Apache and Ubuntu

From Banane Atomic

Configuration

# enable/disable a site
a2ensite [server]
a2dissite [server]

# list enabled sites
a2query -s
# list virtualhosts
sudo apache2ctl -S

sc-reload apache2
sudo systemctl daemon-reload

VirtualHost

/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    ServerAlias myserver
</VirtualHost>

Require

/etc/apache2/sites-available/000-default.config
<Directory /var/www/html>
    AllowOverride None

    # all requests are denied
    Require all denied

    # all requests are allowed except those coming from 192.168.1.1
    # (a negated Require only takes effect inside a <RequireAll> container)
    <RequireAll>
        Require all granted
        Require not ip 192.168.1.1
    </RequireAll>

    # allow only the IPs 127.0.0.1 and 192.168.0.0/24
    Require ip 127.0.0.1 192.168.0.0/24

    # all hosts in the example.org domain are allowed access; all other hosts are denied access
    Require host example.org
</Directory>

Rewrite URL

sudo a2enmod rewrite
sc-restart apache2
/etc/apache2/sites-available/myserver.conf
<Directory "/var/www/myserver">
    RewriteEngine       On
    RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>

HTTPS / SSL

sudo a2enmod rewrite
sudo a2enmod ssl

sc-restart apache2
sudo systemctl daemon-reload
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    ServerName www.domain.fr
    Redirect   permanent / https://www.domain.fr
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.domain.fr
    DocumentRoot /var/www/myserver

    # Enable SSL for this virtual host
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Exports the standard SSL/TLS related `SSL_*' environment variables for php files
    <FilesMatch "\.php$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>
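The vhost above only switches TLS on. As an added example (not from the original page), here is the same www.domain.fr vhost with the protocol, cipher and HSTS settings a production deployment needs; it assumes mod_ssl and mod_headers are enabled (a2enmod ssl headers) and keeps the snakeoil certificate paths as placeholders for a real certificate.

```apache
# Added example: hardened HTTPS vhost for www.domain.fr (paths are placeholders)
<VirtualHost *:80>
    ServerName www.domain.fr
    # 301 to HTTPS; the requested path is appended to the target
    Redirect permanent / https://www.domain.fr/
</VirtualHost>

<VirtualHost *:443>
    ServerName   www.domain.fr
    DocumentRoot /var/www/myserver

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Refuse SSLv3, TLS 1.0 and TLS 1.1: only TLS 1.2 and 1.3 remain
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # The server, not the client, decides the cipher order
    SSLHonorCipherOrder on
    # AEAD ciphers with ephemeral key exchange only (forward secrecy)
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    # Session tickets are encrypted with a key that is never rotated while
    # Apache runs, which weakens forward secrecy: disable them
    SSLSessionTickets off

    # Browsers will use HTTPS for this host for the next two years;
    # "always" also sets the header on error responses
    Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>
```

With Let's Encrypt, the `Include /etc/letsencrypt/options-ssl-apache.conf` written by certbot already provides the SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder and SSLSessionTickets settings, so only the HSTS header is left to add there.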


Let's encrypt

# install certbot and the apache plugin
apt install python3-certbot-apache

# dry run, certonly: obtain or renew a certificate, but do not install it
certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr

# run: obtain & install a certificate in your current webserver
certbot run --apache --domain www.domain.fr --email admin@domain.fr
/etc/apache2/sites-available/www-le-ssl.conf
# configuration created by certbot
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # repeats the site's configuration

    # adds the certificates
    SSLCertificateFile    /etc/letsencrypt/live/www.domain.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem

    # includes the Let's Encrypt TLS settings
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

proxy

# enable the modules
# for http
sudo a2enmod proxy_http
# for https (CONNECT method)
sudo a2enmod proxy_connect
# enabled automatically when either of the other two is enabled
sudo a2enmod proxy
/etc/apache2/sites-available/myserver.conf
<VirtualHost *:80>
    # everything under the root URL (/) should be mapped to the backend server at the given address
    ProxyPass        / http://backend_server:8080/
    # modify the response headers from backend server
    # same configuration as ProxyPass.
    ProxyPassReverse / http://backend_server:8080/

    # pass the original Host header to the backend server
    ProxyPreserveHost On
    # for reverse proxy
    ProxyRequests     Off
</VirtualHost>

<VirtualHost *:443>
    SSLProxyEngine          On
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyVerify          none
</VirtualHost>
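The *:443 vhost above turns off every check on the backend's certificate, so any host able to answer on the backend address is accepted as the backend. As an added example (not from the original page), the hardened form below keeps the verification on; it assumes the backend listens on https://backend_server:8443/ and that /etc/ssl/backend-ca.pem holds the CA that signed the backend certificate.

```apache
# Added example: reverse proxy to an HTTPS backend with peer verification kept on
# (backend_server:8443 and /etc/ssl/backend-ca.pem are assumed values)
<VirtualHost *:443>
    ServerName www.domain.fr
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # Never act as an open forward proxy: only the explicit ProxyPass mappings apply
    ProxyRequests Off

    # Weak settings from the page, kept here commented out for comparison:
    #   SSLProxyVerify        none
    #   SSLProxyCheckPeerCN   Off
    #   SSLProxyCheckPeerName Off

    # Hardened: the backend must present a certificate chained to our CA,
    # not expired, whose name matches the host in the ProxyPass URL
    SSLProxyEngine            On
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/backend-ca.pem
    SSLProxyCheckPeerName     On
    SSLProxyCheckPeerExpire   On

    # Keep Off here: when On, Apache uses the client's Host header for SNI and
    # for the peer name check, so the backend certificate would have to carry
    # www.domain.fr instead of backend_server
    ProxyPreserveHost Off

    ProxyPass        / https://backend_server:8443/
    ProxyPassReverse / https://backend_server:8443/
</VirtualHost>
```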

Conf files

# enable a conf
a2enconf [conf]

# disable a conf
a2disconf [conf]

# list enabled config
a2query -c

# list all enabled conf files
sudo apachectl -t -D DUMP_INCLUDES

Security

/etc/apache2/conf-available/security.conf
# Hide server information like Apache and PHP versions
ServerTokens Prod

# Turn off your server's signature
ServerSignature Off

# Setting this header will prevent MSIE from interpreting files as something other than what the Content-Type header declares.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Content-Type-Options: "nosniff"

# Setting this header will prevent other sites from embedding pages from this site as frames.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Frame-Options: "sameorigin"

Modules

# enable a module
a2enmod [module]

# disable a module
a2dismod [module]

# list loaded modules
apache2ctl -M
Enabling a module that is already enabled is not a problem; the same goes for disabling one.

PHP

# check that a module has been loaded
php -m | grep <module-name>

# enable a module
phpenmod <module-name>
# restart the apache server afterwards
/etc/php/7.2/apache2/php.ini
memory_limit = 512M

PHP-FPM

By default Apache uses mod_php, which performs worse than php-fpm and does not allow HTTP/2 to be used.

sudo apt install php-fpm
sc-status php7.4-fpm

# disable the php and mpm_prefork modules
sudo a2dismod php7.4
sudo a2dismod mpm_prefork

# enable the php-fpm configuration and the mpm_event module
# sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.4-fpm
sudo a2enmod mpm_event
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf

create a new pool

Allows a different configuration per site.

/etc/php/7.4/fpm/pool.d/new.conf
[new]
listen = /run/php/php7.4-fpm-new.sock
/etc/apache2/sites-available/mysite.conf
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"
</FilesMatch>

force a specific PHP version for a site

/etc/apache2/sites-available/mysite.conf
<FilesMatch "\.php$">
    # force PHP 7.4
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>

monitoring

/etc/php/7.4/fpm/pool.d/www.conf
pm.status_path = /status
/etc/apache2/sites-available/000-default.conf
<LocationMatch "/status">
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</LocationMatch>

# enable access to the realtime status web page
Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
  • Raw status info: http://<server>/status
  • HTML status info: http://<server>/realtime-status
Do not put a trailing / at the end of the URL.
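As written, the /status handler above answers anyone who can reach the vhost, and the pool statistics (process counts, slow requests, script paths) are useful reconnaissance. As an added example (not from the original page), the same two endpoints restricted with the Require directives from the Require section; the 192.168.0.0/24 admin network is an assumed value.

```apache
# Added example: FPM status pages reachable only from localhost and the admin LAN
# (192.168.0.0/24 is an assumed admin network)
<LocationMatch "^/(status|realtime-status)$">
    # Anything not listed here gets 403
    Require ip 127.0.0.1 ::1 192.168.0.0/24
</LocationMatch>

# Anchored pattern: an unanchored "/status" would also match /realtime-status
# and hand the static HTML page to php-fpm instead of the Alias below
<LocationMatch "^/status$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</LocationMatch>

Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
```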

HTTP/2

Use php-fpm: HTTP/2 is not compatible with mod_php.

a2enmod http2

Dotnet core

/etc/apache2/sites-available/dotnetcore.conf
<VirtualHost *:*>
    RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>

<VirtualHost *:80>
    ServerName dotnetcore.myserver

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5000/
    ProxyPassReverse / http://127.0.0.1:5000/

    ErrorLog ${APACHE_LOG_DIR}/dotnetcore-error.log
    CustomLog ${APACHE_LOG_DIR}/dotnetcore-access.log common

    # restrict access to 192.168.0.0/24 only
    <Location />
        Require ip 192.168.0.0/24
        
        ProxyPreserveHost On
        ProxyPass http://127.0.0.1:5020/
        ProxyPassReverse http://127.0.0.1:5020/
    </Location>
</VirtualHost>

Directory and file permissions

The Apache server accesses directories and files as the www-data user.

Mediawiki

/etc/apache2/sites-available/mediawiki.conf
<VirtualHost *:80>
    ServerName mediawiki.host
    DocumentRoot /var/www/mediawiki

    ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
    CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined

    <Directory "/var/www/mediawiki">
        AllowOverride	    All
        Options             -Indexes
        ErrorDocument 403   /index.php
        RewriteEngine       On
        RewriteRule         ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
    </Directory>
</VirtualHost>

Errors

SSL_ERROR_RX_RECORD_TOO_LONG

# enable the default-ssl site
sudo a2ensite default-ssl.conf