How to Fix: Nextcloud “This version of Nextcloud is not compatible with > PHP 7.3. You are currently running 7.4.0”

Temporary workaround to get you going:

1 Find “/lib/versioncheck.php” under Nextcloud’s folder on the server.

2 Change the number after second “if (PHP_VERSION_ID >= ” to smaller than the current one but greater than the first number at the top of the image.

versioncheck.php

Warning: This workaround may get Nextcloud back online again, but it will probably cause lots of PHP warnings. Also, it’s not recommended to leave Nextcloud running in this state. You should upgrade Nextcloud to the latest version or downgrade the PHP version on the server.


Tips for Let’s Encrypt (certbot etc.)

Ubuntu 18.04 LTS (bionic), Install, Configure “certbot”

https://certbot.eff.org/lets-encrypt/ubuntubionic-apache

For other systems, use the following website to find the installation and configuration process

https://certbot.eff.org/

Let Certbot edit your Apache configuration automatically to serve it, turning on HTTPS access in a single step.

sudo certbot --apache

Just get a certificate, make the changes to Apache configuration manually

sudo certbot certonly --apache
sudo certbot certonly --apache -d contoso.com

With sub-domains

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com

With multiple domains

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com -d anotherfakedomain.com -d fakedomain2.com

Test with --dry-run (the “--dry-run” switch can be used to test “renew” or “certonly” without saving any certificates to disk)

sudo certbot certonly --apache -d contoso.com -d www.contoso.com -d ftp.contoso.com -d anotherfakedomain.com -d fakedomain2.com --dry-run

With multiple domains, multiple virtual hosts in different document folders

sudo certbot certonly -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com -d ftp.contoso.com -w /var/htdocs/anotherfakedomain.com/ -d anotherfakedomain.com -w /var/htdocs/fakedomain2.com/ -d fakedomain2.com --dry-run

Test with Staging server/Environment (higher Rate Limits) (without --dry-run)

Warning: Certificates from Staging server should not be used for production

sudo certbot certonly --server https://acme-staging-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com

Test with Staging server and with --dry-run

sudo certbot certonly --server https://acme-staging-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com --dry-run

Test with real server with --dry-run

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com --dry-run

Download certificate from real server

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory -i apache --webroot -w /var/htdocs/contoso.com/ -d contoso.com -d www.contoso.com

Use DNS as the preferred challenge with a wildcard domain

sudo certbot certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns -d 'contoso.com' -d '*.contoso.com'

For Ubuntu, all certificates, certificate configuration files, renewal configuration files, archive, keys etc. are stored in the following folder

/etc/letsencrypt

Note

If certbot complains about a connection issue, the connection might be blocked by a firewall: a system firewall, a Web Application Firewall (WAF), etc.

Extended Reading

  • Root Certificate for Staging Server/Environment ( https://acme-staging-v02.api.letsencrypt.org/directory )
    • The staging environment intermediate certificate (“Fake LE Intermediate X1”) is issued by a root certificate not present in browser/client trust stores. If you wish to modify a test-only client to trust the staging environment for testing purposes you can do so by adding the “Fake LE Root X1” certificate to your testing trust store. Important: Do not add the staging root or intermediate to a trust store that you use for ordinary browsing or other activities, since they are not audited or held to the same standards as our production roots, and so are not safe to use for anything other than testing.

How to: Enable/Disable Apache2 modules and configuration files on Ubuntu (a2enconf, a2disconf, a2enmod, a2dismod)

(If the module is not installed yet use apt to install first or compile from source. Then follow the guide)

Sometimes, before enabling an apache2 module, we need to enable the configuration file for the module first, using the following command.

This can be used to switch the PHP version as well.

1 Enable configuration file

#e.g. enable php7.4-fpm configuration file for apache2
sudo a2enconf php7.4-fpm

To disable configuration file for apache2 we can use

#e.g. disable php7.4-fpm configuration file for apache2
sudo a2disconf php7.4-fpm

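2 Enable apache2 module

#e.g. enable the proxy_fcgi and setenvif modules that the php7.4-fpm configuration relies on
#(php7.4-fpm itself is a configuration file, not an apache2 module)
sudo a2enmod proxy_fcgi setenvif

To disable module for apache2 we can use

#e.g. disable the proxy_fcgi module for apache2
sudo a2dismod proxy_fcgi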

Followed by a reload or restart of apache2, we should be good to go.

3 Reload or restart apache2 to make the changes take effect (Ubuntu 15.04 or above)

#e.g. To reload apache2
sudo systemctl reload apache2
OR
sudo systemctl reload apache2.service
#e.g. To restart apache2
sudo systemctl restart apache2
OR
sudo systemctl restart apache2.service

(For Ubuntu 14.10 or older without systemd use following command to reload/restart apache2)

#e.g. To reload apache2
sudo service apache2 reload
OR
sudo /etc/init.d/apache2 reload
#e.g. To restart apache2
sudo service apache2 restart
OR
sudo /etc/init.d/apache2 restart

Extended reading

a2enconf, a2disconf

a2enconf is a script that enables the specified configuration file within the apache2 configuration. It does this by creating symlinks within /etc/apache2/conf-enabled. Likewise, a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled. Note that many configuration files may have a dependency to specific modules. Unlike module dependencies, these are not resolved automatically. Configuration fragments stored in the conf-available directory are considered non-essential or being installed and managed by reverse dependencies (e.g. web scripts). — Ubuntu Manual

a2enmod, a2dismod

a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled. Likewise, a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled. Note that many modules have, in addition to a .load file, an associated .conf file. Enabling the module puts the configuration directives in the .conf file as directives into the main server context of apache2. — Ubuntu Manual

systemctl

systemctl may be used to introspect and control the state of the “systemd” system and service manager. Please refer to systemd(1) for an introduction into the basic concepts and functionality this tool manages. — Ubuntu Manual

List of open source/free proxy/forward proxy/reverse proxy/cache server software

Keywords:

Squid

A caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages. Squid has extensive access controls and makes a great server accelerator. It runs on most available operating systems, including Windows and is licensed under the GNU GPL.

  • Open source and Free
  • Forward proxy
  • Reverse proxy
  • Cache function
  • Log function
  • Very feature rich
  • Needs some time to configure (file based configuration)

Great for long term setup

-> Official website

FreeProxy Internet Suite

Services roughly divide into Proxy related services and Internet Server related services. Proxy services include HTTP, SMTP, POP3, SOCKS, FTP and a generalized TCP tunnel. The server services include a Web server (HTTP and HTTPS), SMTP with extensions and POP3. ISAPI plugins are accepted allowing for server side scripting such as PHP to be processed by the web server.

FreeProxy offers NTLM, Basic and Digest authentication for HTTP. Ban lists or Whitelists can be imported, URL filtering can be defined, Caching and logging can be configured.

  • Free
  • Forward proxy
  • Cache function
  • Log function
  • Feature rich
  • Very Easy to configure (Configure through GUI)

Great for quick setup and long term setup

-> Official website

Privoxy

Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It has application for both stand-alone systems and multi-user networks.

  • Open source and Free
  • Forward proxy
  • No cache function
  • Log function
  • Needs some time to configure (file based configuration)

Good for filtering purpose

-> Official website

Other Noteworthy projects which can be used as proxy or proxy projects

How to Add “X-Forwarded-For” information to Apache Web Server access log and error log

Keywords: Apache 2.4, Apache show client IP Address behind proxy, access log, error log, access.log, error.log, X-Forwarded-For

(For Apache 2.4 and newer versions)

By default, the apache access log and error log will not log “X-Forwarded-For” information, so that if the client is connecting via a proxy, the log might only contain the proxy server’s IP address.

By adding X-Forwarded-For information to log files, we will be able to tell the possible real IP address of the client.

Access Log Format

The default access log format in configuration file is

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

To add “X-Forwarded-For” information to the access log we just need to change it to:

LogFormat "%h %{X-Forwarded-For}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Apache 2.4 logformat documentation: https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#logformat

Error Log Format

The default error log format is:

Example (default format for threaded MPMs)
ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"

To add “X-Forwarded-For” information to the error log we need to change it to:

ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] [%{X-Forwarded-For}i] %M% ,\ referer\ %{Referer}i"

Apache 2.4 ErrorLogFormat documentation: https://httpd.apache.org/docs/2.4/mod/core.html#errorlogformat
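The logged X-Forwarded-For value is whatever the request carried, so it is only meaningful when the connection (%h) came from a proxy we operate. The following is an added example, not part of the original post, that reads lines written with the modified access log format above and picks the client address accordingly; the trusted proxy range 10.0.0.0/24 and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption for this example: the reverse proxies we run ourselves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

# Start of a line in the modified format: %h %{X-Forwarded-For}i %l %u %t "%r"
# The header value is unquoted and may contain spaces ("a, b"), so it is
# captured as everything between %h and the "%l %u [time]" that follows.
LINE_RE = re.compile(r'^(?P<peer>\S+) (?P<xff>.*?) \S+ \S+ \[[^\]]+\] "')

# Constructed sample lines (documentation addresses, not real traffic).
REST = '- - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"'
SAMPLE = [
    f"198.51.100.23 127.0.0.1 {REST}",          # direct client, forged header
    f"10.0.0.5 203.0.113.7 {REST}",             # one trusted proxy
    f"10.0.0.5 192.0.2.1, 203.0.113.7 {REST}",  # client prepended a fake hop
    f"10.0.0.5 203.0.113.7, 10.0.0.9 {REST}",   # two trusted proxies
    f"10.0.0.5 - {REST}",                       # proxy sent no header
]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(line):
    """Return (address, source); source is 'peer' (%h) or 'xff'."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("line does not match the expected LogFormat")
    peer = ipaddress.ip_address(m.group("peer"))  # assumes HostnameLookups Off
    # A direct client can send any header value, so only read the header
    # when the connection itself came from one of our proxies.
    if not is_trusted(peer):
        return str(peer), "peer"
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first hop that is not our own proxy.
    for hop in reversed(m.group("xff").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # "-" or junk: nothing further to the left is reliable
        if not is_trusted(addr):
            return str(addr), "xff"
    return str(peer), "peer"


if __name__ == "__main__":
    for line in SAMPLE:
        print(client_ip(line))
```
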

How to use Apache .htaccess .htpasswd to protect files, folders and paths and to protect multiple files, multiple folders and paths

Keywords: Apache, .htaccess, .htpasswd, block access, protect file, protect folder, protect directory, protect path

If we have following folders

/web/resource1/file1.htm
/web/resource1/A/
/web/resource2/file2.php
/web/resource2/B/C/D/
/web/resource3/E/F/

and Following url path

https://www.example.com/
https://www.example.com/resource1/file1.htm
https://www.example.com/resource1/A/
https://www.example.com/resource2/file2.php
https://www.example.com/resource2/B/C/D/
https://www.example.com/resource3/E/F/
https://www.example.com/secret

The document root for “https://www.example.com/” is “/web/”

Path “secret” is a virtual path which does not correspond to a real directory named “secret” (e.g. it is produced by an existing rewrite rule in .htaccess)

Now we want to protect the file “file1.htm”, the directory “D”, the directories “E” and “F”, and the virtual path “secret”

1.1 We need to create a .htaccess file under “web” directory

1.2 Open the .htaccess file, we need to add following contents for protecting files

#Protected file
<Files file1.htm>
#Password file path
AuthUserFile /web/.htpasswd
#Message for user to see
AuthName "Password protected"
AuthType Basic
#(If only allow specific user, use "require user username" if allow all valid users use "Require valid-user")
require user username
</Files>

Note: if dealing with multiple files, FilesMatch should be used.

<FilesMatch "file1\.htm|file2\.php">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

Tip: Targeting files that start with abc or def and end in .php

<FilesMatch "^(abc|def).*\.php$">
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
require user username
</FilesMatch>

1.3 We add following content to protect directories and the virtual path (We can use this method to protect multiple sub-directories/sub-folders/paths)

#Do the regex check against the URI here, if match, set the "require_auth" var
SetEnvIf Request_URI ^/resource2/B/C/D require_auth=true
SetEnvIf Request_URI ^/resource3/E require_auth=true
#The virtual path "secret"
SetEnvIf Request_URI ^/secret require_auth=true
#Auth stuff
AuthUserFile /web/.htpasswd
AuthName "Password protected"
AuthType Basic
#Setup a deny/allow
Order Deny,Allow
#Deny from everyone
Deny from all
#except if either of these are satisfied
Satisfy any
#1. a valid authenticated user
Require valid-user
#or 2. the "require_auth" var is NOT set
Allow from env=!require_auth

https://stackoverflow.com/questions/14603568/password-protect-a-specific-url

1.4 We create a .htpasswd file under “web” directory

1.5 Open the .htpasswd file we add following contents (File contains username:hashed user password)

user1:$apr1$MknR4YQ8$ls4RTpNIxaJWyedBK5m030
user2:$apr1$FtfabsVg$NoxTA07DDeGhSOYT9NMLF/

These passwords can be generated using htpasswd with the following commands:

$ sudo htpasswd -c /web/.htpasswd user1
(You will need to supply and confirm the password for the user)
$ sudo htpasswd /web/.htpasswd user2
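The entries in step 1.5 use the `$apr1$` scheme; htpasswd can also write bcrypt (`-B`, cost set with `-C`). The following is an added example, not part of the original post, that audits which scheme each .htpasswd line uses. The pass/fail policy (only bcrypt at or above `MIN_BCRYPT_COST`) is an assumption of this example, and all sample hashes other than user1 and user2 are constructed placeholders.

```python
import re

MIN_BCRYPT_COST = 10  # assumed policy for this example; htpasswd -B defaults to 5

# Constructed sample: user1/user2 are the $apr1$ entries shown in step 1.5,
# the remaining hashes are made-up placeholders of the right shape.
SAMPLE = "\n".join([
    "user1:$apr1$MknR4YQ8$ls4RTpNIxaJWyedBK5m030",
    "user2:$apr1$FtfabsVg$NoxTA07DDeGhSOYT9NMLF/",
    "carol:{SHA}" + "A" * 27 + "=",
    "dave:$2y$05$" + "x" * 53,
    "erin:$2y$12$" + "x" * 53,
    "broken-line-without-colon",
])


def classify(hashed):
    """Return (scheme, acceptable) for one stored .htpasswd hash."""
    m = re.match(r"^\$2[aby]\$(\d\d)\$", hashed)
    if m:
        cost = int(m.group(1))
        return f"bcrypt cost {cost}", cost >= MIN_BCRYPT_COST
    if hashed.startswith("$apr1$"):
        return "apr1 (salted, iterated MD5)", False
    if hashed.startswith("{SHA}"):
        return "unsalted SHA-1", False
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return "traditional crypt()", False
    return "unknown or plaintext", False


def audit(text):
    """Return a list of (line number, user, scheme, acceptable)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, hashed = line.partition(":")
        if not sep or not user or not hashed:
            findings.append((n, line, "malformed line", False))
            continue
        scheme, ok = classify(hashed)
        findings.append((n, user, scheme, ok))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
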

Another way to protect current directory:

e.g. If we want to protect directory “A”

2.1 Create a .htaccess file in directory “A”, so we have “/web/resource1/A/.htaccess”

2.2 We add following content to the file

<Files ~ "^\.(htaccess|htpasswd)$">
deny from all
</Files>
AuthUserFile /web/resource1/A/.htpasswd
AuthGroupFile /dev/null
AuthName "Please enter your ID and password"
AuthType Basic
require valid-user 
order deny,allow

2.3 We create the .htpasswd file under “/web/resource1/A/”, so we have “/web/resource1/A/.htpasswd”

2.4 We generate password as in step 1.5 (We need to change path from “/web/.htpasswd” to “/web/resource1/A/.htpasswd”)

Now the directory “A” is protected


Tips:

1 We can use an online .htpasswd generator to create the password for convenience

https://www.web2generators.com/apache-tools/htpasswd-generator

https://www.askapache.com/online-tools/htpasswd-generator/

https://htmlstrip.com/htpasswd-generator

https://www.mobilefish.com/services/htpasswd_generator/htpasswd_generator.php

2 We can use online tools to generate .htaccess for convenience

https://www.htaccessredirect.net/

https://hostingfacts.com/htaccess-generator/

https://makeawebsitehub.com/htaccess-generator/

How to: Ubuntu switch php-fpm version

Install newer php-fpm version e.g. 7.3

1. sudo apt install php7.3-fpm

2. sudo a2enconf php7.3-fpm

Notes:

a2enconf is a script that enables the specified configuration file within the apache2 configuration. It does this by creating symlinks within /etc/apache2/conf-enabled. Likewise, a2disconf disables a specific configuration part by removing those symlinks. It is not an error to enable a configuration which is already enabled, or to disable one which is already disabled.

Ubuntu Manual

a2enmod is a script that enables the specified module within the apache2 configuration. It does this by creating symlinks within /etc/apache2/mods-enabled. Likewise, a2dismod disables a module by removing those symlinks. It is not an error to enable a module which is already enabled, or to disable one which is already disabled.    – Ubuntu Manual