Ubuntu 16.04: Changing PHP Versions

I was making some changes to a web server recently that I figured I would make a super short blog tutorial about!

Changing From PHP 5.6-7.0

The same instructions will work for pretty much any version of PHP you would like to install or change from. Just change the version of PHP in the commands and you’re good to go.

Firstly, you’ll need to add the public PHP repository. Then you’ll need to update your packages. Then you need to install PHP. I’ve included both versions in case you’re switching one way or the other. It won’t matter if you have both installed, we’ll only be referencing one by the end.

sudo apt-get-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.0 php5.6 php5.6-mysql php7.0-mysql php-gettext php5.6-mbstring php-mbstring php7.0-mbstring php-xdebug libapache2-mod-php5.6 libapache2-mod-php7.0

Once everything has run its course, you can start disabling and enabling which module is being used in Apache2.

sudo a2dismod php5.6; sudo a2enmod php7.0; sudo service apache2 restart

As we all know, there are two versions of PHP that run: Apache2 and CLI. To change the CLI version fo PHP, you’ll have to run the following command.

sudo update-alternatives --set php /usr/bin/php7.0

This means when you run php -v you’ll see PHP 7.0 as your PHP CLI version.

That’s it! Super simple stuff!

Hardening Apache2 on Ubuntu 16.04 LTS with Vim and Vigour!

There really isn’t much that’s more important than securing your web server when launching a website. Most of your development tasks are completed (hopefully), your designs are wonderful, and your designers are excited to finally get this project off their plate. So how do we go about securing our web server after launch?

Today, I’ll be talking specifically about the Apache2 web server. The particular flavour of Linux OS that I’ll be addressing is Ubuntu 16.04 (Debian also) considering it seems to be one of the most frequently used web servers today. There are some minor file location differences with RHEL/CentOS/Fedora, though not major. There are other tutorials addressing the particulars floating around. So I won’t include them here.

I’ll be using my favourite command line text editor Vim, but feel free to replace any vim command with nano if you’re more familiar with. I’ll include some basic information to help you through using Vim if you’re unfamiliar.

Shut-out Server Specification: Hide Your Server Version and OS Details

When hitting a server display page like a directory listing or a 404, you may notice that there exists a small colophon reading your servers version, IP, and Port. You can get rid of this tidbit of revealing data by changing some code in your Apache2 configuration files.

Type sudo vim /etc/apache2/apache2.conf to edit the file.

You may quickly notice a nice little message describing that your configuration file has been split for simplicity at the top. Always read documentation!

# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See http://httpd.apache.org/docs/2.4/ for detailed information about
# the directives and /usr/share/doc/apache2/README.Debian about Debian specific
# hints.
#
#
# Summary of how the Apache 2 configuration works in Debian:
# The Apache 2 web server configuration in Debian is quite different to
# upstream's suggested way to configure the web server. This is because Debian's
# default Apache2 installation attempts to make adding and removing modules,
# virtual hosts, and extra configuration directives as flexible as possible, in
# order to make automating the changes and administering the server as easy as
# possible.

# It is split into several files forming the configuration hierarchy outlined
# below, all located in the /etc/apache2/ directory:
#
# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
#
#
# * apache2.conf is the main configuration file (this file). It puts the pieces
# together by including all remaining configuration files when starting up the
# web server.
#
# * ports.conf is always included from the main configuration file. It is
# supposed to determine listening ports for incoming connections which can be
# customized anytime.
#
# * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
# directories contain particular configuration snippets which manage modules,
# global configuration fragments, or virtual host configurations,
# respectively.
#
# They are activated by symlinking available configuration files from their
# respective *-available/ counterparts. These should be managed by using our
# helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
# their respective man pages for detailed information.
#
# * The binary is called apache2. Due to the use of environment variables, in
# the default configuration, apache2 needs to be started/stopped with
# /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
# work with the default configuration.

The actual file will be located in a separate configuration folder. Press esc to enter command mode and type :q or :q! if you accidentally changed the file to exit the file in Vim.

Type sudo vim /etc/apache2/conf-enabled/security.conf to edit the file containing security features.

Look for the string ServerSignature by typing /ServerSignature in Vim command mode (press esc at any time to enter command mode). You can use the arrow keys or h,j,k, and l to move your cursor left, down, up, and right respectively in command mode.

press i to enter text edit mode. This is the mode that you will be most familiar with when typing using a keyboard. Press esc to go back into command mode.

Change the following variables as follows:

ServerSignature Off
ServerTokens Prod

Once you’re done editing the file, enter command mode (esc) and type :wq to write the file and quit. If you’ve messed up the file, feel free to :q! to forcefully quit the file and ignore all changes as :q may not do the job alone. Typing u in command mode will undo any changes you’ve recently made as well, if that suits you better.

Once you’re back in the Ubuntu command line, restart the server by typing sudo service apache2 restart

Now when you visit the same 404 or directory listing page, you won’t be seeing that server signature! Congrats on completing step one!

Disable Detailed Directories: Hide Directory Listing and Files

Your Apache2 server will want to list out all the directories and files if you don’t have a base index.html or index.php (or other if specified in Apache2) in your directory. You can hide this functionality by adding a simple line of code to your apache2.conf file.

Type sudo vim /etc/apache2/apache2.conf to edit the base configuration file and hide directories from all sites located in your web folder.

