Apache and Ubuntu
Configuration
# enable/disable a site
a2ensite [server]
a2dissite [server]
# list enabled sites
a2query -s
# list virtualhosts
sudo apache2ctl -S
sc-reload apache2
sudo systemctl daemon-reload
|
VirtualHost
/etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80>
ServerName www.domain.fr
ServerAlias myserver
</VirtualHost>
|
Require
/etc/apache2/sites-available/000-default.conf |
<Directory /var/www/html>
AllowOverride None
# the rules below are alternatives: keep only one of them
# all requests are denied
Require all denied
# all requests are allowed except 192.168.1.1
# (a negated Require is only accepted inside <RequireAll>)
<RequireAll>
Require all granted
Require not ip 192.168.1.1
</RequireAll>
# allow only the IPs 127.0.0.1 and 192.168.0.0/24
Require ip 127.0.0.1 192.168.0.0/24
# all hosts in the example.org domain are allowed access; all other hosts are denied access
Require host example.org
</Directory>
|
Rewrite url
sudo a2enmod rewrite
sc-restart apache2
|
/etc/apache2/sites-available/myserver.conf |
<Directory "/var/www/myserver">
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>
|
HTTPS / SSL
sudo a2enmod rewrite
sudo a2enmod ssl
sc-restart apache2
sudo systemctl daemon-reload
|
/etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80>
ServerName www.domain.fr
# keep the trailing slash: the rest of the request path is appended to the target as-is
Redirect permanent / https://www.domain.fr/
</VirtualHost>
<VirtualHost *:443>
ServerName www.domain.fr
DocumentRoot /var/www/myserver
# Enable SSL for this virtual host
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
# Exports the standard SSL/TLS related `SSL_*' environment variables for php files
<FilesMatch "\.php$">
SSLOptions +StdEnvVars
</FilesMatch>
</VirtualHost>
|
Let's Encrypt
# install certbot and the apache plugin
apt install python3-certbot-apache
# dry run, certonly: obtain or renew a certificate, but do not install it
certbot certonly --dry-run --apache --domain www.domain.fr --email admin@domain.fr
# run: obtain & install a certificate in your current webserver
certbot run --apache --domain www.domain.fr --email admin@domain.fr
|
/etc/apache2/sites-available/www-le-ssl.conf |
# configuration created by certbot
<IfModule mod_ssl.c>
<VirtualHost *:443>
# repeats the site's configuration
# adds the certificates
SSLCertificateFile /etc/letsencrypt/live/www.domain.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.domain.fr/privkey.pem
# includes the Let's Encrypt configuration
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
|
proxy
# enable the modules
# for http
sudo a2enmod proxy_http
# for https (CONNECT method)
sudo a2enmod proxy_connect
# enabled automatically when either of the other two is enabled
sudo a2enmod proxy
|
/etc/apache2/sites-available/myserver.conf |
<VirtualHost *:80>
# everything under the root URL (/) should be mapped to the backend server at the given address
ProxyPass / http://backend_server:8080/
# modify the response headers from backend server
# same configuration as ProxyPass.
ProxyPassReverse / http://backend_server:8080/
# pass the original Host header to the backend server
ProxyPreserveHost On
# for reverse proxy
ProxyRequests Off
</VirtualHost>
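<VirtualHost *:443>
# allow proxying to an https:// backend
SSLProxyEngine On
# the three settings below turn off all verification of the backend certificate
SSLProxyCheckPeerCN Off
SSLProxyCheckPeerName Off
SSLProxyVerify none
</VirtualHost>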
|
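With `SSLProxyVerify none` and both peer checks off, the proxy accepts any certificate the backend address presents. A verified variant of the `*:443` block, as an added example that is not part of the original page; the backend port 8443 and the CA bundle path are assumptions:

```apache
<VirtualHost *:443>
    ServerName www.domain.fr
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

    # act as a TLS client towards the backend
    SSLProxyEngine On
    # the backend must present a certificate that chains to the CA below
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    # placeholder path: CA that issued the backend certificate
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem
    # the certificate must match the backend host name and must not be expired
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerExpire On

    # reverse proxy only, never an open forward proxy
    ProxyRequests Off
    # ProxyPreserveHost is left off here: when it is on, the name check
    # uses the client's Host header instead of the name in the ProxyPass URL
    ProxyPass / https://backend_server:8443/
    ProxyPassReverse / https://backend_server:8443/
</VirtualHost>
```

Run `sudo apache2ctl configtest` before reloading; a backend whose certificate does not validate then fails with a proxy error instead of being served silently.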
Conf files
# enable a conf
a2enconf [conf]
# disable a conf
a2disconf [conf]
# list enabled config
a2query -c
# list all included configuration files
sudo apachectl -t -D DUMP_INCLUDES
|
Security
/etc/apache2/conf-available/security.conf |
# Hide server information like Apache and PHP versions
ServerTokens Prod
# Turn off your server's signature
ServerSignature Off
# Setting this header will prevent MSIE from interpreting files as something else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Content-Type-Options: "nosniff"
# Setting this header will prevent other sites from embedding pages from this site as frames.
# Requires mod_headers to be enabled (a2enmod headers).
Header set X-Frame-Options: "sameorigin"
|
Modules
# enable a module
a2enmod [module]
# disable a module
a2dismod [module]
# list the loaded modules
apache2ctl -M
|
Enabling a module that is already enabled causes no problem. The same goes for disabling. |
PHP
# check that a module has been loaded
php -m | grep <module-name>
# enable a module
phpenmod <module-name>
# restart the Apache server afterwards
|
/etc/php/7.2/apache2/php.ini |
memory_limit = 512M
|
PHP-FPM
By default Apache uses mod_php, which is slower than php-fpm and does not allow HTTP/2.
sudo apt install php-fpm
sc-status php7.4-fpm
# disable the php and mpm_prefork modules
sudo a2dismod php7.4
sudo a2dismod mpm_prefork
# enable the php-fpm configuration and the mpm_event module
# sudo a2enmod proxy_fcgi setenvif
sudo a2enconf php7.4-fpm
sudo a2enmod mpm_event
|
Configuration: /etc/apache2/conf-available/php7.4-fpm.conf |
create a new pool
Allows a different configuration per site.
/etc/php/7.4/fpm/pool.d/new.conf |
[new]
listen = /run/php/php7.4-fpm-new.sock
|
/etc/apache2/sites-available/mysite.conf |
<FilesMatch ".+\.ph(ar|p|tml)$">
SetHandler "proxy:unix:/run/php/php7.4-fpm-new.sock|fcgi://localhost"
</FilesMatch>
|
force a specific PHP version for a site
/etc/apache2/sites-available/mysite.conf |
<FilesMatch "\.php$">
# force PHP 7.4
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
|
monitoring
/etc/php/7.4/fpm/pool.d/www.conf |
pm.status_path = /status
|
/etc/apache2/sites-available/000-default.conf |
<LocationMatch "/status">
SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</LocationMatch>
# enable access to the realtime status web page
Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
|
- Raw status info: http://<server>/status
- HTML status info: http://<server>/realtime-status
No / at the end of the url |
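Nothing in the configuration above limits who can request `/status` and `/realtime-status`, and the unanchored `LocationMatch "/status"` also matches longer paths that contain `/status`. A restricted variant, as an added example that is not part of the original page; the 192.168.0.0/24 admin network is an assumption:

```apache
# raw PHP-FPM status: exact path only, local and admin-network clients only
<LocationMatch "^/status$">
    <RequireAny>
        Require local
        Require ip 192.168.0.0/24
    </RequireAny>
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</LocationMatch>

# HTML status page, same restriction
Alias /realtime-status "/usr/share/php/7.4/fpm/status.html"
<Location "/realtime-status">
    <RequireAny>
        Require local
        Require ip 192.168.0.0/24
    </RequireAny>
</Location>
```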
HTTP/2
Use php-fpm, because HTTP/2 is incompatible with mod_php.
a2enmod http2 |
Dotnet core
/etc/apache2/sites-available/dotnetcore.conf |
<VirtualHost *:*>
RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
</VirtualHost>
<VirtualHost *:80>
ServerName dotnetcore.myserver
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:5000/
ProxyPassReverse / http://127.0.0.1:5000/
ErrorLog ${APACHE_LOG_DIR}/dotnetcore-error.log
CustomLog ${APACHE_LOG_DIR}/dotnetcore-access.log common
# restrict access to 192.168.0.0/24 only
<Location />
Require ip 192.168.0.0/24
ProxyPreserveHost On
ProxyPass http://127.0.0.1:5020/
ProxyPassReverse http://127.0.0.1:5020/
</Location>
</VirtualHost>
|
Directory and file access rights
The Apache server accesses directories and files as the www-data user.
Mediawiki
/etc/apache2/sites-available/mediawiki.conf |
<VirtualHost *:80>
ServerName mediawiki.host
DocumentRoot /var/www/mediawiki
ErrorLog ${APACHE_LOG_DIR}/mediawiki-error.log
CustomLog ${APACHE_LOG_DIR}/mediawiki-access.log combined
<Directory "/var/www/mediawiki">
AllowOverride All
Options -Indexes
ErrorDocument 403 /index.php
RewriteEngine On
RewriteRule ^/?wiki(/.*)?$ %{DOCUMENT_ROOT}/index.php [L]
</Directory>
</VirtualHost>
|
Errors
SSL_ERROR_RX_RECORD_TOO_LONG
# enable the default-ssl site
sudo a2ensite default-ssl.conf
|