Website Configuration Reference: Difference between revisions

From Sympl Wiki
Jump to navigation Jump to search
No edit summary
Tag: visualeditor-wikitext
Tag: visualeditor
Line 149: Line 149:
!File or Directory
!File or Directory
!Used For
!Used For
!
|-
|-
|<code>.../config/ip</code>
|<code>.../config/ip</code>
|Contains a list of IP addresses which a website will be bound to. Defaults to the primary IPs (IPv4 and IPv6) of your server.
|Contains a list of IP addresses which a website will be bound to. Defaults to the primary IPs (IPv4 and IPv6) of your server.
|
|-
|-
| colspan="2" |
| colspan="2" |
|
|-
|-
|<code>.../config/ssl-only</code>
|<code>.../config/ssl-only</code>
|Redirects all non-HTTPS traffic for the site to HTTPS. [[Website Configuration Reference#Enforcing HTTPS|<small>''More...''</small>]]
|Redirects all non-HTTPS traffic for the site to HTTPS.  
|[[Website Configuration Reference#Enforcing HTTPS|<small>''More...''</small>]]
|-
|-
|<code>.../config/hsts</code>
|<code>.../config/hsts</code>
|Enables HSTS for HTTPS sites. <small>''[[Website Configuration Reference#HTTP Strict Transport Security (HSTS)|More...]]''</small>
|Enables HSTS for HTTPS sites.
|<small>''[[Website Configuration Reference#HTTP Strict Transport Security (HSTS)|More...]]''</small>
|-
|-
| colspan="2" |
| colspan="2" |
|
|-
|-
|<code>.../config/disable-php-security</code>
|<code>.../config/disable-php-security</code>
|Existence of this file will disable some of the PHP security functions in the automatically generated [[Apache]] configurations. ''<small>[[Website Configuration Reference#PHP Security|More...]]</small>''
|Existence of this file will disable some of the PHP security functions in the automatically generated [[Apache]] configurations.  
|''<small>[[Website Configuration Reference#PHP Security|More...]]</small>''
|-
|-
| colspan="2" |
| colspan="2" |
|
|-
|-
|<code>.../config/disable-filesystem-security</code>
|<code>.../config/disable-filesystem-security</code>
|Existence of this file will disable the automatic filesystem security tasks on this domain. ''<small>[[Website Configuration Reference#Filesystem Permissions|More...]]</small>''
|Existence of this file will disable the automatic filesystem security tasks on this domain.  
|''<small>[[Website Configuration Reference#Filesystem Permissions|More...]]</small>''
|-
|-
|<code>.../config/public-user</code>
|<code>.../config/public-user</code>
|UID or user name of the user to change ownership of the <code>public/</code> directory to. Defaults to www-data.
|UID or user name of the user to change ownership of the <code>public/</code> directory to. Defaults to www-data.
|''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|-
|-
|<code>.../config/public-group</code>
|<code>.../config/public-group</code>
|GID or group name of the user to change ownership of the <code>public/</code> directory to. Defaults to www-data.
|GID or group name of the user to change ownership of the <code>public/</code> directory to. Defaults to www-data.
|''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|-
|-
| colspan="2" |
| colspan="2" |
|
|-
|-
|<code>.../config/stats</code>
|<code>.../config/stats</code>
|This file enables automatic generation of [[Web Statistics|web stats]] with [[Webalizer]]. ''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|This file enables automatic generation of [[Web Statistics|web stats]] with [[Webalizer]]. ''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|-
|-
|<code>.../config/stats.htpasswd</code>
|<code>.../config/stats.htpasswd</code>
|A '[[htpasswd]]' format file used to access the [[Web Statistics|web stats]]. ''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|A '[[htpasswd]]' format file used to access the [[Web Statistics|web stats]].  
|''<small>[[Website Configuration Reference#Web Statistics|More...]]</small>''
|}<section end=config />
|}<section end=config />
   
   

Revision as of 08:47, 16 July 2019

This page is a detailed breakdown of all the configuration options and files available when configuring website hosting on Sympl.

As with all the other documentation here, the site example.com will used, and you should substitute this for your domain.

All configuration for this domain will be in the /srv/example.com/ directory.

Sympl uses the Apache web server, along with the relevant version of PHP for your version of Debian, along with the typical PHP extensions.

  • PHP 7.0 for Debian Stretch (Sympl 9.x)
  • PHP 7.3 for Debian Buster (Sympl 10.x)

Getting Started

The files for example.com are in the /srv/example.com/public/htdocs directory which is the site root.

