Setting Up a Secure Apache Server on Ubuntu 24.04

In this comprehensive guide, we will walk you through the process of setting up a secure Apache server on Ubuntu 24.04. Whether you are setting up a personal website or a business platform, following these steps will ensure that your server is not only functional but also secure. Remember to replace “myweb.linuxconfig.org” with your own domain throughout this tutorial.

In this tutorial you will learn:

  • How to update and upgrade your Ubuntu system
  • Steps to install and configure Apache
  • Firewall configuration for security
  • Creating a sample website and setting up Virtual Hosts
  • Enabling and starting Apache service
  • Testing your Apache setup
  • Securing Apache with Let’s Encrypt SSL Certificate
  • Hardening your Apache server for enhanced security

Step-by-Step Guide

  1. Update and Upgrade System: Start by updating the package indexes and upgrading your system to the latest version. This ensures you have all the latest security patches and dependencies.
    $ sudo apt update
    $ sudo apt upgrade
    
  2. Install Apache: Next, install the Apache2 web server. Apache is a free and open-source web server software that powers much of the web.
    $ sudo apt install apache2
    



  3. Firewall Configuration: Configure the firewall to allow HTTP and HTTPS traffic. Additionally, enable SSH if you plan to manage your server remotely.
    $ sudo ufw allow http
    $ sudo ufw allow https
    $ sudo ufw allow OpenSSH
    $ sudo ufw enable
    

    The commands sudo ufw allow http and sudo ufw allow https are used for allowing incoming HTTP and HTTPS traffic, respectively, which are essential for serving web pages and secure web communications. The command sudo ufw allow OpenSSH is for opening the SSH port, allowing secure remote management of the server. Finally, sudo ufw enable activates the UFW firewall, enforcing the specified rules to control server traffic.

  4. Create Sample Website: Create a directory for your website and add a sample index.html file. Then, change the ownership to the web server user (www-data). /var/www/html is owned by root, so the commands run under sudo (tee is used because a shell redirection would not inherit sudo's privileges).
    $ sudo mkdir -p /var/www/html/myweb
    $ echo "Setting Up a Secure Apache Server on Ubuntu 24.04" | sudo tee /var/www/html/myweb/index.html
    $ sudo chown -R www-data:www-data /var/www/html/myweb/
    

    The command sudo mkdir -p /var/www/html/myweb creates a new directory named ‘myweb’ under ‘/var/www/html’, the path typically used for storing web content. The echo command, piped through sudo tee, creates a simple HTML file named ‘index.html’ inside this directory containing the text “Setting Up a Secure Apache Server on Ubuntu 24.04”. Lastly, sudo chown -R www-data:www-data /var/www/html/myweb/ changes the ownership of the ‘myweb’ directory and its contents to the user and group ‘www-data’, the default user the Apache web server runs as, ensuring appropriate permissions for web server operations.

  5. Virtual Host Setup: Create a Virtual Host file for your domain. This allows Apache to respond to requests for your domain. Don’t forget to enable the site and optionally disable the default site.
    $ sudo nano /etc/apache2/sites-available/myweb.conf
    
    # Insert the following configuration:
    <VirtualHost *:80>
        ServerAdmin admin@myweb.linuxconfig.org
        ServerName myweb.linuxconfig.org
        DocumentRoot /var/www/html/myweb
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
    

    Next, enable the site and optionally disable the default site:

    $ sudo a2ensite myweb
    $ sudo a2dissite 000-default
    

    The command sudo a2ensite myweb is used to enable the ‘myweb’ site in Apache. This command creates a symbolic link of the site configuration file from the ‘sites-available’ directory to the ‘sites-enabled’ directory, thereby activating the site configuration. Conversely, the command sudo a2dissite 000-default disables the default site provided by Apache. This is achieved by removing the symbolic link for the ‘000-default’ configuration from the ‘sites-enabled’ directory, which stops Apache from loading the default settings.

  6. Start and Enable Apache: Enable the Apache service to start on boot and then restart the service to apply the changes.
    $ sudo systemctl enable apache2
    $ sudo systemctl restart apache2
    

    The command sudo systemctl enable apache2 is used to ensure that the Apache2 service starts automatically upon system boot. This creates a persistent setting that links the Apache2 service to the system’s boot process. Following this, the command sudo systemctl restart apache2 is employed to restart the Apache2 service. This is necessary for applying any recent changes made to the Apache configuration or for initiating the service after installation or updates. Restarting the service ensures that Apache is running with the latest configurations.

  7. Test Your Apache Configuration: Test your setup by accessing your website. You can use a browser or command line tools like wget to see if your site is serving correctly.
    $ wget myweb.linuxconfig.org
    

    Currently the website runs only on HTTP
  8. Securing Apache with Let’s Encrypt (optional): Secure your site with a free Let’s Encrypt SSL certificate. This provides encryption for your website, protecting your visitors’ data.
    $ sudo apt install certbot python3-certbot-apache
    $ sudo certbot --apache
    




    The command sudo apt install certbot python3-certbot-apache installs ‘certbot’ and its Apache plugin on the system. ‘Certbot’ is a free, automated tool designed to obtain SSL certificates from Let’s Encrypt, a free certificate authority. The Apache plugin, ‘python3-certbot-apache’, is specifically used for configuring SSL certificates on Apache servers. After the installation, the command sudo certbot --apache is executed. This runs ‘certbot’ with the Apache plugin, which not only obtains the SSL certificate from Let’s Encrypt but also automatically configures Apache to use this certificate, enabling HTTPS on the server.

    The SSL certificate for our Apache web server website has been created and deployed
  9. Test Secure SSL website: At this point the Apache2 web server should automatically redirect any HTTP requests to HTTPS. Test your website and confirm that it runs on the secure HTTPS port.
    After a refresh the website now runs on the secure HTTPS port

    Test your website with the wget command for more verbose output
  10. Harden Apache Security: Finally, harden your Apache installation by modifying the Apache configuration file. This includes disabling trace requests, hiding the Apache version, and turning off server signatures.
    $ sudo nano /etc/apache2/apache2.conf

    Add or modify the following lines:

    TraceEnable Off
    ServerTokens Prod
    ServerSignature Off
    

    The Apache configuration directives TraceEnable Off, ServerTokens Prod, and ServerSignature Off are important for enhancing server security. TraceEnable Off disables the TRACE HTTP request method, preventing any potential Cross-Site Tracing (XST) attacks. ServerTokens Prod limits the amount of information (specifically, the server version and OS type) that is sent in the server response headers, thus reducing information exposure to potential attackers. ServerSignature Off further restricts information leakage by removing the server version from error pages and server-generated documents. Collectively, these settings are crucial for obscuring server details that could otherwise be exploited by attackers in crafting targeted attacks.

    In addition to the configuration directives TraceEnable Off, ServerTokens Prod, and ServerSignature Off, you may consider adding the following settings to further enhance the security and performance of your Apache server. The Header directives can go in .htaccess, httpd.conf (apache2.conf on Ubuntu) or a VirtualHost section and require mod_headers to be enabled; the SSL directives belong in the server or VirtualHost configuration, not in .htaccess:




    Header always set X-Content-Type-Options "nosniff": This header prevents browsers from performing MIME-type sniffing, which can reduce exposure to drive-by download attacks.

    Header always set X-Frame-Options "SAMEORIGIN": This setting prevents clickjacking by instructing the browser to not allow the page to be displayed in a frame unless it is being requested from the same origin.

    Header always set X-XSS-Protection "1; mode=block": This enables the Cross-Site Scripting (XSS) filter built into most recent web browsers and tells it to block responses that contain detected attacks.

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1: This line disables older, less secure SSL/TLS protocols (SSLv3, TLSv1, and TLSv1.1) and only allows more secure protocols, reducing the risk of protocol downgrade attacks.

    SSLCipherSuite HIGH:!aNULL:!MD5: This sets a strong Cipher Suite for SSL/TLS connections, which defines the encryption algorithms used.

    Adding these settings enhances the overall security by mitigating several common web vulnerabilities and ensuring that communication with your server remains encrypted and secure. Remember to restart Apache after making these changes to apply them.

    Save and exit, then restart Apache:

    $ sudo systemctl restart apache2
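
An added audit script (my example, not from the guide) that checks the step 10 hardening from both sides: the effective directive values across the configuration files in include order, where Apache takes the last occurrence of a directive and on Ubuntu conf-enabled/security.conf, which apache2.conf includes after its own body, sets ServerTokens OS and ServerSignature On, and the response headers the server actually sends, which also only appear once mod_headers is enabled (sudo a2enmod headers). It assumes the response was saved with curl -sI (curl is not a tool the guide uses) and runs on constructed sample files so it works offline; X-XSS-Protection is checked only because the guide sets it, as current browsers no longer act on it.

```shell
# effective_value DIRECTIVE FILE... -> value of the last non-comment occurrence of
# DIRECTIVE across FILEs in the order given (names compared case-insensitively)
effective_value() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
    awk -v want="$want" '{ sub(/#.*/, "") }
        NF >= 2 && tolower($1) == want { val = $2 }
        END { if (val != "") print val }' "$@"
}

# header_value NAME < RESPONSE -> value of the first matching response header
header_value() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '{ sub(/\r$/, ""); i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == want { v = substr($0, i + 1); sub(/^ +/, "", v); print v; exit }'
}

# audit_config FILE... -> 0 only if the three step 10 directives are in effect
audit_config() {
    rc=0
    for pair in TraceEnable=Off ServerTokens=Prod ServerSignature=Off; do
        got=$(effective_value "${pair%%=*}" "$@" | tr 'A-Z' 'a-z')
        [ "$got" = "$(printf '%s' "${pair#*=}" | tr 'A-Z' 'a-z')" ] || { echo "MISSING ${pair%%=*}: effective value '${got:-unset}'"; rc=1; }
    done
    return $rc
}

# audit_response FILE -> 0 only if the headers are set and Server carries no version
audit_response() {
    rc=0
    for pair in "X-Content-Type-Options=nosniff" "X-Frame-Options=SAMEORIGIN" "X-XSS-Protection=1; mode=block"; do
        got=$(header_value "${pair%%=*}" < "$1")
        [ "$got" = "${pair#*=}" ] || { echo "MISSING ${pair%%=*}: got '${got:-none}'"; rc=1; }
    done
    case $(header_value Server < "$1") in
        *[0-9]*) echo "LEAK: Server header still reveals a version (ServerTokens Prod not in effect)"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: apache2.conf with the guide's lines added near the top, the
# security.conf Ubuntu ships (included after them, so its values win), and a
# response captured before mod_headers/ServerTokens took effect (version is made up).
main=$(mktemp); sec=$(mktemp); resp=$(mktemp)
printf 'TraceEnable Off\nServerTokens Prod\nServerSignature Off\nIncludeOptional conf-enabled/*.conf\n' > "$main"
printf '# Ubuntu default security.conf\nServerTokens OS\nServerSignature On\nTraceEnable Off\n' > "$sec"
printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.58 (Ubuntu)\r\nX-Content-Type-Options: nosniff\r\nX-XSS-Protection: 1; mode=block\r\n\r\n' > "$resp"
audit_config "$main" "$sec" || echo "config NOT hardened: a later included file overrides apache2.conf"
audit_response "$resp" || echo "response NOT hardened"
rm -f "$main" "$sec" "$resp"
```

Point audit_config at every file Apache reads, in the order apache2.conf includes them, or simply edit security.conf itself; a passing audit_response against the live site confirms the whole chain (directive, include order, mod_headers, restart) actually took effect.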
    

Conclusion

By following these steps, you have successfully set up a secure Apache server on Ubuntu 24.04. This setup provides a solid foundation for hosting your website, ensuring both functionality and security. Remember to keep your server updated and periodically review your security settings to maintain a robust and secure web presence.


