« Apache et ubuntu » : différence entre les versions
De Banane Atomic
Aller à la navigationAller à la recherche
(19 versions intermédiaires par le même utilisateur non affichées) | |||
Ligne 6 : | Ligne 6 : | ||
a2ensite [server] | a2ensite [server] | ||
a2dissite [server] | a2dissite [server] | ||
# list enabled sites | |||
a2query -s | |||
# list virtualhosts | |||
sudo apache2ctl -S | |||
sc-reload apache2 | sc-reload apache2 | ||
sudo systemctl daemon-reload | |||
</kode> | </kode> | ||
Ligne 30 : | Ligne 36 : | ||
Require not ip 192.168.1.1 | Require not ip 192.168.1.1 | ||
# authoriser seulement les IPs 192.168.0.0/24 | # authoriser seulement les IPs 127.0.0.1 et 192.168.0.0/24 | ||
Require ip 192.168.0.0/24 | Require ip 127.0.0.1 192.168.0.0/24 | ||
# all hosts in the example.org domain are allowed access; all other hosts are denied access | # all hosts in the example.org domain are allowed access; all other hosts are denied access | ||
Ligne 151 : | Ligne 157 : | ||
# disable a conf | # disable a conf | ||
a2disconf [conf] | a2disconf [conf] | ||
# list enabled config | |||
a2query -c | |||
# list all enables conf files | # list all enables conf files | ||
apachectl -t -D DUMP_INCLUDES | sudo apachectl -t -D DUMP_INCLUDES | ||
</kode> | </kode> | ||
Ligne 182 : | Ligne 191 : | ||
# lister les modules chargés | # lister les modules chargés | ||
apache2ctl -M | |||
</kode> | </kode> | ||
{{info | Activer un module déjà activé ne pose pas de problème. Même chose pour la désactivation.}} | {{info | Activer un module déjà activé ne pose pas de problème. Même chose pour la désactivation.}} | ||
Ligne 203 : | Ligne 212 : | ||
Par defaut apache utilise {{boxx|mod_php}}, moins performant que {{boxx|php-fpm}} et ne permettant pas d'utiliser {{boxx|HTTP/2}}. | Par defaut apache utilise {{boxx|mod_php}}, moins performant que {{boxx|php-fpm}} et ne permettant pas d'utiliser {{boxx|HTTP/2}}. | ||
<kode lang='bash'> | <kode lang='bash'> | ||
apt install php-fpm | sudo apt install php-fpm | ||
sc-status php7. | sc-status php7.4-fpm | ||
# désactiver les modules php et mpm_prefork | # désactiver les modules php et mpm_prefork | ||
a2dismod php7. | sudo a2dismod php7.4 | ||
a2dismod mpm_prefork | sudo a2dismod mpm_prefork | ||
# activer la configuration php-fpm et le module mpm_event | # activer la configuration php-fpm et le module mpm_event | ||
a2enmod proxy_fcgi setenvif | # sudo a2enmod proxy_fcgi setenvif | ||
a2enconf php7. | sudo a2enconf php7.4-fpm | ||
a2enmod mpm_event | sudo a2enmod mpm_event | ||
</kode> | </kode> | ||
{{info | Configuration: {{boxx|/etc/apache2/conf-available/php7. | {{info | Configuration: {{boxx|/etc/apache2/conf-available/php7.4-fpm.conf}}}} | ||
== create a new pool == | == create a new pool == | ||
Permet d'avoir une configuration différente par site. | Permet d'avoir une configuration différente par site. | ||
<filebox fn='/etc/php/7. | <filebox fn='/etc/php/7.4/fpm/pool.d/new.conf' lang='ini'> | ||
[new] | [new] | ||
listen = /run/php/php7. | listen = /run/php/php7.4-fpm-new.sock | ||
</filebox> | </filebox> | ||
<filebox fn='/etc/apache2/sites-available/mysite.conf' lang='apache'> | <filebox fn='/etc/apache2/sites-available/mysite.conf' lang='apache'> | ||
<FilesMatch ".+\.ph(ar|p|tml)$"> | <FilesMatch ".+\.ph(ar|p|tml)$"> | ||
SetHandler "proxy:unix:/run/php/php7. | SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost" | ||
</FilesMatch> | |||
</filebox> | |||
== force a specific PHP version for a site == | |||
<filebox fn='/etc/apache2/sites-available/mysite.conf' lang='apache'> | |||
<FilesMatch "\.php$"> | |||
# force PHP 7.4 | |||
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" | |||
</FilesMatch> | </FilesMatch> | ||
</filebox> | </filebox> | ||
== monitoring == | == monitoring == | ||
<filebox fn='/etc/php/7. | <filebox fn='/etc/php/7.4/fpm/pool.d/www.conf' lang='ini'> | ||
pm.status_path = /status | pm.status_path = /status | ||
</filebox> | </filebox> | ||
<filebox fn='/etc/apache2/sites-available/000-default.conf' lang='apache'> | <filebox fn='/etc/apache2/sites-available/000-default.conf' lang='apache'> | ||
< | <LocationMatch "/status"> | ||
SetHandler "proxy:unix:/run/php/php7. | SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" | ||
</ | </LocationMatch> | ||
