Installation
aptitude install apache2
Suppression de l’ancienne configuration
rm -f /etc/apache2/conf.d/charset rm -f /etc/apache2/conf.d/security (squeeze) rm -f /etc/apache2/conf.d/localized-error-pages (squeeze) rm -f /etc/apache2/conf.d/other-vhosts-access-log
Déplacement des journaux
Modification de « /etc/apache2/envvars »
(squeeze) export APACHE_LOG_DIR=/home/log/apache$SUFFIX
Ajoût des nouveaux fichiers de configuration
Modification de « /etc/apache2/conf.d/LogFormat »
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xfor_combined
Création de « /etc/apache2/conf.d/ModDir »
<IfModule mod_dir.c> DirectoryIndex index.php index.html </IfModule>
Création de « /etc/apache2/conf.d/ModExpires »
ExpiresActive On ExpiresByType image/gif A2592000 ExpiresByType image/png A2592000 ExpiresByType image/jpeg A2592000 ExpiresByType image/x-icon A2592000 ExpiresByType text/css A2592000 ExpiresByType text/javascript A2592000 ExpiresByType application/x-javascript A2592000
Création de « /etc/apache2/conf.d/ModDeflate »
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript
</IfModule>
Création de « /etc/apache2/conf.d/DefaultLog »
(lenny) ErrorLog /home/log/apache/default/error.log
(squeeze)
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog ${APACHE_LOG_DIR}/default/other_vhosts_access.log vhost_combined
# Define a general error log
ErrorLog /home/log/apache/default/error.log
Création de « /etc/apache2/conf.d/ErrorDocuments »
#ErrorDocument 403 http://error.gwiki.fr/403.php #ErrorDocument 404 http://error.gwiki.fr/404.php #ErrorDocument 500 http://error.gwiki.fr/500.php
Création de « /etc/apache2/conf.d/ServerStatus »
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On
<Location /server-status>
SetHandler server-status
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Location>
Création de « /etc/apache2/conf.d/Security »
# # Disable access to the entire file system except for the directories that # are explicitly allowed later. # # This currently breaks the configurations that come with some web application # Debian packages. It will be made the default for the release after lenny. # #<Directory /> # AllowOverride None # Order Deny,Allow # Deny from all #</Directory> # Changing the following options will not really affect the security of the # server, but might make attacks slightly more difficult in some cases. # # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minimal | Minor | Major | Prod # where Full conveys the most information, and Prod the least. # #ServerTokens Minimal ServerTokens Prod # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail # #ServerSignature Off ServerSignature Off # # Allow TRACE method # # Set to "extended" to also reflect the request body (only for testing and # diagnostic purposes). # # Set to one of: On | Off | extended # #TraceEnable Off TraceEnable Off
Création de « /etc/apache2/conf.d/AddDefaultCharset »
# Read the documentation before enabling AddDefaultCharset. # In general, it is only a good idea if you know that all your files # have this encoding. It will override any encoding given in the files # in meta http-equiv or xml encoding tags. AddDefaultCharset UTF-8
Création de « /etc/apache2/conf.d/ETag »
FileETag MTime
Modification de « /etc/apache2/apache2.conf » (Debian Lenny seulement)
CustomLog /home/log/apache/default/other_vhosts_access.log vhost_combined
Modification de « /etc/apache2/httpd.conf »
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 10
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 15000
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
StartServers 10
MinSpareServers 15
MaxSpareServers 30
# Default : No directive
ServerLimit 640
# Default : 150
MaxClients 640
# Default : 0
MaxRequestsPerChild 0
</IfModule>
Gestion des modules
Activation des modules utiles et désactivation des autres
a2enmod expires a2enmod rewrite a2dismod autoindex
Optionnellement :
a2enmod deflate a2dismod include a2dismod userdir
Gestion des sites
Désactivation du virtual host par défaut
a2dissite default
Configuration des ports
Modification de « /etc/apache2/ports.conf » (si reverse-proxy)
NameVirtualHost *:3128 Listen 3128
Arrêt
service apache2 stop
Déplacement des journaux
mkdir -m 750 -p /home/log/apache/default chown -R root:adm /home/log/apache rm -Rf /var/log/apache2
Rotation des journaux
Modification de « /etc/logrotate.d/apache2 »
/home/log/apache/*/*.log {
daily
rotate 31
Création du dossier contenant les sites
mkdir -m 750 -p /home/site chown -R www-data:www-data /home/site rm -Rf /var/www
Démarrage
service apache2 start
Ajoût d’un site/host
Remplacer « gwiki_site » par le nom du host (ne pas oublier de mettre la configuration dans le fichier du vhost « gwiki_site »)
touch /etc/apache2/sites-available/gwiki_site mkdir -m 750 -p /home/log/apache/gwiki_site chown -R root:adm /home/log/apache/gwiki_site mkdir -m 755 -p /home/site/gwiki_site/www chown -R www-data:www-data /home/site/gwiki_site a2ensite gwiki_site service apache2 reload
Activation du support SSL
a2enmod ssl
Création du dossier de certificats et chaînes
mkdir /etc/apache2/ssl
Ajouter un certificat SSL signé
Changement de répertoire
cd /etc/apache2/ssl
Génération de la clé privée (entrez une passphrase, à conserver)
openssl genrsa -des3 -out gwiki_connect.key 2048
Créer une version déprotégée de la clé (entrez la passphrase précédente)
openssl rsa -in gwiki_connect.key > gwiki_connect.key-deprotect
Créer la clé publique (CSR)
openssl req -new -days 365 -sha256 -batch -key gwiki_connect.key -out gwiki_connect.csr -subj \ /countryName="FR"\ /commonName="connect.gwiki.fr"\ /localityName="."\ /organizationName="GWiki"\ /organizationalUnitName="GWiki Connect"\ /stateOrProvinceName="."
Copier la CSR dans le Manager (Accueil > Certificat SSL > Refabriquer le certificat). Le manager va émettre le certificat correspondant : vous devez le copier sur le serveur (« /etc/apache2/ssl/gwiki_connect.crt« ). Si il y a une chaîne de certification à télécharger, vous devez la copier aussi (« /etc/apache2/ssl/gwiki_connect.chain« ).
Changer les droits des fichiers générés/récupérés
chmod 400 gwiki_connect.*
Ajouter une IP SSL
Ajouter l’interface correspondant à l’IP SSL dans « /etc/network/interfaces » (eth0:X doit être incrémenté)
# IP SSL gwiki_connect auto eth0:0 iface eth0:0 inet static address 188.165.45.105 netmask 255.255.255.255
Redémarrer l’interface de réseau
(lenny) /etc/init.d/networking restart (squeeze) ifdown eth0:0 && ifup eth0:0 ?? OR ifdown eth0 && ifup eth0
Modifier le virtual host pour qu’il réponde à l’IP SSL
<VirtualHost 188.165.45.105:443>