Originally Posted by Paddy Landau
I don't know what goes in those files. I'm starting to worry that I've bitten off more than I can chew
Nah, you'll do fine. Start with the basics and add to it as needed. Do not try to create the end-all-be-all config as a first step. Just get it working enough so you can create a test PHP file to verify the basics are there. Then add on bits specific for a WordPress site and test it. Then add SSL if you want, but that gets a bit trickier if your site is not accessible from the Internet for certbot to access. For internal testing, you could just create your own SSL certificate, but you would then need to import the root cert into your browser so you do not get the warning about it not being a trusted certificate authority.
Here is a basic config just so we can test that PHP works:
/etc/apache2/sites-available/my.coolsite.com.conf
Code:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName my.coolsite.com
    ServerAlias my.coolsite.com
    DocumentRoot /var/www/my.coolsite.com
    ErrorLog ${APACHE_LOG_DIR}/my.coolsite.com-error.log
    CustomLog ${APACHE_LOG_DIR}/my.coolsite.com-access.log combined
</VirtualHost>
Test the site config file for any syntax errors:
Code:
sudo apache2ctl configtest
Enable the site config:
Code:
sudo a2ensite my.coolsite.com
Now create a test file:
Code:
echo "<?php phpinfo(); ?>" > /var/www/my.coolsite.com/phpinfo.php
chown www-data:www-data /var/www/my.coolsite.com/phpinfo.php
chmod 644 /var/www/my.coolsite.com/phpinfo.php
Open a browser and see if the test page shows up: http://my.coolsite.com/phpinfo.php
Since you are testing the server on the same machine as the browser accessing it, there will be no firewall rules that will get in the way since you are not "crossing" the firewall line. You would only need to worry about the firewall rules if you were to try and test this from another machine on your local network.
Once you verify the site is running and that you have all the modules enabled that WordPress requires, you can then proceed to install WordPress and make changes to the site config file as needed. Example:
Code:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName my.coolsite.com
    ServerAlias my.coolsite.com
    DocumentRoot /var/www/my.coolsite.com
    ErrorLog ${APACHE_LOG_DIR}/my.coolsite.com-error.log
    CustomLog ${APACHE_LOG_DIR}/my.coolsite.com-access.log combined
    <Directory /var/www/my.coolsite.com>
        Options FollowSymLinks
        AllowOverride Limit Options FileInfo
        DirectoryIndex index.php
        Order allow,deny
        Allow from all
    </Directory>
    <Directory /var/www/my.coolsite.com/wp-content>
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
Test and reload the Apache configuration:
Code:
sudo apache2ctl configtest
sudo systemctl reload apache2
Originally Posted by Paddy Landau
At the moment, I haven't configured the firewall at all. I've depended on my router (and I haven't set up port forwarding). I shall have a look at the firewall.
Here is a script I use to configure the firewall rules and turn it on, which will remain on even after a reboot.
You can copy this script and use it for your own purposes and tweak it for your environment. Enough commands are used/documented in it that you should be able to modify it to fit your particular server. For example, if running a web server, you can uncomment the commands to allow TCP port 80 and 443.
I NEVER simply copy this script and run it. Each and every server requires a custom variation of this script tailored for it. The application section has examples for commonly used services such as web, database, etc. Feel free to uncomment lines you can use and modify to suit your needs.
/var/scripts/prod/en-firewall.sh (GitHub Download)
Code:
#!/bin/bash
#############################################################
## Name : enable-firewall.sh
## Version : 1.1
## Date : 2017-04-13
## Author : LHammonds
## Compatibility : Ubuntu Server 12.04 - 20.04 LTS
## Requirements : Run as root
## Purpose : Restore and enable firewall.
## Run Frequency : As needed
## Exit Codes : 1 = not running as root
###################### CHANGE LOG ###########################
## DATE VER WHO WHAT WAS CHANGED
## ---------- --- --- ---------------------------------------
## 2015-08-28 1.0 LTH Created script.
## 2017-04-13 1.1 LTH Added comments in rules.
#############################################################
## Requirement Check: Script must run as root user.
if [ "$(id -u)" != "0" ]; then
    ## FATAL ERROR DETECTED: Document problem and terminate script with a non-zero status.
    echo -e "\nERROR: Root user required to run this script.\n"
    echo -e "Type 'sudo su' to temporarily become root user.\n"
    exit 1
fi
clear
echo ""
echo "Resetting Firewall to factory default"
echo y | ufw reset 1>/dev/null 2>&1
ufw default deny incoming 1>/dev/null 2>&1
ufw default allow outgoing 1>/dev/null 2>&1
echo "Allowing SSH from only LAN connections"
ufw allow from 192.168.1.0/24 to any port 22 comment 'SSH via LAN' 1>/dev/null 2>&1
echo "Allowing Samba file sharing connections"
ufw allow proto tcp to any port 135,139,445 comment 'Samba Share' 1>/dev/null 2>&1
ufw allow proto udp to any port 137,138 comment 'Samba Share' 1>/dev/null 2>&1
echo "Allowing Nagios connections"
ufw allow from 192.168.107.21 to any port 12489 comment 'Nagios' 1>/dev/null 2>&1
ufw allow from 192.168.107.21 proto tcp to any port 5666 comment 'Nagios' 1>/dev/null 2>&1
echo "Adding Application-specific rules"
#echo "Adding MySQL/MariaDB rules"
#ufw allow from 192.168.1.0/24 proto tcp to any port 3306 comment 'MariaDB via LAN' 1>/dev/null 2>&1
#ufw allow from 192.168.2.0/24 proto tcp to any port 3306 comment 'MariaDB via LAN' 1>/dev/null 2>&1
#echo "Adding FTP/FTPS rules"
#ufw allow proto tcp to any port 990 comment 'FTPS' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 21 comment 'FTP' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 2000:2020 comment 'FTP Passive' 1>/dev/null 2>&1
#echo "Adding Web Server rules"
#ufw allow proto tcp to any port 80 comment 'HTTP Service' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 8080 comment 'HTTP Service' 1>/dev/null 2>&1
#ufw allow proto tcp to any port 443 comment 'HTTPS Service' 1>/dev/null 2>&1
echo "Enabling firewall"
echo y | ufw enable 1>/dev/null 2>&1
echo "Firewall enabled and all rules have been configured."
EDIT: Hopefully I did not miss any crucial bits, I did not sleep well. If you have more questions / concerns, just post them.
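Since the script above silences ufw's output, it helps to see what a given variant of it will actually expose before running it. The following audit is an added example (not part of the original post or LHammonds' script): it reads `ufw allow ... port N` lines in the form the script uses, summarises each as port/proto and source, and lists the rules that are open to any source. The sample rule lines are constructed for the stand-alone run; point `FW_SCRIPT` at a real script to audit that instead.

```shell
#!/bin/bash
# Summarise every uncommented 'ufw allow' rule on stdin as "PORT/PROTO from SRC".
# Rules with no 'from' clause are reachable from any source and are flagged "ANY".
ufw_rule_summary() {
  awk '
    /^[ \t]*ufw[ \t]+allow/ {
      src = "ANY"; port = "?"; proto = "any"
      for (i = 1; i <= NF; i++) {
        if ($i == "from")  src   = $(i + 1)
        if ($i == "port")  port  = $(i + 1)
        if ($i == "proto") proto = $(i + 1)
      }
      print port "/" proto " from " src
    }'
}

# Keep only the rules that any host, not just the LAN, can reach.
ufw_wide_open() {
  ufw_rule_summary | grep ' from ANY$' || true
}

# Constructed sample (not the original script): one LAN-only rule, one rule
# open to any source, one host-restricted rule, and one commented-out rule.
SAMPLE_RULES=$(cat <<'EOF'
ufw allow from 192.168.1.0/24 to any port 22 comment 'SSH via LAN'
ufw allow proto tcp to any port 135,139,445 comment 'Samba Share'
ufw allow from 192.168.107.21 proto tcp to any port 5666 comment 'Nagios'
#ufw allow proto tcp to any port 80 comment 'HTTP Service'
EOF
)

# Stand-alone run: audit the script named in FW_SCRIPT, or the sample if unset.
if [ -n "${FW_SCRIPT:-}" ]; then
  echo "All allow rules:";      ufw_rule_summary < "$FW_SCRIPT"
  echo "Open to any source:";   ufw_wide_open    < "$FW_SCRIPT"
else
  echo "All allow rules:";      printf '%s\n' "$SAMPLE_RULES" | ufw_rule_summary
  echo "Open to any source:";   printf '%s\n' "$SAMPLE_RULES" | ufw_wide_open
fi
```

On the sample, only the Samba rule (135,139,445/tcp) is reported as open to any source; the commented-out HTTP rule is ignored.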