  • If this directory doesn't exist, is empty, or has no index.php or index.html, the default page will be served, mentioning there is no content on the site.
  • The content in the directory will be served for both www.example.com and example.com, so theres no need to prefix the domain with www.
  • If you want to serve different content for www.example.com and example.com, you can create /srv/www.example.com as a separate directory.
  • Within an hour of the directory creation, a new configuration will automatically be created for Apache.

More detailed information about how Sympl serves content can be found at How Web Hosting Works on Sympl.

Testing Your Sites

New sites can be tested before they are made live using the 'testing' domains. If your hosting provider provides a wildcard DNS entry on your server pointing to its hostname (and the default site is set to match), then sites can be accessed via this method.

You can confirm if this is the case using dig or a similar tool - if your server is named server.example.host, if you run dig +short randomname.server.example.host and get a response with the server's IP address, then this is the case.

If so, you can access any of the sites via this method in the format <domain_directory>.testing.<server_hostname>, for example example.com.testing.server.example.host. Note that the www. should not be included in this case.

Note that this only applies to websites (not email, FTP and similar), and will not work fully in all instances, as some sites will redirect to their expected hostname or similar. If this is the case, you can test by editing your hosts file on your local computer.

Serving the Same Content on Multiple Domains.

In some cases you may want to accept traffic for and serve the same content for multiple domains, such as WordPress multi-site configurations.

Both of these assume you have the main site already configured and working.

Aliasing the Whole Domain

The most simple option is to alias the whole domain. This will result in the whole configuration including other services such as email, SSL certificates, and FTP sites all sharing the same domain.

To do this, you only need to create a symbolic link to the directory of the site you want to alias. Aliasing example.org (new domain) to example.com (existing domain) you would use

ln -s /srv/example.com /srv/example.org

Aliasing the Web Content Only

Slightly more complicated, but more flexible is to alias only the public/ or public/htdocs/ directory. This allows separate email, SSL certificates and individual, which don't reference the main domain. Some sites access content at the directory above htdocs/, in which case you should link at the public/ point, otherwise public/htdocs/ is usually preferable as it provides separate logging and allows individual FTP access.

In the examples below, example.com is the site which already exists, and example.org is the new domain.

Aliasing public/htdocs/ Only

mkdir -p /srv/example.org/public
ln -s /srv/example.com/public/htdocs /srv/example.org/public/htdocs

Aliassing public/ and Subdirectories

mkdir -p /srv/example.org
ln -s /srv/example.com/public /srv/example.org/public

Enforcing HTTPS

By default, Sympl will attempt to download a Let's Encrypt SSL certificate for each site automatically, and will then adjust the Apache configuration to enable it.

In many cases you will likely want to enforce HTTPS usage on a domain to ensure end-to-end security, and this can be done easily by creating the file /srv/example.com/config/ssl-only.

This change will take effect automatically within the next hour, but requires a working certificate.

HTTP Strict Transport Security (HSTS)

Once SSL has been enforced, you may also want to ensure users only ever access the site via HTTPS. This can be done by enabling HSTS, which instructs the users browser to only connect via HTTPS for the next six months.

You should ensure the site is working properly via HTTPS before enabling this function, but once done, create the file /srv/example.com/config/hsts and the configuration will be updated within the next hour.

Redirecting to a Preferred Domain

In the event you want to force all traffic to the same domain name, this can be done with an Apache rewrite. This this example, we want to ensure the domain being used is always www.example.com, preventing anyone from using example.com without the www..

To do this, you would create a file named .htaccess in the htdocs/ directory with this content:

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www.*$ [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=302,L]

What this set of rules do is:

  1. Enable the rewriting of content.
  2. If the hostname being used does not start with 'www.' (case insensitive)
  3. Temporarily redirect the request to the same hostname but with 'www.' added and don't process any rules.

Once this is working as expected, you can change the R=302 to R=301 to swap the temporary redirect to a permanent one which will be cached by the browser.

More information is available at Apache Rewrites.

PHP Security

By default, a number of rules are included in the Apache configuration which limit the access of sites running PHP, preventing a compromised site from accessing content outside the /srv/example.com/public/ directory, and setting both a domain specific temp directory and session directory as /srv/example.com/php_tmp/ and /srv/example.com/php_sessions/ respectively.

A default configuration is also in place for the ever-popular WordPress, which prevents PHP files from being accessed or executed from within the upload folder, which tend to be the source of most site compromises.

These restrictions can be disabled by creating the file /srv/example.com/config/disable-php-security, and running sudo sympl-web-configure.

PHP Lockdown

Also available but not enabled by default is a 'lockdown' configuration, which limits a number of potentially dangerous functions in PHP for all sites when being run by Apache.

This can be enabled with the command line...

