Debian i Ubuntu: Apache2, SSL i wirtualne domeny

Apache to najpopularniejszy obecnie serwer WWW.

Instalacja i konfiguracja Apache2

Wydajemy polecenie:

apt-get install apache2

Po zainstalowaniu możemy przejść do konfiguracji, która jest trochę inna od tej w apache.

Znajdziemy ją w katalogu:

/etc/apache2

składają się na nią:

  • apache2.conf – główny plik konfiguracyjny apache2.
  • httpd.conf – konfiguracja modułów apache2.
  • ports.conf – konfiguracja portu na którym ma nasłuchiwać apache2.

 

W pliku apache2.conf zmieniamy:

  • ServerRoot – ustawienie scieżki do plikow konfiguracyjnych apache2. Standardowo „/etc/apache2”.
  • User i Group – ustawienia usera i grupy z ktorego bedzie uruchamiany apache2.
  • ErrorLog – scieżka do logów błędów.
  • UserDir public_html – wpis ten powoduje, że strony użytkowników będa widoczne jako domena.pl/~user/

 

Konfiguracja serwera (modułu SSL)

<IfModule mod_ssl.c>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:/var/run/apache2/ssl_scache(512000)
#SSLSessionCache        shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCache         dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:/var/run/apache2/ssl_mutex
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</IfModule>

Przykładowy serwer wirtualny:

NameVirtualHost *:443
<VirtualHost *:443>

        ServerName ssl.linuxexpert.pl
        ServerAlias www.ssl.linuxexpert.pl

        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/apache.pem
        SSLOptions +StrictRequire

        ServerAdmin krzysztof.jozwiak@k2studio.eu

        DocumentRoot /data1/www/k2studio.eu/www/htdocs/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
       </Directory>

        <Directory />
            SSLRequireSSL
        </Directory>

        SSLProtocol -all +TLSv1 +SSLv3
        SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM

        SSLVerifyClient none
        SSLProxyEngine off

        <Directory /data1/www/k2studio.eu/www/htdocs>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel info

        ErrorLog /var/log/apache2/ssl-k2studio.eu-error.log
        CustomLog /var/log/apache2/ssl-k2studio.eu-access.log combined
        ServerSignature Off

</VirtualHost>

Dodaj komentarz