bradchesney79 · August 29, 2015 14:09
diff --git a/Minimal commands to set up b/Minimal commands to set up
 # Debian Linux Apache MySQL and PHP with SSL
 # http://youtu.be/0bUo7mg2ZFw

 # First things first-- update the system.

 apt-get update
 apt-get upgrade

 # add the IP address, the fully qualified domain name, and the machine
 # name

 vi /etc/hosts

 -----

 ###.###.###.### hostname.domain-name.tld hostname

 -----

 # this should be just the machine name
 vi /etc/hostname

 -----

 hostname

 -----

 # Install the web server we will attach everything to.
 apt-get install apache2

 # The most important configuration directories and files can be
 # found in /etc/apache2 and then your error logs will be in /var/log/apache2

 # You will want the two following libraries installed, trying to install them twice
 # doesn't really hurt anything better safe than sorry.
 apt-get install ssh openssl

 # Enable the SSL module in Apache
 a2enmod ssl

 # Enable mod_headers in Apache
 a2enmod headers

 # Make a private key and subsequently a Certificate Signing Request (CSR).
 # Don't get spooked by the questions.
 openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.csr

 ----------
 Generating a 2048 bit RSA private key
 ....................................................................+++
 ...........+++
 writing new private key to '/etc/ssl/enc-ssl.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Ohio
 Locality Name (eg, city) []:Eastlake
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Rust Belt Rebellion
 Organizational Unit Name (eg, section) []:
 Common Name (e.g. server FQDN or YOUR name) []:list255.com
 Email Address []:[email protected]

 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:password2014
 An optional company name []:
 ----------

 # Use the CSR to get a SSL certificate from a Certificate Authority (CA).
 tail -n100 /etc/ssl/ssl.csr

 # This command will remove the passphrase from the key.
 # It is rare to have a key requiring human interaction.
 # Non-human passphrase entry is out of scope for today.
 openssl rsa -in /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.key

 # It is a good idea to install a Certificate Authority Chain Certificate
 # (a.k.a. Intermdiate Certificate & Subordinate Certificate Authority Certificates).
 # You may get lucky and the browser happens to know your CA.
 # If not, these documents point your browser closer to a Root Certificate Authority your browser trusts.
 # Your browser may follow several chain certificates to get to a CA it knows it can trust.
 # The whole system is based on these chains of trust.
 vi /etc/ssl/certs/sub.class2.server.sha2.ca.pem

 ### I prepared the certificate set ahead of time-- I am going to replace
 ### what I just put in with what I have prepared beforehand here.

 # The definitions of the websites are in /etc/apache2/sites-available .
 # Time to modify the default virtual host listening for SSL requests
 vi /etc/apache2/sites-available/default-ssl



 ----------

 <IfModule mod_ssl.c>
 <VirtualHost _default_:443>
 	ServerAdmin webmaster@localhost

 	DocumentRoot /var/www
 	<Directory />
 		Options FollowSymLinks
 		AllowOverride None
 	</Directory>
 	<Directory /var/www/>
 		Options Indexes FollowSymLinks MultiViews
 		AllowOverride None
 		Order allow,deny
 		allow from all
 	</Directory>

 	#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 	<Directory "/usr/lib/cgi-bin">
 		AllowOverride None
 		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
 		Order allow,deny
 		Allow from all
 	</Directory>

 	ErrorLog ${APACHE_LOG_DIR}/error.log

 	# Possible values include: debug, info, notice, warn, error, crit,
 	# alert, emerg.
 	LogLevel warn

 	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined


 	# SSL Engine Switch:
 	# Enable/Disable SSL for this virtual host.
 	SSLEngine on

 	#####################################
 	### We added/modified these lines ###
 	### SSLv2 has been compormised as well as SSLv3 (POODLE)
 	SSLProtocol all -SSLv2 -SSLv3
 	SSLHonorCipherOrder On
 	### Notice the completely missing RC4 cipher and other specifically disallowed encryption methods (Null & MD5 specifically)
 	SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