For Sympl 9.x

sudo ln -s /etc/php/7.0/mods-available/sympl-web-lockdown.ini /etc/php/7.0/apache2/conf.d/01-sympl-web-lockdown.ini
sudo service apache2 reload

For Sympl 10.x

sudo ln -s /etc/php/7.3/mods-available/sympl-web-lockdown.ini /etc/php/7.0/apache2/conf.d/01-sympl-web-lockdown.ini
sudo service apache2 reload

Note that this will significantly restrict PHP access, and will affect all sites on the same server, so you should confirm that all sites work as expected once this has been run.

Filesystem Permissions

By default, Sympl adjusts the permissions of files and directories in /srv/example.com/public to ensure web applications can update themselves correctly, and FTP users can make changes as desired.

This defaults to changing the files and directories to be readable, writable, and owned by the www-data user and the www-data group (which the sympl user is a member of). These defaults can be changed by placing the name or ID of the desired user and group into config/public-user and config/public-group.

This functionality can be coupled with individual PHP instances for each site (not yet implemented in Sympl) or can be disabled on each domain by creating the file /srv/example.com/config/disable-filesystem-security.

See Filesystem Security for more information.

Logging

By default, the Apache logs are written to /srv/example.com/public/logs, named as either access.log and error.log for HTTP requests, and ssl_access.log and ssl_error.log for HTTPS.

These are automatically rotated daily, and compressed after two days.

For any sites being served with mass hosting, the logs can be found at /var/log/apache2/zz-mass-hosting.access.log and /var/log/apache2/zz-mass-hosting.error.log .

Logging for any other traffic is written to /var/log/apache2/other_vhosts_access.log, with any errors for Apache itself at /var/log/apache2/error.log.

Web Statistics

Basic traffic statistics can be optionally generated for the domain from the web logs using Webalizer, and are written to /srv/example.com/public/htdocs/stats, making them available at https://example.com/stats.

To trigger the generation, create a file at /srv/example.com/config/stats, and they will be generated automatically overnight for the previous day(s).

As they contain potentially sensitive information (i.e. client IPs), they are automatically protected by a username and password. To access them you must create a username and password in config/stats.htpasswd using htpasswd:

Note: If the file already exists, you should omit the -c parameter or a fresh configuration file will be created and overwrite anything there.

htpasswd -c /srv/example.com/config/stats.htpasswd username

You will be prompted for a password and confirmation, and you will then be able to log in.

A template for Webalizer will automatically be written to config/webalizer.conf when the statistics are created, and this can be edited as desired.

CGI Scripts

If you want to use CGI Scripts on your domain, you should copy them to /srv/example.com/public/cgi-bin/ and ensure they are marked executable with 775 permissions.

With SSH, you would run the command:

sudo chmod 775 /srv/example.com/public/cgi-bin/*

In FileZilla and other FTP clients, this can usually be done by right clicking the file and selecting 'File Permissions...' from the menu, however you should check your FTP client for instructions.

Modifying the Apache Configuration

The majority of typical changes to the Apache configuration can be made via relevant .htaccess files.

In the event you need to modify the Apache configuration for an individual site, configuration files can be found in /etc/apache/sites-enabled. Note that if you make any changes, the configuration will no longer be managed by Sympl and it won't make any changes if the templates are updated. If you want to revert to a Sympl generated configuration for a specific domain, you can do this with sudo sympl-web-configure --verbose example.com

If you want to update the configuration of all sites, then you can edit the templates used to generate the Apache configurations, but you should take care when making any changes to ensure the result is valid. These can be found in /etc/sympl/apache.d, and the existing templated configurations can be regenerated with sudo sympl-web-configure --verbose.

Finally, if you want to create your own Apache configurations not managed by Sympl you can do, as it will not make any changes to them.

Configuration Reference

File or Directory Used For
.../config/ip Contains a list of IP addresses which a website will be bound to. Defaults to the primary IPs (IPv4 and IPv6) of your server.
.../config/ssl-only Redirects all non-HTTPS traffic for the site to HTTPS. More...
.../config/hsts Enables HSTS for HTTPS sites. More...
.../config/disable-php-security Existence of this file will disable some of the PHP security functions in the automatically generated Apache configurations. More...
.../config/disable-filesystem-security Existence of this file will disable the automatic filesystem security tasks on this domain. More...
.../config/public-user UID or user name of the user to change ownership of the public/ directory to. Defaults to www-data. More...
.../config/public-group GID or group name of the user to change ownership of the public/ directory to. Defaults to www-data. More...
.../config/stats This file enables automatic generation of web stats with Webalizer. More... More...
.../config/stats.htpasswd A 'htpasswd' format file used to access the web stats. More...

See also Configuration Reference for other configuration files.