Apache is currently the most popular web server.
Installing and configuring Apache2
Issue the command:
apt-get install apache2
After installation we can move on to the configuration, which is somewhat different from that of the apache package.
It is located in the directory:
/etc/apache2
and consists of:
- apache2.conf – the main apache2 configuration file.
- httpd.conf – configuration of apache2 modules.
- ports.conf – configuration of the port on which apache2 listens.
In apache2.conf we change:
- ServerRoot – path to the apache2 configuration files. By default "/etc/apache2".
- User and Group – the user and group under which apache2 will run.
- ErrorLog – path to the error log.
- UserDir public_html – this entry makes users' pages visible as domena.pl/~user/
Server configuration (SSL module)
<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is an internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin

# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/var/run/apache2/ssl_scache(512000)
#SSLSessionCache shmcb:/var/run/apache2/ssl_scache(512000)
SSLSessionCache dbm:/var/run/apache2/ssl_scache
SSLSessionCacheTimeout 300

# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/apache2/ssl_mutex

# Cipher suite (distribution default). Note that in an OpenSSL cipher
# string '+' only moves matching suites to the end of the list, so the
# LOW, EXP and SSLv2 suites stay enabled here; a hardened setup removes
# them with '!' (for example !LOW:!EXP:!SSLv2:!eNULL:!aNULL).
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
#   This forces an unclean shutdown when the connection is closed, i.e. no
#   SSL close notify alert is sent or allowed to be received. This violates
#   the SSL/TLS standard but is needed for some brain-dead browsers. Use
#   this when you receive I/O errors because of the standard approach where
#   mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
#   This forces an accurate shutdown when the connection is closed, i.e. a
#   SSL close notify alert is sent and mod_ssl waits for the close notify
#   alert of the client. This is 100% SSL/TLS standard compliant, but in
#   practice often causes hanging connections with brain-dead browsers. Use
#   this only for browsers where you know that their SSL implementation
#   works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
</IfModule>
An example virtual host:
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName ssl.linuxexpert.pl
    ServerAlias www.ssl.linuxexpert.pl

    SSLEngine On
    # apache.pem holds the certificate and private key in one file
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLOptions +StrictRequire

    ServerAdmin krzysztof.jozwiak@k2studio.eu
    DocumentRoot /data1/www/k2studio.eu/www/htdocs/

    # Filesystem-wide defaults; SSLRequireSSL rejects any plain HTTP access
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        SSLRequireSSL
    </Directory>

    # SSLv3 is still enabled here; it is obsolete and should be removed
    # (-all +TLSv1) in current deployments
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
    SSLVerifyClient none
    SSLProxyEngine off

    # Indexes enables automatic directory listings for the document root
    <Directory /data1/www/k2studio.eu/www/htdocs>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel info
    ErrorLog /var/log/apache2/ssl-k2studio.eu-error.log
    CustomLog /var/log/apache2/ssl-k2studio.eu-access.log combined
    ServerSignature Off
</VirtualHost>
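As an added example (not code from the original page), a small Python audit script that applies mod_ssl's SSLProtocol token rules and checks an SSLCipherSuite string for cipher classes that are not explicitly excluded with '!'; it runs against the SSLProtocol and SSLCipherSuite lines of the virtual host above, embedded as a constructed sample. The protocol set and the list of classes that must be excluded are this example's own assumptions, and the same check applies to the module-level cipher string shown earlier.

```python
# Constructed sample input: the SSL lines of the vhost above, embedded so the
# audit runs offline instead of reading /etc/apache2.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    SSLProtocol -all +TLSv1 +SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
</VirtualHost>
"""
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed set
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3"}
# Cipher classes a hardened SSLCipherSuite must exclude with '!'. In OpenSSL
# cipher strings '!' removes permanently, '-' can be re-added later and '+'
# only reorders, so only '!' counts as an exclusion here.
MUST_EXCLUDE = {
    "aNULL": ("aNULL", "ADH"),        # no server authentication
    "eNULL": ("eNULL", "NULL"),       # no encryption at all
    "EXPORT": ("EXP", "EXPORT", "EXPORT40", "EXPORT56"),
    "LOW": ("LOW",),
    "MD5": ("MD5",),
    "RC4": ("RC4",),
}

def directives(conf):
    """Yield (lowercased name, args) per directive line, skipping comments and <tags>."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def enabled_protocols(args):
    """Apply SSLProtocol tokens (all, +X, -X, X) left to right, as mod_ssl does."""
    enabled = set()
    for tok in args.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled | names if sign == "+" else enabled - names
    return enabled

def audit_ssl(conf):
    """Return findings for deprecated protocols and cipher classes not excluded."""
    findings = []
    for name, args in directives(conf):
        if name == "sslprotocol":
            for proto in sorted(enabled_protocols(args) & DEPRECATED_PROTOCOLS):
                findings.append(f"SSLProtocol enables deprecated {proto}")
        elif name == "sslciphersuite":
            excluded = {t[1:] for t in args.split(":") if t.startswith("!")}
            for cls, aliases in MUST_EXCLUDE.items():
                if not excluded.intersection(aliases):
                    findings.append(f"SSLCipherSuite does not exclude {cls} (add !{cls})")
    return findings
```

Calling audit_ssl(SAMPLE_VHOST) reports SSLv3 plus every class the vhost's cipher string leaves unexcluded; a string such as HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4 with SSLProtocol all -SSLv2 -SSLv3 yields no findings.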