Difference between revisions of "Apache"
| Line 2: | Line 2: | ||
===Activate ssl module=== |
===Activate ssl module=== |
||
| − | + | a2enmod ssl |
|
* Generate certificates, cf above or in short: |
* Generate certificates, cf above or in short: |
||
| − | + | openssl req -config /etc/ssl/openssl.cnf -new -out mydomain.csr |
|
| − | + | openssl rsa -in privkey.pem -out mydomain.key |
|
| − | + | openssl x509 -in mydomain.csr -out mydomain.crt -req -signkey mydomain.key -days 3650 |
|
| − | + | openssl x509 -in mydomain.crt -out mydomain.der.crt -outform DER |
|
| − | + | * Install mydomain.crt and mydomain.key in /etc/apache2/ssl/ |
|
| − | + | cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available |
|
| − | + | gunzip ssl.conf.gz |
|
| − | + | mv ssl.conf mydomain_ssl |
|
| − | + | strip it... TODO |
|
| − | + | SSLCertificateFile /etc/apache2/ssl/mydomain.crt |
|
| − | + | SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key |
|
| − | + | <VirtualHost my_ip:443> |
|
| − | * /etc/apache2/ports.conf: |
+ | * /etc/apache2/ports.conf: |
| + | Listen <my_ip>:443 |
||
| ⚫ | |||
| + | |||
| ⚫ | |||
| + | |||
| + | ===Enable reverse-proxy=== |
||
| + | a2enmod rewrite |
||
| + | a2enmod proxy |
||
| + | a2enmod proxy_http |
||
| + | Personally I created a /etc/apache2/proxy-available and proxy-enabled directories with from the :443 vserver an inclusion rule |
||
| + | Include /etc/apache2/proxy-enabled/ |
||
| + | First file to create is to initialize rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init |
||
| + | RewriteEngine On |
||
| + | RewriteLog /var/log/apache2/rewrite.log |
||
| + | <Proxy *> |
||
| + | Order deny,allow |
||
| + | Allow from all |
||
| + | </Proxy> |
||
| + | Example of rules: |
||
| + | <pre> |
||
| + | # Rules for https://foo.yobi.be |
||
| + | |||
| + | # Here this was a service that had to be called with the index.htm explicitely so we redirect the browser |
||
| + | RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$ |
||
| + | RewriteCond %{REQUEST_URI} ^/?$ |
||
| + | RewriteRule ^/? /index.htm [R] |
||
| + | # Then the real rule: |
||
| + | RewriteCond %{HTTP_HOST} ^foo.yobi.be:?[0-9]*$ |
||
| + | RewriteRule ^/(.*) http://twilight.zone/$1 [P] |
||
| + | ProxyPassReverse / http://twilight.zone/ |
||
| + | </pre> |
||
| + | <pre> |
||
| + | # Rules for https://www.yobi.be/foo |
||
| + | |||
| + | # Here this was a service that had to be called with the index.htm explicitely so we redirect the browser |
||
| + | RewriteCond %{REQUEST_URI} ^/foo/?$ |
||
| + | RewriteRule ^/foo/? /foo/index.htm [R] |
||
| + | # Then the real rule: |
||
| + | RewriteCond %{REQUEST_URI} ^/foo.* |
||
| + | RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P] |
||
| + | ProxyPassReverse / http://twilight.zone/ |
||
| + | </pre> |
||
| + | |||
==Older notes== |
==Older notes== |
||
Revision as of 12:08, 2 February 2007
Apache2
Activate ssl module
a2enmod ssl
- Generate certificates, cf above or in short:
# Quick self-signed server certificate for Apache (valid 10 years); the
# CA-signed flow is in the older notes further down.
domain=mydomain
# Certificate request; the key generated by `openssl req -new` is written to
# privkey.pem (the openssl.cnf default), which the next step reads.
openssl req -config /etc/ssl/openssl.cnf -new -out "${domain}.csr"
# Passphrase-less copy of the key so httpd can start unattended.
openssl rsa -in privkey.pem -out "${domain}.key"
# Self-sign the request with its own key.
openssl x509 -in "${domain}.csr" -out "${domain}.crt" -req -signkey "${domain}.key" -days 3650
# DER-encoded copy of the certificate (e.g. for importing into browsers).
openssl x509 -in "${domain}.crt" -out "${domain}.der.crt" -outform DER
- Install mydomain.crt and mydomain.key in /etc/apache2/ssl/
cp /usr/share/doc/apache2/examples/ssl.conf.gz /etc/apache2/sites-available
gunzip ssl.conf.gz
mv ssl.conf mydomain_ssl
strip it... TODO
SSLCertificateFile /etc/apache2/ssl/mydomain.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.key
<VirtualHost my_ip:443>
- /etc/apache2/ports.conf:
Listen <my_ip>:443
ln -s /etc/apache2/sites-available/mydomain_ssl /etc/apache2/sites-enabled
Enable reverse-proxy
# Enable the modules a rewrite-driven reverse proxy needs: mod_rewrite for the
# [P] rules, mod_proxy and mod_proxy_http for the actual forwarding.
for mod in rewrite proxy proxy_http; do
  a2enmod "$mod"
done
Personally I created /etc/apache2/proxy-available and /etc/apache2/proxy-enabled directories, with an inclusion rule from the :443 vserver:
Include /etc/apache2/proxy-enabled/
The first file to create initializes rewrite and proxy, e.g. /etc/apache2/proxy-enabled/000init -> /etc/apache2/proxy-available/init:
# Shared prologue, included from the :443 vhost before the per-site rule files.
RewriteEngine On
# mod_rewrite trace log (RewriteLog is Apache 2.2 syntax; 2.4 dropped it in
# favour of LogLevel rewrite:traceN).
RewriteLog /var/log/apache2/rewrite.log
# Allow every client to reach the reverse-proxied targets. Keep ProxyRequests
# Off (the default) so this does not turn into an open forward proxy.
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
Example of rules:
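# Rules for https://foo.yobi.be
# The dots in the host regex are escaped: an unescaped '.' matches any
# character, so the original pattern also accepted hosts like fooXyobiXbe.

# This service had to be called with index.htm explicitly, so redirect the
# browser to it first; L ends the pass here, as recommended when using R.
RewriteCond %{HTTP_HOST} ^foo\.yobi\.be:?[0-9]*$
RewriteCond %{REQUEST_URI} ^/?$
RewriteRule ^/? /index.htm [R,L]
# Then the real rule: proxy everything under / to the fixed backend host
# (only the path is taken from the request, so the target cannot be steered).
RewriteCond %{HTTP_HOST} ^foo\.yobi\.be:?[0-9]*$
RewriteRule ^/(.*) http://twilight.zone/$1 [P]
# Map Location/Content-Location headers sent by the backend back to this vhost.
ProxyPassReverse / http://twilight.zone/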
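# Rules for https://www.yobi.be/foo

# This service had to be called with index.htm explicitly, so redirect the
# browser to it first; L ends the pass here, as recommended when using R.
RewriteCond %{REQUEST_URI} ^/foo/?$
RewriteRule ^/foo/? /foo/index.htm [R,L]
# Then the real rule: strip the /foo/ prefix and proxy to the fixed backend
# host (only the remainder of the path is taken from the request).
RewriteCond %{REQUEST_URI} ^/foo.*
RewriteRule ^/foo/(.*) http://twilight.zone/$1 [P]
# The local path must be /foo/ here, not /: a backend redirect to
# http://twilight.zone/x has to come back as /foo/x, and with "/" it would be
# rewritten to /x (and, if both rule files sit in the same vhost, collide with
# the foo.yobi.be mapping above).
ProxyPassReverse /foo/ http://twilight.zone/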
Older notes
Activate a module
- Find the module name, try
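# Print the names of the installed Apache 1.3 modules, one per line: for each
# <dir>/*.info file keep what follows the first '_' up to '.info'
# (mod_proxy.info -> proxy). Globs directly instead of parsing `ls` output,
# which breaks on unusual file names.
# Arguments: $1 - module directory (default: /usr/lib/apache/1.3)
# Outputs:   module names on stdout
apache13_module_names() {
  dir=${1:-/usr/lib/apache/1.3}
  for info in "$dir"/*.info; do
    [ -e "$info" ] || continue     # no match leaves the literal pattern; skip it
    name=${info##*/}               # drop the directory part
    name=${name#*_}                # drop the "mod_"-style prefix
    printf '%s\n' "${name%.info}"
  done
}
apache13_module_names "$@"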
- apache-modconf apache enable module name
E.g. apache-modconf apache enable libproxy
Setup proxy HTTP1.1 with Apache 2
- libapache2-mod-proxy-html
These are very old notes
HTTPS
cf LM53 p68
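# Very old notes: build a private CA and a CA-signed server certificate under
# the Apache 1.3 conf directory, transcribed one command per line. Two fixes:
# `gensra` was a typo for `genrsa`, and a `cd ..` was missing before
# `rm -rf tmp` (the original ran it from inside tmp). Abort on the first
# failure so a failed `cd` cannot make the later rm/chmod act on the wrong dir.
set -e
cd /opt/httpd/httpd/conf

# server RSA key (1024 bits was the norm at the time; far too small today)
mkdir ssl.key
cd ssl.key
openssl genrsa -des3 -out server.key 1024
# passphrase-less copy so httpd can start unattended
openssl rsa -in server.key -out server.key.unsecure
mv server.key server.key.encrypted
mv server.key.unsecure server.key
cd ..

# certificate request (CSR)
mkdir ssl.csr
cd ssl.csr
openssl req -new -key ../ssl.key/server.key.encrypted -out server.csr
# ! CommonName = the exact server name following https://
cd ..

# CA RSA key
cd ssl.key
openssl genrsa -des3 -out ca.key 1024
openssl rsa -in ca.key -out ca.key.unsecure
mv ca.key ca.key.encrypted
mv ca.key.unsecure ca.key
cd ..

# self-signed X.509 certificate of the CA
mkdir ssl.crt
cd ssl.crt
openssl req -new -x509 -days 2002 -key ../ssl.key/ca.key.encrypted -out ca.crt
# ! CommonName = another name than the server's
cd ..

# sign the server certificate; sign.sh (mod_ssl contrib, listed below) expects
# ca.crt and ca.key in the current directory and is assumed to be in tmp as well
mkdir tmp
cd tmp
cp ../ssl.key/*key .
cp ../ssl.crt/ca.crt .
cp ../ssl.csr/server.csr .
sh sign.sh server.csr
mv server.crt ../ssl.crt/
cd ..
rm -rf tmp    # also removes the passphrase-less key copies made above
cd ssl.crt
chmod 600 *
# NOTE(review): ssl.key holds the actual private keys and should be mode 600 too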
sign.sh: cf sources de mod_ssl, rep pkg.contrib
/usr/share/doc/libapache-mod-ssl/examples/sign.sh
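#!/bin/sh
##
## sign.sh -- Sign a SSL Certificate Request (CSR)
## Copyright (c) Ralf S. Engelschall, All Rights Reserved.
##
## Usage: sign.sh <name>.csr
## Expects ca.crt and ca.key in the current directory, creates the ca.db.*
## bookkeeping files there on first use and writes <name>.crt next to the CSR.
## Exits non-zero when the argument is missing or unreadable, or when signing
## or verification fails (the original always exited 0).
##

# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
  printf 'Usage: %s <whatever>.csr\n' "${0##*/}" >&2
  exit 1
fi
if [ ! -f "$CSR" ]; then
  printf 'CSR not found: %s\n' "$CSR" >&2
  exit 1
fi
# derive the output name by stripping a trailing .csr only; the old
# sed 's/\.csr/.crt/' replaced the first ".csr" anywhere in the path
case $CSR in
  *.csr) CERT="${CSR%.csr}.crt" ;;
  *)     CERT="$CSR.crt" ;;
esac

# make sure environment exists
[ -d ca.db.certs ] || mkdir ca.db.certs || exit 1
[ -f ca.db.serial ] || echo '01' >ca.db.serial
[ -f ca.db.index ] || : >ca.db.index

# create an own SSLeay config; the trap removes it on every exit path.
# The heredoc delimiter is quoted so "$dir" reaches the config file literally.
# default_md is sha256: MD5 signatures are rejected by current TLS clients.
trap 'rm -f ca.config' EXIT
cat >ca.config <<'EOT'
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = .
certs = $dir
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
RANDFILE = $dir/ca.db.rand
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT

# sign the certificate (-infiles must stay the last option)
printf 'CA signing: %s -> %s:\n' "$CSR" "$CERT"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR" || exit 1
printf 'CA verifying: %s <-> CA cert\n' "$CERT"
openssl verify -CAfile ca.crt "$CERT" || exit 1

# cleanup after SSLeay (ca.config is handled by the EXIT trap)
rm -f ca.db.serial.old
rm -f ca.db.index.old

# die gracefully
exit 0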