Web Servers – TecAdmin
https://tecadmin.net
How to guide for System Administrator's and Developers
Sat, 17 Dec 2022 04:42:24 +0000

How to Enable CORS in Nginx
https://tecadmin.net/how-to-enable-cors-in-nginx/
Fri, 16 Dec 2022 13:26:13 +0000

The post How to Enable CORS in Nginx appeared first on TecAdmin.

Cross-Origin Resource Sharing (CORS) is an important security feature for web applications. It allows web applications to use resources from other domains while preventing malicious access. By enabling CORS in Nginx, we can ensure that our web applications are secure and that they can access resources from other domains. With the right configuration, we can make sure that malicious requests are blocked and that our applications are secure.

In this article, we’ll look at how to enable CORS in Nginx.

How to Enable CORS in Nginx

Nginx is an open-source web server that is often used to serve static content. It is also used to proxy requests to other web servers, such as Apache. In order to enable CORS in Nginx, we need to add a few configuration directives.

A simple configuration to enable CORS in Nginx looks like this:

location / { 
     add_header "Access-Control-Allow-Origin" *; 
     add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS"; 
     add_header "Access-Control-Allow-Headers" "Authorization"; 
}

The first directive adds a header to the response that allows all origins to access the resource. The second directive adds a header that specifies which methods are allowed. The third directive adds a header that allows for the authorization header to be sent with requests.

In addition to these directives, you also need to configure a Sub URL in your Nginx configuration. This block will specify which specific URLs are allowed to be accessed via CORS. For example:

location /api/ { 
     add_header "Access-Control-Allow-Origin" *; 
     add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS"; 
     add_header "Access-Control-Allow-Headers" "Authorization"; 
}

This configuration will allow any origin to access the URLs that begin with /api/. It is also possible to specify specific domains that are allowed to access the resource. For example:

location /api/ { 
     add_header "Access-Control-Allow-Origin" "https://example.com"; 
     add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS"; 
     add_header "Access-Control-Allow-Headers" "Authorization"; 
}

This will allow only requests from example.com to access the URLs that begin with /api/. You can allow multiple domains by repeating that line with other domains.

You can also send the Access-Control-Allow-Origin header for specific files only. For example, to allow CORS for fonts only, use the following:

# Match font files by extension (case-insensitive) inside a location block
if ($request_filename ~* "\.(eot|otf|ttf|woff)$") {
  add_header Access-Control-Allow-Origin *;
}

Once you have added the necessary configuration directives, you can restart Nginx and the changes will take effect.

Wide Open Nginx CORS Configuration

Here is the wide-open Nginx CORS configuration file, which you can use with the Nginx servers. With this configuration, you can enable CORS and other parameters based on the request types.

location / {
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';

        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
     }
}

Resource: https://michielkalkman.com/snippets/nginx-cors-open-configuration/

Testing Your CORS Configuration

Once you have enabled CORS in Nginx, you should test your configuration to make sure it is working properly. The easiest way to do this is to use a tool such as Postman or curl to make a request to the resource you want to test.

When making the request, you should add the Origin header. For example, if you are testing a URL that begins with /api/, you should add the header Origin: https://example.com. You should also add the Access-Control-Request-Method header with the method you want to test.

curl -v -X OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Method: POST" http://your_domain.com/api/

Once you have made the request, you should check the response. If CORS is enabled properly, you should see the Access-Control-Allow-Origin header with the value of the origin you specified in the request.
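The check described in this section can be scripted. The following is an added example, not part of the original article: it reads response headers on stdin and reports two combinations that browsers refuse, more than one Access-Control-Allow-Origin value in a response and `*` together with Access-Control-Allow-Credentials: true, plus origin and method mismatches. The function name, finding labels and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit CORS response headers read from stdin.
# Usage: <headers> | audit_cors ORIGIN METHOD
# Against a live server (your_domain.com is the article's placeholder):
#   curl -s -o /dev/null -D - -X OPTIONS \
#        -H "Origin: https://example.com" \
#        -H "Access-Control-Request-Method: POST" \
#        http://your_domain.com/api/ | audit_cors https://example.com POST
audit_cors() {
    tr -d '\r' | awk -v origin="$1" -v method="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    {
        i = index($0, ":")
        if (i == 0) next                      # status line or blank line
        name  = tolower(substr($0, 1, i - 1)) # header names are case-insensitive
        value = trim(substr($0, i + 1))
        if (name == "access-control-allow-origin")           { acao_n++; acao = value }
        else if (name == "access-control-allow-credentials") { creds = tolower(value) }
        else if (name == "access-control-allow-methods")     { have_methods = 1; methods = value }
    }
    END {
        if (acao_n == 0) { print "NO_CORS_HEADERS"; exit }
        if (acao_n > 1 || acao ~ /[, ]/) {
            # Browsers accept exactly one origin value per response.
            print "MULTIPLE_ALLOW_ORIGIN"; bad++
        } else if (acao == "*") {
            # A wildcard origin is refused on credentialed requests.
            if (creds == "true") { print "WILDCARD_WITH_CREDENTIALS"; bad++ }
        } else if (acao != origin) {
            print "ORIGIN_NOT_ALLOWED"; bad++
        }
        if (have_methods) {
            ok = 0
            n = split(methods, m, ",")
            for (k = 1; k <= n; k++) {
                item = toupper(trim(m[k]))
                if (item == "*" || item == toupper(method)) ok = 1
            }
            if (!ok) { print "METHOD_NOT_ALLOWED"; bad++ }
        }
        if (!bad) print "OK"
    }'
}

# Constructed sample responses (not captured from a real server).
sample_wide_open() {   # headers as set by the wide-open preflight block
    printf '%s\r\n' 'HTTP/1.1 204 No Content' \
        'Access-Control-Allow-Origin: *' \
        'Access-Control-Allow-Credentials: true' \
        'Access-Control-Allow-Methods: GET, POST, OPTIONS' ''
}
sample_repeated() {    # the Allow-Origin add_header line repeated for two domains
    printf '%s\r\n' 'HTTP/1.1 204 No Content' \
        'Access-Control-Allow-Origin: https://example.com' \
        'Access-Control-Allow-Origin: https://app.example.com' \
        'Access-Control-Allow-Methods: GET, POST, OPTIONS' ''
}
sample_single() {      # one fixed origin, as in the /api/ example
    printf '%s\r\n' 'HTTP/1.1 204 No Content' \
        'Access-Control-Allow-Origin: https://example.com' \
        'Access-Control-Allow-Methods: GET, POST, OPTIONS' \
        'Access-Control-Allow-Headers: Authorization' ''
}

for s in sample_wide_open sample_repeated sample_single; do
    printf '%s: %s\n' "$s" "$($s | audit_cors https://example.com POST)"
done
```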

CORS Config for nginx

Understanding CORS Requests

In order to understand how CORS works, it is important to understand the different types of requests that can be sent. There are two types of requests: simple requests and preflight requests.

Simple requests are requests that do not require preflight checks. These requests are typically GET or POST requests that do not have any custom headers.

Preflight requests are more complex requests that require an additional step. These requests will typically have custom headers or a method other than GET or POST. Before the request can be sent, the browser will make an initial request, known as a preflight request, to determine if the request should be allowed.

If the preflight request is allowed, the browser will then send the actual request. If the preflight request is not allowed, the browser will not send the actual request and the resource will not be accessed.

Cross-Origin Resource Sharing (CORS) Process

Conclusion

In this article, we looked at how to enable CORS in Nginx. We saw how to add the necessary configuration directives and location blocks to our Nginx configuration. We also looked at how to test our CORS configuration and how to understand CORS requests.

Thanks for reading! If you have any questions or comments, please leave them in the comments section below.

How to Check Tomcat Version on Linux
https://tecadmin.net/check-tomcat-version/
Thu, 08 Sep 2022 11:01:14 +0000

The post How to Check Tomcat Version on Linux appeared first on TecAdmin.

Q. How do I find the installed Tomcat version on a Linux system?

The Tomcat installation provides a shell script, version.sh, for Linux-based systems and version.bat for Windows systems. This script provides detailed information about the Tomcat version and other details. This quick blog post will help you to find the Tomcat version installed on your system.

Check Tomcat Version

  1. Use the cd command to switch to the Tomcat installation bin directory. The location of the directory depends on the installation types. The packages installed on the official repository are generally installed under the /etc/tomcat directory. Custom installation is generally done under the /opt or /usr/share directory.
    cd /usr/share/tomcat/bin 
    

    Note: If you still have not found the directory, I have discussed a few methods at the end of this article.

  2. You will find a version.sh script under the bin directory. You can execute this script to find the installed Tomcat version along with a few other details.
    ./version.sh 
    
    Using CATALINA_BASE:   /usr/share/tomcat
    Using CATALINA_HOME:   /usr/share/tomcat
    Using CATALINA_TMPDIR: /usr/share/tomcat/temp
    Using JRE_HOME:        /usr
    Using CLASSPATH:       /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar
    Using CATALINA_OPTS:
    Server version: Apache Tomcat/10.0.23
    Server built:   Jul 14 2022 08:16:11 UTC
    Server number:  10.0.23.0
    OS Name:        Linux
    OS Version:     5.15.0-47-generic
    Architecture:   amd64
    JVM Version:    17.0.1+12-LTS-39
    JVM Vendor:     Oracle Corporation
    

Here is the screenshot of the Tomcat version running on a Ubuntu 22.04 system. I have recently installed it from the source code.

Check Tomcat Version

Note: If you don’t know the installation directory, you can try the following commands to find it.

find / -type d -name "*tomcat*"
find / -type f -name version.sh

Conclusion

It’s a good practice to keep servers up to date. You may also need to check the currently installed Tomcat version to find if a newer version is available. This blog post will help you to find the Tomcat version via the command line interface.

Simple Redirects with .htaccess
https://tecadmin.net/simple-redirects-with-htaccess/
Mon, 15 Aug 2022 15:37:06 +0000

The post Simple Redirects with .htaccess appeared first on TecAdmin.

Google Chrome is one of the most widely used web browsers in the world. Unfortunately, that also means that a lot of users will see broken links on your website if you don’t take precautions to prevent it. Redirecting an old URL to a new one is one such precaution you can take.

There are two redirect types:

  • Permanent Redirect: A 301 Redirect is a permanent redirection. When a user types in a URL and gets redirected to another page, the new page comes up with a fresh title and description in the search engine results. The user will not be able to see the previous URL, and the previous URL will be replaced with the new URL in the browser’s history.
  • Temporary Redirect: The 302 Redirect is a temporary redirect. Once the user clicks on the link from the new page, the browser will show the old URL in the address bar. However, if the user finds the page through a search engine, the page title and description remain the same. A 302 Redirect can be used to redirect the user to another page temporarily, but it is not ideal for redirecting to a permanent URL.

Redirect Syntax

The Apache mod_alias module provides a Redirect directive that is used to make temporary or permanent redirects. The basic syntax of Redirect is:

Redirect [status] [URL-path] URL

Here

  • Redirect is a directive that maps an old URL to a new one. The keyword is case-sensitive.
  • The status can be either 301 for permanent redirects or 302 for temporary redirects. We can also use the keywords permanent or temp instead.
  • The old URL-path is the case-sensitive path that begins with a slash. It’s optional; if omitted, the default will redirect the entire site.
  • The new URL is the URL to redirect to. It can be a directory path (URL-path) beginning with a slash (/) or an absolute URL beginning with a scheme and hostname.

Redirect Examples

Let’s discuss a few examples of redirecting domains or URLs to other URLs.

  1. Redirect one page to another: If you have changed the permalink (URL) of a page, you can redirect users who still request the old page to the new one.
    # Redirect to a new URL on the same host
    Redirect 301 "/old-path" "/new-new"
    Redirect 301 "/app/services.html" "/app/v2/services.html"
    
  2. Redirect to other domains: This is useful when you want to redirect users to a page hosted on other domains.
    # Redirect to a URL on a different host
    Redirect 301 "/app/service" "https://app.example.com/service"
    
  3. Redirect the entire website: If you plan to change your domain name, it is best practice to configure 301 redirects from your entire website to the new domain. That will help you to preserve your SEO.
    # Redirect the entire website to a new domain (301 = permanent).
    # The trailing slash on the target keeps the rest of the request path from being appended directly to the hostname.
    Redirect 301 "/" "https://example.net/"
    

    All the URLs and sub-URLs of the website will be redirected to the new domain https://example.net.

Benefits of using .htaccess to implement redirects

You don’t have to change the content of your website. This means that you don’t have to worry about making sure the content remains the same. You can add redirects without changing the content at all.

You don’t have to worry about Google penalizing your website. When you change the content on a page, you can trigger a penalty from Google. However, Google understands that redirects are essential for a healthy website.

Limitations of using .htaccess for 301 Redirects

If you are transferring a website to a new domain, you will probably want to change the content in the source code to redirect visitors to the new domain. Using a .htaccess redirect will only redirect the URL, but will not change the content.

Editing the .htaccess file is often a quick way of doing things, but it can also be a quick way of breaking things. If you make a mistake while editing the .htaccess file, you might break the whole site.

You cannot use .htaccess to redirect users from one subdomain to another subdomain. For example, if you have www.example.com and example.com as subdomains, you can’t redirect users from www.example.com to example.com.

Conclusion

Redirects are an essential part of maintaining a healthy website. They help ensure that broken links don’t lead to 404 pages and that your content is accessible. There are two redirect types: The 302 Redirect is a temporary redirect. Once the user clicks on the link from the new page, the browser will show the old URL in the address bar.

However, if the user finds the page through a search engine, the page title and description remain the same. A 302 Redirect can be used to redirect the user to another page temporarily, but it is not ideal for redirecting to a permanent URL. A 301 Redirect is a permanent redirect.

How To Install Linux, Nginx, MySQL, & PHP (LEMP Stack) on Ubuntu 22.04
https://tecadmin.net/how-to-install-lemp-stack-on-ubuntu-22-04/
Thu, 07 Apr 2022 01:31:43 +0000

The post How To Install Linux, Nginx, MySQL, & PHP (LEMP Stack) on Ubuntu 22.04 appeared first on TecAdmin.

The Linux operating system is a very popular and widely used OS for the server. It powers the majority of the world’s websites, including some of the most well-known ones such as Yahoo, Google, and Facebook. The logical acronym LAMP is commonly used to refer to the mixture of free and open-source software that is frequently used together to create a server architecture that can handle dynamic websites, such as those built on PHP, MySQL, and Apache.

Each letter in the acronym refers to a separate software package: That being said, let’s see how we can install and setup LEMP Stack on Ubuntu.

Prerequisites

This guide assumes that you have a running Ubuntu 22.04 Linux system with sudo (or root) privileged access.

Access your system and open a terminal. It will be good to update the package manager cache and upgrade currently installed packages. To do this execute:

sudo apt update && sudo apt upgrade 

Let’s begin the LEMP (Linux, Nginx, MySQL, and PHP) stack installation on Ubuntu 22.04 Jammy Jellyfish Linux system.

Step 1 – Installing NGINX

First, we will install the Latest Nginx web server on our system. Use the following commands to add PPA for installing the latest Nginx version on your Ubuntu 22.04 Linux.

Use the following commands to install Nginx web server.

sudo apt install nginx 

This will install the Nginx web server and start the service.

Now, you need to allow webserver ports in the firewall. To allow ports 80 and 443 in the UFW firewall, execute the following commands.

sudo ufw allow 80/tcp 
sudo ufw allow 443/tcp 

Open a web browser on your system and type the server’s IP in the address bar. You will get the default Nginx server page.

Nginx Default Page

Step 2 – Installing PHP

First, you need to decide on the PHP version to install on your system. You can also install multiple PHP versions on a single system. Currently the repository contains PHP 5.6, PHP 7.1, 7.2, 7.3, 7.4 and PHP 8.0, 8.1. The below instruction will install PHP 8.1. Please change the version as per your requirements.

The ondrej/php PPA contains all PHP versions for Ubuntu systems. Add this repository to your system with the command below:

sudo add-apt-repository ppa:ondrej/php 

Now update the apt cache and install PHP 8.1.

sudo apt update 
sudo apt install php8.1 

This will install PHP on your Ubuntu system along with some useful PHP extensions.

Step 3 — Install and Configure PHP-FPM

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features. The Nginx web server requires PHP-FPM for processing PHP scripts.

To install PHP-FPM, run the following command based on the installed PHP version:

sudo apt install php8.1-fpm 

Once the installation is finished, check the service status:

sudo systemctl status php8.1-fpm 
● php8.1-fpm.service - The PHP 8.1 FastCGI Process Manager
     Loaded: loaded (/lib/systemd/system/php8.1-fpm.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2022-04-07 06:26:55 UTC; 11min ago
       Docs: man:php-fpm8.1(8)
    Process: 108650 ExecStartPost=/usr/lib/php/php-fpm-socket-helper install /run/php/php-fpm.sock /etc/php/8.1/fpm/pool.d/www.conf 81 (code=exited, status=0/SUCCESS)
   Main PID: 108647 (php-fpm8.1)
     Status: "Processes active: 0, idle: 2, Requests: 2, slow: 0, Traffic: 0req/sec"
      Tasks: 3 (limit: 1034)
     Memory: 10.7M
        CPU: 88ms
     CGroup: /system.slice/php8.1-fpm.service
             ├─108647 "php-fpm: master process (/etc/php/8.1/fpm/php-fpm.conf)
             ├─108648 "php-fpm: pool www
             └─108649 "php-fpm: pool www

Apr 07 06:26:55 ubuntu2204 systemd[1]: Starting The PHP 8.1 FastCGI Process Manager...
Apr 07 06:26:55 ubuntu2204 systemd[1]: Started The PHP 8.1 FastCGI Process Manager.

In Step 6, we will configure the Nginx virtual host with PHP-FPM to serve PHP applications.

Step 4 – Installing MySQL

The default Ubuntu repositories contain MySQL 8.0, which can be installed directly using the package manager. To install the available MySQL server version, execute the following command.

sudo apt-get install mysql-server 

Once the installation is finished, you can secure the MySQL server by executing the following command.

sudo mysql_secure_installation 

This will ask for a few questions to secure the MySQL server.

  1. Press ‘y’ to enable validate password plugin. This will allow you to set a strict password policy for user accounts.
    VALIDATE PASSWORD COMPONENT can be used to test passwords
    and improve security. It checks the strength of password
    and allows the users to set only those passwords which are
    secure enough. Would you like to setup VALIDATE PASSWORD component?
    
    Press y|Y for Yes, any other key for No: y
    
  2. Choose the password complexity level. Read all 3 options and choose one. For production servers we recommend choosing the STRONG policy.
    LOW    Length >= 8
    MEDIUM Length >= 8, numeric, mixed case, and special characters
    STRONG Length >= 8, numeric, mixed case, special characters and dictionary file
    
    Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
    
  3. Enter a new password and re-enter it. Make sure it matches the complexity level as described above.
    New password: *************
    Re-enter new password: *************
    
  4. Press ‘y’ to continue with provided password.
    Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
    
  5. Remove default anonymous users from MySQL server:
    Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
    
  6. Disable root login from remote systems
    Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
    
  7. Remove the test database from MySQL, created by default during installation.
    Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
    
  8. Reload all privileges to apply above changes immediately.
    Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
    

You have secured the MySQL server in the LEMP stack on the Ubuntu 22.04 Linux system.

Remember that the above password set for the root accounts is used for remote users only. To log in from the same system, just type mysql on terminal.

sudo mysql 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 14
Server version: 8.0.28-0ubuntu4 (Ubuntu)

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Type ‘quit’ to exit from the MySQL shell and return to the system terminal.

Step 5 – Installing Additional Packages

You may also need to install modules like MySQL and other extensions for PHP based on the application requirements. Use the following command to find out the available PHP extensions.

sudo apt search php8.1-* 

The above command will list all available PHP 8.1 modules for installation. Let’s begin the installation of modules.

sudo apt install php8.1-mysql php8.1-curl php8.1-xml 

You may also need to install other required PHP extensions on your system.

Step 6 — Configure Nginx VirtualHost

Finally, do the configuration of the Nginx virtual host. For this example, we are editing the default configuration file.

sudo nano /etc/nginx/sites-enabled/default 

and make changes as below.

server {
        listen   80;

        root /var/www/example.com;
		
        index index.php;
		
        server_name  example.com www.example.com;

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        }

}

In the above configuration file, look for the location ~ \.php$ section, which is required to serve PHP scripts via the Nginx server.

You have to do the same changes in all VirtualHosts configured.

Step 7 – Verify Setup

You have successfully completed the installation of Nginx, MySQL, and PHP on the Ubuntu 22.04 Linux system. To verify the PHP integration with Nginx, create a PHP script (example: info.php) on the website document root and write the below content.

<?php
   phpinfo();
?>

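Now access this file in the web browser. It will show all the details about versions and installation. Remove info.php once you have verified the setup, because the phpinfo() output discloses version, path and configuration details to anyone who can reach it.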

http://server-ip-or-domain-name/info.php 
Running PHP Script with Nginx and PHP-FPM

Conclusion

This tutorial helped you to set up the LEMP (Linux, Nginx, MySQL, and PHP) stack on Ubuntu 22.04 LTS system. Now, you can host PHP-based web applications on your server.

How to Increase Request Timeout in NGINX
https://tecadmin.net/increase-request-timeout-in-nginx/
Thu, 13 Jan 2022 07:20:01 +0000

The post How to Increase Request Timeout in NGINX appeared first on TecAdmin.

Sometimes long-running requests fail with the error message “504: Gateway Timeout” in the NGINX web server. To solve this issue, you need to increase the request timeout in the NGINX server configuration. The default NGINX request timeout is 60 seconds, which can be increased or decreased by updating the configuration files.

In this quick FAQ, you will learn to change the request timeout in NGINX web server.

Increase Request Timeout in NGINX

For example, suppose you want to increase the request timeout to 300 seconds. You need to add the proxy_read_timeout, proxy_connect_timeout, and proxy_send_timeout directives to the http or server block. Setting them in the http block applies the change to all servers in NGINX.

To make changes for all servers, edit the NGINX main configuration file and add the following content under http block.

http{
   ...
   proxy_read_timeout 300;
   proxy_connect_timeout 300;
   proxy_send_timeout 300;
   ...
}

If you just want to increase the request timeout for a specific server or subdomain, add the directives to its server block only. Edit the specific server block configuration file and add the following settings:

server{
   ...
   proxy_read_timeout 300;
   proxy_connect_timeout 300;
   proxy_send_timeout 300; 
   ...
}

After making the changes, you must restart the NGINX service to apply changes. The systems running with Systemd can use the following command.

sudo systemctl restart nginx 

All done. With the above changes, you have successfully increased the request timeout in the NGINX server.

Conclusion

This tutorial helps you to increase request timeout in NGINX web server.

How To Disable HTTP Methods in Apache
https://tecadmin.net/how-to-disable-http-methods-in-apache/
Thu, 30 Dec 2021 06:09:30 +0000

The post How To Disable HTTP Methods in Apache appeared first on TecAdmin.

The HTTP methods are used to perform create, read, update, and delete (or CRUD) operations. The most common methods are POST, GET, PUT, PATCH, and DELETE. It’s good practice to disable methods that are unused and insecure, like PUT, PATCH, and DELETE.

This tutorial explains how to disable HTTP methods for an Apache web server.

Disable HTTP Methods in Apache

Create a “.htaccess” file under the document root directory and add the following code. Make sure that the Apache rewrite module and .htaccess are enabled.

RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|PUT|DELETE|PATCH|TRACK|OPTIONS) 
RewriteRule .* - [F]

The above configuration will disable HEAD, PUT, DELETE, PATCH, TRACK, and OPTIONS methods.

Next, restart the Apache webserver to apply changes.

sudo systemctl restart apache2 

Verify Setup

You can verify changes using the curl command line utility. Let’s send a request from your system to verify that the server accepts specific header requests. For example, the below command will send an “OPTIONS” request to the server.

curl -i -X OPTIONS https://tecadmin.net 
Output
HTTP/1.1 403 Forbidden
Date: Thu, 30 Dec 2021 05:50:03 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 281
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache Server at tecadmin.net Port 443</address>
</body></html>

You will see a forbidden message in the result. This means that the Apache server rejected the OPTIONS request.

Conclusion

Hopefully, this article will help you disable the HTTP methods for your Apache webserver.

How to Install and Secure Apache on Debian11
https://tecadmin.net/how-to-install-apache-on-debian-11/
Fri, 03 Sep 2021 04:46:16 +0000

The post How to Install and Secure Apache on Debian11 appeared first on TecAdmin.

Apache HTTP web server is one of the most widely used web servers, especially on Linux distributions. It is free, cross-platform, and used by a vast number of websites on the internet. Apache uses HTTP to process requests and serve web content. Apache has tons of useful features and its functionality can be enhanced with extra modules. It also allows programmers to publish their work on the internet.

So, in this article, we will discuss the installation of the Apache web server and how to secure it after installation on Debian 11.

Requirements

Before installation, you must be logged into the Debian system with sudo privileges. We also recommend completing the initial server setup on newly installed Debian 11 systems.

Step 1 – Installing Apache on Debian

The latest Apache packages are available in the default Debian 11 repository, so we can install them directly with the package manager.

After logging in, open a terminal and update the apt cache with the following command:

sudo apt update 

After updating the apt cache, install Apache2 on your Debian 11 Bullseye system with the command:

sudo apt install apache2 

Press “y” for any confirmation prompted by the installer.

Once the installation process has completed, verify the installed Apache version by running the following command:

apache2 -v 
Output:
Server version: Apache/2.4.48 (Debian)
Server built: 2021-08-12T11:51:47

Another way to verify the installation is to open the Apache2 default page using your server’s IP address or hostname. If you don’t know your server’s IP address, run the following command first:

hostname -I 

Enter your server’s hostname or IP address in the browser’s URL bar and press Enter. The Apache2 Debian Default Page will open.

Step 2 – Managing the Apache Service

After a successful installation, the Apache service can be managed with “systemctl” commands. Run the following command to check the status of the server:

sudo systemctl status apache2.service 

Press “q” to quit. A few commands to manage the Apache service on Debian 11 are:

To start the server use the command:

sudo systemctl start apache2.service 

Similarly, to stop the service, replace start with stop in the above command:

sudo systemctl stop apache2.service 

The service can be restarted using:

sudo systemctl restart apache2.service 

Step 3 – Configuring Firewall Settings

If your system has a firewall, you’ll need to allow access to the web ports so that external users can reach them. Run the following commands in the Debian terminal to allow port 80 (HTTP) and 443 (HTTPS):

sudo ufw allow 80/tcp 
sudo ufw allow 443/tcp 

Now verify by checking the status:

sudo ufw status 

If it is not active, enable it with:

sudo ufw enable 

Step 4 – Creating Virtual Host in Apache

In Apache, virtual hosts allow you to operate multiple websites on a single server. In this step, we’ll create a virtual host for a website called sample.com.

Let’s start by setting up your Apache server’s first virtual host. We’ll use “sample.com” as the sample domain, but you can name it according to your preference:

sudo mkdir -p /var/www/sample.com 

Now change the owner and permissions with the following commands:

sudo chown -R www-data:www-data /var/www/sample.com 
sudo chmod -R 755 /var/www/sample.com 

To test our sample.com site, we’ll now create an example index page. We’ll use the nano editor to create the HTML file:

sudo nano /var/www/sample.com/index.html 

Insert the following content into the index page, then press Ctrl+O to save the file and Ctrl+X to exit and return to the terminal:

<html>
 <head>
   <title>Welcome to the page sample.com!</title>
 </head>
 <body>
   <h1>Congratulations! Your sample.com server succeeded!</h1>
 </body>
</html>

Next, we’ll create a virtual host file that serves the site’s content. Run the following command in a terminal:

sudo nano /etc/apache2/sites-available/sample.com.conf 

A text file will open. Insert the following content:

<VirtualHost *:80>
  ServerAdmin admin@sample.com
  ServerName sample.com
  ServerAlias www.sample.com
  DocumentRoot /var/www/sample.com
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Press Ctrl+O to save the file and Ctrl+X to exit the file and return to the terminal.

Step 5 – Enabling the Domain Configuration

Run the following command to turn on the virtual host file:

sudo a2ensite sample.com.conf 

Disable the default Apache configuration by running the following command:

sudo a2dissite 000-default.conf 

Apply the new changes to Apache by running the following command:

sudo systemctl restart apache2 

Step 6 – Resolve Hostname Error

Now we have to check our configuration for syntax errors. To test the configuration, run the following command:

sudo apache2ctl configtest 

This reports an error saying that the system hostname could not be resolved, but don’t worry, we will resolve it. Create a new configuration file, “servername.conf”, and open it in a text editor:

sudo nano /etc/apache2/conf-available/servername.conf 

Now insert the following content into the file:

ServerName sample.com

Press Ctrl+O to save the file and Ctrl+X to exit. Make sure to replace “sample.com” with your actual domain name. Now enable the new server name configuration by running the following command:

sudo a2enconf servername 

Now run the configuration test again:

sudo apache2ctl configtest 

You will see that the hostname error is resolved now.

Step 7 – How to secure Apache2 on Debian 11

To secure the Apache server, edit the “security.conf” file. Run the following command to open the file:

sudo nano /etc/apache2/conf-enabled/security.conf 

Insert or update the below content into the file:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always append X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection: "1; mode=block"
Header always set X-Content-Type-Options: "nosniff"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

Save the file and close it.

Set the server-wide SSLCipherSuite and SSLProtocol directives so that the website is served with secure ciphers only, by editing the ssl.conf file:

sudo nano /etc/apache2/mods-enabled/ssl.conf 

Now insert the following content into the file, then press Ctrl+O to save the file and Ctrl+X to exit:

SSLProtocol -all +TLSv1.2
SSLCipherSuite HIGH:!aNULL:!MD5

Now restart Apache to apply the configuration:

sudo systemctl restart apache2.service 

That’s it. You have successfully installed and secured the Apache server.
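To confirm that the directives from security.conf are actually being served, the response headers can be checked from the command line. The script below is an added example, not part of the original article; the function names and the two sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit response headers against the security.conf settings.
# Note: the Header directives only take effect when mod_headers is loaded
# (on Debian: sudo a2enmod headers). TraceEnable and ServerSignature are not
# visible in response headers and are not checked here.

# Constructed sample responses (not captured from a real server).
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Server: Apache/2.4.48 (Debian)
Set-Cookie: session=abc123; path=/
Content-Type: text/html'

SAMPLE_HARDENED='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; path=/;HttpOnly;Secure
Content-Type: text/html'

# Print every value of header $1 (case-insensitive) found in the text $2.
header_values() {
    printf '%s\n' "$2" | awk -v want="$1" '
        {
            i = index($0, ":")
            if (i > 0 && tolower(substr($0, 1, i - 1)) == tolower(want)) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v
            }
        }'
}

# Read response headers on stdin and print one line per finding.
# Returns 0 when there are no findings, 1 otherwise.
audit_headers() {
    hdrs=$(tr -d '\r')
    findings=0

    # With "ServerTokens Prod" the header is just "Apache".
    server=$(header_values Server "$hdrs")
    case $server in
        */*|*[0-9]*)
            printf 'Server header discloses version details: %s\n' "$server"
            findings=$((findings + 1)) ;;
    esac

    for h in X-Frame-Options X-XSS-Protection X-Content-Type-Options \
             Strict-Transport-Security; do
        if [ -z "$(header_values "$h" "$hdrs")" ]; then
            printf 'missing header: %s\n' "$h"
            findings=$((findings + 1))
        fi
    done

    # Every cookie must carry both flags appended by the Set-Cookie edit rule.
    bad_cookies=$(header_values Set-Cookie "$hdrs" | awk '
        { l = tolower($0) }
        l !~ /;[ ]*httponly/ || l !~ /;[ ]*secure/ { n++ }
        END { print n + 0 }')
    if [ "$bad_cookies" -gt 0 ]; then
        printf 'cookies without HttpOnly and Secure: %s\n' "$bad_cookies"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}
```

Against a live server, feed it real headers with `curl -sI https://sample.com/ | audit_headers`. Browsers ignore Strict-Transport-Security on plain-HTTP responses, so run the check against the HTTPS URL once TLS is configured.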

Conclusion

Apache Web Server is an open-source server used by many websites on the internet, and it allows developers to publish their work on the internet. It is available on all operating systems, but in this article we covered its installation on the latest version of Debian (a Linux OS) and explained how to test and secure it after installation. After going through this guide, you will be able to install Apache2 on Debian 11 Bullseye and configure the server.

How To Enable Brotli Compression in Apache
https://tecadmin.net/how-to-enable-brotli-compression-in-apache/
Thu, 01 Jul 2021 09:44:53 +0000

Like Gzip, Brotli is a general-purpose compression algorithm. It was developed by Google and compresses data using a combination of modern technologies and algorithms. It is similar in speed to deflate but provides higher compression. Brotli compression is supported by all the major browsers, such as Chrome, Firefox, Safari, and Edge.

Brotli compression has been adopted by large technology companies such as Cloudflare. For this reason, we recommend switching to Brotli from the old deflate data compression algorithm.

This tutorial helps you to enable Brotli compression in the Apache web server.

Prerequisites

Shell access to your server with a sudo-privileged account.

We assume that you already have a running Apache server and have created a virtual host for the web application.

Step 1 – Installing Brotli

First, install the brotli package on your system. For the Ubuntu and Debian systems, it’s available in the default repositories.

Open a terminal and type:

sudo apt install brotli -y 

This will install the required package containing the algorithm files on your system.

Step 2 – Configure Brotli with Apache

The Apache server includes the Brotli module by default. You can enable the module with the following command.

sudo a2enmod brotli 

Next, you have to configure the Apache virtual host to enable compression with brotli. You need to add the below code in the virtual host configuration file.

<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
</IfModule>

After enabling Brotli compression, the virtual host configuration file looks like this:

<VirtualHost *:80>
      ServerAdmin webmaster@localhost
      ServerName example.com
      DocumentRoot /var/www/

      <IfModule mod_brotli.c>
            AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
      </IfModule>
	
      ErrorLog ${APACHE_LOG_DIR}/error.log
      CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save the configuration file and close it. Then restart the Apache service to apply the changes.

sudo systemctl restart apache2 

That’s it. You have successfully enabled brotli compression in the Apache server.

Step 3 – Test Compression

Access your web application in a browser and check the response headers in the browser console. Look for the Content-Encoding header. Its value must contain br, which denotes that the web page is compressed with Brotli.

The command line heroes can also use the curl command to view the headers, as below:

curl -I -H 'Accept-Encoding: br' http://example.com 

You will see the result below.

HTTP/1.1 200 OK
Date: Thu, 01 Jul 2021 06:26:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Fri, 05 Feb 2021 08:55:44 GMT
ETag: "33-5ba92fc4cecdf-br"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: br
Content-Length: 46
Content-Type: text/html

Check the value of the Content-Encoding header.

Conclusion

This tutorial helped you to configure Brotli compression in the Apache webserver.

How to Install Tomcat 10 on Debian 10
https://tecadmin.net/how-to-install-tomcat-10-on-debian-10/
Fri, 26 Mar 2021 06:00:53 +0000

Apache Tomcat is an open-source web server with a servlet container for publishing Java-based web applications. Tomcat is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. As of today, Tomcat 10 is the latest stable version available for installation on development and production environments. To learn more about Apache Tomcat, visit the official Apache site at http://tomcat.apache.org/.

This tutorial will help you install Apache Tomcat 10 on a Debian 10 Buster Linux system.

Prerequisites

A running Debian 10 system with shell access to a sudo-privileged account.

You can get cheaper instances from DigitalOcean hosting.

Step 1 – Install Java

Tomcat 10 requires JRE 8 or a higher version installed on your system. If your system doesn’t have a JRE installed, use the following commands to install OpenJDK to fulfil the requirement.

sudo apt update 
sudo apt install default-jdk -y 

Check the current active Java version:

java -version 

openjdk 11.0.9.1 2020-11-04
OpenJDK Runtime Environment (build 11.0.9.1+1-post-Debian-1deb10u2)
OpenJDK 64-Bit Server VM (build 11.0.9.1+1-post-Debian-1deb10u2, mixed mode, sharing)

Step 2 – Create Tomcat User

It is good to have a dedicated user account for running a Tomcat server. Creating a new user with the name “tomcat” is recommended for security purposes, mainly for production deployments.

To create a new account, type:

sudo useradd -m -d /opt/tomcat -U -s /bin/false tomcat 

The above command will create a user and group with the name “tomcat” in your system.

Step 3 – Install Tomcat on Debian 10

The Apache Tomcat development team releases new versions of Tomcat from time to time, so it is a good idea to check for and download the latest Tomcat version from the official download server. Use the command below to download Tomcat 10.

wget https://dlcdn.apache.org/tomcat/tomcat-10/v10.0.16/bin/apache-tomcat-10.0.16.tar.gz 

After downloading the archive, extract it into the Tomcat home directory /opt/tomcat, skipping the parent folder.

sudo tar xzvf apache-tomcat-10*tar.gz -C /opt/tomcat --strip-components=1 

Next, set the proper file permissions.

sudo chown -R tomcat:tomcat /opt/tomcat/ 
sudo chmod -R u+x /opt/tomcat/bin 

You now have the latest Tomcat application on your system.

Step 4 – Create Tomcat User

Now, configure Tomcat with user accounts to secure access to the admin/manager pages. To do this, edit the conf/tomcat-users.xml file in your editor and paste the following code inside the <tomcat-users> </tomcat-users> tags. We recommend replacing the password in the configuration below with a strong password.

sudo nano /opt/tomcat/conf/tomcat-users.xml 

Add the following values. Make sure to change the password for admin and manager access.

<!-- user manager can access only manager section -->
<role rolename="manager-gui" />
<user username="manager" password="_SECRET_PASSWORD_" roles="manager-gui" />

<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui" />
<user username="admin" password="_SECRET_PASSWORD_" roles="manager-gui,admin-gui" />

Save the file and close it.

Step 5 – Enable Remote Tomcat Access

By default, the Tomcat manager and host-manager applications are accessible from localhost only. To allow access to these pages from a remote system, you need to modify the following configuration files.

You can either allow a specific remote system or allow all. Edit the context.xml file for the manager and host-manager applications:

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Comment out the section that restricts access by IP address to allow connections from anywhere.

<Context antiResourceLocking="false" privileged="true" >
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="strict" />
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
  ...
</Context>

Also, edit the context.xml for the host-manager interface and comment out the same section as above.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

Save all files and close them.
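Commenting out the valve exposes the manager login to every network that can reach port 8080; the other option mentioned above, allowing a specific remote system, keeps the valve and extends its allow pattern. The script below is an added example (not from the original article) that reports which state a context.xml is in and whether a given client address would be admitted; the function names, the sample files and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example: audit the RemoteAddrValve in a manager context.xml.

# Constructed samples of webapps/manager/META-INF/context.xml.
CONTEXT_OPEN='<Context antiResourceLocking="false" privileged="true" >
  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" /> -->
</Context>'

CONTEXT_RESTRICTED='<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|203\.0\.113\.10" />
</Context>'

# Copy stdin to stdout with XML comments removed (handles multi-line comments).
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); in_comment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); in_comment = 1
            }
        }
        print out
    }'
}

# Print the allow pattern of the first active (uncommented) RemoteAddrValve.
# Assumes className precedes allow, as in the file shipped with Tomcat.
valve_allow() {
    strip_xml_comments | tr '\n' ' ' | awk '{
        i = index($0, "RemoteAddrValve")
        if (i == 0) exit
        s = substr($0, i)
        e = index(s, ">"); if (e > 0) s = substr(s, 1, e)
        if (match(s, /allow="[^"]*"/)) print substr(s, RSTART + 7, RLENGTH - 8)
    }'
}

# Print "open" when no active valve with an allow pattern is found,
# otherwise "restricted: <pattern>". Reads context.xml on stdin.
manager_exposure() {
    allow=$(valve_allow)
    if [ -z "$allow" ]; then
        printf 'open\n'
    else
        printf 'restricted: %s\n' "$allow"
    fi
}

# Would the valve admit client address $1? Reads context.xml on stdin.
# Tomcat matches the pattern against the whole address. \d is rewritten to
# [0-9] so grep -E can evaluate it, an approximation of Java regex syntax
# that is adequate for simple patterns like the ones above.
addr_allowed() {
    allow=$(valve_allow)
    [ -n "$allow" ] || return 0   # no active valve: every address is admitted
    ere=$(printf '%s' "$allow" | sed 's/\\d/[0-9]/g')
    printf '%s\n' "$1" | grep -Eqx -- "$ere"
}
```

On a server, run it as `manager_exposure < /opt/tomcat/webapps/manager/META-INF/context.xml`, and repeat for the host-manager file.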

Step 6 – Create a Tomcat Systemd Unit File

Tomcat provides bash scripts to start and stop the service. But to make it simple, create a systemd unit file to manage Tomcat as a systemd service. Let’s create a tomcat.service file with the following content:

sudo nano /etc/systemd/system/tomcat.service 

[Unit]
Description=Tomcat
After=network.target

[Service]
Type=forking

User=tomcat
Group=tomcat

Environment="JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat"
Environment="CATALINA_HOME=/opt/tomcat"
Environment="CATALINA_PID=/opt/tomcat/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target

Reload the systemd daemon to load the newly created file.

sudo systemctl daemon-reload 

Now, start the Tomcat application for the first time.

sudo systemctl start tomcat.service 

Next, enable the tomcat service to start automatically on subsequent system boots. This is especially important for production deployments.

sudo systemctl enable tomcat.service 

As of now, the Tomcat application is running on your system. You can verify the service status by executing the command below. Make sure the status shows “active (running)”.

sudo systemctl status tomcat.service 

That’s it. You have successfully configured Tomcat 10 on your Debian system.

Step 7 – Access the Tomcat Web Interface

The default Tomcat server runs on port 8080. As you have configured Tomcat on your system, you can access the web interface by entering your server’s IP address, or a domain name pointed to that server, followed by port 8080 in your browser.

Replace tecadmin.local with your server’s IP address, domain name, or localhost.

http://tecadmin.local:8080/

You will see the Tomcat home page.

Tomcat Manager App is a web application packaged with the Tomcat server. The Manager interface provides the basic functionality we need to manage our deployed web applications.

Click the Manager App button on the home page, or append /manager to the URL of the main Tomcat server in your browser, to access it.

http://tecadmin.local:8080/manager/

Tomcat Host Manager App is another web application packaged with the Tomcat server. It is used to create and remove virtual hosts within the Tomcat service. A virtual host allows you to define multiple hostnames on a single server.

Click the Host Manager button on the home page, or append /host-manager to the URL of the main Tomcat server, to access it.

http://tecadmin.local:8080/host-manager/

Conclusion

Congratulations, you have a running Tomcat server on a Debian system. You can now deploy Java-based applications using the Tomcat server.

You may also need to create virtual hosts in Tomcat or secure your Tomcat applications with a Let’s Encrypt SSL certificate.

How To Secure Tomcat with Let’s Encrypt SSL
https://tecadmin.net/how-to-install-lets-encrypt-ssl-with-tomcat/
Wed, 24 Mar 2021 18:34:57 +0000

Let’s Encrypt is a certificate authority that provides valid SSL certificates for web applications. It provides certificates free of charge to everyone, with some restrictions.

Security first should be the rule of thumb for any organization that wants to protect its hard-won code from hackers. It becomes even more important when application data travels over public networks. For this situation, we need to implement end-to-end encryption using TLS.

This tutorial helps you to issue a new Let’s Encrypt SSL certificate and configure it with the Tomcat web server.

Prerequisites

This tutorial doesn’t cover the Tomcat installation. We assume that you already have a Tomcat server running on your system. If not, you can follow the Tomcat installation tutorials.

Step 1 – Installing Certbot

Certbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. It is available for most operating systems.

Debian-based users can install certbot by running the following command. Other operating system users can install it from here.

sudo apt install certbot 

Next, create the SSL certificate for your domain. Make sure the domain already points to the Tomcat server in DNS. For this tutorial, I am using the tomcat.tecadmin.net subdomain.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once the certificate is issued, you can see all the related files at the location below:

sudo ls /etc/letsencrypt/live/tomcat.tecadmin.net/ 
Output
cert.pem chain.pem fullchain.pem privkey.pem README

These are all the files you need for the SSL certificate setup.

Step 2 – Configure Tomcat with Let’s Encrypt SSL

Next, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses 8443 to listen for SSL/TLS requests.

Copy the SSL certificate and private key files to the /opt/tomcat/conf directory. The live directory is readable only by root, so give cp the full path under sudo:

sudo cp /etc/letsencrypt/live/tomcat.tecadmin.net/{cert,chain,privkey}.pem /opt/tomcat/conf/ 

Then edit the conf/server.xml file available under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, so use the command below to edit the configuration file.

sudo nano /opt/tomcat/conf/server.xml 

Remove <!-- and --> to uncomment the following section in the configuration file. Also add the certificate section with your certificate files. The configuration will look like this:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateFile="conf/cert.pem"
                 certificateKeyFile="conf/privkey.pem"
                 certificateChainFile="conf/chain.pem" />
        </SSLHostConfig>
    </Connector>

Press CTRL+O to save changes and CTRL+X to exit from the editor.

Now, restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 

That’s it. You have configured Let’s Encrypt SSL with Tomcat.

The next step is to verify the setup.

Step 3 – Verify Tomcat SSL Certificate

By default, Tomcat with SSL listens on port 8443. Use your domain with port 8443 to access Tomcat over the secure socket layer.

  • https://tomcat.tecadmin.net:8443

That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.

Step 4 – Renew SSL Certificate

Let’s Encrypt SSL certificates expire after 90 days by default. You can easily refresh your SSL certificate anytime within 30 days of expiration.

Type the command below to refresh the SSL certificate.

sudo certbot certonly --standalone -d tomcat.tecadmin.net 

Once it has been renewed successfully, copy the newly generated certificate files to the Tomcat conf directory.

sudo cp /etc/letsencrypt/live/tomcat.tecadmin.net/{cert,chain,privkey}.pem /opt/tomcat/conf 

Restart the Tomcat service to apply changes.

sudo systemctl restart tomcat 
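The copy and restart steps can be run automatically after each renewal. The script below is an added example, not part of the original article: it assumes Tomcat runs as a user and group named tomcat and that the script is registered through certbot's --deploy-hook option, which exports RENEWED_LINEAGE; the function name and the script path in the comment are hypothetical.

```shell
#!/bin/sh
# Added example: copy renewed Let's Encrypt files into Tomcat's conf directory
# with tight permissions. Intended use (assumption): saved as an executable
# script and registered with certbot, for example
#   sudo certbot renew --deploy-hook /usr/local/bin/tomcat-cert-deploy.sh

# deploy_tomcat_certs SRC_DIR DST_DIR [OWNER]
# Copies cert.pem, chain.pem and privkey.pem from SRC_DIR to DST_DIR.
# Nothing is copied if any of the three files is missing, so a partial set
# never replaces a working one.
deploy_tomcat_certs() {
    src=$1
    dst=$2
    owner=${3:-}

    for f in cert.pem chain.pem privkey.pem; do
        if [ ! -r "$src/$f" ]; then
            echo "missing or unreadable: $src/$f" >&2
            return 1
        fi
    done

    for f in cert.pem chain.pem privkey.pem; do
        # The private key is readable by its owner only.
        if [ "$f" = privkey.pem ]; then mode=600; else mode=644; fi
        # install(1) follows certbot's symlinks and sets the mode on the copy
        # before it is moved into place under its final name.
        install -m "$mode" "$src/$f" "$dst/$f.new" || return 1
        # A key copied by root with mode 600 is unreadable to an unprivileged
        # Tomcat user unless ownership is handed over.
        if [ -n "$owner" ]; then
            chown "$owner" "$dst/$f.new" || return 1
        fi
        mv -f "$dst/$f.new" "$dst/$f" || return 1
    done
}

# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_tomcat_certs "$RENEWED_LINEAGE" /opt/tomcat/conf tomcat:tomcat &&
        systemctl restart tomcat
fi
```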

Conclusion

In this tutorial, you have learned to set up a Let’s Encrypt SSL certificate with the Tomcat web server. It also provided the steps to renew your SSL certificate.