# enable access to the web page | # enable access to the realtime status web page | ||
Alias / | Alias /realtime-status "/usr/share/php/7.4/fpm/status.html" | ||
</filebox> | </filebox> | ||
* Raw status info: {{boxx|http://<server>/status}} | |||
* HTML status info: {{boxx|http://<server>/realtime-status}} | |||
{{warn | No {{boxx|/}} at the end of the url}} | |||
= [https://helgeklein.com/blog/2018/11/enabling-http-2-in-apache-on-ubuntu-18-04/ HTTP/2] = | = [https://helgeklein.com/blog/2018/11/enabling-http-2-in-apache-on-ubuntu-18-04/ HTTP/2] = | ||
Utiliser {{boxx|php-fpm}} car incompatible avec {{boxx|mod_php}}. | Utiliser {{boxx|php-fpm}} car incompatible avec {{boxx|mod_php}}. | ||
<kode lang='bash'> | <kode lang='bash'> | ||
a2enmod http2 | a2enmod http2 | ||
</kode> | </kode> | ||
= [https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-3.1 Dotnet core] = | = [https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-apache?view=aspnetcore-3.1 Dotnet core] = | ||
Ligne 273 : | Ligne 285 : | ||
ProxyPassReverse / http://127.0.0.1:5000/ | ProxyPassReverse / http://127.0.0.1:5000/ | ||
ErrorLog ${APACHE_LOG_DIR}dotnetcore-error.log | ErrorLog ${APACHE_LOG_DIR}\dotnetcore-error.log | ||
CustomLog ${APACHE_LOG_DIR}dotnetcore-access.log common | CustomLog ${APACHE_LOG_DIR}\dotnetcore-access.log common | ||
<!-- restrict access to 192.168.0.0/24 only --> | |||
<Location /> | |||
Require ip 192.168.0.0/24 | |||
ProxyPreserveHost On | |||
ProxyPass http://127.0.0.1:5020/ | |||
ProxyPassReverse http://127.0.0.1:5020/ | |||
</Location> | |||
</VirtualHost> | </VirtualHost> | ||
</filebox> | </filebox> |
Dernière version du 26 juillet 2023 à 22:44
Configuration
# activer/désactiver un site a2ensite [server] a2dissite [server] # list enabled sites a2query -s # list virtualhosts sudo apache2ctl -S sc-reload apache2 sudo systemctl daemon-reload |
VirtualHost
/etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80> ServerName www.domain.fr ServerAlias myserver </VirtualHost> |
Require
/etc/apache2/sites-available/000-default.config |
<Directory /var/www/html> AllowOverride None # all requests are denied Require all denied # all requests are allowed except 192.168.1.1 Require all granted Require not ip 192.168.1.1 # authoriser seulement les IPs 127.0.0.1 et 192.168.0.0/24 Require ip 127.0.0.1 192.168.0.0/24 # all hosts in the example.org domain are allowed access; all other hosts are denied access Require host example.org </Directory> |
Rewrite url
sudo a2enmod rewrite sc-restart apache2 |
/etc/apache2/sites-available/myserver.conf |
<Directory "/var/www/myserver"> RewriteEngine On RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L] </Directory> |
HTTPS / SSL
sudo a2enmod rewrite sudo a2enmod ssl sc-restart apache2 sudo systemctl daemon-reload |
/etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80> ServerName www.domain.fr Redirect permanent / https://www.domain.fr </VirtualHost> <VirtualHost *:443> ServerName www.domain.fr DocumentRoot /var/www/myserver # Enable SSL for this virtual host SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key # Exports the standard SSL/TLS related `SSL_*' environment variables for php files <FilesMatch "\.php$"> SSLOptions +StdEnvVars </FilesMatch> </VirtualHost> |
Let's encrypt
# install certbot and the apache plugin apt install python3-certbot-apache # dry run, certonly: obtain or renew a certificate, but do not install it certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr # run: obtain & install a certificate in your current webserver certbot run --apache --domain www.domain.fr --email admin@domain.fr |
/etc/apache2/sites-available/www-le-ssl.conf |
# configuration créée par certbot <IfModule mod_ssl.c> <VirtualHost *:443> # reprend la config du site # ajout des certificats SSLCertificateFile /etc/letsencrypt/live/www.domain.fr/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem # inclut la config let's encrypt Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> </IfModule> |
proxy
# activer les modules # pour http sudo a2enmode proxy_http # pour https sudo a2enmode proxy_connect # activé si l'un des 2 autres est activé sudo a2enmode proxy |
/etc/apache2/site-available/myserver.conf |
