Getting Started with Apache
Install Apache
apt install apache2Generating SSL/TLS Certificates
Downloading Certbot
To begin, we will install certbot, a simple script that automatically renews our certificates and allows much easier creation of them. The command below is for Ubuntu distributions, but you can always check Certbot’s Official Website for installation instructions. We have also included a command below to install certbot’s Apache plugin so you won’t have to stop your webserver.
apt update
apt install -y certbot python3-certbot-apacheCompleting the HTTP Challenge
- Make sure you have port 80 open on your firewall
- Request a certificate from Let’s Encrypt, you should replace example.comwith the domain you would like to generate a certificate for.
certbot certonly --apache -d example.comAutomatically Renewing SSL/TLS certificates
- Install crontab:
apt install cron- Create a crontab rule for the automatic renewal:
(crontab -l ; echo "0 23 * * * certbot renew --quiet --deploy-hook \"systemctl restart apache2\"")| crontab -Webserver Configuration
Remove the default configuration:
a2dissite 000-default.conf- Create a new Apache site configuration like website.confin/etc/apache2/sitesites-availableusing a text editor like nano or vim.
- Paste the text below into the file, replacing <domain>with your domain:
website.conf
<VirtualHost *:80>
  ServerName <domain>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/whmcs
  Options -Indexes
 
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
 
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>
 
<VirtualHost *:443>
  ServerName <domain>
  ServerAdmin webmaster@localhost
  DocumentRoot /var/www/html
  Options -Indexes
 
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
 
  # SSL Configuration
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/<domain>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<domain>/privkey.pem
 
  # Security Headers
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-XSS-Protection "1; mode=block"
  Header always set X-Robots-Tag "none"
  Header always set Content-Security-Policy "frame-ancestors 'self'"
  Header always set X-Frame-Options "DENY"
  Header always set Referrer-Policy "same-origin"
  Header always set Permissions-Policy "accelerometer=(), camera=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), usb=()"
</VirtualHost>Link Config and Restart Apache
Enable your new Apache website configuration and required modules:
ln -s /etc/apache2/sites-available/website.conf /etc/apache2/sites-enabled/website.conf
a2enmod rewrite
a2enmod ssl
systemctl restart apache2