 	SSLCertificateFile /etc/ssl/ssl.crt
 	SSLCertificateKeyFile /etc/ssl/ssl.key
 	SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.sha2.ca.pem

 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
 	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
 	#   If both key and certificate are stored in the same file, only the
 	#   SSLCertificateFile directive is needed.
 	# SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
 	### End modified lines ###
 	##########################

 	#   A self-signed (snakeoil) certificate can be created by installing
 	#   the ssl-cert package. See
 	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
 	#   If both key and certificate are stored in the same file, only the
 	#   SSLCertificateFile directive is needed.
 	#SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
 	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

 	#   Server Certificate Chain:
 	#   Point SSLCertificateChainFile at a file containing the
 	#   concatenation of PEM encoded CA certificates which form the
 	#   certificate chain for the server certificate. Alternatively
 	#   the referenced file can be the same as SSLCertificateFile
 	#   when the CA certificates are directly appended to the server
 	#   certificate for convinience.
 	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

 	#   Certificate Authority (CA):
 	#   Set the CA certificate verification path where to find CA
 	#   certificates for client authentication or alternatively one
 	#   huge file containing all of them (file must be PEM encoded)
 	#   Note: Inside SSLCACertificatePath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
 	#SSLCACertificatePath /etc/ssl/certs/
 	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

 	#   Certificate Revocation Lists (CRL):
 	#   Set the CA revocation path where to find CA CRLs for client
 	#   authentication or alternatively one huge file containing all
 	#   of them (file must be PEM encoded)
 	#   Note: Inside SSLCARevocationPath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
 	#SSLCARevocationPath /etc/apache2/ssl.crl/
 	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

 	#   Client Authentication (Type):
 	#   Client certificate verification type and depth.  Types are
 	#   none, optional, require and optional_no_ca.  Depth is a
 	#   number which specifies how deeply to verify the certificate
 	#   issuer chain before deciding the certificate is not valid.
 	#SSLVerifyClient require
 	#SSLVerifyDepth  10

 	#   Access Control:
 	#   With SSLRequire you can do per-directory access control based
 	#   on arbitrary complex boolean expressions containing server
 	#   variable checks and other lookup directives.  The syntax is a
 	#   mixture between C and Perl.  See the mod_ssl documentation
 	#   for more details.
 	#<Location />
 	#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
 	#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
 	#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
 	#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
 	#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
 	#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
 	#</Location>

 	#   SSL Engine Options:
 	#   Set various options for the SSL engine.
 	#   o FakeBasicAuth:
 	#     Translate the client X.509 into a Basic Authorisation.  This means that
 	#     the standard Auth/DBMAuth methods can be used for access control.  The
 	#     user name is the `one line' version of the client's X.509 certificate.
 	#     Note that no password is obtained from the user. Every entry in the user
 	#     file needs this password: `xxj31ZMTZzkVA'.
 	#   o ExportCertData:
 	#     This exports two additional environment variables: SSL_CLIENT_CERT and
 	#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
 	#     server (always existing) and the client (only existing when client
 	#     authentication is used). This can be used to import the certificates
 	#     into CGI scripts.
 	#   o StdEnvVars:
 	#     This exports the standard SSL/TLS related `SSL_*' environment variables.
 	#     Per default this exportation is switched off for performance reasons,
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
 	#     and no other module can change it.
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context.
 	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 		SSLOptions +StdEnvVars
 	</FilesMatch>
 	<Directory /usr/lib/cgi-bin>
 		SSLOptions +StdEnvVars
 	</Directory>

