October 8, 2025 Wednesday 12:46 AM
Installing the WebServer Components

    # For all websites you'll need to install the web server software [httpd].
    [root@localhost ~]# dnf -y install httpd
    # For a more dynamic and easier-to-update web presence you'll need some form of scripting language, in this case PHP.
    [root@localhost ~]# dnf -y install php php-fpm

PHP-FPM - A simple and robust FastCGI Process Manager for PHP, an alternative implementation with some additional features useful for sites of any size, especially busier sites.

Configuration File Locations and Content
As is true with many Linux server components, there are some file tweaks needed to tailor the new system to its environment.

/etc/httpd/conf/httpd.conf

Several lines in httpd.conf can or should be customized. You can comment out a line by placing a '#' in the first column. Change the following to match your server's web administrator account and hostname.

    #ServerAdmin root@localhost
    ServerAdmin webbie@mynewserver.net
    #ServerName www.example.com:80
    ServerName www.mynewserver.net:80

At about the 41% mark, remove the ability of the webserver to display a file directory if an index file (like index.html) is not present. That has always seemed like a security problem to me, not sure why the wrong behavior is the default.

    # Options Indexes FollowSymLinks
    Options FollowSymLinks

Same security default override a few lines later. The 'All' setting allows each directory to define a unique policy via a local .htaccess file. Setting it to 'None' means .htaccess files are ignored, so the system has exactly one policy that cannot be different in any directory.

    # AllowOverride None
    AllowOverride All

A few lines later is a key setting. This allows the server to display specific files if a URL ends in a directory but contains no file name. For example, if you browse to http://www.mynewserver.net you don't mention a filename. The DirectoryIndex entry tells the server to display the first of the files listed when no filename is given. In this case, if index.php exists it will be sent. If it is not present, then index.html will be sent. If neither exists the server will return a 404 error for 'File Not Found'.

Around line 358 are several error responses that can be customized to the system. If you want a specific 404 error page, this is the place to add it.

    #ErrorDocument 404 /missing.html

/etc/hosts (vital for local testing)

As described in the Networking page, the hosts file defines IP addresses and hostnames at the local level. This is useful if the server is supporting several web domains.

    # /etc/hosts file format
    #IP ADDRESS     hostname hostname hostname hostname hostname
    192.168.1.100   mynewserver.net www.mynewserver.net www.myothernewserver.net myothernewserver.net iot.myservername.com

/etc/httpd/conf.d/mynewserver.conf

There's a lot going on in the website configuration files. If you run multiple domains you will have one of these .conf files for every web domain you're hosting.

    <VirtualHost *:80>
        ServerAdmin webmaster
        DocumentRoot "/var/www/mynewserver.net/"
        ServerName mynewserver.net
        ServerAlias www.mynewserver.net
        ServerAlias myothernewserver.net
        ServerAlias www.myothernewserver.net
        LogLevel warn
        ErrorLog "/var/log/httpd/mynewserver.net-error_log"
        CustomLog "/var/log/httpd/mynewserver.net-access_log" combined
        <Directory "/var/www/mynewserver.net/">
            DirectoryIndex index.html index.php
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

/etc/httpd/conf.d/iot.conf as a virtual host

This is an example of an actual Virtual Host using a separate file structure, hostname, and even logging name. Once the files are in place and httpd is restarted, you'll be able to visit http://iot.myservername.com and see an entirely different webserver (virtually speaking).

    <VirtualHost *:80>
        ServerAdmin webmaster
        DocumentRoot "/var/www/iot/"
        ServerName iot.myservername.com
        ErrorLog "/var/log/httpd/iot-error_log"
        CustomLog "/var/log/httpd/iot-access_log" combined
        <Directory "/var/www/iot/">
            DirectoryIndex index.php
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

How many Virtual hosts can be defined on a single physical server? The Apache webserver has no numerical limit, but each instance draws a little more memory for caching, and more storage space for the files. As long as you don't have lots of people simultaneously moving lots of data, the number of virtual hosts should not be an issue.
Warning. If you use the router settings below and open up the firewall to allow IP traffic to the server, you are going to start being attacked.

"Why would they do that to me?" is irrelevant. Get it? They literally use all of the numbers in the IP addressing schema, from 1.1.1.1 to 255.255.255.255, on port 80, port 443, port 22, port 20, and all other commonly defined port numbers to see if anything responds in a way "they" can use. If anything responds to the scanned ports there might be a second wave attack using focused software to expand and exploit the opening. That's problem 1.

And a more minor Problem 2 is that all of these accesses are logged into the access log for your website, and it's possible "they" could copy or view your default web pages or worse. This is obviously not why we set up the server.

Fortunately, all of the attacks on this Apache (httpd) server hit the first (alphabetically) website defined in your virtual hosts list. Scanners address the server by IP number rather than by name, and Apache hands any request whose hostname matches no virtual host to the first one it loaded. We can use that bug/feature to our advantage and keep the noise out of our real website logs. With a little creativity and a small amount of programming, we can generate statistics about the systems attacking ours, what they're looking for, and create report pages to make the information easy to find. Maybe even report them to their site authorities. That might be worthy of another webpage here.

