Who is this guide for? Self-hosting web content is relevant to small to medium companies, business owners, non-profit organizations and individuals. There is no real limit to who may self-host, but will benefit directly and see immediate results. Small to medium companies will get a fully functioning system that adheres to all current encryption and security protocols, especially the PCI specification. privacy conscious groups Why self-hosting? There are tons of reasons why self-hosting is beneficial, here are some of them: Privacy Enhanced security Customization Lower costs Email hosting This article is about web server hosting, if you are interested about email hosting then please read the article  on . Self-Hosting Your Own Email Server Prerequisites A new server, dedicated or virtual, with internet access A RHEL-based Linux distribution: Alma, Rocky, Oracle or Fedora Server Root access Server hostname Please make sure your server has a fully qualified domain name (FQDN) and the file has the IP of the server point to the FQDN and not the short name. This is a requirement for some tools like OpenDKIM, which will fail to work without an FQDN. /etc/hosts To test if your FQDN is properly setup, run: # hostname -f
server.example.tld If you only see the server name and not the FQDN then use the systemd command to set your FQDN: hostnamectl # hostnamectl set-hostname server.example.tld Step 1 - Required packages The first step is to install some basic packages, use your package manager: dnf for newer versions of EL8/EL9: # dnf install php php-cli php-pdo php-mbstring epel-release unzip wget yum for EL7: # yum install php php-cli php-pdo php-mbstring epel-release unzip wget for Fedora the packages are slightly different: # dnf install php php-cli php-pdo php-mbstring unzip wget Step 2 - Install Aetolos In the second step we’ll install the Aetolos virtual hosting control panel, which only generates configuration files and does not make any other modifications to the system: # wget -O /root/master.zip 'https://gitlab.com/noumenia/aetolos/-/archive/master/aetolos-master.zip'
# unzip /root/master.zip -d /root/
# mv /root/aetolos-master /root/aetolos
# rm -rf /root/master.zip The latest development code can be downloaded from the git repository: git clone 'https://gitlab.com/noumenia/aetolos.git' Step 3 - Enable services Now it is time to choose what services the server will provide. Run Aetolos with the status parameter to get an idea of all the available services: # ~/aetolos/aetolos --status
+---------+--------------+---------+------------+--------------+
| Enabled | Module       | SystemD | Repository | Dependencies |
+---------+--------------+---------+------------+--------------+
| [ ]     | apache       |         |            |              |
| [ ]     | clamav       |         | epel       | postfix      |
| [ ]     | dehydrated   |         |            |              |
| [ ]     | dovecot      |         |            |              |
| [ ]     | haproxy      |         |            |              |
| [ ]     | mariadb      |         |            |              |
| [ ]     | mtasts       |         |            | apache       |
| [ ]     | nsd          |         | epel       |              |
| [ ]     | opendkim     |         | epel       | postfix      |
| [ ]     | opendmarc    |         | epel       | postfix      |
| [✓]     | php          |         |            |              |
| [ ]     | postfix      |         |            |              |
| [ ]     | postgrey     |         | epel       | postfix      |
| [ ]     | spamassassin |         |            | postfix      |
| [✓]     | virtualhost  |         |            |              |
+---------+--------------+---------+------------+--------------+ As this is going to be a self-hosted web server, we are going to enable the services that give us a complete set of features for web hosting: Apache, a web server for responding on ACME requests Dehydrated, a bash script for Let’s Encrypt certificates MariaDB, the database If you have a separate server for email with DKIM signatures, you should also enable OpenDKIM in this server as well. Then share the key among servers for proper signing. Let’s enable these services with Aetolos: # ~/aetolos/aetolos --enable=apache
# ~/aetolos/aetolos --enable=dehydrated
# ~/aetolos/aetolos --enable=mariadb Now we may re-run Aetolos with the status parameter to see the following table: +---------+--------------+---------+------------+--------------+
| Enabled | Module       | SystemD | Repository | Dependencies |
+---------+--------------+---------+------------+--------------+
| [✓]     | apache       | dead    |            |              |
| [ ]     | clamav       |         | epel       | postfix      |
| [✓]     | dehydrated   |         |            |              |
| [ ]     | dovecot      |         |            |              |
| [ ]     | haproxy      |         |            |              |
| [✓]     | mariadb      | dead    |            |              |
| [ ]     | mtasts       |         |            | apache       |
