Installation
aptitude install apache2
Remove the old configuration
rm -f /etc/apache2/conf.d/charset
rm -f /etc/apache2/conf.d/security
(squeeze) rm -f /etc/apache2/conf.d/localized-error-pages
(squeeze) rm -f /etc/apache2/conf.d/other-vhosts-access-log
Move the logs
Edit « /etc/apache2/envvars »
(squeeze) export APACHE_LOG_DIR=/home/log/apache$SUFFIX
Add the new configuration files
Edit « /etc/apache2/conf.d/LogFormat »
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xfor_combined
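Parser for the xfor_combined format defined above, added here as an example (not code from the original page); the log lines are constructed. Since the reverse proxy in front of Apache appends the connecting address as the last hop of X-Forwarded-For, only that element is treated as the client IP; earlier entries are client-supplied and must not be trusted.

```python
import re
from collections import Counter

# Regex for the xfor_combined LogFormat above. The X-Forwarded-For value may
# contain several ", "-separated hops, so it is captured lazily up to %l %u.
XFOR_COMBINED = re.compile(
    r'^(?P<xff>.*?) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one xfor_combined line, or None if malformed."""
    m = XFOR_COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # %b logs "-" for 0
    # "-" means the header was absent: the request did not come through the
    # proxy (or the proxy did not set it), so no client address is known.
    rec["hops"] = [] if rec["xff"] == "-" else [h.strip() for h in rec["xff"].split(",")]
    return rec

def client_ip(rec):
    """Only the last hop was appended by the trusted reverse proxy; earlier
    entries are whatever the client sent and may be forged."""
    return rec["hops"][-1] if rec["hops"] else None

def error_counts_by_client(lines):
    """Count 4xx/5xx responses per trusted client IP (None = no proxy header)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] >= 400:
            counts[client_ip(rec)] += 1
    return counts

# Constructed sample lines in the page's format (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2012:13:55:36 +0200] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '198.51.100.9, 203.0.113.7 - - [10/Oct/2012:13:55:37 +0200] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.21.0"',
    '203.0.113.7 - - [10/Oct/2012:13:55:38 +0200] "GET /server-status HTTP/1.1" 403 199 "-" "curl/7.21.0"',
    '- - - [10/Oct/2012:13:55:39 +0200] "GET /robots.txt HTTP/1.0" 404 - "-" "-"',
]

if __name__ == "__main__":
    for ip, n in error_counts_by_client(SAMPLE).most_common():
        print(ip, n)
```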
Create « /etc/apache2/conf.d/ModDir »
<IfModule mod_dir.c>
DirectoryIndex index.php index.html
</IfModule>
Create « /etc/apache2/conf.d/ModExpires »
ExpiresActive On
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/x-icon A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/x-javascript A2592000
Create « /etc/apache2/conf.d/ModDeflate »
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript
</IfModule>
Create « /etc/apache2/conf.d/DefaultLog »
(lenny) ErrorLog /home/log/apache/default/error.log
(squeeze)
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog ${APACHE_LOG_DIR}/default/other_vhosts_access.log vhost_combined
# Define a general error log
ErrorLog /home/log/apache/default/error.log
Create « /etc/apache2/conf.d/ErrorDocuments »
#ErrorDocument 403 http://error.gwiki.fr/403.php
#ErrorDocument 404 http://error.gwiki.fr/404.php
#ErrorDocument 500 http://error.gwiki.fr/500.php
Create « /etc/apache2/conf.d/ServerStatus »
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
Create « /etc/apache2/conf.d/Security »
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages. It will be made the default for the release after lenny.
#
#<Directory />
# AllowOverride None
# Order Deny,Allow
# Deny from all
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature Off
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
#TraceEnable Off
TraceEnable Off
Create « /etc/apache2/conf.d/AddDefaultCharset »
# Read the documentation before enabling AddDefaultCharset.
# In general, it is only a good idea if you know that all your files
# have this encoding. It will override any encoding given in the files
# in meta http-equiv or xml encoding tags.
AddDefaultCharset UTF-8
Create « /etc/apache2/conf.d/ETag »
FileETag MTime
Edit « /etc/apache2/apache2.conf » (Debian Lenny only)
CustomLog /home/log/apache/default/other_vhosts_access.log vhost_combined
Edit « /etc/apache2/httpd.conf »
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 10
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 15000
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 10
MinSpareServers 15
MaxSpareServers 30
# Default : No directive
ServerLimit 640
# Default : 150
MaxClients 640
# Default : 0
MaxRequestsPerChild 0
</IfModule>
Module management
Enable the useful modules and disable the others
a2enmod expires
a2enmod rewrite
a2dismod autoindex
Optionally:
a2enmod deflate
a2dismod include
a2dismod userdir
Site management
Disable the default virtual host
a2dissite default
Port configuration
Edit « /etc/apache2/ports.conf » (if behind a reverse proxy)
NameVirtualHost *:3128
Listen 3128
Stop
service apache2 stop
Move the logs
mkdir -m 750 -p /home/log/apache/default
chown -R root:adm /home/log/apache
rm -Rf /var/log/apache2
Log rotation
Edit « /etc/logrotate.d/apache2 » (only the changed lines are shown; the other directives of the Debian default stanza are kept)
/home/log/apache/*/*.log {
daily
rotate 31
}
Create the directory holding the sites
mkdir -m 750 -p /home/site
chown -R www-data:www-data /home/site
rm -Rf /var/www
Start
service apache2 start
Add a site/host
Replace « gwiki_site » with the host name (do not forget to put the configuration in the vhost file « gwiki_site »)
touch /etc/apache2/sites-available/gwiki_site
mkdir -m 750 -p /home/log/apache/gwiki_site
chown -R root:adm /home/log/apache/gwiki_site
mkdir -m 755 -p /home/site/gwiki_site/www
chown -R www-data:www-data /home/site/gwiki_site
a2ensite gwiki_site
service apache2 reload
Enable SSL support
a2enmod ssl
Create the directory for certificates and chains
mkdir /etc/apache2/ssl
Add a signed SSL certificate
Change directory
cd /etc/apache2/ssl
Generate the private key (enter a passphrase and keep it)
openssl genrsa -des3 -out gwiki_connect.key 2048
Create an unprotected copy of the key (enter the previous passphrase)
openssl rsa -in gwiki_connect.key > gwiki_connect.key-deprotect
Create the certificate signing request (CSR)
openssl req -new -days 365 -sha256 -batch -key gwiki_connect.key -out gwiki_connect.csr -subj \
/countryName="FR"\
/commonName="connect.gwiki.fr"\
/localityName="."\
/organizationName="GWiki"\
/organizationalUnitName="GWiki Connect"\
/stateOrProvinceName="."
Paste the CSR into the Manager (Home > SSL Certificate > Regenerate the certificate). The Manager will issue the matching certificate: copy it to the server (« /etc/apache2/ssl/gwiki_connect.crt »). If there is a certificate chain to download, copy it too (« /etc/apache2/ssl/gwiki_connect.chain »).
Change the permissions of the generated/retrieved files
chmod 400 gwiki_connect.*
Add an SSL IP
Add the interface for the SSL IP in « /etc/network/interfaces » (eth0:X must be incremented for each additional IP)
# SSL IP gwiki_connect
auto eth0:0
iface eth0:0 inet static
address 188.165.45.105
netmask 255.255.255.255
Restart the network interface
(lenny) /etc/init.d/networking restart
(squeeze) ifdown eth0:0 && ifup eth0:0
(squeeze) or: ifdown eth0 && ifup eth0
Edit the virtual host so that it answers on the SSL IP
<VirtualHost 188.165.45.105:443>