/etc/httpd/conf.d/aaaaaaa.conf as an attack-logging virtual host

    <VirtualHost *:80>
        ServerAdmin webmaster
        DocumentRoot "/var/www/aaaaaaa/"
        ErrorLog "/var/log/httpd/aaaaaaa-error_log"
        CustomLog "/var/log/httpd/aaaaaaa-access_log" combined
        <Directory "/var/www/aaaaaaa/">
            DirectoryIndex index.php index.html
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    </VirtualHost>

I'm sure some settings require a tweak for absolute security, but for now copy this aaaaaaa.conf file into the /etc/httpd/conf.d folder and restart httpd.

    systemctl restart httpd

Now we're ready to see the attacks in real time once we open up the router and firewall. More on that later.

But remember, unless you want the server exposed to the outside world, ALL the outside world, you don't need to change any router settings. The firewall tweaks will be necessary if you want anything inside your home to reach the server. To see the attacks (or inadvertent web accesses) look at the access log:

    [root@localhost ~]# tail /var/log/httpd/aaaaaaa-access_log
    183.136.225.32 - - [09/Apr/2023:08:39:41 -0500] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ..."
    172.104.11.34 - - [09/Apr/2023:08:59:43 -0500] "\x16\x03\x01" 400 226 "-" "-"
    185.225.74.227 - - [09/Apr/2023:09:41:11 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "http://123.234.56.78:80/admin/login.asp" "..."
    167.88.61.141 - - [09/Apr/2023:10:03:33 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "http://123.234.56.78:80/admin/login.asp" "..."
    162.142.125.121 - - [09/Apr/2023:10:04:20 -0500] "GET / HTTP/1.1" 200 84 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    162.142.125.121 - - [09/Apr/2023:10:04:20 -0500] "PRI * HTTP/2.0" 400 226 "-" "-"
    162.142.125.121 - - [09/Apr/2023:10:04:20 -0500] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    62.171.175.68 - - [09/Apr/2023:10:17:59 -0500] "CONNECT 84.153.75.193:4444 HTTP/1.1" 405 224 "-" "-"
    85.15.66.193 - - [09/Apr/2023:10:38:18 -0500] "GET / HTTP/1.1" 200 84 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 ..."
    194.55.224.203 - - [09/Apr/2023:10:55:25 -0500] "POST /boaform/admin/formLogin HTTP/1.1" 404 196 "http://123.234.56.78/admin/login.asp" "..."
    # Or if you want to watch in real time, type the following and let it run. You'll see the entries pop up when the accesses occur. ^C to exit
    [root@localhost ~]# tail -f /var/log/httpd/aaaaaaa-access_log

Web page Locations and Content

    /var/www/html/        (normal single-site top-level directory)
    /var/www/site1name/   (multi-site top-level directory)
    /var/www/site2name/
    /var/www/site3name/

All files in your website will be contained within the correct /var/www/sitename folder. Unless a specific file is appended to the URL (www.myservername.net), the webserver will look down the list in "DirectoryIndex" above until it finds a file that exists and present that to the client's browser. In the example for the virtual site aaaaaaa, if index.php exists, the server will send it. If not, it will look for index.html. If nothing exists it will return the dreaded 404 error code. You can see the rest of them on Mozilla's developer site. You can add folders below these for organization, like /images, /documents, /topics. The "DirectoryIndex" applies to all folders in the virtual website.

Domain Registrar Settings - Optional if you want the world to recognize your domain.
Assuming you have registered a domain name, you'll need to set up the hosting agency's nameservers to point to you. In the world of cable modems, satellite internet and fiber, you need to know the dynamic IP address assigned to you. Search for something like "what is my IP address" and look for the IPv4 numbers like "123.234.12.34". That represents the IP address of your modem, whether satellite, cable, DSL or FIOS. It is the number you'll use for your ISP's DNS record for your server. My DNS record at godaddy.com looks something like this:

A - The domain name associated with the IP address.

NS - This is the name of the nameserver other computers will contact to get the IP address for your domain.

CNAME - A 'canonical' name of your computer, like an alias pointing to the A name. In these examples, when a request for the IP address of either www.myserver.net, blogs.myserver.net, or mail.myserver.net arrives, the name server will provide the IP address for myserver.net. This is a good way to make your virtual hosts visible. The webserver (Apache) will use the servername (not the IP) to select the correct webpage folder.

SOA

MX - A Mail eXchange record that points to the mail server for this domain. Must be the A name, CNAMEs are prohibited per RFC.

TXT

@ - This is a shortcut that refers to the real domain name being edited on this page; here it means 'myserver.net'.

Router Settings - Optional if you want the world to see you.
Port Forwarding
IP Addresses (Why we pick static or leased)
Firewall Settings - Optional if you want any other system to see you.
Open up for http and https

    [root@localhost ~]# firewall-cmd --add-service=http
    success
    [root@localhost ~]# firewall-cmd --runtime-to-permanent
    success

Additional Configuration Files for Hosting Multiple Domains
Adding Secure Protocols for https
You'll need to generate and install an encryption key to use port 443 for mildly secure web transactions.
It's basically a statement that "Yes, I validated this website via email with EFF every three months." Fractionally better than the annual validation with your ISP.

Getting started with Let's Encrypt, an EFF www encryption layer

Step By Step Installation for a Single Domain

Step By Step Installation for Multiple Domains on a Single Server

all original content ©1994-2025
Yes, that means 30+ years on the web
An exercise in truly free free-speech. No license required, no training wheels available.
"When words lose their meaning, people will lose their liberty." -- Confucius
vincit omnia veritas