WebServer

Downloads
2.0.0
2012 to 2017
Stable

If you own a virtual or dedicated Linux server, you know the hassle with third-party tools. They need to be maintained, can break after any upgrade, and there is no such thing as "full control". What do you do next when upgrading a heavy software toolchain leaves you with an error 500?

There are several web server management solutions. Well-known panels include Plesk (today) and Confixx (in the past). These are all easy to use and include lots of statistics and information as well. Additionally, administrators can create resellers who can in turn create users, and so on. But if you just run a dedicated server for yourself, you may prefer control over features, especially if most of those features are of little interest to you.

Prerequisites

In this setup, I have used Apache with MPM ITK (libapache2-mpm-itk). For this, we install the packages and enable the required modules:

apt-get install apache2 libapache2-mpm-itk vsftpd php libapache2-mod-wsgi mysql-server
a2enmod rewrite ssl macro

In /etc/apache2/apache2.conf, we need to change the following:

<Directory /var/www/>
	Options -Indexes +FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

For vsftpd, we need to add or modify the following lines in /etc/vsftpd.conf:

write_enable=YES
chroot_local_user=YES

user_sub_token=$USER
local_root=/home/$USER
allow_writeable_chroot=YES

Now, web users are jailed in their home directory without shell access, and traversal attacks from malicious PHP payloads are prohibited as well.

vHosts

This is the 000-default.conf in /etc/apache2/sites-available. You should usually leave it exactly how it is, including the line with "www.example.com" (this is because ServerName is mandatory).

ServerSignature Off

<Directory /home>
	Options -Indexes +FollowSymLinks
	AllowOverride All
	Require all granted
</Directory>

<VirtualHost *:80>
	ServerName www.example.com
	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory /usr/lib/cgi-bin>
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		AllowOverride None
		Require all granted
	</Directory>
</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost *:443>
		SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
		SSLEngine on
		SSLProtocol all -SSLv2 -SSLv3
		SSLHonorCipherOrder on
		SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
	</VirtualHost>
</IfModule>

<Macro Host $name $domain>
	<VirtualHost *:80>
		ServerName $domain
		DocumentRoot /home/$name/html
		AssignUserID $name $name
		CustomLog /home/$name/logs/access.log vhost_combined
		ErrorLog /home/$name/logs/error.log
		<Directory /home/$name/html>
			php_admin_value open_basedir /home/$name/html
		</Directory>
	</VirtualHost>
</Macro>

<Macro SSLHost $name $domain>
	<VirtualHost *:443>
		ServerName $domain
		DocumentRoot /home/$name/html
		AssignUserID $name $name
		CustomLog /home/$name/logs/access.log vhost_combined
		ErrorLog /home/$name/logs/error.log
		<Directory /home/$name/html>
			php_admin_value open_basedir /home/$name/html
		</Directory>
		SSLCertificateFile /home/$name/cfg/$name.crt
		SSLCertificateKeyFile /home/$name/cfg/$name.key
		SSLCertificateChainFile /home/$name/cfg/ca.crt
	</VirtualHost>
</Macro>

001-mydomain.com.conf: For each domain, you can utilize the macros to create vHosts. Have a look at 000-default.conf to understand the path logic and how to set up SSL certificates. For common vHost entries, the macros used here should be sufficient.

Use SSLHost myuser mydomain.com
Use Host myuser2 subdomain.mydomain.com
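
Both macros build every path from $name, so a missing log directory or certificate file only shows up when Apache is reloaded. The following is an added example, not part of webserver.sh or the original page, that checks each Use line beforehand; the function names audit_use and audit_conf and the output tokens are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of webserver.sh. Verifies that the paths the Host and
# SSLHost macros expand to exist under <base>/<name> before Apache is reloaded.

audit_use() {   # usage: audit_use <base> <macro> <name>
    base=$1 macro=$2 name=$3 out=""
    # $name ends up in DocumentRoot, AssignUserID and log paths: plain names only.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "${name}: invalid-name"; return 0 ;;
    esac
    home="$base/$name"
    for d in html logs; do                  # DocumentRoot, CustomLog/ErrorLog
        [ -d "$home/$d" ] || out="$out missing:$d"
    done
    if [ "$macro" = "SSLHost" ]; then
        for f in "$name.crt" "$name.key" ca.crt; do
            [ -f "$home/cfg/$f" ] || out="$out missing:cfg/$f"
        done
        key="$home/cfg/$name.key"
        # Flag a private key that group or others can read.
        if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
            out="$out key-perms"
        fi
    fi
    echo "${name}:${out:- ok}"
}

audit_conf() {  # usage: audit_conf <base> <vhost-conf-file>
    base=$1 conf=$2
    # "|| [ -n "$kw" ]" keeps a last line that lacks a trailing newline.
    while read -r kw macro name _domain || [ -n "$kw" ]; do
        [ "$kw" = "Use" ] || continue
        audit_use "$base" "$macro" "$name"
    done < "$conf"
}

# Example: sh audit.sh /home /etc/apache2/sites-available/001-mydomain.com.conf
if [ "$#" -eq 2 ]; then
    audit_conf "$1" "$2"
fi
```

Each Use line produces one result line: "ok", or a list of missing paths and a "key-perms" flag when the private key in cfg is readable by group or others.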

Read more about vHost configuration.

webserver.sh

Place the script in /root/webserver.sh. Set $MYSQLROOTPASSWORD in webserver.conf to the password of the MySQL root user (not to be confused with the Linux root user). Leave it blank if you are running Debian 9, where the root user is authenticated automatically.

Usage

Add users with "./webserver.sh useradd <USER>" and then set the password and MySQL password. Both passwords are undefined by default, so you have to change them first. Next, log into this user account via FTP. You probably also want to install phpMyAdmin on your server if you want a web-based database administration tool.

Recommended: Use a separate password for each user, and in particular keep the MySQL password different from the Unix user's password. Otherwise, cross access is given once any web application has been breached.

Command
	Function

./webserver.sh
	Summary of command line options.

./webserver.sh useradd <USER>
	Adds a Unix user and a MySQL user with the name <USER>. The password for both users is undefined and therefore must be changed prior to login.
	Note: Four new directories are created in /home/<USER>. "html" is where your website goes; you need to configure your vHosts to point there. "files" usually is a location for files that are not directly accessed by the web server. The "cfg" folder can be used to place files such as certificates. The "logs" folder can be used to store logs as configured in the vHosts.

./webserver.sh userdel <USER>
	Deletes the user with the name <USER>.

./webserver.sh userpasswd <USER>
	Prompts for password change of <USER>.

./webserver.sh dbadd <USER> <DATABASE>
	Creates a database called <USER>_<DATABASE> (e.g. user1_database1) and assigns it to <USER>.

./webserver.sh dbdel <USER> <DATABASE>
	Deletes the database <USER>_<DATABASE>.

./webserver.sh dbpasswd <USER> <PASSWORD>
	Prompts for password change of MySQL user <USER>.
	Note: This is not to be confused with the user password; the MySQL user is separate from the Unix user.

./webserver.sh reload <apache2|mysql|ftp>
	Gracefully restarts either apache2, mysql or ftp. If no parameter is specified, all three services are reloaded.

./webserver.sh restart <apache2|mysql|ftp>
	Restarts either apache2, mysql or ftp. If no parameter is specified, all three services are restarted.

./webserver.sh userlist
	Displays all web users.

./webserver.sh dblist
	Displays all MySQL databases.