start
# 2.1. More Secure HTTPS redirect
#   Contents of the conf file
#      rewrite mod must be enabled
<VirtualHost *:80>
    ServerName www.x11.xyz
    # Force redirect to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
    ErrorLog ${APACHE_LOG_DIR}/www.x11.xyz-error.log
</VirtualHost>
#
# 2.2. More Secure HTTPS conf
#   Contents of the conf file
#       headers and ssl mods must be enabled
<VirtualHost *:443>
    ServerName www.x11.xyz
    DocumentRoot /var/www/www.x11.xyz
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.x11.xyz/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.x11.xyz/privkey.pem
    # enable HTTP/2, if available
    Protocols h2 http/1.1
    # HSTS (mod_headers is required) (63072000 seconds = 2 years)
    Header always set Strict-Transport-Security "max-age=63072000"
    ErrorLog ${APACHE_LOG_DIR}/www.x11.xyz.port443-error.log
</VirtualHost>
#
# 2.3. More Secure TLS Configuration
#   A more secure Apache conf may be created to apply security
#     to all hosted sites
sudo nano /etc/apache2/conf-available/ssl-stricter-options.conf
#_________________________________________________________________
# Generated by: https://ssl-config.mozilla.org/
# modern configuration (TLS 1.3 only; clients without TLS 1.3 are refused), tweak to your needs
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder     off
SSLSessionTickets       off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#_________________________________________________________________
#
# Enable new conf
sudo a2enconf ssl-stricter-options
#
# 2.4. Enable all mentioned mods
sudo a2enmod rewrite ssl headers
 

3. Disabling All Apache Access Logs

#   You may consider respecting your users' privacy by not keeping any
#     access logs on Apache servers. I'd like to follow Alexey Abel's
#     approach.
#   We start by not configuring any access or custom logs in the Apache confs,
#     but Apache itself still catches all access logs through other-vhosts-access-log.conf,
#     so we have to disable that too.
sudo a2disconf other-vhosts-access-log
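As an added check that is not part of the original post, this Python script audits the text of the enabled vhost and conf files against sections 2 and 3: every port-80 vhost must redirect to HTTPS, every port-443 vhost must have SSLEngine on and a two-year HSTS header, the global conf must drop every protocol below TLS 1.3 and enable stapling, and no vhost may declare a CustomLog or TransferLog. The two config strings are constructed stand-ins for the files under /etc/apache2/sites-enabled and /etc/apache2/conf-enabled (www.example.test is a placeholder).

```python
import re
# Constructed sample standing in for /etc/apache2/sites-enabled/*.conf (sections 2.1 and 2.2).
SITES = """
<VirtualHost *:80>
    ServerName www.example.test
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301]
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine on
    Header always set Strict-Transport-Security "max-age=63072000"
    ErrorLog ${APACHE_LOG_DIR}/www.example.test-error.log
</VirtualHost>
"""
# Constructed sample standing in for conf-enabled/ssl-stricter-options.conf (section 2.3).
GLOBAL = """
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
"""
VHOST = re.compile(r'<VirtualHost\s+[^>]*:(\d+)>(.*?)</VirtualHost>', re.S)

def audit_apache(sites, global_conf):
    # Return findings; an empty list means every vhost follows sections 2 and 3.
    findings = []
    for port, body in VHOST.findall(sites):
        name = re.search(r'^\s*ServerName\s+(\S+)', body, re.M)
        name = name.group(1) if name else '?'
        if re.search(r'^\s*(CustomLog|TransferLog)\b', body, re.M):
            findings.append(f'{name}:{port} keeps an access log (section 3 disables them)')
        if port == '80' and not re.search(r'^\s*RewriteRule\s.*https://', body, re.M):
            findings.append(f'{name}:80 does not redirect to HTTPS')
        if port == '443':
            hsts = re.search(r'^\s*Header\s+always\s+set\s+Strict-Transport-Security\s+"max-age=(\d+)', body, re.M)
            if not hsts or int(hsts.group(1)) < 63072000:
                findings.append(f'{name}:443 HSTS missing or max-age below two years')
            if not re.search(r'^\s*SSLEngine\s+on', body, re.M | re.I):
                findings.append(f'{name}:443 has SSLEngine off')
    proto = re.search(r'^\s*SSLProtocol\s+(.*)$', global_conf, re.M)
    legacy = {'-SSLv3', '-TLSv1', '-TLSv1.1', '-TLSv1.2'}
    if not proto or not legacy <= set(proto.group(1).split()):
        findings.append('SSLProtocol still allows a TLS version below 1.3')
    if not re.search(r'^\s*SSLUseStapling\s+On', global_conf, re.M | re.I):
        findings.append('OCSP stapling is not enabled')
    return findings
```

On a real host, read the enabled files with `cat /etc/apache2/sites-enabled/*.conf` and `cat /etc/apache2/conf-enabled/ssl-stricter-options.conf` and pass their contents to `audit_apache`.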
 

4. Certbot Post Hooks

# For HTTPS we use letsencrypt's certificates, Certbot automates the renewal 
#   process of the certificates. It is a good thing, because letsencrypt 
#   certificates last only 2 months. 
# I use the certificates mostly for Apache, Postfix and Dovecot. When Certbot
#   renews a certificate, Apache, Postfix or Dovecot don't know about it. They 
#   might keep using the old certificates. Therefore it is a good idea to
#   restart these services when a certificate is renewed.
# Christoph Haas and Alexey Abel use 2 different methods for that purpose.
#   Both are documented here, choose whichever you want.
#
# 4.1. Christoph's Method:
# Add a line to certbot ini file
sudo nano /etc/letsencrypt/cli.ini
#___________________________________________________________________________
post-hook = systemctl restart postfix ; systemctl restart dovecot ; systemctl restart apache2
#___________________________________________________________________________
#
# 4.2. Alexey's Method:
# Certbot runs all scripts in the /etc/letsencrypt/renewal-hooks/deploy
#   directory after a successful renewal. We'll put a script there.
sudo nano /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh
#__________________________________________
#!/bin/bash
systemctl reload apache2
systemctl reload postfix
systemctl reload dovecot
#__________________________________________
# Make the script executable
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh
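As an added alternative to reloadall.sh (not from Alexey's tutorial or the original post), this Python deploy hook reads the RENEWED_DOMAINS variable that Certbot exports to deploy hooks, so renewing the web certificate reloads only Apache, and it runs apachectl configtest before reloading Apache so a broken vhost file cannot take the site down together with the renewal. The domain-to-service mapping and the example.test names are hypothetical and must be adjusted to your own hosts.

```python
#!/usr/bin/env python3
# Save as /etc/letsencrypt/renewal-hooks/deploy/reloadall.py and make it executable.
import os
import subprocess
import sys

# Hypothetical mapping of certificate names to the services that load them.
SERVICES_BY_DOMAIN = {
    'www.example.test': ['apache2'],
    'mail.example.test': ['postfix', 'dovecot'],
}
# Unknown names fall back to the original script's behaviour: reload everything.
ALL_SERVICES = ['apache2', 'postfix', 'dovecot']

def plan_reloads(renewed_domains, mapping=SERVICES_BY_DOMAIN):
    # Ordered, de-duplicated services for the space-separated RENEWED_DOMAINS value.
    plan = []
    for domain in renewed_domains.split():
        for service in mapping.get(domain, ALL_SERVICES):
            if service not in plan:
                plan.append(service)
    return plan

def run_command(argv):
    # Real runner: the command's exit status (0 = success).
    return subprocess.run(argv).returncode

def reload_services(plan, run=run_command):
    # Reload each planned service; Apache is only reloaded after configtest passes.
    failed = []
    for service in plan:
        if service == 'apache2' and run(['apachectl', 'configtest']) != 0:
            failed.append(service)
            continue
        if run(['systemctl', 'reload', service]) != 0:
            failed.append(service)
    return failed

if __name__ == '__main__':
    plan = plan_reloads(os.environ.get('RENEWED_DOMAINS', ''))
    failed = reload_services(plan)
    for service in plan:
        print(('FAILED ' if service in failed else 'reloaded ') + service)
    # A non-zero exit makes the failure visible in certbot's output and log.
    sys.exit(1 if failed else 0)
```

To exercise it by hand, run it as root with `RENEWED_DOMAINS='www.example.test'` set in the environment; with the variable unset it reloads nothing.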
 
