HTTP/2 SSL PHP7 MariaDB on Debian 9

Requirements to enable HTTP/2 in Apache2;

  • Apache 2.4.17 or above, HTTP/2 is supported from this version and upwards
  • Prefer Debian 9 because uprade the Apache 2.4.10 on Deb 8 very complicated
  • Enable HTTPS, HTTP/2 only work over HTTPS. Also, TLS protocol version>= 1.2 with modern cipher suites is required
  • PHP7 or above
#cat /etc/*release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"

Update and upgrade the System then Install Apache2

#apt-get update -y && apt-get upgrade -y
#apt-get install apache2 -y
#apache2ctl -v
Server version: Apache/2.4.25 (Debian)

Enable and load mod_rewrite Apache2

#nano /etc/apache2/apache2.conf and replace “AllowOverride None” to “AllowOverride all”

#a2enmod rewrite
#a2enmod headers
#a2enmod expires

Install PHP7.0-FPM and other required components

#apt-get install php7.0-fpm -y && apt-get install php7.0-mysql -y && apt-get install php7.0-gd -y && apt-get install php-pear php7.0 -y

Disable the mod_php module to PHP-FPM mode

#a2dismod php7.0
ERROR: Module php7.0 does not exist!
#a2dismod mpm_prefork
Module mpm_prefork already disabled

Tell Apache to use PHP FastCGI, set the Apache use a compatible PHP implementation by changing mod_php to php-fpm (PHP FastCGI).

#a2enconf php7.0-fpm
#a2enmod proxy_fcgi
#a2enmod mpm_event
#systemctl restart apache2

Next Install SSL Certificate Apache Debian https://vpshelpdesk.com/2017/11/18/install-ssl-certificate-apache-debian

SSL test on Qualys SSL Labs Rating A Configuration https://vpshelpdesk.com/2020/03/30/ssl-test-qualys-ssl-labs-rating-configuration/

Activate HTTP/2 protocol on default-ssl.conf

Insert Protocols h2 h2c http/1.1 after <VirtualHost _default_:443> on /etc/apache2/sites-available/default-ssl.conf

#nano /etc/apache2/sites-available/default-ssl.conf

Then follow the command below

#a2enmod ssl
#a2enmod http2
#a2ensite default-ssl
#systemctl restart apache2

Check HTTP/2 at https://http2.pro https://tools.keycdn.com/http2-test 

Then install MariaDB

#apt-get -y install mariadb-server mariadb-client
#mysql_secure_installation

Set Up OpenVPN Server with sh script

Update and Upgrade the system

#apt-get update -y && apt-get upgrade -y

Find and note down your IP address, use the ip command as follows;

#ip addr
#ip a show eth0

If the public IP address not showed, use the dig command/host command

#dig +short myip.opendns.com @resolver1.opendns.com

OR

#dig TXT +short o-o.myaddr.l.google.com @ns1.google.com | awk -F'"' '{ print $2}'

Download and run openvpn-install.sh script

#wget https://git.io/vpn -O openvpn-install.sh
#wget https://vpshelpdesk.com/files/openvpn-install.sh

OR

#wget https://git.io/vpn -O openvpn-install.sh
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.76.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 23079 (23K) [text/plain]
Saving to: ‘openvpn-install.sh’

openvpn-install.sh                      100%[============================================================================>]  22.54K  --.-KB/s    in 0.001s

2020-10-26 14:33:15 (25.0 MB/s) - ‘openvpn-install.sh’ saved [23079/23079]

root@iZj6cij2s4ft9b2k2h81nmZ:/home#

Setup permissions using the chmod command:

#chmod +x openvpn-install.sh

One can view the script using a text editor such as nano/vim:

#nano openvpn-install.sh

Run openvpn-install.sh to install OpenVPN server

#./openvpn-install.sh

Follow the instruction

Welcome to this OpenVPN road warrior installer!
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [222.222.222.1]:

Which protocol should OpenVPN use?
   1) UDP (recommended)
   2) TCP
Protocol [1]:

What port should OpenVPN listen to?
Port [1194]:

Select a DNS server for the clients:
   1) Current system resolvers
   2) Google
   3) 1.1.1.1
   4) OpenDNS
   5) Quad9
   6) AdGuard
DNS server [1]:

Enter a name for the first client:
Name [client]: client1

OpenVPN installation is ready to begin.
Press any key to continue...
..................
..................
Finished!

The client configuration is available in: /root/client1.ovpn
New clients can be added by running this script again.
root@iZj6cij2s4ft9b2k2h81nmZ:~#

Check if the OpenVPN server has been installed successfully, the tun0 available with #ip addr or #ifconfig

root@iZj6cij2s4ft9b2k2h81nmZ:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:16:3e:06:54:02 brd ff:ff:ff:ff:ff:ff
inet 172.01.1.12/20 brd 172.01.143.255 scope global dynamic eth0
valid_lft 315358011sec preferred_lft 315358011sec
inet6 fe80::216:3eff:fe06:5402/64 scope link
valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.8.0.1/24 brd 10.8.0.255 scope global tun0
valid_lft forever preferred_lft forever

Start/stop/restart OpenVPN server with systemctl command:

#systemctl stop openvpn-server@server.service 
#systemctl start openvpn-server@server.service 
#systemctl restart openvpn-server@server.service
#systemctl status openvpn-server@server.service

To add more client run the openvpn-install.sh again

root@iZj6cij2s4ft9b2k2h81nmZ:~# ./openvpn-install.sh
OpenVPN is already installed.

Select an option:
 1) Add a new client
 2) Revoke an existing client
 3) Remove OpenVPN
 4) Exit
Option: 1

Provide a name for the client:
Name: client2
Using SSL: openssl OpenSSL 1.1.1 11 Sep 2018
Generating a RSA private key
.........................................................................................................................................................................+++++
.............................................+++++
writing new private key to '/etc/openvpn/server/easy-rsa/pki/easy-rsa-1952.6girut/tmp.4cIY4C'
-----
Using configuration from /etc/openvpn/server/easy-rsa/pki/easy-rsa-1952.6girut/tmp.07hFfF
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'client2'
Certificate is to be certified until Oct 24 06:48:16 2030 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

client2 added. Configuration available in: /root/client2.ovpn
root@iZj6cij2s4ft9b2k2h81nmZ:~#

To connect the OpenVPN server with OpenVPN Client download the client configuration (client.ovpn, client2.ovpn, etc), use WinSPC to download