| [ ]     | nsd          |         | epel       |              |
| [ ]     | opendkim     |         | epel       | postfix      |
| [ ]     | opendmarc    |         | epel       | postfix      |
| [✓]     | php          | dead    |            |              |
| [ ]     | postfix      |         |            |              |
| [ ]     | postgrey     |         | epel       | postfix      |
| [ ]     | spamassassin |         |            | postfix      |
| [✓]     | virtualhost  |         |            |              |
+---------+--------------+---------+------------+--------------+ Note the SystemD column which shows most services as . This is not an issue, because we have not configured/started those services, yet. dead Step 4 - Setup Finally, we may run Aetolos setup to install the required RPM packages and generate all the configuration files. We prefer to see the verbose output with the extra parameter. --verbose You will notice a warning about the dehydrated script, which tells us to specify the registration email address for Let’s Encrypt # ~/aetolos/aetolos --verbose --setup
[DEBUG] Check running system
[DEBUG] Detected: AlmaLinux 8.7 (Stone Smilodon)
[DEBUG] Check system memory
[DEBUG] Detected: 460MiB
[DEBUG] Check CPU cores
[DEBUG] Detected: 2
[DEBUG] Check proxy
[DEBUG] Loading Aetolos configuration
[DEBUG] Starting operating system setup
[DEBUG] Checking repository dependencies
[DEBUG] Checking package dependencies
[DEBUG] Installing package: php-fpm
[DEBUG] Checking SELinux requirements
[DEBUG] SELinux: enable httpd_can_network_connect
[DEBUG] SELinux: enable httpd_can_sendmail
[DEBUG] SELinux: enable httpd_read_user_content
[DEBUG] SELinux: enable httpd_enable_homedirs
[DEBUG] SELinux: enable httpd_home_tmp_aetolos.pp
[DEBUG] Checking certificate requirements
[DEBUG] Generating a self-signed certificate
[DEBUG] Certificate: /etc/pki/tls/certs/localhost.crt
[DEBUG] Fullchain: /etc/pki/tls/certs/localhost.fullchain
[DEBUG] Key: /etc/pki/tls/private/localhost.key
[DEBUG] Checking ACME client
[DEBUG] Downloading ACME client: dehydrated 0.7.1
[DEBUG] Installing ACME client under: /root/dehydrated/
[WARNING] ACME registration email set to: postmaster
[WARNING] Please change the ACME registration email by executing: '/root/aetolos/aetolos --verbose --module=dehydrated --registration-email=new-email'
[DEBUG] Checking module dependencies
[DEBUG] Save configuration: apache
[DEBUG] Writing to file: /etc/httpd/conf/httpd.conf
[DEBUG] Writing to file: /etc/httpd/conf.d/ssl.conf
[DEBUG] Writing to file: /etc/sysconfig/htcacheclean
[INFO] System memory: 460MB
[INFO] Allocate 50% of system memory to MariaDB: 230MB
[INFO] 70% of the above usage goes to total thread memory: 161MB
[INFO] The rest 30% goes to server buffers: 69MB
[INFO] MariaDB memory per connection: 18MB
[INFO] MariaDB max connections: 10
[INFO] MariaDB temporary table size: 16MB
[INFO] MariaDB query cache: 16MB
[INFO] Allocate 40% of system memory to Apache/PHP-FPM: 184MB
[INFO] Estimated average number of connections per CPU core: 9
[INFO] Apache StartServers: 1
[INFO] Apache ServerLimit: 2
[INFO] Apache ThreadsPerChild: 18
[INFO] Apache MinSpareThreads: 18
[INFO] Apache ThreadLimit: 22
[INFO] Apache MaxRequestWorkers: 36
[INFO] Apache maximum number of concurrent connections: 108
[DEBUG] Writing to file: /etc/logrotate.d/httpd
[DEBUG] Save configuration: dehydrated
[DEBUG] Writing to file: /root/dehydrated/config
[DEBUG] Writing to file: /root/dehydrated/hook.sh
[DEBUG] Writing to file: /etc/pki/letsencrypt/domains.txt
[DEBUG] Writing to file: /etc/cron.daily/dehydrated.cron
[DEBUG] Save configuration: mariadb
[DEBUG] Writing to file: /etc/systemd/system/mariadb.service.d/limitnofile.conf
[DEBUG] Writing to file: /etc/my.cnf.d/mariadb-server.cnf
[DEBUG] Save configuration: php
[DEBUG] Writing to file: /etc/php.ini
[DEBUG] Writing to file: /etc/php.d/10-opcache.ini
[DEBUG] Save configuration: virtualhost
[DEBUG] Writing to file: /etc/tmpfiles.d/hometmp.conf
[DEBUG] Reloading systemd As per the warning, we add an email address for Let’s Encrypt: # ~/aetolos/aetolos --verbose --module=dehydrated --registration-email=postmaster@example.tld Start MariaDB Unlike other services, MariaDB needs to be started and working, for Aetolos to add virtual hosts and the corresponding database permissions. So lets enable and start MariaDB: # systemctl --now enable mariadb At this point we may secure the MariaDB instance by running: /usr/bin/mysql_secure_installation This requires that you also create the file with the login details for root: /root/.my.cnf [client]
default-character-set="utf8mb4"
user="root"
password='the_password_set_in_the_previous_step' Add virtual hosts Now we are ready to add as many virtual hosts as we like (or as many as the server can handle). Before running any commands, we may take a second to think which virtual hosts will have a prefix subdomain, sometimes we may have a domain like example.tld with a www subdomain (www.example.tld), other times we may not want to use a prefix because we want our email addresses only at the top domain (user@example.tld and not user@www.example.tld). As an example, we will add three virtual hosts, two of them without a subdomain: # ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example1.tld --no-prefix