 	#   SSL Protocol Adjustments:
 	#   The safe and default but still SSL/TLS standard compliant shutdown
 	#   approach is that mod_ssl sends the close notify alert but doesn't wait for
 	#   the close notify alert from client. When you need a different shutdown
 	#   approach you can use one of the following variables:
 	#   o ssl-unclean-shutdown:
 	#     This forces an unclean shutdown when the connection is closed, i.e. no
 	#     SSL close notify alert is send or allowed to received.  This violates
 	#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
 	#     this when you receive I/O errors because of the standard approach where
 	#     mod_ssl sends the close notify alert.
 	#   o ssl-accurate-shutdown:
 	#     This forces an accurate shutdown when the connection is closed, i.e. a
 	#     SSL close notify alert is send and mod_ssl waits for the close notify
 	#     alert of the client. This is 100% SSL/TLS standard compliant, but in
 	#     practice often causes hanging connections with brain-dead browsers. Use
 	#     this only for browsers where you know that their SSL implementation
 	#     works correctly.
 	#   Notice: Most problems of broken clients are also related to the HTTP
 	#   keep-alive facility, so you usually additionally want to disable
 	#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
 	BrowserMatch "MSIE [2-6]" \
 		nokeepalive ssl-unclean-shutdown \
 		downgrade-1.0 force-response-1.0
 	# MSIE 7 and newer should be able to use keepalive
 	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

 </VirtualHost>
 </IfModule>

 ----------

 vi /etc/apache2/conf.d/security 

 ----------

 #
 # Disable access to the entire file system except for the directories that
 # are explicitly allowed later.
 #
 # This currently breaks the configurations that come with some web application
 # Debian packages.
 #
 #<Directory />
 #       AllowOverride None
 #       Order Deny,Allow
 #       Deny from all
 #</Directory>


 # Changing the following options will not really affect the security of the
 # server, but might make attacks slightly more difficult in some cases.

 #
 # ServerTokens
 # This directive configures what you return as the Server HTTP response
 # Header. The default is 'Full' which sends information about the OS-Type
 # and compiled in modules.
 # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
 # where Full conveys the most information, and Prod the least.
 #
 #ServerTokens Minimal
 #ServerTokens OS
 #ServerTokens Full
 ServerTokens Prod

 #
 # Optionally add a line containing the server version and virtual host
 # name to server-generated pages (internal error documents, FTP directory
 # listings, mod_status and mod_info output etc., but not CGI generated
 # documents or custom error documents).
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
 #
 ServerSignature Off
 #ServerSignature On

 #
 # Allow TRACE method
 #
 # Set to "extended" to also reflect the request body (only for testing and
 # diagnostic purposes).
 #
 # Set to one of:  On | Off | extended
 #
 TraceEnable Off
 #TraceEnable On

 #
 # Forbid access to version control directories
 #
 # If you use version control systems in your document root, you should
 # probably deny access to their directories. For example, for subversion:
 #
 #<DirectoryMatch "/\.svn">
 #       Deny from all
 #       Satisfy all
 #</DirectoryMatch>

 #
 # Setting this header will prevent MSIE from interpreting files as something
 # else than declared by the content type in the HTTP headers.
 # Requires mod_headers to be enabled.
 #
 Header set X-Content-Type-Options: "nosniff"

 #
 # Some browsers have a built-in XSS filter that will detect some cross site
 # scripting attacks. By default, these browsers modify the suspicious part of
 # the page and display the result. This behavior can create various problems
 # including new security issues. This header will tell the XSS filter to
 # completely block access to the page instead.
 # Requires mod_headers to be enabled.
 #
 Header set X-XSS-Protection: "1; mode=block"

 #
 # Setting this header will prevent other sites from embedding pages from this
 # site as frames. This defends against clickjacking attacks.
 # Requires mod_headers to be enabled.
 #
 Header set X-Frame-Options: "sameorigin"

 ----------

 # Now we have to enable the default virtual host listening for SSL requests
 a2ensite default-ssl

 # It doesn't hurt to reload the Apache server then visit the website
 # to verify it works.
 service apache2 reload

 # I generally add the PHP package next
 apt-get install php5 libapache2-mod-php5

 # Your PHP configurations are going to be found in /etc/php5 .
 # Make a short script that contains <?php phpinfo() ?> to check that PHP works.
 # You should be able to browse to it and see the particulars of your installation
 vi /var/www/phpinfo.php

 # The last packages are for the MySQL server that listens for requests,
 # the MySQL-client that requests information from the command line, and
 # php5-mysql that facilitates making MySQL requests from PHP.
 # You will be asked for your MySQL root user password twice.
 # This is important for later, remember it.
 apt-get install mysql-server mysql-client php5-mysql

 # At this point everything works, but I wouldn't feel good about this install
 # until we lock MySQL down just a little more.
 # This script removes a lot of the insecure configurations & resources from
 # an initial installation.
 mysql_secure_installation

 # You will be asked for your password from a few seconds ago.
 ----------
 Change the root password? [Y/n] n
 Remove anonymous users? [Y/n] Y
 Disallow root login remotely? [Y/n] Y
 Remove test database and access to it? [Y/n] Y
 Reload privilege tables now? [Y/n] Y
 ----------

 # We are going to log in to MySQL and modify the default users.
 mysql -uroot -p

 # We will be working exclusively in the database that MySQL uses to store
 # information about itself.
 USE mysql
 
 # A common vector is to attack the MySQL root user since it is the default
 # omipotent user put on almost all MySQL installs.
 #So, give your 'root' user a different name.
 # (Is admin more secure than root, meh. Yeah, I guess.)
 GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
 GRANT ALL PRIVILEGES ON *.* TO 'admin'@'127.0.0.1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
 GRANT ALL PRIVILEGES ON *.* TO 'admin'@'::1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

 # Then we get rid of the known 'root' user. Cannot hack what is not there...
 DELETE FROM mysql.user WHERE  user='root';

 # This following command makes our changes active.
 FLUSH PRIVILEGES;

 # We have finished what we wanted inside the MySQL client.
 EXIT

 # When I am done, I restart the server instead of reloading it for no good reason.
 service apache2 restart

 # I don't use webmin. But, we did talk about installing webmin
 wget http://prdownloads.sourceforge.net/webadmin/webmin_1.710_all.deb
 apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libapt-pkg-perl
 dpkg --install webmin_1.710_all.deb

 !!!Post Addendum: Just read about something that may be better than webmin, http://ajenti.org/ . I don't use either and I have never tried ajenti, but there it is.

 # We also talked about installing phpMyAdmin.
 apt-get install phpmyadmin
	# Debian Linux Apache MySQL and PHP with SSL
	# http://youtu.be/0bUo7mg2ZFw

	# First things first-- update the system.

	apt-get update
	apt-get upgrade

	# add the IP address, the fully qualified domain name, and the machine
	# name

	vi /etc/hosts

	-----

	###.###.###.### hostname.domain-name.tld hostname

	-----

	# this should be just the machine name
	vi /etc/hostname

	-----

	hostname

	-----

	# Install the web server we will attach everything to.
	apt-get install apache2

	# The most important configuration directories and files can be
	# found in /etc/apache2 and then your error logs will be in /var/log/apache2

	# You will want the two following libraries installed, trying to install them twice
	# doesn't really hurt anything better safe than sorry.
	apt-get install ssh openssl

	# Enable the SSL module in Apache
	a2enmod ssl

	# Enable mod_headers in Apache
	a2enmod headers

	# Make a private key and subsequently a Certificate Signing Request (CSR).
	# Don't get spooked by the questions.
	openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.csr

	----------
	Generating a 2048 bit RSA private key
	....................................................................+++
	...........+++
	writing new private key to '/etc/ssl/enc-ssl.key'
	-----
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:US
	State or Province Name (full name) [Some-State]:Ohio
	Locality Name (eg, city) []:Eastlake
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:The Rust Belt Rebellion
	Organizational Unit Name (eg, section) []:
	Common Name (e.g. server FQDN or YOUR name) []:list255.com
	Email Address []:[email protected]

	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:password2014
	An optional company name []:
	----------

	# Use the CSR to get a SSL certificate from a Certificate Authority (CA).
	tail -n100 /etc/ssl/ssl.csr

	# This command will remove the passphrase from the key.
	# It is rare to have a key requiring human interaction.
	# Non-human passphrase entry is out of scope for today.
	openssl rsa -in /etc/ssl/enc-ssl.key -out /etc/ssl/ssl.key

	# It is a good idea to install a Certificate Authority Chain Certificate
	# (a.k.a. Intermdiate Certificate & Subordinate Certificate Authority Certificates).
	# You may get lucky and the browser happens to know your CA.
	# If not, these documents point your browser closer to a Root Certificate Authority your browser trusts.
	# Your browser may follow several chain certificates to get to a CA it knows it can trust.
	# The whole system is based on these chains of trust.
	vi /etc/ssl/certs/sub.class2.server.sha2.ca.pem

	### I prepared the certificate set ahead of time-- I am going to replace
	### what I just put in with what I have prepared beforehand here.

	# The definitions of the websites are in /etc/apache2/sites-available .
	# Time to modify the default virtual host listening for SSL requests
	vi /etc/apache2/sites-available/default-ssl



	----------

	<IfModule mod_ssl.c>
	<VirtualHost _default_:443>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
	Options FollowSymLinks
	AllowOverride None
	</Directory>
	<Directory /var/www/>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Order allow,deny
	allow from all
	</Directory>

	#ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined


	# SSL Engine Switch:
	# Enable/Disable SSL for this virtual host.
	SSLEngine on

	#####################################
	### We added/modified these lines ###
	### SSLv2 has been compormised as well as SSLv3 (POODLE)
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	### Notice the completely missing RC4 cipher and other specifically disallowed encryption methods (Null & MD5 specifically)
	SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

	SSLCertificateFile /etc/ssl/ssl.crt
	SSLCertificateKeyFile /etc/ssl/ssl.key
	SSLCertificateChainFile /etc/ssl/certs/sub.class2.server.sha2.ca.pem

	# A self-signed (snakeoil) certificate can be created by installing
	# the ssl-cert package. See
	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	# SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	# SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	### End modified lines ###
	##########################

	# A self-signed (snakeoil) certificate can be created by installing
	# the ssl-cert package. See
	# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
	# If both key and certificate are stored in the same file, only the
	# SSLCertificateFile directive is needed.
	#SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
	#SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

	# Server Certificate Chain:
	# Point SSLCertificateChainFile at a file containing the
	# concatenation of PEM encoded CA certificates which form the
	# certificate chain for the server certificate. Alternatively
	# the referenced file can be the same as SSLCertificateFile
	# when the CA certificates are directly appended to the server
	# certificate for convinience.
	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	# Certificate Authority (CA):
	# Set the CA certificate verification path where to find CA
	# certificates for client authentication or alternatively one
	# huge file containing all of them (file must be PEM encoded)
	# Note: Inside SSLCACertificatePath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	# Certificate Revocation Lists (CRL):
	# Set the CA revocation path where to find CA CRLs for client
	# authentication or alternatively one huge file containing all
	# of them (file must be PEM encoded)
	# Note: Inside SSLCARevocationPath you need hash symlinks
	# to point to the certificate files. Use the provided
	# Makefile to update the hash symlinks after changes.
	#SSLCARevocationPath /etc/apache2/ssl.crl/
	#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

	# Client Authentication (Type):
	# Client certificate verification type and depth. Types are
	# none, optional, require and optional_no_ca. Depth is a
	# number which specifies how deeply to verify the certificate
	# issuer chain before deciding the certificate is not valid.
	#SSLVerifyClient require
	#SSLVerifyDepth 10

	# Access Control:
	# With SSLRequire you can do per-directory access control based
	# on arbitrary complex boolean expressions containing server
	# variable checks and other lookup directives. The syntax is a
	# mixture between C and Perl. See the mod_ssl documentation
	# for more details.
	#<Location />
	#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP\|NULL)/ \
	# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
	# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
	# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
	# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
	# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
	#</Location>

