Installation
aptitude install libapache2-mod-proxy-html
Enabling the modules
a2enmod proxy
a2enmod proxy_html
a2enmod proxy_http
Restarting Apache
systemctl restart apache2
aptitude install apache2
rm -f /etc/apache2/conf.d/charset
rm -f /etc/apache2/conf.d/security
(squeeze) rm -f /etc/apache2/conf.d/localized-error-pages
(squeeze) rm -f /etc/apache2/conf.d/other-vhosts-access-log
Editing "/etc/apache2/envvars"
(squeeze) export APACHE_LOG_DIR=/home/log/apache$SUFFIX
Editing "/etc/apache2/conf.d/LogFormat"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xfor_combined
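The xfor_combined format above writes the X-Forwarded-For request header as the first field of every log line. As an added example (not part of the original page), this shell function classifies that field so that requests that bypassed the proxy and multi-valued headers stand out; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the xfor_combined format (documentation addresses).
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Oct/2011:13:55:36 +0200] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
198.51.100.4, 203.0.113.7 - - [10/Oct/2011:13:55:37 +0200] "GET /a HTTP/1.1" 200 10 "-" "x"
- - - [10/Oct/2011:13:55:38 +0200] "GET /b HTTP/1.1" 200 10 "-" "x"
unknown, <b> - - [10/Oct/2011:13:55:39 +0200] "GET /c HTTP/1.1" 200 10 "-" "x"
EOF
}

# Classify the X-Forwarded-For field of each line read on stdin.
# Output, one per input line: "<class> <address>"
#   direct  -     no header was sent: the request did not come through the proxy
#   single  <ip>  one address
#   chain   <ip>  several addresses; <ip> is the right-most one, the only entry
#                 appended by the nearest proxy (entries to its left arrived
#                 in the request and may be client-supplied)
#   suspect -     no timestamp found, or the value contains characters that
#                 cannot occur in an IP address
xff_classify() {
  awk '
  {
    # Anchor on the start of %t (" [dd/Mon/yyyy:") rather than counting fields:
    # a multi-valued header such as "a, b" contains spaces.
    if (!match($0, / \[[0-9][0-9]\/[A-Za-z][A-Za-z][A-Za-z]\/[0-9][0-9][0-9][0-9]:/)) {
      print "suspect -"; next
    }
    head = substr($0, 1, RSTART - 1)   # "<xff> <%l> <%u>"
    sub(/ [^ ]+ [^ ]+$/, "", head)     # drop %l and %u
    if (head == "-") { print "direct -"; next }
    n = split(head, part, /, */)
    for (i = 1; i <= n; i++)
      if (part[i] !~ /^[0-9A-Fa-f:.]+$/) { print "suspect -"; next }
    kind = (n == 1) ? "single" : "chain"
    print kind, part[n]
  }'
}

sample_log | xff_classify
```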
Creating "/etc/apache2/conf.d/ModDir"
<IfModule mod_dir.c>
    DirectoryIndex index.php index.html
</IfModule>
Creating "/etc/apache2/conf.d/ModExpires"
ExpiresActive On
ExpiresByType image/gif A2592000
ExpiresByType image/png A2592000
ExpiresByType image/jpeg A2592000
ExpiresByType image/x-icon A2592000
ExpiresByType text/css A2592000
ExpiresByType text/javascript A2592000
ExpiresByType application/x-javascript A2592000
Creating "/etc/apache2/conf.d/ModDeflate"
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript
</IfModule>
Creating "/etc/apache2/conf.d/DefaultLog"
(lenny)
ErrorLog /home/log/apache/default/error.log
(squeeze)
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog ${APACHE_LOG_DIR}/default/other_vhosts_access.log vhost_combined
# Define a general error log
ErrorLog /home/log/apache/default/error.log
Creating "/etc/apache2/conf.d/ErrorDocuments"
#ErrorDocument 403 http://error.gwiki.fr/403.php
#ErrorDocument 404 http://error.gwiki.fr/404.php
#ErrorDocument 500 http://error.gwiki.fr/500.php
Creating "/etc/apache2/conf.d/ServerStatus"
#
# ExtendedStatus controls whether Apache will generate "full" status
# information (ExtendedStatus On) or just basic information (ExtendedStatus
# Off) when the "server-status" handler is called. The default is Off.
#
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
Creating "/etc/apache2/conf.d/Security"
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages. It will be made the default for the release after lenny.
#
#<Directory />
#    AllowOverride None
#    Order Deny,Allow
#    Deny from all
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature Off
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
#TraceEnable Off
TraceEnable Off
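The Security file above keeps the commented defaults (for example "#ServerTokens Minimal") next to the active lines, so a plain grep for a directive name matches both. As an added example, not part of the original page, this shell function reports the value actually in effect for the three directives; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a Security file where two settings are not in effect.
sample_security_conf() {
  cat <<'EOF'
#ServerTokens Minimal
ServerTokens Prod
#ServerSignature Off
ServerSignature On
#TraceEnable Off
EOF
}

# Print "<Directive> <effective value> <ok|WEAK|MISSING>" for the three
# directives, reading the files given as arguments (or stdin) in order.
# MISSING means the directive is not set explicitly in the input.
# Returns 1 if any directive is weak or missing.
# Simplification: Include lines and <VirtualHost> scoping are not followed.
audit_hardening() {
  awk '
    BEGIN {
      n = split("ServerTokens ServerSignature TraceEnable", name, " ")
      want["servertokens"] = "prod"
      want["serversignature"] = "off"
      want["traceenable"] = "off"
    }
    /^[ \t]*#/ { next }          # "#ServerTokens Minimal" is a comment, not a setting
    {
      key = tolower($1)          # directive names are case-insensitive
      if (key in want) seen[key] = tolower($2)   # a later line overrides an earlier one
    }
    END {
      bad = 0
      for (i = 1; i <= n; i++) {
        key = tolower(name[i])
        if (!(key in seen))              { value = "-"; state = "MISSING" }
        else if (seen[key] == want[key]) { value = seen[key]; state = "ok" }
        else                             { value = seen[key]; state = "WEAK" }
        if (state != "ok") bad = 1
        print name[i], value, state
      }
      exit bad
    }' "$@"
}

sample_security_conf | audit_hardening || true
```

On a server, pass the real file instead of the sample: audit_hardening /etc/apache2/conf.d/Security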
Creating "/etc/apache2/conf.d/AddDefaultCharset"
# Read the documentation before enabling AddDefaultCharset.
# In general, it is only a good idea if you know that all your files
# have this encoding. It will override any encoding given in the files
# in meta http-equiv or xml encoding tags.
AddDefaultCharset UTF-8
Creating "/etc/apache2/conf.d/ETag"
FileETag MTime
Editing "/etc/apache2/apache2.conf" (Debian Lenny only)
CustomLog /home/log/apache/default/other_vhosts_access.log vhost_combined
Editing "/etc/apache2/httpd.conf"
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 10
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 15000
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5
##
## Server-Pool Size Regulation (MPM specific)
##
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule mpm_prefork_module>
    StartServers 10
    MinSpareServers 15
    MaxSpareServers 30
    # Default : No directive
    ServerLimit 640
    # Default : 150
    MaxClients 640
    # Default : 0
    MaxRequestsPerChild 0
</IfModule>
Enabling the useful modules and disabling the others
a2enmod expires
a2enmod rewrite
a2dismod autoindex
Optionally:
a2enmod deflate
a2dismod include
a2dismod userdir
Disabling the default virtual host
a2dissite default
Editing "/etc/apache2/ports.conf" (if reverse proxy)
NameVirtualHost *:3128
Listen 3128
service apache2 stop
mkdir -m 750 -p /home/log/apache/default
chown -R root:adm /home/log/apache
rm -Rf /var/log/apache2
Editing "/etc/logrotate.d/apache2"
/home/log/apache/*/*.log {
    daily
    rotate 31
mkdir -m 750 -p /home/site
chown -R www-data:www-data /home/site
rm -Rf /var/www
service apache2 start
Replace "gwiki_site" with the host name (do not forget to put the configuration in the "gwiki_site" vhost file)
touch /etc/apache2/sites-available/gwiki_site
mkdir -m 750 -p /home/log/apache/gwiki_site
chown -R root:adm /home/log/apache/gwiki_site
mkdir -m 755 -p /home/site/gwiki_site/www
chown -R www-data:www-data /home/site/gwiki_site
a2ensite gwiki_site
service apache2 reload
a2enmod ssl
Creating the directory for certificates and chains
mkdir /etc/apache2/ssl
Changing directory
cd /etc/apache2/ssl
Generating the private key (enter a passphrase and keep it)
openssl genrsa -des3 -out gwiki_connect.key 2048
Create an unprotected version of the key (enter the previous passphrase)
openssl rsa -in gwiki_connect.key > gwiki_connect.key-deprotect
Create the certificate signing request (CSR), which contains the public key
openssl req -new -days 365 -sha256 -batch -key gwiki_connect.key -out gwiki_connect.csr -subj \
/countryName="FR"\
/commonName="connect.gwiki.fr"\
/localityName="."\
/organizationName="GWiki"\
/organizationalUnitName="GWiki Connect"\
/stateOrProvinceName="."
Copy the CSR into the Manager (Accueil > Certificat SSL > Refabriquer le certificat). The Manager will issue the corresponding certificate: you must copy it to the server ("/etc/apache2/ssl/gwiki_connect.crt"). If there is a certificate chain to download, you must copy it as well ("/etc/apache2/ssl/gwiki_connect.chain").
Change the permissions of the generated/retrieved files
chmod 400 gwiki_connect.*
Add the interface for the SSL IP to "/etc/network/interfaces" (eth0:X must be incremented)
# SSL IP for gwiki_connect
auto eth0:0
iface eth0:0 inet static
    address 188.165.45.105
    netmask 255.255.255.255
Restart the network interface
(lenny) /etc/init.d/networking restart
(squeeze) ifdown eth0:0 && ifup eth0:0 ?? OR ifdown eth0 && ifup eth0
Edit the virtual host so that it answers on the SSL IP
<VirtualHost 188.165.45.105:443>