How to: Enable/Disable Apache2 modules and configuration files on Ubuntu (a2enconf, a2disconf, a2enmod, a2dismod)

(If the module is not installed yet use apt to install first or compile from source. Then follow the guide)

Sometimes before enabling apache2 modules, we might need to enable configuration file for the module first, use following command

This can be used to switch php version as well

1 Enable configuration file

#e.g. enable php7.4-fpm configuration file for apache2
sudo a2enconf php7.4-fpm

To disable configuration file for apache2 we can use

#e.g. disable php7.4-fpm configuration file for apache2
sudo a2disconf php7.4-fpm

2 Enable apache2 module

#e.g. enable php7.4-fpm module for apache2
sudo a2enmod php7.4-fpm

To disable module for apache2 we can use

#e.g. disable php7.4-fpm module for apache2
sudo a2dismod php7.4-fpm

Following by a reload or restart for apache2, we should be good to go.

3 Reload or Restart apache2 to make the changes take effect (Ubuntu 15.04+ or above)

#e.g. To reload apache2
sudo systemctl reload apache2
OR
sudo systemctl reload apache2.service
#e.g. To restart apache2
sudo systemctl restart apache2
OR
sudo systemctl reload apache2.service

(For Ubuntu 14.10 or older without systemd use following command to reload/restart apache2)

#e.g. To reload apache2
sudo service apache2 reload
OR
sudo /etc/init.d/apache2 reload
#e.g. To restart apache2
sudo service apache2 restart
OR
sudo /etc/init.d/apache2 restart

Extended reading

a2enconf, a2disconf

a2enconf is a script that enables the specified configuration file within the apache2 configuration. It does this by creating symlinks within /etc/apache2/conf-enabled. Likewise, a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled. Note that many configuration file may have a dependency to specific modules. Unlike module dependencies, these are not resolved automatically. Configuration fragments stored in the conf-available directory are considered non-essential or being installed and manged by reverse dependencies (e.g. web scripts). — Ubuntu Manual

a2enmod, a2dismod

a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled. Likewise, a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled. Note that many modules have, in addition to a .load file, an associated .conf file. Enabling the module puts the configuration directives in the .conf file as directives into the main server context of apache2. — Ubuntu Manual

systemctl

systemctl may be used to introspect and control the state of the “systemd” system and service manager. Please refer to systemd(1) for an introduction into the basic concepts and functionality this tool manages. — Ubuntu Manual

How to Add “X-Forwarded-For” information to Apache Web Server access log and error log

Keywords: Apache 2.4, Apache show client IP Address behind proxy, access log, error log, access.log, error.log, X-Forwarded-For

(For Apache 2.4 and newer versions)

By default, the apache access log and error log will not log “X-Forwarded-For” information, so that if the client is connecting via a proxy, the log might only contain the proxy server’s IP address.

By adding X-Forwarded-For information to log files, we will be able to tell the possible real IP address of the client.

Access Log Format

The default access log format in configuration file is

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

To add “X-Forwarded-For” information to the access log we just need to change it to:

LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Apache 2.4 logformat documentation: https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat

Error Log Format

The default error log format is:

Example (default format for threaded MPMs)
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

To add ” X-Forwarded-For ” information to the error log we need to change it to:

ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [%{X-Forwarded-For}i] %M% ,\ referer\ %{Referer}i"

Apache 2.4 logformat documentation: https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat

How to use Apache .htaccess .htpasswd to protect files, folders and paths and to protect multiple files, multiple folders and paths

Keywords: Apache, .htaccess, .htpasswd, block access, protect file, protect folder, protect directory, protect path

If we have following folders

/web/resource1/file1.htm
/web/resource1/A/
/web/resource2/file2.php
/web/resource2/B/C/D/
/web/resource3/E/F/

and Following url path

https://www.example.com/
https://www.example.com resource1/file1.htm
https://www.example.com/ resource1/A/
https://www.example.com/ resource2/file2.php
https://www.example.com/ resource2/B/C/D/
https://www.example.com resource3/E/F/ https://www.example.com/secret

The document root for “https://www.example.com/” is “/web/”

Path secret is a virtual path which does not reflect to a real directory with name “secret” (e.g. an existing rewrite rule in .htaccess)

Now we want to protect file “file1.htm” directory “D” and directory “E”, “F” and virtual path “secret”

1.1 We need to create a .htaccess file under “web” directory

1.2 Open the .htaccess file, we need to add following contents for protecting files

#Protected file
<Files file1.htm>
#Password file path
AuthUserFile /web/.htpasswd
#Message for user to see
AuthName "Password protected"
AuthType Basic
#(If only allow specific user, use "require user username" if allow all valid users use "Require valid-user")
require user username
</Files>

Note: if dealing with multiple files, filesmatch should be used.

<FilesMatch "file1\.htm|file2\.php">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

Tip: Targeting files start with abc or def and end in .php

<FilesMatch "^(abc|def).php$">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

1.3 We add following content to protect directories and the virtual path (We can use this method to protect multiple sub-directories/sub-folders/paths)

#Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/ resource2\/B\/C\/D require_auth=true
SetEnvIf Request_URI ^/ resource3\/E require_auth=true
#Auth stuff
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
#Setup a deny/allow
Order Deny,Allow
#Deny from everyone
Deny from all
#except if either of these are satisfied
Satisfy any
#1. a valid authenticated user
Require valid-user
#or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

https://stackoverflow.com/questions/14603568/password-protect-a-specific-url

1.4 We create a .htpasswd file under “web” directory

1.5 Open the .htpasswd file we add following contents (File contains username:hashed user password)

user1:$apr1$MknR4YQ8$ls4RTpNIxaJWyedBK5m030
user2:$apr1$FtfabsVg$NoxTA07DDeGhSOYT9NMLF/

These password can be generated using htpasswd with following command:

$  sudo htpasswd -c /web/.htpasswd user1
(You will need to supply and confirm the password for the user)
$ sudo htpasswd /web/.htpasswd user2

Another way to protect current directory:

e.g. If we want to protect directory “A”

2.1 Creat a .htaccess file under in directory “A”, so we have “/web/resource1/A/.htaccess”

2.2 We add following content to the file

<Files ~ "^.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /web/resource1/A/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user 
order deny,allow

2.3 We create the .htpasswd file under “/web/resource1/A/”, so we have “/web/resource1/A/.htpasswd”

2.4 We generate password as in step 1.5 (We need to change path from “/web/.htpasswd” to “/web/resource1/A/.htpasswd”)

Now the directory “A” is protected


Tips:

1 We can use online .htpasswd generator to create password for convenience

https://www.web2generators.com/apache-tools/htpasswd-generator

https://www.askapache.com/online-tools/htpasswd-generator/

https://htmlstrip.com/htpasswd-generator

https://www.mobilefish.com/services/htpasswd_generator/htpasswd_generator.php

2 We can use online tools to generate .htaccess for convenience

https://www.htaccessredirect.net/

https://hostingfacts.com/htaccess-generator/

https://makeawebsitehub.com/htaccess-generator/

How to: Ubuntu switch php-fpm version

Install newer php-fpm version e.g. 7.3

1. sudo apt install php7.3-fpm

2. sudo a2enconf php7.3-fpm

Notes:

a2enconf is a script that enables the specified configuration file within the apache2 configuration. It does this by creating symlinks within /etc/apache2/conf-enabled. Likewise, a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled.

Ubuntu Manual

a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled. Likewise, a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled.    – Ubuntu Manual