	# SSL Engine Options:
	# Set various options for the SSL engine.
	# o FakeBasicAuth:
	# Translate the client X.509 into a Basic Authorisation. This means that
	# the standard Auth/DBMAuth methods can be used for access control. The
	# user name is the `one line' version of the client's X.509 certificate.
	# Note that no password is obtained from the user. Every entry in the user
	# file needs this password: `xxj31ZMTZzkVA'.
	# o ExportCertData:
	# This exports two additional environment variables: SSL_CLIENT_CERT and
	# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
	# server (always existing) and the client (only existing when client
	# authentication is used). This can be used to import the certificates
	# into CGI scripts.
	# o StdEnvVars:
	# This exports the standard SSL/TLS related `SSL_*' environment variables.
	# Per default this exportation is switched off for performance reasons,
	# because the extraction step is an expensive operation and is usually
	# useless for serving static content. So one usually enables the
	# exportation for CGI and SSI requests only.
	# o StrictRequire:
	# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
	# under a "Satisfy any" situation, i.e. when it applies access is denied
	# and no other module can change it.
	# o OptRenegotiate:
	# This enables optimized SSL connection renegotiation handling when SSL
	# directives are used in per-directory context.
	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
	SSLOptions +StdEnvVars
	</FilesMatch>
	<Directory /usr/lib/cgi-bin>
	SSLOptions +StdEnvVars
	</Directory>

	# SSL Protocol Adjustments:
	# The safe and default but still SSL/TLS standard compliant shutdown
	# approach is that mod_ssl sends the close notify alert but doesn't wait for
	# the close notify alert from client. When you need a different shutdown
	# approach you can use one of the following variables:
	# o ssl-unclean-shutdown:
	# This forces an unclean shutdown when the connection is closed, i.e. no
	# SSL close notify alert is send or allowed to received. This violates
	# the SSL/TLS standard but is needed for some brain-dead browsers. Use
	# this when you receive I/O errors because of the standard approach where
	# mod_ssl sends the close notify alert.
	# o ssl-accurate-shutdown:
	# This forces an accurate shutdown when the connection is closed, i.e. a
	# SSL close notify alert is send and mod_ssl waits for the close notify
	# alert of the client. This is 100% SSL/TLS standard compliant, but in
	# practice often causes hanging connections with brain-dead browsers. Use
	# this only for browsers where you know that their SSL implementation
	# works correctly.
	# Notice: Most problems of broken clients are also related to the HTTP
	# keep-alive facility, so you usually additionally want to disable
	# keep-alive for those clients, too. Use variable "nokeepalive" for this.
	# Similarly, one has to force some clients to use HTTP/1.0 to workaround
	# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
	# "force-response-1.0" for this.
	BrowserMatch "MSIE [2-6]" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
	# MSIE 7 and newer should be able to use keepalive
	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>
	</IfModule>

	----------

	vi /etc/apache2/conf.d/security

	----------

	#
	# Disable access to the entire file system except for the directories that
	# are explicitly allowed later.
	#
	# This currently breaks the configurations that come with some web application
	# Debian packages.
	#
	#<Directory />
	# AllowOverride None
	# Order Deny,Allow
	# Deny from all
	#</Directory>


	# Changing the following options will not really affect the security of the
	# server, but might make attacks slightly more difficult in some cases.

	#
	# ServerTokens
	# This directive configures what you return as the Server HTTP response
	# Header. The default is 'Full' which sends information about the OS-Type
	# and compiled in modules.
	# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod
	# where Full conveys the most information, and Prod the least.
	#
	#ServerTokens Minimal
	#ServerTokens OS
	#ServerTokens Full
	ServerTokens Prod

	#
	# Optionally add a line containing the server version and virtual host
	# name to server-generated pages (internal error documents, FTP directory
	# listings, mod_status and mod_info output etc., but not CGI generated
	# documents or custom error documents).
	# Set to "EMail" to also include a mailto: link to the ServerAdmin.
	# Set to one of: On \| Off \| EMail
	#
	ServerSignature Off
	#ServerSignature On

	#
	# Allow TRACE method
	#
	# Set to "extended" to also reflect the request body (only for testing and
	# diagnostic purposes).
	#
	# Set to one of: On \| Off \| extended
	#
	TraceEnable Off
	#TraceEnable On

