Apache Virtual Hosts are great because they let you host multiple websites on the same server. The public IP address can also be re-used – Apache knows, based on the HTTP host header, which website to show.

But have you considered this scenario? website1.com gets compromised and some malicious person has access to the server. What can they do? Most certainly they have access to every other website on the server because, by default, every Virtual Host runs under the same user www-data. Fortunately, there is a module that allows us to use different users for every Apache2 Virtual Host called apache2-mpm-itk.

It is very easy to install:

apt-get install libapache2-mpm-itk

a2enmod mpm_itk

If you face any issues, disable mpm-prefork and try enabling mpm_itk again.

a2dismod mpm_prefork

Now, in the Virtual Host config file, insert these lines (user www-site1 and group www-site1):

<IfModule mpm_itk_module>
AssignUserId www-site1 www-site1
</IfModule>

The user could be added with useradd:

useradd www-site1

Lastly, give owner rights to the new user and no one else.

chown www-site1:www-site1 -R /var/www/site1

Or even better, give the www-site user write rights on the upload folder. Everything else is readable only.

find /var/www/site1/ -type d -exec chmod 0755 {} \; #Change directory permissions rwxr-xr-x

find /var/www/site1/ -type f -exec chmod 0644 {} \; #Change file permissions rwxr-xr-x

chown ajni:ajni -R /var/www/site1/ # Let your useraccount be owner

chown www-site1:www-site1 -R /var/www/site1/uploads/ #Let apache be owner of upload folder

Oh yeah. Don’t forget to restart apache:

service apache2 restart

References:

https://cloudkul.com/blog/apache-virtual-hosting-with-different-users/

Today I got a new Linux VPS, therefore I decided to show you all the steps I took to migrate to my WordPress site to the new server.

So let’s get started.

Firstly, it is always good practice to update the OS.

apt update

apt upgrade

Install apache2

apt install apache2

Install php7.3. By default, version 7.3 will not be detected. The repository PPA must be added. You might need the first command if the “add-apt-repository” is not available.

apt install software-properties-common

add-apt-repository ppa:ondrej/apache2

apt-get install php7.3

You should see the Apache2 default site if you enter the IP address in your browser:

Now enable the MySQL extension in the PHP config file:

nano /etc/php/7.3/apache2/php.ini

Remove the comment (semicolon) at extension=pdo_mysql. You can search with CTRL+W in Nano GNU editor.

CTRL+X saves the file.

Now install php7.3-mysql

apt-get install php7.3-mysql

The root directory of your WordPress files can be created:

mkdir -p /var/www/website

Make a config file for Apache2 from the default config.

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/website.conf

Change the config file. ServerName and ServerAlias should be your site name along with the DocumentRoot.

I use https exclusively, check my tutorial if you want to know how it is done (I highly recommend using https): https://www.ajni.it/2019/06/claiming-a-free-ssl-certificate-for-your-website/

nano /etc/apache2/sites-available/website.conf

Enable the site:

a2ensite website.conf

Reload the service like advised.

service apache2 reload

Download the latest WordPress version from https://wordpress.org/latest.tar.gz.

Since I am doing a migration, I just unzipped the files from my backup.

cd /var/www/website

wget https://wordpress.org/latest.tar.gz -O wordpress.tar.zip && tar -xzvf wordpress.tar.zip

mv wordpress/* .

Install MySQL server

apt-get install mysql-server

Now create a new database and a user in MySQL. As root you don’t have to enter a password.

mysql -u root -p

CREATE DATABASE wordpress;

CREATE USER ‘someusername’@’localhost’ IDENTIFIED BY ‘somepassword’;

GRANT ALL PRIVILEGES ON wordpress . * TO ‘someusername’@’localhost’;

I have to import the WordPress database from backup:

mysql -u root -D wordpress < db_20-05-2020.db

exit

Now you can access the WordPress through a browser, you will be asked to enter a site name, username with a password, etc.

