GNU/Linux {docs}

LAMP

Installation

Install Apache

# apt install apache2
# systemctl start apache2
# systemctl status apache2

To test, go to http://localhost

NOTE: the default document root is /var/www/html/

NOTE 2: the Apache configuration file is located at /etc/apache2/apache2.conf

Install PHP

# apt install php-fpm libapache2-mod-php php-mysql

  • Check PHP version:

$ php -v

  • Start PHP and Apache:

# systemctl restart apache2

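To test, go to http://localhost/info.php. This requires a PHP test page named info.php (typically one that calls phpinfo()) in the document root. Delete it once the test succeeds, because such a page discloses the PHP and server configuration to anyone who requests it.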

Install MariaDB

# apt install mariadb-server

The MariaDB service will start automatically. You can verify it by typing:

# systemctl status mariadb

Set the MySQL/MariaDB root user password:

# mysql_secure_installation
Enter current password for root (enter for none): ## Press Enter
Set root password? [Y/n] ## Press Enter
New password: ## Enter password
Re-enter new password: ## Re-enter password
Remove anonymous users? [Y/n] ## Press Enter
Disallow root login remotely? [Y/n] ## Press Enter
Remove test database and access to it? [Y/n] ## Press Enter
Reload privilege tables now? [Y/n] ## Press Enter

Additional Steps

When setting up our LAMP stack, we only required a very minimal set of extensions in order to get PHP to communicate with MySQL. WordPress and many of its plugins leverage additional PHP extensions.

We can download and install some of the most popular PHP extensions for use with WordPress by typing:

$ sudo apt update
$ sudo apt install php-curl php-gd php-mbstring php-mcrypt php-xml php-xmlrpc
$ sudo systemctl restart apache2

Adjust Apache's Configuration to Allow for .htaccess Overrides and Rewrites

Enable .htaccess Overrides

Open the primary Apache configuration file to make our first change:

$ sudo nano /etc/apache2/apache2.conf

To allow .htaccess files, we need to set the AllowOverride directive to All within a Directory block pointing to our document root. Towards the bottom of the file, add the following block:

<Directory /var/www/html/>
AllowOverride All
</Directory>

If you are using a local VPS setup instead, as explained here, you must edit the <Directory /var/www/> block:

<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

Alternatively, for a local VPS setup, you can edit /etc/apache2/sites-available/example.com.conf and add the following between lines:

<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
<Directory /var/www/example.com/public_html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>

Next, we can enable mod_rewrite so that we can utilize the WordPress permalink feature:

$ sudo a2enmod rewrite

Bash Script - LAMP management

If you don't want LAMP to be enabled on start up, you can disable it:

sudo systemctl disable apache2 php7.2-fpm mysql

You can now create a file containing the following bash script to manage the LAMP services manually:

#!/bin/bash
# Manage the LAMP services (Apache, MariaDB, PHP-FPM) by hand.
if [ -z "$1" ]
then
    # No argument: start the whole stack
    systemctl start apache2 mariadb php7.2-fpm
elif [ "$1" = "-s" ]
then
    # Stop the whole stack
    systemctl stop apache2 mariadb php7.2-fpm
elif [ "$1" = "-r" ]
then
    # Restart Apache only
    systemctl restart apache2
elif [ "$1" = "-status" ]
then
    # Show only the "Active:" line of each service
    echo "apache2:"
    systemctl status apache2 | grep "Active"
    echo "mariadb:"
    systemctl status mariadb | grep "Active"
    echo "php-fpm:"
    systemctl status php7.2-fpm | grep "Active"
elif [ "$1" = "--help" ] || [ "$1" = "-h" ]
then
    echo "Usage:"
    echo "'sudo ./server' will launch apache, mariadb and php-fpm"
    echo "'sudo ./server -s' will stop apache, mariadb and php-fpm"
    echo "'sudo ./server -r' will restart apache"
    echo "'./server -status' will show the status of apache, mariadb and php-fpm"
else
    # Unknown argument: report on stderr and return a non-zero exit code
    echo "Wrong argument supplied" >&2
    exit 1
fi

  1. Save the file as file_name

  2. chmod +x file_name

  3. Usage:

    • Start LAMP: sudo ./file_name
    • Stop LAMP: sudo ./file_name -s
    • Restart Apache: sudo ./file_name -r
    • Show service status: ./file_name -status
    • Help command: ./file_name -h or ./file_name --help

Securing Apache Server

Disable Trace HTTP Request

Edit the config file in /etc/apache2/sites-available/ and make sure that it does not enable TRACE: the line TraceEnable on must be absent, commented out, or replaced by TraceEnable off.

To check if it is disabled, run:

$ curl -i -X TRACE example.com

If it is disabled (what we want), you should get:

  • HTTP/1.1 405 Method Not Allowed

If it is enabled, you will get:

  • HTTP/1.1 200 OK

Disable Signature

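Edit the config file in /etc/apache2/sites-available/ and make sure that it does not enable the signature that Apache appends to server-generated pages such as error pages: the line ServerSignature on must be absent, commented out, or replaced by ServerSignature off.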

Disable Banner

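Edit the config file in /etc/apache2/sites-available/ and make sure that it contains ServerTokens Prod, so that the Server response header no longer carries version details. Place the line outside any <VirtualHost> block, because Apache accepts ServerTokens only at the global server level.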

Disable directory listing

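Edit /etc/apache2/apache2.conf and set "Options" to "None". An Options line in a more specific <Directory> block, such as the Options Indexes FollowSymLinks lines shown earlier, overrides this setting for that directory, so remove Indexes there as well: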

<Directory />
...
Options None
...
</Directory>
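
The four settings above can be checked in one pass over the configuration files. The script below is an added example, not part of the original page: it applies the page's own pass conditions (TraceEnable and ServerSignature not set to on, ServerTokens Prod present, no Options line enabling Indexes). The function names and the sample configuration are made up for the illustration, and it assumes the last uncommented occurrence of a directive is the one that counts.

```shell
#!/bin/bash
# Added example, not from the original page. Simplification: the last uncommented
# occurrence of a directive is its value; <VirtualHost>/<Directory> scope is ignored.
# last_value DIRECTIVE FILE... -> lower-cased value of the last uncommented match
last_value() {
    d=$1; shift
    awk -v d="$d" '
        /^[ \t]*#/ { next }                            # skip commented-out lines
        tolower($1) == tolower(d) { v = tolower($2) }  # directive names are case-insensitive
        END { print v }' "$@"
}

# indexes_lines FILE... -> "file:line: text" for each Options line that enables Indexes
indexes_lines() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "options" {
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^[+]?indexes$/) print FILENAME ":" FNR ": " $0
        }' "$@"
}

# audit_apache_conf FILE... -> prints findings; returns 1 if there is at least one
audit_apache_conf() {
    rc=0
    [ "$(last_value TraceEnable "$@")" != on ] || { echo "FAIL: TraceEnable on"; rc=1; }
    [ "$(last_value ServerSignature "$@")" != on ] || { echo "FAIL: ServerSignature on"; rc=1; }
    case "$(last_value ServerTokens "$@")" in
        prod|productonly) ;;                           # ProductOnly is the long form of Prod
        *) echo "FAIL: ServerTokens Prod not set"; rc=1 ;;
    esac
    hits=$(indexes_lines "$@")
    [ -z "$hits" ] || { echo "FAIL: directory listing enabled by:"; echo "$hits"; rc=1; }
    return "$rc"
}

# Constructed sample input (not from a real server), audited when no file is given.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TraceEnable on
TraceEnable off
ServerSignature On
<Directory /var/www/>
    Options Indexes FollowSymLinks
</Directory>
EOF
[ "$#" -gt 0 ] || set -- "$sample"
audit_apache_conf "$@" || echo "Findings are listed above."
rm -f "$sample"
```

Saved under a name of your choice (audit.sh here is hypothetical), it can be pointed at the real files: ./audit.sh /etc/apache2/apache2.conf /etc/apache2/sites-available/*.conf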

Run Apache as separate User & Group

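$ sudo groupadd apache
$ sudo useradd -g apache apache
$ sudo chown -R apache:apache /etc/apache2

Running Apache under its own non-root account limits what a compromised web server process can do. Note that the account only needs to read /etc/apache2; owning the directory also lets a compromised worker process rewrite the configuration. Set the User and Group directives in the config file in /etc/apache2/sites-available/, outside any <VirtualHost> block, by adding: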

User apache
Group apache

Restart the Apache server and check that the changes are in effect:

$ sudo ps -ef | grep apache2

More info at https://geekflare.com/apache-web-server-hardening-security/