Apache and Ubuntu
From Banane Atomic
Configuration
    # enable/disable a site
    a2ensite [server]
    a2dissite [server]
    # list enabled sites
    a2query -s
    # list virtualhosts
    sudo apache2ctl -S
    # sc-reload: shell alias for "sudo systemctl reload"
    sc-reload apache2
    sudo systemctl daemon-reload
VirtualHost
/etc/apache2/sites-available/myserver.conf
    <VirtualHost *:80>
        ServerName www.domain.fr
        ServerAlias myserver
    </VirtualHost>
Require
/etc/apache2/sites-available/000-default.conf
    <Directory /var/www/html>
        AllowOverride None

        # The rules below are alternatives: keep only one of them.

        # all requests are denied
        Require all denied

        # all requests are allowed except 192.168.1.1
        # (a negated Require must sit inside <RequireAll>)
        <RequireAll>
            Require all granted
            Require not ip 192.168.1.1
        </RequireAll>

        # allow only the IPs 127.0.0.1 and 192.168.0.0/24
        Require ip 127.0.0.1 192.168.0.0/24

        # all hosts in the example.org domain are allowed access; all other hosts are denied access
        Require host example.org
    </Directory>
Rewrite url
    sudo a2enmod rewrite
    # sc-restart: shell alias for "sudo systemctl restart"
    sc-restart apache2
/etc/apache2/sites-available/myserver.conf
    <Directory "/var/www/myserver">
        RewriteEngine On
        RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
    </Directory>
HTTPS / SSL
    sudo a2enmod rewrite
    sudo a2enmod ssl
    # sc-restart: shell alias for "sudo systemctl restart"
    sc-restart apache2
    sudo systemctl daemon-reload
/etc/apache2/sites-available/myserver.conf
    <VirtualHost *:80>
        ServerName www.domain.fr
        # trailing slash on the target, otherwise /page is redirected to https://www.domain.frpage
        Redirect permanent / https://www.domain.fr/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.domain.fr
        DocumentRoot /var/www/myserver
        # Enable SSL for this virtual host
        SSLEngine on
        # self-signed "snakeoil" certificate from the ssl-cert package, for testing only
        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        # Exports the standard SSL/TLS related `SSL_*' environment variables for php files
        <FilesMatch "\.php$">
            SSLOptions +StdEnvVars
        </FilesMatch>
    </VirtualHost>
Let's encrypt
    # install certbot and the apache plugin
    apt install python3-certbot-apache
    # dry run, certonly: obtain or renew a certificate, but do not install it
    certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr
    # run: obtain & install a certificate in your current webserver
    certbot run --apache --domain www.domain.fr --email admin@domain.fr
/etc/apache2/sites-available/www-le-ssl.conf
    # configuration created by certbot
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        # copies the site's configuration
        # adds the certificates
        SSLCertificateFile /etc/letsencrypt/live/www.domain.fr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem
        # includes the Let's Encrypt configuration
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>
proxy
    # enable the modules
    # for http
    sudo a2enmod proxy_http
    # for https
    sudo a2enmod proxy_connect
    # enabled automatically if one of the other two is enabled
    sudo a2enmod proxy
/etc/apache2/sites-available/myserver.conf
    <VirtualHost *:80>
        # everything under the root URL (/) should be mapped to the backend server at the given address
        ProxyPass / http://backend_server:8080/
        # modify the response headers from backend server
        # same configuration as ProxyPass.
        ProxyPassReverse / http://backend_server:8080/
        # pass the original Host header to the backend server
        ProxyPreserveHost On
        # for reverse proxy
        ProxyRequests Off
    </VirtualHost>

    <VirtualHost *:443>
        SSLProxyEngine On
        # the three settings below turn off every check of the backend's certificate
        # (name match and chain validation)
        SSLProxyCheckPeerCN Off
        SSLProxyCheckPeerName Off
        SSLProxyVerify none
    </VirtualHost>
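
With SSLProxyCheckPeerCN Off, SSLProxyCheckPeerName Off and SSLProxyVerify none, Apache accepts any certificate the backend presents, so the proxied connection is encrypted but not authenticated. The following variant with verification enabled is an added example, not part of the original page; the backend port 8443 and the CA bundle path /etc/ssl/certs/backend-ca.pem are assumptions.

```apache
<VirtualHost *:443>
    ServerName www.domain.fr

    # TLS towards the clients (same files as in the HTTPS / SSL section)
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # TLS towards the backend
    SSLProxyEngine On
    # the backend's certificate chain must validate against the CA below
    SSLProxyVerify require
    # assumption: PEM bundle holding the CA that issued the backend's certificate
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem
    # the certificate's CN/subjectAltName must match the backend host name
    SSLProxyCheckPeerName On
    # an expired backend certificate is rejected
    SSLProxyCheckPeerExpire On

    # reverse proxy only
    ProxyRequests Off
    # assumption: the backend serves HTTPS on port 8443
    ProxyPass        / https://backend_server:8443/
    ProxyPassReverse / https://backend_server:8443/
</VirtualHost>
```
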
Conf files
    # enable a conf
    a2enconf [conf]
    # disable a conf
    a2disconf [conf]
    # list enabled confs
    a2query -c
    # list all included conf files
    sudo apachectl -t -D DUMP_INCLUDES
Security
/etc/apache2/conf-available/security.conf
    # Hide server information like Apache and PHP versions
    ServerTokens Prod
    # Turn off your server's signature
    ServerSignature Off
    # Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers.
    # Requires mod_headers to be enabled (a2enmod headers).
    Header set X-Content-Type-Options: "nosniff"
    # Setting this header will prevent other sites from embedding pages from this site as frames.
    # Requires mod_headers to be enabled (a2enmod headers).
    Header set X-Frame-Options: "sameorigin"
Modules
    # enable a module
    a2enmod [module]
    # disable a module
    a2dismod [module]
    # list the loaded modules
    apache2ctl -M
Enabling a module that is already enabled causes no problem. The same goes for disabling.
PHP
    # check that a module has been loaded
    php -m | grep <module-name>
    # enable a module
    phpenmod <module-name>
    # restart the Apache server after that
/etc/php/7.2/apache2/php.ini
    memory_limit = 512M
PHP-FPM
By default Apache uses mod_php, which performs worse than php-fpm and does not allow the use of HTTP/2.
    sudo apt install php-fpm
    # sc-status: shell alias for "systemctl status"
    sc-status php7.4-fpm
    # disable the php and mpm_prefork modules
    sudo a2dismod php7.4
    sudo a2dismod mpm_prefork
    # enable the php-fpm configuration and the mpm_event module
    # sudo a2enmod proxy_fcgi setenvif
    sudo a2enconf php7.4-fpm
    sudo a2enmod mpm_event
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf
create a new pool
Allows a different configuration per site.
/etc/php/7.4/fpm/pool.d/new.conf
    [new]
    listen = /run/php/php7.4-fpm-new.sock
/etc/apache2/sites-available/mysite.conf
    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"
    </FilesMatch>
force a specific PHP version for a site
/etc/apache2/sites-available/mysite.conf
    <FilesMatch "\.php$">
        # force PHP 7.4
        SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
    </FilesMatch>
monitoring
/etc/php/7.4/fpm/pool.d/www.conf
    pm.status_path = /status
/etc/apache2/sites-available/000-default.conf
    <LocationMatch "/status">
        SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
    </LocationMatch>
    # enable access to the realtime status web page
    Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
- Raw status info: http://<server>/status
- HTML status info: http://<server>/realtime-status
No / at the end of the URL.
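
As configured above, both status URLs answer to anyone who can reach the site and disclose pool internals. A variant of the 000-default.conf block that limits them to the server itself and one admin network follows as an added example, not part of the original page; 192.168.0.0/24 is reused from the Require section as an assumed admin subnet.

```apache
# raw FPM status: anchored to exactly /status and restricted
<LocationMatch "^/status$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
    # several Require lines are combined as "any of": local host OR admin subnet
    Require local
    # assumption: administrators connect from this network
    Require ip 192.168.0.0/24
</LocationMatch>

# realtime status page shipped with php-fpm
Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
<Location "/realtime-status">
    Require local
    Require ip 192.168.0.0/24
</Location>
```

From any other address both URLs should now return 403 Forbidden.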
HTTP/2
Use php-fpm, because HTTP/2 is incompatible with mod_php.
    a2enmod http2
Dotnet core
/etc/apache2/sites-available/dotnetcore.conf
    <VirtualHost *:*>
        # requires mod_headers (a2enmod headers)
        RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
    </VirtualHost>

    <VirtualHost *:80>
        ServerName dotnetcore.myserver
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:5000/
        ProxyPassReverse / http://127.0.0.1:5000/
        ErrorLog ${APACHE_LOG_DIR}/dotnetcore-error.log
        CustomLog ${APACHE_LOG_DIR}/dotnetcore-access.log common

        # restrict access to 192.168.0.0/24 only
        <Location />
            Require ip 192.168.0.0/24
            ProxyPreserveHost On
            ProxyPass http://127.0.0.1:5020/
            ProxyPassReverse http://127.0.0.1:5020/
        </Location>
    </VirtualHost>
Access rights for directories and files
The Apache server accesses directories and files as the www-data user.
Mediawiki
/etc/apache2/sites-available/mediawiki.conf
    <VirtualHost *:80>
        ServerName mediawiki.host
        DocumentRoot /var/www/mediawiki
        ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
        CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined
        <Directory "/var/www/mediawiki">
            AllowOverride All
            Options -Indexes
            ErrorDocument 403 /index.php
            RewriteEngine On
            RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
        </Directory>
    </VirtualHost>
Errors
SSL_ERROR_RX_RECORD_TOO_LONG
    # enable the default-ssl site
    sudo a2ensite default-ssl.conf