« Apache et ubuntu » : différence entre les versions
De Banane Atomic
Aller à la navigationAller à la recherche
| Ligne 237 : | Ligne 237 : | ||
== monitoring == | == monitoring == | ||
<filebox fn='/etc/php/7. | <filebox fn='/etc/php/7.4/fpm/pool.d/www.conf' lang='ini'> | ||
pm.status_path = /status | pm.status_path = /status | ||
ping.path = /ping | ping.path = /ping | ||
| Ligne 244 : | Ligne 244 : | ||
<filebox fn='/etc/apache2/sites-available/000-default.conf' lang='apache'> | <filebox fn='/etc/apache2/sites-available/000-default.conf' lang='apache'> | ||
<FilesMatch "^ping|status$"> | <FilesMatch "^ping|status$"> | ||
SetHandler "proxy:unix:/run/php/php7. | SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost" | ||
</FilesMatch> | </FilesMatch> | ||
# enable access to the web page | # enable access to the web page | ||
Alias /fpm /usr/share/php/7. | Alias /fpm /usr/share/php/7.4/fpm | ||
<Directory /usr/share/php/7. | <Directory /usr/share/php/7.4/fpm> | ||
DirectoryIndex status.html | DirectoryIndex status.html | ||
</Directory> | </Directory> | ||
Version du 17 janvier 2021 à 14:01
Configuration
|
# activer/désactiver un site a2ensite [server] a2dissite [server] # list enabled sites a2query -s # list virtualhosts sudo apache2ctl -S sc-reload apache2 sudo systemctl daemon-reload |
VirtualHost
| /etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80>
ServerName www.domain.fr
ServerAlias myserver
</VirtualHost>
|
Require
| /etc/apache2/sites-available/000-default.config |
<Directory /var/www/html>
AllowOverride None
# all requests are denied
Require all denied
# all requests are allowed except 192.168.1.1
Require all granted
Require not ip 192.168.1.1
# authoriser seulement les IPs 127.0.0.1 et 192.168.0.0/24
Require ip 127.0.0.1 192.168.0.0/24
# all hosts in the example.org domain are allowed access; all other hosts are denied access
Require host example.org
</Directory>
|
Rewrite url
|
|
sudo a2enmod rewrite sc-restart apache2 |
| /etc/apache2/sites-available/myserver.conf |
<Directory "/var/www/myserver">
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>
|
HTTPS / SSL
|
|
sudo a2enmod rewrite sudo a2enmod ssl sc-restart apache2 sudo systemctl daemon-reload |
| /etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80>
ServerName www.domain.fr
Redirect permanent / https://www.domain.fr
</VirtualHost>
<VirtualHost *:443>
ServerName www.domain.fr
DocumentRoot /var/www/myserver
# Enable SSL for this virtual host
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Exports the standard SSL/TLS related `SSL_*' environment variables for php files
<FilesMatch "\.php$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
|
Let's encrypt
|
|
# install certbot and the apache plugin apt install python3-certbot-apache # dry run, certonly: obtain or renew a certificate, but do not install it certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr # run: obtain & install a certificate in your current webserver certbot run --apache --domain www.domain.fr --email admin@domain.fr |
| /etc/apache2/sites-available/www-le-ssl.conf |
# configuration créée par certbot
<IfModule mod_ssl.c>
<VirtualHost *:443>
# reprend la config du site
# ajout des certificats
SSLCertificateFile /etc/letsencrypt/live/www.domain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem
# inclut la config let's encrypt
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
|
proxy
|
|
# activer les modules # pour http sudo a2enmode proxy_http # pour https sudo a2enmode proxy_connect # activé si l'un des 2 autres est activé sudo a2enmode proxy |
