"Apache et ubuntu": difference between revisions

From Banane Atomic

Latest revision as of 26 July 2023, 22:44

Configuration

# enable/disable a site
a2ensite [server]
a2dissite [server]

# list enabled sites
a2query -s
# list virtualhosts
sudo apache2ctl -S

sc-reload apache2
sudo systemctl daemon-reload

VirtualHost

/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    ServerAlias myserver
</VirtualHost>

Require

/etc/apache2/sites-available/000-default.conf
<Directory /var/www/html>
    AllowOverride None

    # the Require examples below are alternatives: keep only the one you need

    # all requests are denied
    Require all denied

    # all requests are allowed except 192.168.1.1
    # a negated "Require not" is only accepted inside <RequireAll>; in the
    # implicit <RequireAny> of a <Directory> block Apache refuses to start
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.1
    </RequireAll>

    # allow only the IPs 127.0.0.1 and 192.168.0.0/24
    Require ip 127.0.0.1 192.168.0.0/24

    # all hosts in the example.org domain are allowed access; all other hosts are denied access
    Require host example.org
</Directory>
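An added example, not from the wiki page: a small Python model of how mod_authz_core combines the `Require` directives above, limited to the `all` and `ip` providers. It shows the tri-state result (granted / denied / neutral), why `Require not ip` is only useful inside `<RequireAll>`, and that anything short of an explicit grant ends in a 403.

```python
import ipaddress

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def require(rule, client_ip):
    """Evaluate one rule (the text after the Require keyword, e.g. 'all granted',
    'ip 127.0.0.1 192.168.0.0/24' or 'not ip 192.168.1.1') for one client address.
    Only the 'all' and 'ip' providers of mod_authz_core are modelled here."""
    negate = rule.startswith("not ")
    kind, *args = (rule[4:] if negate else rule).split()
    if kind == "all":
        result = GRANTED if args == ["granted"] else DENIED
    elif kind == "ip":
        client = ipaddress.ip_address(client_ip)
        hit = any(client in ipaddress.ip_network(a, strict=False) for a in args)
        result = GRANTED if hit else DENIED
    else:
        raise ValueError(f"provider not modelled in this example: {kind}")
    if negate:
        # a negated rule never grants: a match denies, a miss is neutral
        return DENIED if result == GRANTED else NEUTRAL
    return result


def config_accepted(container, rules):
    """Apache rejects a negated Require inside <RequireAny>, which is also the
    implicit container of a <Directory> block, at startup (the error says the
    negative Require directive has no effect in <RequireAny>)."""
    return container == "RequireAll" or not any(r.startswith("not ") for r in rules)


def authorize(container, rules, client_ip):
    """Combine the rule results the way <RequireAny> or <RequireAll> does."""
    if not config_accepted(container, rules):
        raise ValueError("negative Require directive has no effect in <RequireAny>")
    results = [require(r, client_ip) for r in rules]
    if container == "RequireAll":
        if DENIED in results:            # one failing rule denies the whole block
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return GRANTED if GRANTED in results else DENIED   # RequireAny: one grant suffices


def access_allowed(container, rules, client_ip):
    """Only an explicit grant opens access; a neutral result is a 403 like a deny."""
    return authorize(container, rules, client_ip) == GRANTED
```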

Rewrite url

sudo a2enmod rewrite
sc-restart apache2
/etc/apache2/sites-available/myserver.conf
<Directory "/var/www/myserver">
    RewriteEngine       On
    RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>

HTTPS / SSL

sudo a2enmod rewrite
sudo a2enmod ssl

sc-restart apache2
sudo systemctl daemon-reload
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    # the target needs a trailing slash: Redirect appends the rest of the path to it
    Redirect   permanent / https://www.domain.fr/
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.domain.fr
    DocumentRoot /var/www/myserver

    # Enable SSL for this virtual host
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Exports the standard SSL/TLS related `SSL_*' environment variables for php files
    <FilesMatch "\.php$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>

SSLOptions

Let's encrypt

# install certbot and the apache plugin
apt install python3-certbot-apache

# dry run, certonly: obtain or renew a certificate, but do not install it
certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr

# run: obtain & install a certificate in your current webserver
certbot run --apache --domain www.domain.fr --email admin@domain.fr
/etc/apache2/sites-available/www-le-ssl.conf
# configuration created by certbot
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # repeats the site's configuration

    # adds the certificates
    SSLCertificateFile    /etc/letsencrypt/live/www.domain.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem

    # includes the let's encrypt configuration
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

proxy

# enable the modules
# for http
sudo a2enmod proxy_http
# for https
sudo a2enmod proxy_connect
# enabled if one of the other two is enabled
sudo a2enmod proxy
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    # everything under the root URL (/) should be mapped to the backend server at the given address
    ProxyPass        / http://backend_server:8080/
    # modify the response headers from backend server
    # same configuration as ProxyPass.
    ProxyPassReverse / http://backend_server:8080/

    # pass the original Host header to the backend server
    ProxyPreserveHost On
    # for reverse proxy
    ProxyRequests     Off
</VirtualHost>

<VirtualHost *:443>
    # required to proxy to an https:// backend
    SSLProxyEngine          On
    # the next three directives switch off the backend certificate checks
    # (no chain verification, no CN / SAN check), so the backend is not
    # authenticated: acceptable only for a trusted backend on a private network
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyVerify          none
</VirtualHost>

Conf files

# enable a conf
a2enconf [conf]

# disable a conf
a2disconf [conf]

# list enabled config
a2query -c

# list all enabled conf files
sudo apachectl -t -D DUMP_INCLUDES

Security

/etc/apache2/conf-available/security.conf
# Hide server information like Apache and PHP versions
ServerTokens Prod

# Turn off your server's signature
ServerSignature Off

# Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Content-Type-Options "nosniff"

# Setting this header will prevent other sites from embedding pages from this site as frames.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Frame-Options "sameorigin"

Modules

# enable a module
a2enmod [module]

# disable a module
a2dismod [module]

# list loaded modules
apache2ctl -M
Enabling a module that is already enabled is not a problem. The same goes for disabling.

PHP

# check that a module has been loaded
php -m | grep <module-name>

# enable a module
phpenmod <module-name>
# restart the apache server afterwards
/etc/php/7.2/apache2/php.ini
memory_limit = 512M

PHP-FPM

By default Apache uses mod_php, which performs worse than php-fpm and cannot be used with HTTP/2.

sudo apt install php-fpm
sc-status php7.4-fpm

# disable the php and mpm_prefork modules
sudo a2dismod php7.4
sudo a2dismod mpm_prefork

# enable the php-fpm configuration and the mpm_event module
# sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.4-fpm
sudo a2enmod mpm_event
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf

create a new pool

Allows a different configuration per site.

/etc/php/7.4/fpm/pool.d/new.conf
[new]
listen = /run/php/php7.4-fpm-new.sock
/etc/apache2/sites-available/mysite.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"
</FilesMatch>

force a specific PHP version for a site

/etc/apache2/sites-available/mysite.conf
<FilesMatch "\.php$">
    # force PHP 7.4
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
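An added example, not from the wiki page, for the pool and per-site handler configuration above: it reads the `listen =` lines of pool files and the `SetHandler "proxy:unix:…"` lines of vhost files (both constructed inline here) and reports handlers pointing at a socket no pool declares, the classic leftover after a PHP version change; the `old.conf` vhost with a 7.2 socket is constructed to show that case.

```python
import re

# Constructed sample input (not the page's real files): two pool files as found
# under /etc/php/7.4/fpm/pool.d/ and two vhost snippets from sites-available.
POOLS = {
    "new.conf": "[new]\nlisten = /run/php/php7.4-fpm-new.sock\n",
    "www.conf": "[www]\nlisten = /run/php/php7.4-fpm.sock\n",
}
VHOSTS = {
    "mysite.conf": '<FilesMatch ".+\\.ph(ar|p|tml)$">\n'
                   '    SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"\n'
                   '</FilesMatch>\n',
    # leftover from before the upgrade: no pool listens on the 7.2 socket any more
    "old.conf": '<FilesMatch "\\.php$">\n'
                '    SetHandler "proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost"\n'
                '</FilesMatch>\n',
}

LISTEN_RE = re.compile(r"^\s*listen\s*=\s*(\S+)", re.M)
HANDLER_RE = re.compile(r'SetHandler\s+"proxy:unix:([^|"]+)\|fcgi://')


def pool_sockets(pools):
    """Map each unix socket path to the pool file that declares it.
    TCP style values such as 'listen = 127.0.0.1:9000' are skipped."""
    return {m.group(1): name for name, text in pools.items()
            for m in LISTEN_RE.finditer(text) if m.group(1).startswith("/")}


def dangling_handlers(pools, vhosts):
    """Return (vhost file, socket) pairs whose SetHandler targets a socket no pool
    listens on; requests for those files fail with 503 instead of running PHP."""
    known = pool_sockets(pools)
    return [(name, sock) for name, text in vhosts.items()
            for sock in HANDLER_RE.findall(text) if sock not in known]
```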

monitoring

/etc/php/7.4/fpm/pool.d/www.conf
pm.status_path = /status
/etc/apache2/sites-available/000-default.conf
# hands the status path to php-fpm; pm.status_path alone does not restrict who
# may read it, so add a Require rule here (see the Require section) when the
# server is reachable from untrusted networks
<LocationMatch "/status">
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</LocationMatch>

# enable access to the realtime status web page
Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
  • Raw status info: http://<server>/status
  • HTML status info: http://<server>/realtime-status
No / at the end of the url

HTTP/2

Use php-fpm, since HTTP/2 is incompatible with mod_php.

a2enmod http2

Dotnet core

/etc/apache2/sites-available/dotnetcore.conf
<VirtualHost *:*>
    # tells the backend which scheme the client used (requires mod_headers)
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
    ServerName dotnetcore.myserver

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    # log paths use forward slashes
    ErrorLog ${APACHE_LOG_DIR}/dotnetcore-error.log
    CustomLog ${APACHE_LOG_DIR}/dotnetcore-access.log common

    # restrict access to 192.168.0.0/24 only
    # (Apache config comments start with #, not with <!-- -->)
    <Location />
        Require ip 192.168.0.0/24

        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:5020/
        ProxyPassReverse http://127.0.0.1:5020/
    </Location>
</VirtualHost>

Directory and file access rights

The Apache server accesses directories and files as the www-data user.

Mediawiki

/etc/apache2/sites-available/mediawiki.conf
<VirtualHost *:80>
    ServerName mediawiki.host
    DocumentRoot /var/www/mediawiki

    ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
    CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined

    <Directory "/var/www/mediawiki">
        AllowOverride       All
        Options             -Indexes
        ErrorDocument 403   /index.php
        RewriteEngine       On
        RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
    </Directory>
</VirtualHost>

Errors

SSL_ERROR_RX_RECORD_TOO_LONG

# enable the default-ssl site
sudo a2ensite default-ssl.conf