LAMP Stack: Run a web server on Debian Etch
Written by Administrator   
Monday, 23 July 2007 11:25
Setting up a LAMP stack on Debian is "wicked easy". In this tutorial I dispense with the usual blah, blah, blah and get right to the meat. Also, we'll be setting up SSL so we'll have encryption, and we'll be using different rules for the way our port 80 virtual server works as well as port 443. Maintaining the tradition of tutorials here at "debtoots", I do bounce around a bit, forcing you to read the whole tutorial first (I'm cool like that). You could have a web server running in as little as 15 minutes, and most of that is typing time or downloading time. Check this for a simple local web server.

WARNING:

As a commenter has pointed out, this tutorial leaves a little up to you to figure out. If you have zero knowledge then you might want to seek assistance elsewhere. I will be writing a more detailed tutorial very soon that will endeavor to explain more about DNS and I'll add more on security.

We'll be doing everything from the command line in this tutorial because it's so quick and easy this way. If you need to install Etch first, go ahead, I'll wait the 10 minutes. Keep it simple, don't install anything but the base system. Don't forget to have your /etc/apt/sources.list repos all set. I like to add the mod-security repo to my sources.list file...because I use it. You should, too. Add the following repository to your list:
deb http://etc.inittab.org/~agi/debian/libapache-mod-security/etch ./ (don't worry about the key warning)

My web server doubles as an NFS server as well and is pretty bare. No audio, no nvidia setup, no desktop. Just a plain server box serving stuff up on my LAN. Let's begin.

Everyone should be at the root terminal right now...You are either working on your server box directly or you are ssh'd in.

#apt-get update

I like to install all the LAMP components in a certain order. First up: MySQL

#apt-get install mysql-server mysql-client libmysqlclient15-dev

Immediately following the MySQL install you need to set a password.

#mysqladmin -u root password <PASSWORD>

Next up comes Apache2

#apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert

See how easy? Finally we install php5

#apt-get install libapache2-mod-php5 php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-mcrypt php5-mysql php5-ps php5-pspell php5-recode php5-xsl

Now, there are all kinds of crazy things that you can install to make php do marvelous things. The above list is pretty complete, but if you know that you need something else, have at it.

You know what? While we're at it, how 'bout we go ahead and install phpmyadmin as well. It does make things easier -- although I get a certain sense of "that's cool" when running MySQL from the command line. All 3 things that I know -- LOL.

#apt-get install phpmyadmin

I like to install a couple more things as well.

#apt-get install munin munin-node webalizer apachetop

Munin has nothing to do with Apache per se, it monitors the machine. Feel free to install your favorites, they are probably in Debian repos anyway.

After we've got everything installed (which was cake, wasn't it?) we can now start configuring the components. MySQL is all set as is. However if you know that you need to mod my.cnf then go ahead. Like, for allowing MySQL to listen on all addresses. What I do first is allow php to work with MySQL.

#nano /etc/php5/apache2/php.ini

ctrl+w in nano will search, so go ahead and search for "mysql". You'll find the following

; Example lines:

;extension=mysql.so
;extension=gd.so

Those semi-colons are comments so go ahead and delete them, both - from the gd line as well. Save and close nano but don't restart Apache2 just yet. We need to do a little more tweaking.

READ: you don't have to do this. Your server is set up now and is ready for use. If you're just playing with a web server for the first time and serving up a site to your machine only or maybe a document repository on your local network, then you can leave the rest of this tutorial alone and run

#/etc/init.d/apache2 restart

right now. Otherwise...

On to Apache2. As I wrote earlier we'll be using different rules for how regular sites work (http - port 80) and how encrypted sites (https - port 443) work. This means minimal changes to apache2.conf and instead we set up rules for virtual servers in a different file. Security wise it's a good idea not to give too much information away about the software that you're running. It's pretty easy to narrow exploits or attack vectors when a bad-guy knows what versions of software you are running. So we hide that. Go ahead and

#nano /etc/apache2/apache2.conf

We're only changing 1 thing here, so ctrl+w to search for it. Find ServerTokens. You'll see that it reads

ServerTokens Full

Change the full to Prod. Save and close the file. We are going to turn off Server Signature as well, but this is done elsewhere.
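
To confirm the change took effect after a restart, look at the Server: header your own server sends back. The following is an added example, not part of the original tutorial: it infers the effective ServerTokens level from a header value, and the sample headers and version numbers in the usage below are constructed.

```python
import re

# Apache product token, optional version, optional "(OS)", then any module tokens
_SERVER_RE = re.compile(
    r"^Apache(?=[/\s]|$)(?:/(\d+(?:\.\d+)*))?(?:\s+\(([^)]*)\))?(.*)$"
)

def server_tokens_level(header_value):
    """Return (level, extra_tokens) inferred from a Server: header value.

    level is Prod, Major, Minor, Min, OS or Full, or None if the value
    does not come from Apache httpd.
    """
    m = _SERVER_RE.match(header_value.strip())
    if not m:
        return None, []
    version, os_name, rest = m.groups()
    extras = rest.split()          # e.g. PHP/x.y, mod_ssl/x.y, OpenSSL/x.y
    if extras:
        return "Full", extras
    if os_name is not None:
        return "OS", []
    if version is None:
        return "Prod", []
    # Count version components: 2 -> Major, 2.2 -> Minor, 2.2.0 -> Min
    return {0: "Major", 1: "Minor"}.get(version.count("."), "Min"), []

def discloses_version(header_value):
    """True when the header gives away more than the bare product name."""
    level, _ = server_tokens_level(header_value)
    return level not in (None, "Prod")

if __name__ == "__main__":
    # Constructed sample values, not captured from a real server
    for value in ("Apache/2.2.0 (Debian) PHP/5.0.0 mod_ssl/2.2.0", "Apache"):
        print(f"{value!r:50} -> {server_tokens_level(value)}")
```

With ServerTokens Prod in place the header should come back as the bare word Apache, which this reports as level Prod.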

Now we'll tell Apache to listen on port 443 (encryption) in addition to port 80.

#nano /etc/apache2/ports.conf

See how it reads Listen 80? Add Listen 443 beneath that line, save and close the file.

Let's go ahead and create a security certificate for your server now. This is a piece of cake on your Linux machine.

#openssl req -new -x509 -days 365 -nodes -out /etc/apache2/sitecert.pem -keyout /etc/apache2/sitecert.pem

You can call your certificate whatever you like. I just use "sitecert".

Following, let's protect that certificate...

#chmod 600 /etc/apache2/sitecert.pem

We're almost finished. I mentioned earlier that I set up different rules for how my regular sites and encrypted ones work. This is done in /etc/apache2/sites-enabled/000-default. Apache2 has a function server-status that I like to use, but only on my machine on my LAN, and only encrypted (originally just for this exercise). I allow this in the virtual server settings for my encrypted sites. I also have slightly different rules for what I allow on my regular sites -- port 80. See the following contents of my 000-default file.

NameVirtualHost *:80
<VirtualHost *:80>
        ServerAdmin root@localhost
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
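                # Mind the mask: 192.168.0.1/8 would match every 192.x.x.x address,
                # not just the LAN. Use your own LAN subnet here.
                allow from 192.168.0.0/24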
                # This directive allows us to have apache2's default start page
                # in /apache2-default/, but still have / go to the right place
                RedirectMatch ^/$ /apache2-default/
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature Off
        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
                Options Indexes MultiViews FollowSymLinks
                AllowOverride None
                Order deny,allow
                Deny from all
                Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
</VirtualHost>

NameVirtualHost *:443
ServerSignature Off
ExtendedStatus On
<VirtualHost *:443>
        ServerAdmin root@localhost
        SSLEngine on
        SSLCertificateFile /etc/apache2/sitecert.pem
        DocumentRoot /var/www/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
                RedirectMatch ^/$ /apache2-default/
        </Directory>
        <Location /server-status>
                SetHandler server-status
                # With "Order deny,allow" the default is to allow, so deny
                # everyone first and then let the listed hosts back in
                Order deny,allow
                Deny from all
                Allow from crumbly.home.org
                Allow from 192.168.0.102
                Allow from 192.168.0.103
        </Location>
</VirtualHost>
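
How Apache 2.2 reaches a decision on Order/Allow/Deny blocks like the ones in this file, as an added example that is not part of the original tutorial. It models only IP and CIDR arguments (not hostnames such as crumbly.home.org), and the outside client addresses are constructed test values from the documentation ranges.

```python
import ipaddress

def matches(spec, client):
    """True if one Allow/Deny argument ("all", an IP or a CIDR) covers client."""
    if spec.lower() == "all":
        return True
    # strict=False drops the host bits, as Apache does: 192.168.0.1/8 -> 192.0.0.0/8
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def evaluate(order, allow, deny, client):
    """Apache 2.2 Order/Allow/Deny decision for one client IP (True = served)."""
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        return allowed and not denied   # default deny: needs an Allow match
    if order == "deny,allow":
        return allowed or not denied    # default allow: refused only by a Deny
    raise ValueError("unknown Order: " + order)

# Constructed clients: one LAN host from the config, two documentation-range
# addresses standing in for machines out on the Internet.
LAN, OUTSIDE_192, OUTSIDE = "192.168.0.102", "192.0.2.10", "203.0.113.7"
STATUS_HOSTS = ["192.168.0.102", "192.168.0.103"]

def demo():
    """Decisions for the mask and server-status cases discussed in the text."""
    return {
        "/8 mask, outside 192.x client":
            evaluate("allow,deny", ["192.168.0.1/8"], [], OUTSIDE_192),
        "/24 mask, outside 192.x client":
            evaluate("allow,deny", ["192.168.0.0/24"], [], OUTSIDE_192),
        "/24 mask, LAN client":
            evaluate("allow,deny", ["192.168.0.0/24"], [], LAN),
        "status, no Deny line, outside client":
            evaluate("deny,allow", STATUS_HOSTS, [], OUTSIDE),
        "status, Deny from all, outside client":
            evaluate("deny,allow", STATUS_HOSTS, ["all"], OUTSIDE),
        "status, Deny from all, LAN client":
            evaluate("deny,allow", STATUS_HOSTS, ["all"], LAN),
    }

if __name__ == "__main__":
    for case, served in demo().items():
        print(f"{case:40} {'served' if served else 'refused'}")
```

The two cases to watch are the /8 mask and the Order deny,allow block with no Deny line: both serve a client that is not on the LAN.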

Some of you may be able to tell from this configuration that I allow .htaccess overrides on my port 80 sites and not on my port 443 sites. I do this so I can enable SEO, or, URLs without special characters. You can see that I allow overrides to all computers on my LAN. Apache uses mod_rewrite for this and since we're at this point, basically finished, we can enable the mods that we want running in Apache.

#a2enmod suexec
#a2enmod rewrite
#a2enmod include
#a2enmod ssl

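If you want to use server-status like I do, the module behind it is mod_status (mod_info is the one that serves the separate server-info page), so make sure it's enabled:

#a2enmod status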

You can disable mods just as easily: a2dismod.

Go ahead and make your modifications to the 000-default file. Save and close the file.

Now you can

#/etc/init.d/apache2 force-reload

Visit your server now: if on your regular machine, just point your browser to http://127.0.0.1 and you'll see a default Apache page. If you set this machine up as a web server for your LAN, then pick a machine on your LAN and go to your new server install - http://server.domain.

You can read up on how I try to scare people away from starting websites at my friend's Xmodfree Forum here. I don't really try to scare potential web site owners away so much as give them some cold-hard-facts. In my regular crotchety manner.

--machiner 12 may 07, finally published 23 July 2007

Last Updated on Sunday, 09 March 2008 04:11