<VirtualHost *:80> # everything under the root URL (/) should be mapped to the backend server at the given address ProxyPass / http://backend_server:8080/ # modify the response headers from backend server # same configuration as ProxyPass. ProxyPassReverse / http://backend_server:8080/ # pass the original Host header to the backend server ProxyPreserveHost On # for reverse proxy ProxyRequests Off </VirtualHost> <VirtualHost *:443> SSLProxyEngine On SSLProxyCheckPeerCN Off SSLProxyCheckPeerName Off SSLProxyVerify none </VirtualHost> |
Conf files
# enable a conf a2enconf [conf] # disable a conf a2disconf [conf] # list enabled config a2query -c # list all enables conf files sudo apachectl -t -D DUMP_INCLUDES |
Security
/etc/apache2/conf-available/security.conf |
# Hide server information like Apache and PHP versions ServerTokens Prod # Turn off your server's signature ServerSignature Off # Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled (a2enmod headers). Header set X-Content-Type-Options: "nosniff" # Setting this header will prevent other sites from embedding pages from this site as frames. # Requires mod_headers to be enabled (a2enmod headers). Header set X-Frame-Options: "sameorigin" |
Modules
# activer un module a2enmod [module] # désactiver un module a2dismod [module] # lister les modules chargés apache2ctl -M |
Activer un module déjà activé ne pose pas de problème. Même chose pour la désactivation. |
PHP
# vérifier qu'un module a bien été chargé php -m | grep <module-name> # activer un module phpenmod <module-name> # redémarrer le serveur apache après ça |
/etc/php/7.2/apache2/php.ini |
memory_limit = 512M |
PHP-FPM
Par defaut apache utilise mod_php, moins performant que php-fpm et ne permettant pas d'utiliser HTTP/2.
sudo apt install php-fpm sc-status php7.4-fpm # désactiver les modules php et mpm_prefork sudo a2dismod php7.4 sudo a2dismod mpm_prefork # activer la configuration php-fpm et le module mpm_event # sudo a2enmod proxy_fcgi setenvif sudo a2enconf php7.4-fpm sudo a2enmod mpm_event |
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf |
create a new pool
Permet d'avoir une configuration différente par site.
/etc/php/7.4/fpm/pool.d/new.conf |
[new] listen = /run/php/php7.4-fpm-new.sock |
/etc/apache2/sites-available/mysite.conf |
<FilesMatch ".+\.ph(ar|p|tml)$"> SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost" </FilesMatch> |
force a specific PHP version for a site
/etc/apache2/sites-available/mysite.conf |
<FilesMatch "\.php$"> # force PHP 7.4 SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" </FilesMatch> |
monitoring
/etc/php/7.4/fpm/pool.d/www.conf |
pm.status_path = /status |
/etc/apache2/sites-available/000-default.conf |
<LocationMatch "/status"> SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" </LocationMatch> # enable access to the realtime status web page Alias /realtime-status "/usr/share/php/7.4/fpm/status.html" |
- Raw status info: http://<server>/status
- HTML status info: http://<server>/realtime-status
No / at the end of the url |
HTTP/2
Utiliser php-fpm car incompatible avec mod_php.
a2enmod http2 |
Dotnet core
/etc/apache2/sites-available/dotnetcore.conf |
<VirtualHost *:*> RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME} </VirtualHost> <VirtualHost *:80> ServerName dotnetcore.myserver ProxyPreserveHost On ProxyPass / http://127.0.0.1:5000/ ProxyPassReverse / http://127.0.0.1:5000/ ErrorLog ${APACHE_LOG_DIR}\dotnetcore-error.log CustomLog ${APACHE_LOG_DIR}\dotnetcore-access.log common <!-- restrict access to 192.168.0.0/24 only --> <Location /> Require ip 192.168.0.0/24 ProxyPreserveHost On ProxyPass http://127.0.0.1:5020/ ProxyPassReverse http://127.0.0.1:5020/ </Location> </VirtualHost> |
Droits d'accès des dossiers et fichiers
Le serveur Apache accède aux dossiers et fichiers via l'utilisateur www-data.
Mediawiki
/etc/apache2/sites-available/mediawiki.conf |
<VirtualHost *:80> ServerName mediawiki.host DocumentRoot /var/www/mediawiki ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined <Directory "/var/www/mediawiki"> AllowOverride All Options -Indexes ErrorDocument 403 /index.php RewriteEngine On RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L] </Directory> </VirtualHost> |
Erreurs
SSL_ERROR_RX_RECORD_TOO_LONG
# activer le site default-ssl sudo a2ensite default-ssl.conf |