[DEBUG] Verify domain: example1.tld
[DEBUG] Add virtual host: example1.tld
# ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example2.tld --no-prefix
[DEBUG] Verify domain: example2.tld
[DEBUG] Add virtual host: example2.tld
# ~/aetolos/aetolos --verbose --module=virtualhost --add-virtualhost=example3.tld
[DEBUG] Verify domain: example3.tld
[DEBUG] Add virtual host: example3.tld We can now list all virtual hosts: # ~/aetolos/aetolos --module=virtualhost --list-virtualhosts
+----+---------------------+--------------+-------------+----------------+--------+--------------+
| ID | Timestamp           | Virtual host | System user | MariaDB prefix | Parked | Prefix alias |
+----+---------------------+--------------+-------------+----------------+--------+--------------+
| 1  | 2023-01-10 08:51:36 | example1.tld | example1tld | example1       | [ ]    |              |
| 2  | 2023-01-10 08:51:40 | example2.tld | example2tld | example2       | [ ]    |              |
| 3  | 2023-01-10 08:51:45 | example3.tld | example3tld | example3       | [ ]    | www          |
+----+---------------------+--------------+-------------+----------------+--------+--------------+ Each virtual host will “live” isolated within its own home directory, with its own user/group ownership, so lets take a look at our /home: # ls -la /home
total 0
drwxr-xr-x.  5 root        root         63 Jan 20 10:51 .
dr-xr-xr-x. 17 root        root        224 Dec 21  2021 ..
drwx--x--x.  8 example1tld example1tld 159 Jan 10 08:51 example1tld
drwx--x--x.  8 example2tld example2tld 159 Jan 10 08:51 example2tld
drwx--x--x.  8 example3tld example3tld 159 Jan 10 08:51 example3tld Setup After we made modifications with the Aetolos command, we need to generate new configuration files for all the relevant services (Apache, PHP-FPM, Dehydrated, etc). Thus, we execute Aetolos setup one last time. # ~/aetolos/aetolos --setup TLS certificates At this point all services will use the same self-signed certificate, thus it is now a good time to run dehydrated manually to gather all virtual host certificates. Since Aetolos uses the ACME protocol with domain validation via HTTP port 80, we first start our Apache server to service those requests. # systemctl start httpd
# ~/dehydrated/dehydrated --cron --config /root/dehydrated/config --keep-going
# systemctl stop httpd
# ~/aetolos/aetolos --setup Services We may now enable and start all services. # systemctl --now enable httpd httpd@example1.tld httpd@example2.tld httpd@example3.tld mariadb php-fpm
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example1.tld.service → /usr/lib/systemd/system/httpd@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example2.tld.service → /usr/lib/systemd/system/httpd@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/httpd@example3.tld.service → /usr/lib/systemd/system/httpd@.service. You will notice that each virtual host has its own Apache service, this is a feature provided by systemd and allows us to define the virtual hosts into separate systemd services. The parameter will start all services. --now The architecture There should be special mention about the architecture used for hosting websites. For security reasons, each virtual host is isolated within unix accounts stored under their own directory. Public web content should be stored within the directory. /home public_html /home/example1tld                               -> virtual host home
/home/example1tld/etc                           -> email accounts
/home/example1tld/mail                          -> email storage
/home/example1tld/public_html                   -> web content
/home/example1tld/www                           -> symbolic link to public_html
/home/example1tld/tmp                           -> temp directory Aetolos At this point Aetolos has configured the server without any custom modifications, all changes are done on the default configuration files. We may delete Aetolos from the server and continue modifications manually or we may keep Aetolos in case we want to add more virtual hosts in the future. Credits Article photo by Manuel Geissinger from pexels

The writer is smart, but don't just like, take their word for it. #DoYourOwnResearch

The code in this story is for educational purposes. The readers are solely responsible for whatever they build with it.

Too Long; Didn't Read

Making security fun one episode at a time

Stick It to The Man and Self-Host Your Own Web Server

Too Long; Didn't Read

George Papadakis

STORY’S CREDIBILITY

DYOR

Code License

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

Stick It to The Man and Self-Host Your Own Web Server

Too Long; Didn't Read

George Papadakis

STORY’S CREDIBILITY

DYOR

Code License

About Author

TOPICS

Languages

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES