Apache2 + SSL

From SemarkIT

Lenny

Packages

apt-get install apache2

Enable SSL

a2enmod ssl

Setting up SSL

cd /etc/apache2/
mkdir ssl
cd ssl
wget -c http://www.semarkit.dk/linux/apache2-ssl.tar.gz
tar -zxf apache2-ssl.tar.gz
./apache2-ssl-certificate -days 3650
nano ../sites-available/default-ssl

This file now needs to be adjusted so that it matches your system.

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
    #   A self-signed (snakeoil) certificate can be created by installing
    #   the ssl-cert package. See
    #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
    #   If both key and certificate are stored in the same file, only the
    #   SSLCertificateFile directive is needed.
    SSLCertificateFile    /etc/apache2/ssl/apache.pem
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!eNULL

It may also be a good idea to edit ssleay.cnf (vi ssleay.cnf), changing

from
# commonName                      = @HostName@
to
commonName                      = server.domæne.dk

Then enable the site:

a2ensite default-ssl

Now check whether Apache is listening on the right port.

cat /etc/apache2/ports.conf
[ ... ]
Listen 80
Listen 443
[ ... ]

Now restart apache2

/etc/init.d/apache2 restart

Install the modules you want

apt-get -t lenny-backports install libapache2-mod-auth-openid libapache2-mod-bw libapache2-mod-evasive libapache2-mod-fastcgi \
libapache2-mod-ldap-userdir libapache2-mod-perl2 libapache2-mod-php5 libapache2-mod-python libapache2-mod-vhost-ldap \
libapache2-mod-wsgi libapache2-svn php5-cgi php5-cli php5-common php5-gd php5-geoip php5-gmp php5-gpib php5-ldap \
php5-mysql php5-pgsql php5-suhosin libapache-mod-security libapache2-mod-passenger curl libcurl3 libcurl3-dev php5-curl php5-mcrypt

Enable the modules

a2enmod proxy_ajp proxy_balancer proxy_connect proxy_http userdir dav_fs dav_lock openid bw mod-evasive fastcgi ldap_userdir \
perl php5 python vhost_ldap wsgi headers info proxy rewrite ssl setenvif ldap mod-security authnz_ldap

Mask your Apache

Why should I mask my Apache?

The simple answer is that, as far as possible, you do not want malicious people to know which services you are running, since those services might be abused.

Add the following at the bottom of apache2.conf

vi /etc/apache2/apache2.conf
<IfModule mod_security2.c>
   # Basic configuration options
   SecRuleEngine On
   SecRequestBodyAccess On
   SecResponseBodyAccess Off

   # Handling of file uploads
   # TODO Choose a folder private to Apache.
   # SecUploadDir /opt/apache-frontend/tmp/
   SecUploadKeepFiles Off

   # Debug log
   SecDebugLog /var/log/apache2/modsec_debug.log
   SecDebugLogLevel 0

   # Serial audit log
   SecAuditEngine RelevantOnly
   SecAuditLogRelevantStatus ^5
   SecAuditLogParts ABIFHZ
   SecAuditLogType Serial
   SecAuditLog /var/log/apache2/modsec_audit.log

   # Maximum request body size we will
   # accept for buffering
   SecRequestBodyLimit 131072

   # Store up to 128 KB in memory
   SecRequestBodyInMemoryLimit 131072

   # Buffer response bodies of up to
   # 512 KB in length
   SecResponseBodyLimit 524288

</IfModule>

# INFORMATION
ServerName <server-name>
ServerAdmin <administrator name / e-mail>
ServerTokens OS
ServerSignature EMail

Explanation

ServerName - used when proxying between several machines; handy when you need to determine where a connection goes wrong
ServerAdmin - general information about the administrator; may be omitted
ServerSignature On|Off|EMail - lets users of the site send information about any problems to the administrator
ServerTokens Major|Minor|Min[imal]|Prod[uctOnly]|OS|Full - what the server tells the outside world about itself

ServerTokens Prod[uctOnly]
   Server sends (e.g.): Server: Apache
ServerTokens Major
   Server sends (e.g.): Server: Apache/2
ServerTokens Minor
   Server sends (e.g.): Server: Apache/2.0
ServerTokens Min[imal]
   Server sends (e.g.): Server: Apache/2.0.41
ServerTokens OS
   Server sends (e.g.): Server: Apache/2.0.41 (Unix)
ServerTokens Full (or not specified)
   Server sends (e.g.): Server: Apache/2.0.41 (Unix) PHP/4.2.2 MyMod/1.2
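As an added check that is not part of the original page or of SemarkIT's files: the script below parses an Apache configuration excerpt (a constructed sample built from the directives shown above) and reports a Server banner that has not been reduced to ServerTokens Prod / ServerSignature Off, together with the weak cipher classes that the SSLCipherSuite string from the default-ssl site leaves enabled. The cipher evaluation is a deliberately coarse model of OpenSSL's cipher-string rules, restricted to the weak classes it knows about; treating aNULL as ADH (ignoring anonymous ECDH) and the list of weak classes are assumptions of the example, not something the page states.

```python
"""Audit an Apache config excerpt for the two points covered above: the Server
banner (ServerTokens / ServerSignature) and weak classes left enabled by an
SSLCipherSuite string. Added example; the sample config below is constructed."""
import re

# Constructed sample mirroring the directives shown on the page (not a real host).
SAMPLE_CONFIG = """\
ServerName www.example.com
ServerTokens OS
ServerSignature EMail
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!eNULL
</VirtualHost>
"""

# OpenSSL cipher-string classes a public server should not leave enabled (assumption).
WEAK_CLASSES = {"LOW", "EXP", "EXPORT40", "EXPORT56", "SSLv2", "ADH", "eNULL", "RC4", "DES", "MD5"}
ALIASES = {"EXPORT": "EXP", "NULL": "eNULL", "aNULL": "ADH"}  # aNULL~ADH ignores anonymous ECDH
SUBCLASSES = {"EXP": {"EXPORT40", "EXPORT56"}}                # EXP is the union of both


def _expand(name):
    """Map one class name to the WEAK_CLASSES members it covers (empty for strong classes)."""
    name = ALIASES.get(name, name)
    return ({name} | SUBCLASSES.get(name, set())) & WEAK_CLASSES


def weak_cipher_classes(cipher_string):
    """Coarse model of OpenSSL cipher-string evaluation restricted to WEAK_CLASSES:
    '!' removes permanently, '-' removes, '+' only reorders, a bare name adds, ALL adds
    everything except eNULL. A weak class inside an intersection such as RC4+RSA still
    contributes weak ciphers, so it counts as enabled."""
    enabled, banned = set(), set()
    for token in cipher_string.split(":"):
        if not token or token.startswith("@"):   # "@STRENGTH" only sorts
            continue
        if token in ("DEFAULT", "COMPLEMENTOFDEFAULT"):
            raise ValueError("DEFAULT depends on the OpenSSL build; expand it with "
                             "'openssl ciphers -v DEFAULT' first")
        op = token[0] if token[0] in "!-+" else ""
        names = token.lstrip("!-+").split("+")
        if op == "+":
            continue
        for n in names:
            if op in ("!", "-"):
                enabled -= _expand(n)
                if op == "!":
                    banned |= _expand(n)
            elif n == "ALL":
                enabled |= (WEAK_CLASSES - {"eNULL"}) - banned
            else:
                enabled |= _expand(n) - banned
    if not enabled & SUBCLASSES["EXP"]:
        enabled.discard("EXP")                   # EXP is empty once both halves are gone
    return enabled


DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s+(.*)$")


def parse_directives(config_text):
    """Yield (section_path, directive, value), tracking <Section> nesting; no continuations."""
    stack = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>").split()[0])
        else:
            m = DIRECTIVE_RE.match(line)
            if m:
                yield tuple(stack), m.group(1), m.group(2).strip()


def audit_config(config_text):
    """Return human-readable findings; the last occurrence of a directive wins."""
    seen = {}
    for path, name, value in parse_directives(config_text):
        seen.setdefault(name.lower(), []).append((path, value))
    findings = []
    tokens = seen.get("servertokens", [((), "Full")])[-1][1]      # Apache default: Full
    if tokens.lower() not in ("prod", "productonly"):
        findings.append("ServerTokens %s: Server header reveals more than 'Apache'" % tokens)
    signature = seen.get("serversignature", [((), "Off")])[-1][1]  # Apache default: Off
    if signature.lower() != "off":
        findings.append("ServerSignature %s: error pages append the server banner" % signature)
    for path, value in seen.get("sslciphersuite", []):
        weak = weak_cipher_classes(value)
        if weak:
            where = "/".join(path) or "global scope"
            findings.append("SSLCipherSuite in %s keeps weak classes: %s"
                            % (where, ", ".join(sorted(weak))))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: the OS token, the EMail signature, and the LOW/EXP/SSLv2/RC4/DES/MD5 classes that the ALL-based cipher string keeps, because the `+` entries in that string only reorder and never remove anything.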

Now restart apache2

/etc/init.d/apache2 restart

Proxy

a2enmod proxy proxy_connect proxy_http

vi mods-available/proxy.conf
   Allow from all
   # Deny from all

Upload limit for files

  # Maximum request body size we will
  # accept for buffering (raised to 10 MB)
  # SecRequestBodyLimit 131072
  SecRequestBodyLimit 10000000
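Added example, not from the original page: a parser for the serial audit log that the mod_security block above writes to /var/log/apache2/modsec_audit.log (SecAuditLogType Serial, parts ABIFHZ, only responses with a 5xx status), with a per-client count that can feed an alert or a blocklist. The log entries are constructed for the example, including the rule id and the message about a request body exceeding the SecRequestBodyLimit of 131072; they are not output from a real server.

```python
"""Parse a ModSecurity 2.x serial audit log of the kind configured above
(SecAuditLogType Serial, SecAuditLogParts ABIFHZ, SecAuditLogRelevantStatus ^5)
and count logged events per client. Added example with constructed data."""
import re
from collections import Counter

# Constructed sample log (not from a real server). Entries are delimited by
# --<id>-<part>-- boundaries: A = header, B = request headers, F = response
# headers, H = trailer with rule messages, Z = end of entry.
SAMPLE_AUDIT_LOG = """\
--4a6b2c1d-A--
[17/Mar/2010:10:21:05 +0100] S6CjcX8AAQEAAE4QAAAAAA 192.0.2.10 51234 198.51.100.5 443
--4a6b2c1d-B--
GET /index.php?page=../../etc/passwd HTTP/1.1
Host: www.example.com

--4a6b2c1d-F--
HTTP/1.1 500 Internal Server Error
Content-Type: text/html

--4a6b2c1d-H--
Message: Access denied with code 500 (phase 2). [id "100001"] [msg "Path Traversal Attack"]

--4a6b2c1d-Z--

--7e9f0a3b-A--
[17/Mar/2010:10:21:09 +0100] S6CjdX8AAQEAAE4RAAAAAA 192.0.2.10 51240 198.51.100.5 443
--7e9f0a3b-B--
POST /upload.php HTTP/1.1
Host: www.example.com

--7e9f0a3b-F--
HTTP/1.1 500 Internal Server Error

--7e9f0a3b-H--
Message: Request body (Content-Length) is larger than the configured limit (131072).

--7e9f0a3b-Z--
"""

BOUNDARY_RE = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$", re.MULTILINE)
HEADER_RE = re.compile(r"^\[(?P<time>[^\]]+)\] (?P<uid>\S+) (?P<src_ip>\S+) \d+ (?P<dst_ip>\S+) \d+")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")


def parse_audit_log(text):
    """Split the serial log at its boundaries and return one summary dict per entry."""
    entries, current = [], None
    marks = list(BOUNDARY_RE.finditer(text))
    for i, m in enumerate(marks):
        boundary, part = m.group(1), m.group(2)
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        body = text[m.end():end].strip("\n")
        if part == "A":                       # every entry opens with part A
            current = {"boundary": boundary, "parts": {}}
        if current is None or current["boundary"] != boundary:
            raise ValueError("part %s (%s) outside any entry" % (part, boundary))
        current["parts"][part] = body
        if part == "Z":                       # and closes with part Z
            entries.append(_summarize(current))
            current = None
    return entries


def _summarize(entry):
    """Pull the fields a triage script needs out of parts A, B, F and H."""
    parts = entry["parts"]
    hdr = HEADER_RE.match(parts.get("A", ""))
    if hdr is None:
        raise ValueError("malformed part A in entry %s" % entry["boundary"])
    request = parts.get("B", "").splitlines()[:1]
    status = STATUS_RE.match(parts.get("F", ""))
    messages = [line[len("Message: "):] for line in parts.get("H", "").splitlines()
                if line.startswith("Message: ")]
    return {"unique_id": hdr.group("uid"), "time": hdr.group("time"),
            "client_ip": hdr.group("src_ip"), "request": request[0] if request else "",
            "status": int(status.group(1)) if status else None, "messages": messages}


def events_per_client(entries, min_status=500):
    """Count entries per client IP with response status >= min_status
    (the ^5 relevant-status filter from the configuration above)."""
    counts = Counter()
    for e in entries:
        if e["status"] is not None and e["status"] >= min_status:
            counts[e["client_ip"]] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for e in parsed:
        print(e["time"], e["client_ip"], e["status"], e["request"], e["messages"])
    print(events_per_client(parsed))
```

The parser treats a part that appears outside an A..Z entry, or an entry whose A line does not have the expected shape, as an error rather than skipping it silently, so a truncated or interleaved log (a known weakness of the serial format under load, which is why SecAuditLogType Concurrent exists) is noticed instead of producing wrong counts.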