| /etc/apache2/site-available/myserver.conf |
<VirtualHost *:80>
# everything under the root URL (/) should be mapped to the backend server at the given address
ProxyPass / http://backend_server:8080/
# modify the response headers from backend server
# same configuration as ProxyPass.
ProxyPassReverse / http://backend_server:8080/
# pass the original Host header to the backend server
ProxyPreserveHost On
# for reverse proxy
ProxyRequests Off
</VirtualHost>
<VirtualHost *:443>
SSLProxyEngine On
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyVerify none
</VirtualHost>
|
Conf files
|
|
# enable a conf a2enconf [conf] # disable a conf a2disconf [conf] # list all enables conf files sudo apachectl -t -D DUMP_INCLUDES |
Security
| /etc/apache2/conf-available/security.conf |
# Hide server information like Apache and PHP versions ServerTokens Prod # Turn off your server's signature ServerSignature Off # Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers. # Requires mod_headers to be enabled (a2enmod headers). Header set X-Content-Type-Options: "nosniff" # Setting this header will prevent other sites from embedding pages from this site as frames. # Requires mod_headers to be enabled (a2enmod headers). Header set X-Frame-Options: "sameorigin" |
Modules
|
|
# activer un module a2enmod [module] # désactiver un module a2dismod [module] # lister les modules chargés sudo apachectl -M |
 |
Activer un module déjà activé ne pose pas de problème. Même chose pour la désactivation. |
PHP
|
|
# vérifier qu'un module a bien été chargé php -m | grep <module-name> # activer un module phpenmod <module-name> # redémarrer le serveur apache après ça |
| /etc/php/7.2/apache2/php.ini |
memory_limit = 512M |
PHP-FPM
Par defaut apache utilise mod_php, moins performant que php-fpm et ne permettant pas d'utiliser HTTP/2.
|
|
sudo apt install php-fpm sc-status php7.4-fpm # désactiver les modules php et mpm_prefork sudo a2dismod php7.4 sudo a2dismod mpm_prefork # activer la configuration php-fpm et le module mpm_event # sudo a2enmod proxy_fcgi setenvif sudo a2enconf php7.4-fpm sudo a2enmod mpm_event |
|
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf |
create a new pool
Permet d'avoir une configuration différente par site.
| /etc/php/7.4/fpm/pool.d/new.conf |
[new] listen = /run/php/php7.4-fpm-new.sock |
| /etc/apache2/sites-available/mysite.conf |
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"
</FilesMatch>
|
monitoring
| /etc/php/7.4/fpm/pool.d/www.conf |
pm.status_path = /status ping.path = /ping |
| /etc/apache2/sites-available/000-default.conf |
<FilesMatch "^ping|status$">
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
# enable access to the web page
Alias /fpm /usr/share/php/7.4/fpm
<Directory /usr/share/php/7.4/fpm>
DirectoryIndex status.html
</Directory>
|
HTTP/2
Utiliser php-fpm car incompatible avec mod_php.
|
|
a2enmod http2 |
| /etc/apache2/mods-available/http2.conf |
# fichier à créer
<IfModule mod_http2.c>
Protocols h2 http/1.1
</IfModule>
|
Dotnet core
| /etc/apache2/sites-available/dotnetcore.conf |
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName dotnetcore.myserver
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ErrorLog ${APACHE_LOG_DIR}\dotnetcore-error.log
CustomLog ${APACHE_LOG_DIR}\dotnetcore-access.log common
</VirtualHost>
|
Droits d'accès des dossiers et fichiers
Le serveur Apache accède aux dossiers et fichiers via l'utilisateur www-data.
Mediawiki
| /etc/apache2/sites-available/mediawiki.conf |
<VirtualHost *:80>
ServerName mediawiki.host
DocumentRoot /var/www/mediawiki
ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined
<Directory "/var/www/mediawiki">
AllowOverride All
Options -Indexes
ErrorDocument 403 /index.php
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>
</VirtualHost>
|
Erreurs
SSL_ERROR_RX_RECORD_TOO_LONG
|
|
# activer le site default-ssl sudo a2ensite default-ssl.conf |