You might also need to enable URL rewriting for Permalinks.

a2enmod rewrite

Disabling the default site is also a good idea

a2dissite 000-default.conf

There are some other important things you should enable in order to secure your server properly.

nano /etc/apache2/apache2.conf

These lines will not advertise the Apache2 version, enforce TLS 1.2 and strong ciphers, while unsafe ones (like MD5) are discarded.

ServerTokens Prod

SSLProtocol TLSv1.2

SSLHonorCipherOrder On

SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS:!AESCCM

service apache2 restart

That’s it. If you have questions, just comment down here!

Today my free SSL certificate expired, so I decided I could guide you to claim yours as well.

You will generate a Certificate Signing Request (CSR) on your local machine (I have a Linux VM hosting my site on Apache2), send the request to www.sslforfree.com and after that download your new signed certificate.

The process of obtaining a certificate is very simple and painless, however there is a catch: these kinds of certificates usually have a validity period of 4 months. Which means you have to renew it every so often.

Like mine here:

So let’s get started.

Generating your Certificate Signing request with openssl

First of all, you will need a config file, which contains all of the certificate’s attributes. Mine is named ajni.conf. Here is the content of the config file. I have highlighted the attributes you need to adapt based on your environment.

[ REQ ]
default_bits = 2048
prompt = no
encrypt_key = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[ DN ]
CN = ajni.it #Common Name
emailAddress = ajnik@outlook.com
O = Non Profit #Organization
OU = Ajni #Organizational Unit
L = Meran #Locality
ST = Suedtirol #State
C = IT #Country
[ REQ_EXT ]
subjectAltName = DNS: www.ajni.it, DNS: ajni.it

Now that you have a config file, you can execute the openssl command to generate a CSR. Once again, I have marked the variables.

openssl req -new -config ajni.conf -keyout ajni_key.pem -out ajni.csr

Copy the content of your CSR (in my case ajni.csr) somewhere for later use. The string should have the following format

—–BEGIN CERTIFICATE REQUEST—-
dUKFAPtXm076zSFdoriy4v7p1Xa4N9nteRxkbi66bK0GqsqoeoUMprOOoOLMwzPOlvkLS0= dUKFAPtXm076zSFdoriy4v7p1Xa4N9nteRxkbi66bK0GqsqoeoUMprOOoOLMwzPOlvkLS0=
—–END CERTIFICATE REQUEST—–

Send your CSR to SSLforFree.com

Go to www.sslforfree.com, insert your domain name and hit Create Free SSL Certificate

You have 3 options to prove to SSLforFree that the domain belongs to you:

I chose to use the DNS verification (option 3). You will need to create 2 TXT records on your domain (for domain.it and for www.domain.it).

Once you have added both TXT records you can proceed to download the certificate. Select “I Have My Own CSR”, since you created one with openssl. It is, from a security standpoint, safer than letting SSLforFree create a private key for you.

Note that DNS records can take some time to replicate, so you might need to wait a few minutes before downloading the certificate.

You can verify the records at https://mxtoolbox.com/SuperTool.aspx.
The verify link on www.sslforfree.com didn’t always work for me.

Now copy the content of the public certificate itself and the CA Bundle (which contains the Root and Intermediate Certificate).
You will need them in order for the browser to trust your site/certificate.

Create 2 more text files, each containing the content of the 2 certificates. The files need a .pem extension:

Modify your Apache2 config file

At this point you have 3 files in total: your public certificate, your private certificate and your CA certificate. Now change the config file of your apache virtual site under /etc/apache2/sites-enabled/domain.conf or default-ssl.conf.

The relevant parameters are SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. Set the path of your files. For example, /etc/apache2/cert.pem. You might need to enable the SSL apache2 module.

The www-data user needs read permission on those files.

a2enmod ssl

Restart Apache2

Lastly, restart the apache2 service

service apache2 restart

One browser refresh and my site has already the new certificate:

If you have any questions feel free to comment down there, I will happily assist you.

Cheers!