	#
	# Forbid access to version control directories
	#
	# If you use version control systems in your document root, you should
	# probably deny access to their directories. For example, for subversion:
	#
	#<DirectoryMatch "/\.svn">
	# Deny from all
	# Satisfy all
	#</DirectoryMatch>

	#
	# Setting this header will prevent MSIE from interpreting files as something
	# else than declared by the content type in the HTTP headers.
	# Requires mod_headers to be enabled.
	#
	Header set X-Content-Type-Options: "nosniff"

	#
	# Some browsers have a built-in XSS filter that will detect some cross site
	# scripting attacks. By default, these browsers modify the suspicious part of
	# the page and display the result. This behavior can create various problems
	# including new security issues. This header will tell the XSS filter to
	# completely block access to the page instead.
	# Requires mod_headers to be enabled.
	#
	Header set X-XSS-Protection: "1; mode=block"

	#
	# Setting this header will prevent other sites from embedding pages from this
	# site as frames. This defends against clickjacking attacks.
	# Requires mod_headers to be enabled.
	#
	Header set X-Frame-Options: "sameorigin"

	----------

	# Now we have to enable the default virtual host listening for SSL requests
	a2ensite default-ssl

	# It doesn't hurt to reload the Apache server then visit the website
	# to verify it works.
	service apache2 reload

	# I generally add the PHP package next
	apt-get install php5 libapache2-mod-php5

	# Your PHP configurations are going to be found in /etc/php5 .
	# Make a short script that contains <?php phpinfo() ?> to check that PHP works.
	# You should be able to browse to it and see the particulars of your installation
	vi /var/www/phpinfo.php

	# The last packages are for the MySQL server that listens for requests,
	# the MySQL-client that requests information from the command line, and
	# php5-mysql that facilitates making MySQL requests from PHP.
	# You will be asked for your MySQL root user password twice.
	# This is important for later, remember it.
	apt-get install mysql-server mysql-client php5-mysql

	# At this point everything works, but I wouldn't feel good about this install
	# until we lock MySQL down just a little more.
	# This script removes a lot of the insecure configurations & resources from
	# an initial installation.
	mysql_secure_installation

	# You will be asked for your password from a few seconds ago.
	----------
	Change the root password? [Y/n] n
	Remove anonymous users? [Y/n] Y
	Disallow root login remotely? [Y/n] Y
	Remove test database and access to it? [Y/n] Y
	Reload privilege tables now? [Y/n] Y
	----------

	# We are going to log in to MySQL and modify the default users.
	mysql -uroot -p

	# We will be working exclusively in the database that MySQL uses to store
	# information about itself.
	USE mysql

	# A common vector is to attack the MySQL root user since it is the default
	# omipotent user put on almost all MySQL installs.
	#So, give your 'root' user a different name.
	# (Is admin more secure than root, meh. Yeah, I guess.)
	GRANT ALL PRIVILEGES ON . TO 'admin'@'localhost' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
	GRANT ALL PRIVILEGES ON . TO 'admin'@'127.0.0.1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;
	GRANT ALL PRIVILEGES ON . TO 'admin'@'::1' IDENTIFIED BY 'thepassword' WITH GRANT OPTION;

	# Then we get rid of the known 'root' user. Cannot hack what is not there...
	DELETE FROM mysql.user WHERE user='root';

	# This following command makes our changes active.
	FLUSH PRIVILEGES;

	# We have finished what we wanted inside the MySQL client.
	EXIT

	# When I am done, I restart the server instead of reloading it for no good reason.
	service apache2 restart

	# I don't use webmin. But, we did talk about installing webmin
	wget http://prdownloads.sourceforge.net/webadmin/webmin_1.710_all.deb
	apt-get install perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python libapt-pkg-perl
	dpkg --install webmin_1.710_all.deb

	!!!Post Addendum: Just read about something that may be better than webmin, http://ajenti.org/ . I don't use either and I have never tried ajenti, but there it is.

	# We also talked about installing phpMyAdmin.
	apt-get install phpmyadmin