Type /Directory /var/www/html to find the code you need to edit. It should be a block that looks like this:

<Directory /var/www/html>
 AllowOverride All
</Directory>

Just below AllowOverride All you’ll want to add Options -Indexes. You should end up with this.

<Directory /var/www/html>
 AllowOverride All
 Options -Indexes
</Directory>

Once you’ve changed your code, :wq out of the file and restart your server with sudo service apache2 restart. Once you hit a directory, you’ll now find a message forbidding you from accessing that folder. Congrats on completing step 2!

Write Where We’re Willed: Web Server File Permissions

Web servers are left open to hackers when using open file permissions (777 or -rwxrwxrwx / drwxrwxrwx). It’s important to make sure that your web server is given proper permissions to access and write directories, without opening them to hackers and visitors.

One simple way to do this is to disable write and execution tags where applicable in the permissions for folders and files. Permissions use binary triplets to turn on and off permissions. First, the base ten digit is converted to binary, and those positions turn on and off file and folder features.

To change all directories within your web folder to 755 (rwxr-xr-x):

find /var/www/html -type d -exec chmod 755 {} \;

To change all files within your web folder to 644 (rw-r--r--):

find /var/ww/html -type f -exec chmod 644 {} \;

These permissions not only work well for statically built websites, but also for content management systems like Magento and WordPress.

Updating Ubuntu: Specifically Apache2

Updating your server, and specifically updating Apache2 is very important. You’ll want to make sure you’re updating regularly to make sure the most important security patches have been applied.

Firstly you’ll want to update your package information by using sudo apt-get update

If you’d simply like to install updates for Apache2, just type sudo apt-get install apache2. You should be returned a message that looks something like the following.

Reading package lists... Done
Building dependency tree
Reading state information... Done
apache2 is already the newest version (2.4.18-2ubuntu3.3).
0 upgraded, 0 newly installed, 0 to remove and 21 not upgraded.

As you can see, I have 21 packages that are not upgraded on my server. If you’d like to update all of these packages, you can type sudo apt-get upgrade.

If you’d rather view the packages that need updating and install them one by one (using a command similar to the one for apache2), you can do so by typing sudo apt-get upgrade --dry-run or /usr/lib/update-notifier/apt-check -p for a simpler return.

Conclusion

These are only a few of the many ways you can harden your Apache2 web server. I’ll be adding to and maintaining this list as time passes, but there are a few extra things you’ll want to be sure to check out.

HTTPS and SSL Certificates

You’ll want to make sure that you’re installing SSL Certificates on all of your sites. Whether they’re extended validation or self signed, this can help keep traffic encrypted, and your users feeling safe. There are many other reasons to install SSL, a big reason is that Google promotes sites that use it more than ones that don’t (for obvious reasons). With tools like Lets Encrypt there really is no reason not to install a cert on all of your servers.

Firewalls Firewalls Firewalls

Personally, I like to host on AWS where their console and security features allow for very strict access to your cloud network infrastructure. If you don’t have access to such strong security measures on your own personal server, you’ll want to ensure that you take advantage of the firewall tools available in Ubuntu.

If you have any questions, make sure you comment below!

Cheers,
Cole Speelman

The Value Of Good Web Design

I came across an article on one of my favourite blogs/websites and thought I’d share. I encourage everyone who reads this to continue on and read the original article as well.

I, Website

I was having a conversation with a friend recently about the value of being unique in video game creation. The conversation led me to think about how I evaluate different things in my life. I found myself asking questions I may not have thought to ask myself when making assessments. Should we value unique idea more than ideas that are recycled? What if the execution of the recycled is better than the original? Should we give appreciation to those that create, or those that revolutionize?

Our conversation and the above article made me think about the way programmers create in modern society. We live in a world where open source affords us the incredible ability to steal ideas and cheat our way through solutions, but find ourselves contributing to the community instead. We find dedicated communities that build amazing solutions to problems that we all have, and are all able to share in the value of a finished project.

That left me to think about how we build websites (or anything with code, really). Are we stealing every time we use a code snippet or open source project? Should our work be devalued for using an existing solution to supplement one of our own? Where do we draw the line, as developers, in saying that something is built from scratch? Can we consider anything built from scratch?

As we build better creation tools, higher level programming languages, abstracted development processes, scratch becomes farther and farther from where we started. For example, tools like Sass and Less allow us to create CSS programmatically and save time. Does this mean the final product has a lesser value because we were able to complete it with greater ease and in less time? Should we assign it a greater value, considering the extra time and effort that went into learning the tools? The answer seems pretty simple when it comes to investing time into learning another language, but where does that answer land when we look at website building tools like Squarespace?

I’ve seen web developers go from writing lines of HTML, CSS, and JavaScript for hundreds of dollars to dragging and dropping widgets for thousands.

I guess it all comes down to the end result.

What’s in a name? That which we call a rose
By any other name would smell as sweet.

Hello World

I’ve finally decided that I would like to have a blog.

Why a blog? Mainly, I’d like to resolve and track problems while having a recorded set of instructions that I can visit when the problem eventually turns up again. Partially, I’m getting tired of all the nonsense on social media, and would like a more intellectually stimulating outlet to air my thoughts.

That leaves me with the task of writing my first blog and setting the tone for future blogs to come. To that, I say what I’ve been conditioned to output on any primary run.

Hello World!