Configuring web services (revision 2)

Introduction

This page describes how Alexis Huxley installed and configured his front-end Apache web server. Important points about the configuration described are:

  • each web service (e.g. Subversion, personal web pages, Jira) is contained in its own Apache virtual host, not simply in a different Apache <Location>; this causes fewer client-side password-caching problems for services that do not specify their realm correctly (e.g. Jira)
  • for the “heavier” web services (e.g. Jira) the corresponding virtual host proxies to a backend webserver that runs on a different machine
  • for the “lighter” web services (e.g. Subversion, personal web pages) the corresponding virtual host provides the web service itself
  • configuration of the lighter web services is described on this page
  • configuration of the heavier web services is described elsewhere, but generic instructions for proxying them are given on this page

Basic installation

  1. Run:
    apt-get install apache2
  2. Create a ‘combined2’ logging format, which we will refer to below, by running:
    echo 'LogFormat "%h (%a) %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined2' > /etc/apache2/conf-available/combined2.conf
    a2enconf combined2
    systemctl reload apache2
    
  3. Edit /etc/logrotate.d/apache2 and set:
    rotate 10000
  4. Enable https (albeit without a proper certificate yet) and the proxy and rewrite modules used later by running:
    a2enmod ssl headers proxy proxy_http proxy_html rewrite xml2enc
    systemctl restart apache2
    nmap localhost

    and verify that ports 80 and 443 are open.

  5. Create a basic template configuration file for http by editing /etc/apache2/sites-available/WEBSITENAME.conf to contain only:
    <VirtualHost *:80>
        ServerName WEBSITENAME
        CustomLog /var/log/apache2/WEBSITENAME/WEBSITENAME-access.log combined2
        ErrorLog /var/log/apache2/WEBSITENAME/WEBSITENAME-error.log
        RedirectMatch permanent /(.*) https://WEBSITENAME/$1
    </VirtualHost>
  6. Create a basic template configuration file for https by editing /etc/apache2/sites-available/WEBSITENAME-ssl.conf to contain only:
    <VirtualHost *:443>
        ServerName WEBSITENAME
        ServerAdmin webmaster@dont-use-this-address
        CustomLog /var/log/apache2/WEBSITENAME/WEBSITENAME-access.log combined2
        ErrorLog /var/log/apache2/WEBSITENAME/WEBSITENAME-error.log
        LogLevel warn
        ServerSignature Off
        
    
        # Use a self-signed certificate until we have 
        # a LetsEncrypt certificate.
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    
        # Keep this commented out until we have a LetsEncrypt certificate.
        #Include /etc/letsencrypt/options-ssl-apache.conf
        #SSLCertificateFile /etc/letsencrypt/live/WEBSITENAME/fullchain.pem
        #SSLCertificateKeyFile /etc/letsencrypt/live/WEBSITENAME/privkey.pem
    
        # fancy-index is in the DocumentRoot and certbot
        # requires a DocumentRoot so we declare one.
        #DocumentRoot /var/www/WEBSITENAME
        #<Directory /var/www/WEBSITENAME>
        #    Require all granted
        #</Directory>
    </VirtualHost>
  7. Make the current document root into a document root template by running:
    mv /var/www/html /var/www/WEBSITENAME
  8. Then remove the factory default http and https sites; we’ll make our own shortly:
    a2dissite 000-default
    a2dissite default-ssl
    systemctl reload apache2

Lightweight web service: empty default vhost

Nothing should access the default vhost since all services that might be accessed are in non-default vhosts. However, I have seen that some programs (particularly on Android) get this wrong. Therefore we set up a default vhost simply in order to stop bad clients going to vhosts that are providing real services.
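As an added check (Python, not part of the original page), the following reads the enabled site configs and reports which vhost Apache will use as the default for each address:port, so you can confirm that the catch-all site really does sort first. It assumes Debian's layout, where apache2.conf includes sites-enabled/*.conf, that wildcard includes are processed in alphabetical order, and that the first vhost loaded for an address:port is its default; the sample configs are constructed.

```python
"""Report which VirtualHost Apache will treat as the default for each
address:port.  Added example, not part of the original page.

Assumptions: Debian's apache2.conf includes sites-enabled/*.conf, a wildcard
Include processes files in alphabetical (byte) order, and for a given
address:port the first <VirtualHost> loaded is the default, i.e. the one that
serves requests whose Host header matches no ServerName/ServerAlias.
"""
import os
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)


def default_vhosts(confs):
    """confs maps a sites-enabled file name to its contents.

    Returns {address: (file_name, server_name)} for the first vhost that
    Apache loads for each address, mirroring its alphabetical Include order.
    """
    defaults = {}
    for fname in sorted(confs):
        for addrs, body in VHOST_RE.findall(confs[fname]):
            for addr in addrs.split():  # <VirtualHost *:80 *:443> lists several
                if addr not in defaults:
                    m = SERVERNAME_RE.search(body)
                    defaults[addr] = (fname, m.group(1) if m else None)
    return defaults


def misrouted_defaults(confs, catch_all):
    """Return the addresses whose default vhost is NOT the catch-all site.

    Any address listed here hands requests with a missing or unknown Host
    header to a real service instead of the empty vhost.
    """
    return sorted(addr for addr, (_, name) in default_vhosts(confs).items()
                  if name != catch_all)


def load_sites_enabled(path="/etc/apache2/sites-enabled"):
    """Read every *.conf in the directory into the mapping the checks expect."""
    confs = {}
    for fname in os.listdir(path):
        if fname.endswith(".conf"):
            with open(os.path.join(path, fname), encoding="utf-8", errors="replace") as fh:
                confs[fname] = fh.read()
    return confs


# Constructed sample: the catch-all 'aaa' site plus one real service, both
# with the http and https files produced by the template-cloning step.
SAMPLE_CONFS = {
    "aaa.pasta.freemyip.com.conf":
        "<VirtualHost *:80>\n    ServerName aaa.pasta.freemyip.com\n</VirtualHost>\n",
    "aaa.pasta.freemyip.com-ssl.conf":
        "<VirtualHost *:443>\n    ServerName aaa.pasta.freemyip.com\n</VirtualHost>\n",
    "home.pasta.freemyip.com.conf":
        "<VirtualHost *:80>\n    ServerName home.pasta.freemyip.com\n</VirtualHost>\n",
    "home.pasta.freemyip.com-ssl.conf":
        "<VirtualHost *:443>\n    ServerName home.pasta.freemyip.com\n</VirtualHost>\n",
}

if __name__ == "__main__":
    confs = load_sites_enabled() if os.path.isdir("/etc/apache2/sites-enabled") else SAMPLE_CONFS
    for addr, (fname, name) in sorted(default_vhosts(confs).items()):
        print(f"{addr}: default vhost {name!r} from {fname}")
    bad = misrouted_defaults(confs, "aaa.pasta.freemyip.com")
    print("catch-all is default everywhere" if not bad else f"NOT default on {bad}")
```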

  1. Set some environment variables; this website needs special consideration, as its name must sort alphabetically ahead of all others (Apache uses the first vhost loaded for an address and port as the default, and sites-enabled is loaded in alphabetical order):
    WEBSITENAME=<name-of-website>       #  e.g. WEBSITENAME=aaa.pasta.freemyip.com
  2. Clone the template components by running:
    cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME.conf \
            > /etc/apache2/sites-available/$WEBSITENAME.conf
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
            > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
  3. Since there is no data associated with this website there should be no data migration to perform.
    1. Install libapache2-mod-security2.
    2. Because no well-behaved client omits the ‘Host:’ HTTP header, the default host should never be visited (except by hackers). Therefore we can simply block all accesses, use it as a honey trap, etc. I investigated using mod_security, which allows the connection to be dropped, but it logs requests as if mod_security were not enabled (e.g. 403 when no DocumentRoot or Location stanzas are provided), which is not what I wanted. Sending a 410 status to the client seems the most lightweight action, so add this to the config:
      <Location />
          Redirect 410
      </Location>
  4. Enable the required modules and the website with:
    a2ensite $WEBSITENAME
    a2ensite $WEBSITENAME-ssl
    systemctl reload apache2
  5. To test:
    1. Enable selective website redirection to facilitate testing without affecting your viewers as described below.
    2. Visit the new site and check everything works (though you can expect certificate warnings).
    3. Disable selective website redirection (by undoing what you did earlier).
  6. To activate:
    1. You can now set up SSL certification according to Setting up LetsEncrypt (revision 2) but note that, if that procedure requires you to make changes on the firewall, then you need to keep those changes in place on the firewall until all websites have been migrated (otherwise unmigrated sites won’t work).
    2. If there is an old frontend webserver and you’re in the process of replacing it with the new frontend webserver you’re currently configuring then on the old webserver proxy all traffic for this specific website to the new webserver with something like:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://anelli.pasta.net/
      ProxyPassReverse / https://anelli.pasta.net/
      ProxyPreserveHost On

      (Note the ProxyPreserveHost which is necessary so that the website name requested by the client is passed on to the new frontend webserver so that it knows to which vhost to pass the request; otherwise it will serve the default vhost.)
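The combined2 format from Basic installation step 2 and the 410 catch-all above together give a cheap report of scanners and misbehaving clients. As an added example (Python, not part of the original page), this parses combined2 lines and counts the 410s per client address and User-Agent; the log lines are constructed, not from a real server.

```python
"""Parse Apache 'combined2' access-log lines and summarise hits on the empty
default vhost.  Added example, not part of the original page.

Assumes the combined2 LogFormat from 'Basic installation' step 2:
    %h (%a) %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
%h is the remote host (an IP unless HostnameLookups is On), %a the client IP.
"""
import re
import sys
from collections import Counter

# Apache writes a quoted field's embedded quotes as \" so a quoted field is a
# run of 'not quote, not backslash' or 'backslash + any character'.
_Q = r'(?:[^"\\]|\\.)*'
COMBINED2_RE = re.compile(
    r'^(?P<host>\S+) \((?P<client_ip>[^)]*)\) (?P<ident>\S+) (?P<user>\S+) '
    + r'\[(?P<time>[^\]]+)\] "(?P<request>' + _Q + r')" (?P<status>\d{3}) '
    + r'(?P<bytes>\d+|-) "(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"$'
)


def parse_line(line):
    """Return the fields of one combined2 line as a dict, or None if it does
    not match the format (truncated lines, other formats, garbage)."""
    m = COMBINED2_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    parts = rec["request"].split(" ")
    if len(parts) == 3:
        rec["method"], rec["path"], rec["protocol"] = parts
    else:  # not an HTTP request line, e.g. a TLS handshake sent to port 80
        rec["method"], rec["path"], rec["protocol"] = "", rec["request"], ""
    return rec


def summarise(lines):
    """Count statuses and, for 410 responses, the clients and User-Agents.

    Every request reaching the empty default vhost came with a missing or
    unknown Host header, so the 410 counters list scanners and the broken
    clients mentioned above.
    """
    summary = {"parsed": 0, "unparsed": 0, "by_status": Counter(),
               "gone_by_client": Counter(), "agents_by_client": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        summary["by_status"][rec["status"]] += 1
        if rec["status"] == 410:
            summary["gone_by_client"][rec["client_ip"]] += 1
            summary["agents_by_client"].setdefault(rec["client_ip"], set()).add(rec["agent"])
    return summary


# Constructed sample lines in combined2 format (not from a real server).
SAMPLE_LINES = r'''
203.0.113.7 (203.0.113.7) - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 410 389 "-" "Mozilla/5.0 (Linux; Android 10)"
203.0.113.7 (203.0.113.7) - - [10/Mar/2024:12:00:02 +0000] "GET /index.php HTTP/1.1" 410 389 "-" "Mozilla/5.0 (Linux; Android 10)"
198.51.100.9 (198.51.100.9) - - [10/Mar/2024:12:00:05 +0000] "GET /robots.txt HTTP/1.0" 410 389 "-" "-"
198.51.100.9 (198.51.100.9) - - [10/Mar/2024:12:00:06 +0000] "\x16\x03\x01" 400 0 "-" "-"
192.0.2.44 (192.0.2.44) - alice [10/Mar/2024:12:01:00 +0000] "GET /a\"b HTTP/1.1" 410 389 "http://example.invalid/" "curl/8.5.0"
this line is deliberately malformed and must be counted as unparsed
'''.strip().splitlines()

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    s = summarise(src)
    print(f"parsed={s['parsed']} unparsed={s['unparsed']} statuses={dict(s['by_status'])}")
    for ip, n in s["gone_by_client"].most_common():
        print(f"{ip}: {n} x 410, agents={sorted(s['agents_by_client'][ip])}")
```

Run it as `python3 combined2_report.py /var/log/apache2/aaa.pasta.freemyip.com/aaa.pasta.freemyip.com-access.log` (path per the template above) to report on the real catch-all log.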

Lightweight web service: personal home pages

  1. Set some environment variables:
    WEBSITENAME=<name-of-website>       #  e.g. WEBSITENAME=home.pasta.freemyip.com
  2. Clone the template components by running:
    cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME.conf \
            > /etc/apache2/sites-available/$WEBSITENAME.conf
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
            > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
  3. Since the data is in users’ homes then there should be no data migration to perform.
  4. Configure as follows:
    1. Tailor /etc/apache2/mods-available/userdir.conf as follows:
      1. Change all occurrences of ‘public_html’ to ‘.public_html’
      2. Change any occurrences of ‘SymLinksIfOwnerMatch’ to ‘FollowSymLinks’
    2. Enable fancy indexes as described below.
    3. Add the following to the config file (the order of the stanza is important):
      <LocationMatch ^(?!/~).*$>
          Deny from all
          Options None
          ErrorDocument 403 Forbidden.
      </LocationMatch>
      
      <Location /fancy-index/>
          Allow from all
      </Location>
    4. Check that users’ homes are accessible:
      ls ~alexis/    #  or whoever
  5. Enable the required modules and the website with:
    a2enmod userdir
    a2ensite $WEBSITENAME
    a2ensite $WEBSITENAME-ssl
    systemctl reload apache2
  6. To test:
    1. Enable selective website redirection to facilitate testing without affecting your viewers as described below.
    2. Visit the new site and check everything works (though you can expect certificate warnings).
    3. Disable selective website redirection (by undoing what you did earlier).
  7. To activate:
    1. You can now set up SSL certification according to Setting up LetsEncrypt (revision 2) but note that, if that procedure requires you to make changes on the firewall, then you need to keep those changes in place on the firewall until all websites have been migrated (otherwise unmigrated sites won’t work).
    2. If there is an old frontend webserver and you’re in the process of replacing it with the new frontend webserver you’re currently configuring then on the old webserver proxy all traffic for this specific website to the new webserver with something like:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://anelli.pasta.net/
      ProxyPassReverse / https://anelli.pasta.net/
      ProxyPreserveHost On

      (Note the ProxyPreserveHost which is necessary so that the website name requested by the client is passed on to the new frontend webserver so that it knows to which vhost to pass the request; otherwise it will serve the default vhost.)

Lightweight web service: Subversion

  1. See this page.

Lightweight web service: software repositories

  1. Set some environment variables:
    WEBSITENAME=<name-of-website>       #  e.g. WEBSITENAME=repo.pasta.freemyip.com
  2. Clone the template components by running:
    cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME.conf \
            > /etc/apache2/sites-available/$WEBSITENAME.conf
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
            > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
  3. If there are repositories to migrate then migrate them now.
  4. Configure as follows:
    1. For public repositories (accessible from inside and outside), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
      Alias /debian/ "/pub/computing/software/local/debian/localpublic-deb/"
      <Directory "/pub/computing/software/local/debian/localpublic-deb/">
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Require all granted
      </Directory>
    2. For private repositories (accessible only from inside), add something like the following to /etc/apache2/sites-available/$WEBSITENAME:
      Alias /debian-private/ "/pub/computing/software/local/debian/localprivate-deb/"
      <Directory "/pub/computing/software/local/debian/localprivate-deb/">
          Options Indexes FollowSymLinks MultiViews
          AllowOverride None
          Require ip 192.168.0.0/16
      </Directory>
    3. Add stanzas for all repositories (redhat/debian, private/public, source/binary).
    4. To redirect https://repo.pasta.freemyip.com/ to https://repo.pasta.freemyip.com/debian/, add this to /etc/apache2/sites-available/$WEBSITENAME:
      RedirectMatch ^(/|/index\.html)$ /debian/
    5. Enable fancy indexes as described below.
    6. Check that the repository directories are accessible:
      ls /pub/computing/software/local/debian/localpublic-deb/    #  or wherever
  5. Enable the required modules and the website with:
    a2ensite $WEBSITENAME
    a2ensite $WEBSITENAME-ssl
    systemctl reload apache2
  6. To test:
    1. Enable selective website redirection to facilitate testing without affecting your viewers as described below.
    2. Visit the new site and check everything works (though you can expect certificate warnings).
    3. Disable selective website redirection (by undoing what you did earlier).
  7. To activate:
    1. You can now set up SSL certification according to Setting up LetsEncrypt (revision 2) but note that, if that procedure requires you to make changes on the firewall, then you need to keep those changes in place on the firewall until all websites have been migrated (otherwise unmigrated sites won’t work).
    2. If there is an old frontend webserver and you’re in the process of replacing it with the new frontend webserver you’re currently configuring then on the old webserver proxy all traffic for this specific website to the new webserver with something like:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://anelli.pasta.net/
      ProxyPassReverse / https://anelli.pasta.net/
      ProxyPreserveHost On

      (Note the ProxyPreserveHost which is necessary so that the website name requested by the client is passed on to the new frontend webserver so that it knows to which vhost to pass the request; otherwise it will serve the default vhost.)

Heavyweight web services: proxying to a backend webserver

  1. Set some environment variables:
    WEBSITENAME=<name-of-website>       #  e.g. ...
    WEBSITENAME=checkmk.pasta.freemyip.com
    WEBSITENAME=i2p.pasta.freemyip.com
    WEBSITENAME=iplayer.pasta.freemyip.com
    WEBSITENAME=jira.pasta.freemyip.com
    WEBSITENAME=judithhabgood.freemyip.com
    WEBSITENAME=mail.pasta.freemyip.com
    WEBSITENAME=nzb.pasta.freemyip.com
    WEBSITENAME=suzanneramsay.freemyip.com
    WEBSITENAME=www.pasta.freemyip.com
    WEBSITENAME=openproject.pasta.freemyip.com
    WEBSITENAME=nextcloud.pasta.freemyip.com
  2. Clone the template components by running:
    cp -ar /var/www/WEBSITENAME /var/www/$WEBSITENAME
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME.conf \
            > /etc/apache2/sites-available/$WEBSITENAME.conf
    sed "s/WEBSITENAME/$WEBSITENAME/g" \
            < /etc/apache2/sites-available/WEBSITENAME-ssl.conf \
            > /etc/apache2/sites-available/$WEBSITENAME-ssl.conf
  3. Since these heavyweight websites are entirely proxied then there should be no data migration to perform.
  4. Configure as follows:
    1. If the backend server is running CheckMK then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine off
      ProxyPass / http://chifferi.pasta.net:5000/
      ProxyHTMLURLMap http://chifferi.pasta.net:5000/ /
      <Location "/">
          ProxyPassReverse /
          SetOutputFilter proxy-html
          RequestHeader unset Accept-Encoding
          Require all granted
      </Location>
    2. If the backend server is running I2P then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine off
      <Location />
          ProxyPass http://rombi.pasta.net:7657/
          ProxyPassReverse http://rombi.pasta.net:7657/
          AuthType Basic
          AuthName "I2P Service"
          AuthBasicProvider file
          AuthUserFile /etc/apache2/i2p.htpasswd
          Require valid-user
      </Location>

      and if you want to use LDAP for authentication then replace AuthType ... valid-user with:

      AuthType Basic
      AuthName "I2P Service"
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ziti.pasta.net/ou=Users,dc=pasta,dc=net?uid
      Require valid-user
    3. If the backend server is running get_iplayer (digest authentication requires mod_auth_digest: a2enmod auth_digest) then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine off
      <Location />
          ProxyPass http://localhost:1935/
          ProxyPassReverse http://localhost:1935/
          AuthType Digest
          AuthName "iPlayer Service"
          # Digest authentication takes its provider from AuthDigestProvider,
          # not AuthBasicProvider.
          AuthDigestProvider file
          AuthUserFile /etc/apache2/iplayer.htdigest
          Require valid-user
      </Location>

      and if you want to use LDAP for authentication then replace AuthType ... valid-user with:

      AuthType Basic
      AuthName "iPlayer Service"
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ziti.pasta.net/ou=Users,dc=pasta,dc=net?uid
      Require valid-user
    4. If the backend server is running Jira then add to /etc/apache2/sites-available/$WEBSITENAME:
      SSLProxyEngine off
      ProxyPass / http://girandole.pasta.net:8080/
      ProxyPassReverse / http://girandole.pasta.net:8080/
      ProxyPreserveHost On
    5. If the backend server is running WordPress then add to /etc/apache2/sites-available/$WEBSITENAME (the SSLProxyVerify and SSLProxyCheckPeer* lines make Apache accept the backend’s certificate without checking it, so the hop to the backend is encrypted but the backend is not authenticated):
      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyPass / https://rotelle-judithhabgoodfreemyipcom.pasta.net/
      ProxyPassReverse / https://rotelle-judithhabgoodfreemyipcom.pasta.net/
      RewriteEngine On
      RewriteRule ^/$ https://rotelle-judithhabgoodfreemyipcom.pasta.net/index.php [P]

      or:

      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyPass / https://rotelle-suzanneramsayfreemyipcom.pasta.net/
      ProxyPassReverse / https://rotelle-suzanneramsayfreemyipcom.pasta.net/
      RewriteEngine On
      RewriteRule ^/$ https://rotelle-suzanneramsayfreemyipcom.pasta.net/index.php [P]

      or:

      SSLProxyEngine on
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyPass / https://rotelle-wwwpastafreemyipcom.pasta.net/
      ProxyPassReverse / https://rotelle-wwwpastafreemyipcom.pasta.net/
      RewriteEngine On
      RewriteRule ^/$ https://rotelle-wwwpastafreemyipcom.pasta.net/index.php [P]
    6. If the backend server is running mailman then add to /etc/apache2/sites-available/$WEBSITENAME:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://marille.pasta.net/
      ProxyPassReverse / https://marille.pasta.net/
    7. If the backend server is running Nextcloud then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://gnocchi.pasta.net/
      ProxyPassReverse / https://gnocchi.pasta.net/
    8. If the backend server is running Sabnzbd (digest authentication requires mod_auth_digest: a2enmod auth_digest) then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine off
      <Location />
          ProxyPass http://rombi.pasta.net:8080/
          ProxyPassReverse http://rombi.pasta.net:8080/
          AuthType Digest
          AuthName "Sabnzbd Service"
          # Digest authentication takes its provider from AuthDigestProvider,
          # not AuthBasicProvider.
          AuthDigestProvider file
          AuthUserFile /etc/apache2/sabnzbd.htdigest
          Require valid-user
      </Location>

      and if you want to use LDAP for authentication then replace AuthType ... valid-user with:

      AuthType Basic
      AuthName "Sabnzbd Service"
      AuthBasicProvider ldap
      AuthLDAPUrl ldap://ziti.pasta.net/ou=Users,dc=pasta,dc=net?uid
      Require valid-user
    9. If the backend server is running OpenProject then add to /etc/apache2/sites-available/$WEBSITENAME-ssl.conf:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      ProxyPreserveHost On
      ProxyPass / https://testaroli.pasta.net/
      ProxyPassReverse / https://testaroli.pasta.net/

      (‘ProxyPreserveHost’ is needed because otherwise a complaint regarding a mismatch is displayed in OpenProject’s web interface.)

  5. Enable the website with:
    a2ensite $WEBSITENAME
    a2ensite $WEBSITENAME-ssl
    systemctl reload apache2
  6. To test:
    1. Enable selective website redirection to facilitate testing without affecting your viewers as described below.
    2. Visit the new site and check everything works (though you can expect certificate warnings).
    3. Disable selective website redirection (by undoing what you did earlier).
    4. Note that in the specific case of mail.pasta.freemyip.com, the SSL certificate is valid from outside the home network but invalid from inside the home network. The reason for this is as follows:
      • (s)smtp and imap(s) traffic originating from the internet and sent to mailserver mail.pasta.freemyip.com is directed by my router/firewall to marille.pasta.net, which must provide a valid certificate for mail.pasta.freemyip.com to mail clients
      • https traffic originating from the internet and sent to webserver mail.pasta.freemyip.com is directed by my router/firewall to anelli.pasta.net, which must provide a valid certificate for mail.pasta.freemyip.com to web clients
      • (s)smtp and imap(s) traffic originating from the home network and sent to mailserver mail.pasta.freemyip.com (because that’s what /etc/postfix/main.cf says to do) is directed by my DNS server to marille.pasta.net, which must provide a valid certificate for mail.pasta.freemyip.com to mail clients
      • https traffic originating from the home network and sent to webserver mail.pasta.freemyip.com should be directed to anelli.pasta.net, which could provide a valid certificate for mail.pasta.freemyip.com to web clients, but those web clients use my DNS, and that is sending them (as explained in the previous bullet point) to marille.pasta.net, which can’t provide a valid certificate for mail.pasta.freemyip.com to web clients because anelli.pasta.net is in charge of that certificate!
      • Since LetsEncrypt relies on issuing challenges sent over http, I cannot configure both anelli.pasta.net and marille.pasta.net to answer these challenges, so, for traffic originating from the home network, either mail certification works or web certification works, but not both! The lesser evil is to have mail certification working and not web certification. But remember this only applies to traffic originating from the home network; traffic originating from the internet, be it mail or web, is correctly certified (because the router can direct it to different machines based on destination TCP port number).
      • A possible solution would be for the mail server to use IPtables to direct https traffic coming from anywhere except the frontend webserver to the frontend webserver, which would then serve the web certificate and proxy the traffic onto the webserver process running on the mailserver machine.
  7. To activate:
    1. You can now set up SSL certification according to Setting up LetsEncrypt (revision 2) but note that, if that procedure requires you to make changes on the firewall, then you need to keep those changes in place on the firewall until all websites have been migrated (otherwise unmigrated sites won’t work).
    2. If there is an old frontend webserver and you’re in the process of replacing it with the new frontend webserver you’re currently configuring then on the old webserver proxy all traffic for this specific website to the new webserver with something like:
      SSLProxyEngine on
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      ProxyPass / https://anelli.pasta.net/
      ProxyPassReverse / https://anelli.pasta.net/
      ProxyPreserveHost On

      (Note the ProxyPreserveHost which is necessary so that the website name requested by the client is passed on to the new frontend webserver so that it knows to which vhost to pass the request; otherwise it will serve the default vhost.)

  8. Proxying of specific services is described elsewhere:
  9. Remember to set up any htdigest files for these services.

Enabling selective website redirection

Do not complete this section unless the section you came from instructed you do to so.

If there is not a masquerader/firewall between the web browser and the frontend webserver then use this simple method:

  1. Add an entry to a client’s /etc/hosts file to say that the IP address of frontend host has the name of the website, e.g.:
    1.2.3.4 home.pasta.freemyip.com

If there is a masquerader/firewall between the web browser and the frontend webserver then use this more complicated method:

  1. Make sure that the client host (where the browser will run) has ssh access (client-side user and server-side user are both irrelevant) to the webserver.
  2. If public key authentication is in use then make sure that the entry in authorized_keys on the server does not specify any restrictions (e.g. no-port-forwarding,no-X11-forwarding,no-pty) on the beginning of the key line.
  3. On the host running the web browser run something like:
    ssh -gfND 4445 <new-web-server>
    
  4. On the new web server add an entry to /etc/hosts something like:
    127.0.0.1 <new-web-server>
  5. In the web browser configure the proxy to be localhost:4445 and type SOCKS v5.

Fancy indexes

Do not complete this section unless the section you came from instructed you do to so.

  1. Run:
    cd /var/www/$WEBSITENAME
    git clone https://github.com/Vestride/fancy-index
    rm -fr fancy-index/{.git,test}
    mv /etc/apache2/mods-available/autoindex.conf /etc/apache2/mods-available/autoindex.conf.orig
    mv fancy-index/.htaccess /etc/apache2/mods-available/autoindex.conf
  2. Edit /var/www/$WEBSITENAME/fancy-index/script.js and change:
     const parts = path.split('/');
     path = parts[parts.length - 1];
     titleText = titleize(path).replace(/-|_/g, ' ');

    to:

     const parts = path.split('/');
     titleText = path;
     path = parts[parts.length - 1];
     // titleText = titleize(path).replace(/-|_/g, ' ');

  3. Edit /var/www/$WEBSITENAME/fancy-index/style.css and change:
     font-size: 0.875rem;

    to:

    /* font-size: 0.875rem; */
    font-size: 1.500rem;

HTTPS Support

  1. Ensure the firewall is forwarding port 443 to the appropriate host.
  2. Obtain SSL certificates (maybe see Setting up LetsEncrypt).

nftables

  1. Install nftables.
  2. Download this script and customise it to suit your requirements.
  3. Make the script executable and run it.
  4. More info about nftables (showing command-line method to add rules) can be found here.
