This document describes the creation of this system and the initial Apache setup.

Target Architecture

This system is created with the following target architecture in mind:

Jezus lives!

Creating the System

Create the system, either a VM in a hypervisor of your liking or in a cloud environment.
If installing from the CDROM:

Create an admin user

If not installed from CDROM, you may need to create an admin user:
useradd -m -s /bin/bash <user>
usermod -aG sudo <user>
Then create ~<user>/.ssh/authorized_keys and set its ownership:
chown -R <user>:<user> ~<user>/.ssh

Update the system

To update the system run:
sudo apt update
sudo apt upgrade
sudo shutdown -r now

Set DNS Server

For some obscure reason I trust 1.1.1.1 (Cloudflare, https://1.1.1.1/) as DNS server. On Ubuntu 22.04 running netplan you can change DNS using the following steps:
sudo vi /etc/netplan/50-cloud-init.yaml
Change the following lines:
nameservers:
 addresses:
  - 1.1.1.1
  - 1.0.0.1
and restart netplan to apply the changes:
sudo netplan apply

Set correct timezone

To set the correct timezone for the system run:
timedatectl list-timezones
And in my case:
sudo timedatectl set-timezone Europe/Amsterdam

Enable the Firewall

A system connected to the internet should always run a firewall. On Ubuntu this can be done with:
sudo ufw status
sudo ufw app list
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status
Output should be like this:
<user>@<hostname>:~$ sudo ufw status
Status: inactive
<user>@<hostname>:~$ sudo ufw app list
Available applications:
  OpenSSH
<user>@<hostname>:~$ sudo ufw allow OpenSSH
Rules updated
Rules updated (v6)
<user>@<hostname>:~$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
<user>@<hostname>:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

The firewall now only allows ssh.

Install tinyproxy (if you want this system to function as a proxy)

In order to use the system as a proxy install and configure tinyproxy:
sudo apt update
sudo apt upgrade
sudo ufw allow 8888
sudo apt install tinyproxy
sudo touch /var/log/tinyproxy/tinyproxy.log
sudo chown tinyproxy:tinyproxy  /var/log/tinyproxy/tinyproxy.log

Configure tinyproxy

Add the IP addresses of systems you want to make use of the proxy to /etc/tinyproxy/tinyproxy.conf:
sudo vi /etc/tinyproxy/tinyproxy.conf
Add lines like:
Allow 198.35.34.96
And restart tinyproxy:
sudo systemctl restart tinyproxy.service
sudo systemctl status tinyproxy.service
Status should look like:
 <user>@<hostname>:~$ sudo systemctl status tinyproxy.service                     
 ● tinyproxy.service - Tinyproxy lightweight HTTP Proxy
     Loaded: loaded (/lib/systemd/system/tinyproxy.service; enabled; vendor pre>
     Active: active (running) since Thu 2022-07-14 12:44:52 UTC; 6s ago
       Docs: man:tinyproxy(8)
             man:tinyproxy.conf(5)
    Process: 2523 ExecStart=/usr/bin/tinyproxy $FLAGS (code=exited, status=0/SU>
   Main PID: 2525 (tinyproxy)
      Tasks: 1 (limit: 956)
     Memory: 1.1M
        CPU: 6ms
     CGroup: /system.slice/tinyproxy.service
             └─2525 /usr/bin/tinyproxy

Jul 14 12:44:52 t2202 systemd[1]: Starting Tinyproxy lightweight HTTP Proxy...
Jul 14 12:44:52 t2202 systemd[1]: tinyproxy.service: Can't open PID file /run/tinyproxy/tinyproxy.pid (yet?) after start: Operation not permitted
Jul 14 12:44:52 t2202 systemd[1]: Started Tinyproxy lightweight HTTP Proxy.
(I do not care about the message 'tinyproxy.service: Can't open PID file /run/tinyproxy/tinyproxy.pid' as long as the proxy works...)
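
'sudo ufw allow 8888' opens the proxy port to every source address, so the Allow lines in tinyproxy.conf are the only thing restricting who can use the proxy. The following is an added example, not part of the original page: it derives per-source ufw rules from those Allow lines so that the firewall enforces the same list. The helper names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. It only prints ufw commands for
# review; it does not change the firewall. Helper names are constructed.

# Print one ufw rule per address found on an "Allow" line of the tinyproxy
# configuration file $1, for proxy port $2 (default 8888).
ufw_rules_from_tinyproxy() {
    awk -v port="${2:-8888}" '
        function rule(src) {
            return "ufw allow from " src " to any port " port " proto tcp"
        }
        $1 != "Allow" || NF < 2 { next }   # comments and other directives
        {
            src = $2
            if (src ~ /^127\./ || src == "::1")
                print "# skipped (loopback): " src
            else if (src ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/)
                print rule(src)            # IPv4 address or network
            else if (src ~ /^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*(\/[0-9]+)?$/)
                print rule(src)            # IPv6 address or network
            else
                print "# skipped (not an address): " src
        }' "$1"
}

# Constructed sample configuration so the example runs stand-alone.
sample_conf() {
    cat << 'EOF'
Port 8888
# Allow 10.0.0.0/8
Allow 127.0.0.1
Allow ::1
Allow 198.35.34.96
Allow proxyclient.example.org
EOF
}

demo() {
    tmp=$(mktemp)
    sample_conf > "$tmp"
    ufw_rules_from_tinyproxy "$tmp" 8888
    # Retire the open rule only after the per-source rules are in place.
    echo "ufw delete allow 8888"
    rm -f "$tmp"
}

demo
```

Review the printed commands and run them with sudo; 'sudo ufw status' should then list port 8888 only with the client addresses in the From column.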

Install and configure Apache2

Install apache2 and configure the firewall:
sudo apt install apache2
sudo ufw app list
sudo ufw allow 'Apache Full'
systemctl status apache2
Apache2 status should look like:
<user>@<hostname>:~$ sudo systemctl status apache2
● apache2.service - The Apache HTTP Server
     Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor prese>
     Active: active (running) since Thu 2022-07-14 11:27:14 UTC; 1h 7min ago
       Docs: https://httpd.apache.org/docs/2.4/
   Main PID: 1749 (apache2)
      Tasks: 55 (limit: 956)
     Memory: 5.4M
        CPU: 268ms
     CGroup: /system.slice/apache2.service
             ├─1749 /usr/sbin/apache2 -k start
             ├─1751 /usr/sbin/apache2 -k start
             └─1752 /usr/sbin/apache2 -k start
The ufw application list should now look like:
<user>@<hostname>:~$ sudo ufw app list
Available applications:
  Apache
  Apache Secure
  OpenSSH
Append a ServerName to /etc/apache2/apache2.conf:
# ServerName
ServerName <hostname>
Disable directory listings:
sudo a2dismod --force autoindex
That should look like:
sudo a2dismod --force autoindex
Module autoindex disabled.
To activate the new configuration, you need to run:
  systemctl restart apache2
Restart:
sudo systemctl restart apache2
Within Apache create a virtual domain:
sudo mkdir /var/www/<YOUR_DOMAIN>
sudo chown -R $USER:$USER /var/www/<YOUR_DOMAIN>
sudo chmod -R 755 /var/www/<YOUR_DOMAIN>
Create a test index.html for this domain:
  
cat << EOT > /var/www/<YOUR_DOMAIN>/index.html
<html>
    <head>
        <title>Welcome to <YOUR_DOMAIN>!</title>
    </head>
    <body>
        <h1>Success!  The <YOUR_DOMAIN> virtual host is working!</h1>
    </body>
</html>
EOT
Configure the domain:
cat << 'EOT' > /tmp/<YOUR_DOMAIN>.conf
<VirtualHost *:80>
    ServerAdmin <YOUR_MAIL>
    ServerName <YOUR_DOMAIN>
    ServerAlias www.<YOUR_DOMAIN>
    DocumentRoot /var/www/<YOUR_DOMAIN>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOT
sudo mv /tmp/<YOUR_DOMAIN>.conf /etc/apache2/sites-available/
(With sudo, the redirection of a 'here document' is still performed by your own unprivileged shell, so this takes 2 steps.)
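
Whether the delimiter of the here document is quoted decides if ${APACHE_LOG_DIR} reaches the virtual host file literally or is expanded (to nothing) by the shell that writes it. The following is an added example, not part of the original page, that shows both outcomes and a check for the damaged result; the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are constructed.

# Unquoted delimiter: the shell expands ${APACHE_LOG_DIR} while writing the
# file. The variable is not set in an ordinary login shell, so it becomes "".
render_unquoted() (
    unset APACHE_LOG_DIR
    cat << EOT
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
EOT
)

# Quoted delimiter: the body is written verbatim, leaving the variable for
# Apache to resolve when it reads the configuration.
render_quoted() {
    cat << 'EOT'
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
EOT
}

# Return 0 when no ErrorLog/CustomLog directive in file $1 points at a file
# directly under "/", the symptom of a variable that was expanded to nothing.
log_paths_intact() {
    ! grep -Eq '^[[:space:]]*(ErrorLog|CustomLog)[[:space:]]+/[^/[:space:]]+([[:space:]]|$)' "$1"
}

demo() {
    tmp=$(mktemp)
    for variant in render_unquoted render_quoted; do
        "$variant" > "$tmp"
        if log_paths_intact "$tmp"; then verdict="ok"; else verdict="log path lost"; fi
        echo "$variant: $verdict"
        cat "$tmp"
    done
    rm -f "$tmp"
}

demo
```

Running 'sudo apache2ctl configtest' after installing the file confirms that Apache accepts the result.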
Enable the domain:
sudo a2ensite <YOUR_DOMAIN>
That should look like:
<user>@<hostname>:~$ sudo a2ensite <YOUR_DOMAIN>
Enabling site <YOUR_DOMAIN>.
To activate the new configuration, you need to run:
  systemctl reload apache2
Now disable the default site and reload Apache2:
sudo a2dissite 000-default.conf
sudo systemctl reload apache2
Test using a browser or by running:
curl http://127.0.0.1:80
The curl should return the index page.

Enable Apache as a reverse proxy

Enable mod_proxy on Apache2:
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo systemctl restart apache2

Setup https using Let’s Encrypt

A requirement for using Let's Encrypt HTTPS is that your system name is resolvable in public DNS.
Follow the steps described here at letsencrypt:
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
sudo certbot --apache
Your website should now be configured for https.

Setup HTTP/2

Enable the HTTP/2 module:
sudo a2enmod http2
This will result in:
Enabling module http2.
To activate the new configuration, you need to run:
  systemctl restart apache2
Edit your domain's SSL virtual host file; if you used Let's Encrypt it will be named /etc/apache2/sites-enabled/<YOUR_DOMAIN>-le-ssl.conf.
Add a line 'Protocols h2 http/1.1' immediately after the line ''.
Then restart Apache:
sudo systemctl restart apache2
The proper functioning of HTTP/2 can be checked using 'curl':
curl -I --http2 https://<YOUR_DOMAIN>/index.html
That should show something like:
HTTP/2 200
last-modified: Mon, 06 Feb 2023 16:03:45 GMT
etag: "11c8-5f40a2cfab9f6"
accept-ranges: bytes
content-length: 4552
vary: Accept-Encoding
access-control-allow-origin: *
access-control-allow-methods: POST, GET
access-control-allow-headers: Content-Type,X-Requested-With,Accept,Authorization,Origin,Access-Control-Request-Method,Access-Control-Request-Headers
content-type: text/html
date: Fri, 10 Mar 2023 22:47:05 GMT
server: Apache/2.4.52 (Ubuntu)

Enable and configure sysstat

Sysstat is a utility that includes a number of useful programs for monitoring system resources, performance, et cetera. It contains 'sar' (system activity reporter) that gathers and keeps performance and activity data. Install:
sudo apt install sysstat
Enable sar by setting "ENABLED" to 'true' in /etc/default/sysstat and enabling and starting data collection:
sudo systemctl enable sysstat
sudo systemctl start sysstat
The 'sar' command (please read the man pages) will allow you to gain insight into system performance, like CPU usage from the 21st:
sar -f /var/log/sysstat/sa26
.
.
21:00:00        CPU     %user     %nice   %system   %iowait    %steal     %idle
.
.
23:20:00        all      1.03      0.00      0.32      1.23      0.02     97.40
23:30:00        all     18.85      0.00     16.59      1.34      0.03     63.19
23:40:00        all     19.95      0.00     20.78      0.96      0.03     58.28
23:50:00        all     16.13      0.00     15.68      0.96      0.03     67.20
Average:        all      0.53      0.01      0.47      0.39      0.01     98.58

Some links:

Initial Server Setup with Ubuntu 20.04 By Brian Boucheron
How To Install the Apache Web Server on Ubuntu 20.04 By Erin Glass
How To Use Apache as a Reverse Proxy with mod_proxy on Ubuntu 16.04 By Mateusz Papiernik
Information on 'sysstat'
Information on HTTP/1.1 vs HTTP/2