
Apache

https

You can start apache2 as a secure server (HTTPS) using a self-signed certificate; in fact that is the default in /etc/apache2/sites-available/default-ssl. Note, however, that you have to specify port 443 in /etc/apache2/ports.conf:

/etc/apache2/ports.conf
NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

Also, if you have more than one section for port 443 (for instance a second or third virtual host on that server), this will not work:

virtualhost
<VirtualHost *:443>
    ServerName doc.klopt.org
    WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi

    <Directory /var/www/klopt.web/doc>
        Order deny,allow
        Allow from all
    </Directory>

</VirtualHost>

You will get an error on startup like this :

error
[....] Starting web server: apache2[Sun Nov 02 18:38:53 2014] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
Action 'start' failed.
The Apache error log may have more information.
 failed!

You will have to include the SSL directives again in every section :

ssl directives
<VirtualHost *:443>
    ServerName doc.klopt.org
    WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi

    <Directory /var/www/klopt.web/doc>
        Order deny,allow
        Allow from all
    </Directory>

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

</VirtualHost>
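A small check for the trap described above, added here as an example and not part of the original page: it scans an Apache config for port-443 VirtualHost sections that lack SSLEngine, SSLCertificateFile or SSLCertificateKeyFile, which is exactly the case that produced the overlap error. The sample config is constructed for the demo and reuses the host names from this page.

```shell
#!/bin/sh
# Added example (not from the original page): lint an Apache config for
# <VirtualHost ...:443> sections that forgot to repeat the SSL directives.
set -eu

# Prints one line per port-443 VirtualHost that is missing any of the three
# SSL directives; exit status 0 means every 443 vhost is complete.
lint_ssl_vhosts() {
    awk '
      /^[[:space:]]*<VirtualHost[^>]*:443>/ { invh=1; name="?"; eng=0; crt=0; key=0; next }
      invh && /^[[:space:]]*ServerName[[:space:]]+/          { name=$2 }
      invh && /^[[:space:]]*SSLEngine[[:space:]]+[Oo]n/      { eng=1 }
      invh && /^[[:space:]]*SSLCertificateFile[[:space:]]+/  { crt=1 }
      invh && /^[[:space:]]*SSLCertificateKeyFile[[:space:]]+/ { key=1 }
      invh && /^[[:space:]]*<\/VirtualHost>/ {
          invh=0
          if (!eng || !crt || !key) {
              printf "%s: missing", name
              if (!eng) printf " SSLEngine"
              if (!crt) printf " SSLCertificateFile"
              if (!key) printf " SSLCertificateKeyFile"
              printf "\n"; bad++
          }
      }
      END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Number of incomplete 443 vhosts in a config file (0 means clean).
count_bad_ssl_vhosts() {
    lint_ssl_vhosts "$1" | wc -l | tr -d ' '
}

# Constructed sample: the first vhost is complete, the second one is the
# "doc" vhost from above without its SSL directives, the third is plain http.
SAMPLE="${TMPDIR:-/tmp}/vhosts-$$.conf"
cat > "$SAMPLE" <<'EOF'
<VirtualHost *:443>
    ServerName www.klopt.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/keys/klopt.crt
    SSLCertificateKeyFile /etc/apache2/keys/klopt.key
</VirtualHost>

<VirtualHost *:443>
    ServerName doc.klopt.org
    WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi
</VirtualHost>

<VirtualHost *:80>
    ServerName www.klopt.org
</VirtualHost>
EOF

if lint_ssl_vhosts "$SAMPLE"; then
    echo "every :443 VirtualHost carries its own SSL directives"
else
    echo "add SSLEngine/SSLCertificateFile/SSLCertificateKeyFile to the vhosts listed above"
fi
```

Run it against the real files with `lint_ssl_vhosts /etc/apache2/sites-enabled/default-ssl` (or any other site file) before `apache2ctl configtest`; the awk script only looks at lines inside a `:443` VirtualHost, so plain http vhosts are ignored.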

server name error

error
[Sun Nov 02 18:56:19 2014] [warn] RSA server certificate CommonName (CN) `power.lan' does NOT match server name!?

This means the default certificate in /etc/ssl/certs was generated with the name of your workstation (power.lan), which does not match the name of your webserver (klopt.org). The only way to get rid of this message is to generate a new key and certificate. It could be as simple as:

generate keys
cd /etc/apache2
mkdir keys
cd keys
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout klopt.key -out klopt.crt

The question about the FQDN should be answered with the correct server name. And of course alter the SSLCertificateFile and SSLCertificateKeyFile directives. But that will lead to the next warning, so read on and generate it in separate steps.

BasicConstraints warning

Next warning :

warning
[Sun Nov 02 19:11:46 2014] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

This is what you get at apache startup if you generate the key as in the previous section. You can get rid of the warning by doing it like this:

solve
# a throwaway password-protected key, then strip the passphrase so apache can start unattended
openssl genrsa -des3 -passout pass:x -out klopt.pass.key 2048
openssl rsa -passin pass:x -in klopt.pass.key -out klopt.key
rm klopt.pass.key
# certificate signing request: answer the Common Name question with the server name
openssl req -new -key klopt.key -out klopt.csr
# self-sign the request; unlike "req -x509" this adds no basicConstraints CA:TRUE
openssl x509 -req -days 365 -in klopt.csr -signkey klopt.key -out klopt.crt
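To see that the two-step procedure really clears both warnings from the last two sections (the CommonName mismatch and the CA:TRUE one) before restarting apache, here is an added example that is not part of the original page. It generates a certificate the two-step way and inspects the result with openssl; it assumes the openssl CLI is installed, and the server name and file names are made up.

```shell
#!/bin/sh
# Added example (not from the original page): generate a non-CA server
# certificate the two-step way and check the two things Apache warned about:
# the CN must equal the intended ServerName and there must be no CA:TRUE.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERVER_NAME="www.example.test"   # stand-in for the real ServerName

# Two-step generation as in the page: key, CSR, self-sign the CSR.
# -subj answers the prompts non-interactively; the CN carries the server name.
make_server_cert() {
    name="$1"; out="$2"
    openssl genrsa -out "$out.key" 2048 2>/dev/null
    openssl req -new -key "$out.key" -subj "/CN=$name" -out "$out.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$out.csr" -signkey "$out.key" -out "$out.crt" 2>/dev/null
}

# Prints the CN from the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Returns 0 when the certificate's CN equals the expected server name.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Returns 0 when the certificate does NOT claim to be a CA (no CA:TRUE).
is_not_ca() {
    ! openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Summary in the spirit of the two apache warnings; exit status 1 on any problem.
check_cert() {
    crt="$1"; name="$2"; rc=0
    if cn_matches "$crt" "$name"; then
        echo "CN ok: $(cert_cn "$crt")"
    else
        echo "warn: CN $(cert_cn "$crt") does NOT match server name $name"; rc=1
    fi
    if is_not_ca "$crt"; then
        echo "BasicConstraints ok (not a CA certificate)"
    else
        echo "warn: certificate is a CA certificate (CA == TRUE)"; rc=1
    fi
    return $rc
}

make_server_cert "$SERVER_NAME" "$WORK/server"
check_cert "$WORK/server.crt" "$SERVER_NAME"
```

`check_cert` can be pointed at any existing certificate file, for instance the snakeoil one, which is how you would confirm the CN mismatch from the previous section without starting apache.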

The warning will be gone, to reveal the next :

Name-based SSL warning

warning
[Sun Nov 02 19:17:00 2014] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)

This seems to occur when you use wildcards for the Virtualhosts twice :

two wildcards
<VirtualHost *:443>
        ServerName www.klopt.org
        ServerAdmin webmaster@localhost
</VirtualHost>

<VirtualHost *:443>
    ServerName www.klopt.org
    WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi
</VirtualHost>

While this will 'work' :

works
<VirtualHost www.klopt.org:443>
        ServerName www.klopt.org
        ServerAdmin webmaster@localhost
</VirtualHost>

<VirtualHost *:443>
    ServerName www.klopt.org
    WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi
</VirtualHost>

'Work' is in quotes because this will cause yet another problem: see the next chapter.

WSGIScriptAlias failing

When browsing to www.klopt.org/doc (see configuration above) you would expect it to run /var/www/klopt.web/doc/doc.wsgi, but instead apache tries to open it :

error
File does not exist: /var/www/doc

In short, this happens to one of the sections if you split them. Since this is the third problem caused by having two separate sections for VirtualHost *:443, I would just advise:

** JUST USE ONE SECTION for all https ** :

My final example with support for musicindex and wsgi became :

final
<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName www.klopt.org
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        WSGIScriptAlias /doc /var/www/klopt.web/doc/doc.wsgi

        <Directory /var/www/klopt.web/doc>
                Order deny,allow
                Allow from all
        </Directory>

        Alias   /static /var/www/klopt.web


        WSGIScriptAlias /ws /var/www/klopt.web/ws.wsgi

        <Directory /var/www/klopt.web>
                Order deny,allow
                Allow from all
        </Directory>

        Alias /music /var/www/music
        <Directory /var/www/music>
                Options Indexes MultiViews FollowSymlinks
                AllowOverride Indexes
                # Can be overridden in .htaccess
                MusicIndex On +Stream +Download +Search -Rss -Tarball
                MusicSortOrder album disc track artist title length bitrate freq filetype filename uri
                MusicFields track title artist length bitrate freq filetype
                # MusicPageTitle Myname
                MusicDefaultCss musicindex.css
                # Can only be set in apache configuration
                MusicDefaultDisplay HTML
                MusicIndexCache file://tmp/musicindex
                # MusicIceServer [ice.domain.my]:8000
                # MusicCookieLife 300
                MusicDirPerLine 2
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
        SSLCertificateFile    /etc/apache2/keys/klopt.crt
        SSLCertificateKeyFile /etc/apache2/keys/klopt.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the

        ..  the rest is the default apache file

cgi

tip : if you prepend your CGI script with "nph-" (non-parsed-headers) you don't have to add a header every time so you can use either of these scripts for the same output.

hello.pl :

perl cgi
#!/usr/bin/perl
# the blank line after the header ends the CGI header block
print "Content-Type: text/html\n\n";
print "Hello";

Apologies for the lack of syntax highlighting there, but pygments/codehilite cannot handle the second line (the one with "Content-Type").

or nph-hello.pl

nph-hello.pl
#!/usr/bin/perl 
print "Hello";
print "Hello";
print "Hello";

using cgi scripts outside of cgi-bin

This method uses .htaccess files, so read [wiki:htaccess .htaccess] first.

Beware that this will not work if you don't have correct AllowOverride settings!!

Make a file called .htaccess in the directory where you need cgi support, looking like this (note this is a perl and python example):

perl and python
Options +ExecCGI
AddHandler cgi-script .pl .py

If you don't use the AddHandler part, you will get the text content of the script you call.

apache 2

The rest of this chapter mainly concerns apache2, since that is the version we generally use.

modules

At one point, the apache2 server on maakaf tried to download php files instead of executing them. In the old days this was a mime-type setting in the apache conf; now it is done much like the sites-available principle: go to /etc/apache2/mods-enabled and do:

php
cd /etc/apache2/mods-enabled
# Debian ships the module files in mods-available; php5 has a .load and a .conf file
ln -s ../mods-available/php5.load .
ln -s ../mods-available/php5.conf .

or let the apache scripts for enabling and disabling do it :

enable
a2enmod php5
a2ensite mysite
a2dismod php5
a2dissite mysite

They will tell you to reload the config.

mod-musicindex

Though apache can be used to 'stream' files out of the box, there is a better way with the musicindex module. The advantages:

1. Not only single files: you can play whole sub-directory trees
2. You can generate a playlist on the fly
3. Better directory layout

Installation

install mod musicindex
apt-get install libapache2-mod-musicindex
a2enmod musicindex

Add a section like this to your apache configuration :

config
Alias /music /absolute_path_to/my/music/folder
<Directory /absolute_path_to/my/music/folder>
Options Indexes MultiViews FollowSymlinks
AllowOverride Indexes
# Can be overridden in .htaccess
MusicIndex On +Stream +Download +Search -Rss -Tarball
MusicSortOrder album disc track artist title length bitrate freq filetype filename uri
MusicFields track title artist length bitrate freq filetype
MusicPageTitle Sangeet…
MusicDefaultCss musicindex.css
# Can only be set in apache configuration
MusicDefaultDisplay HTML
MusicIndexCache /tmp/musicindex
# MusicIceServer [ice.domain.my]:8000
# MusicCookieLife 300
MusicDirPerLine 3
</Directory>

I also had to create the tmp directory for the cache :

prepare
mkdir /tmp/musicindex
service apache2 restart

If you still get a normal directory listing, make sure you used the absolute path!

Just want to renew the svn key quick ?

renew svn key
cd /etc/apache2/ssl
/usr/bin/openssl genrsa -rand /var/log/apache2/access.log -out svn.almende.com.key 1024
/usr/bin/openssl req -new -key svn.almende.com.key -out svn.almende.com.csr
openssl x509 -req -days 365 -in svn.almende.com.csr -signkey svn.almende.com.key -out svn.almende.com.crt
mv apache.pem apache.pem.old
cp svn.almende.com.key apache.pem
cat svn.almende.com.crt >> apache.pem
/etc/init.d/apache2 restart

Read on for the long description. Most applications allow you to accept an expired key in the same way as an untrusted key: they present a warning which you can either accept or refuse. At least one (Eclipse Java) does not.

generate the key pair

key pair
# unprotected key (no -des3), so apache2 can start without a passphrase prompt
/usr/bin/openssl genrsa -rand file1:file2:file3 -out svn.almende.com.key 1024

The example is again for this site; file1:file2:file3 are files you can choose yourself to provide some randomness for the key. Also, this example does not generate a password-protected key, because that would mean typing a password every time you start apache2. If you really want that security, add -des3 as an option to openssl.

create a certificate signing request

signing request
/usr/bin/openssl req -new -key svn.almende.com.key -out svn.almende.com.csr

Beware, along the way it asks you for 'Common Name (eg, YOUR Name)'. It means YOUR DNS Name.

The file svn.almende.com.csr should (or at least could) be sent to a certificate authority to be signed, but that takes time and money, so we will sign it ourselves.

self-signing the certificate

Cheapo's as we are, here is how to sign the request.

self sign
/usr/bin/openssl x509 -req -days 300 -in svn.almende.com.csr -signkey svn.almende.com.key -out svn.almende.com.cert

Also, we make the certificate valid for a long time (300 days), which is a safety hazard in itself, but we only aim at medium security.

installing the certificate

This part deviates from the source mentioned earlier, since the original key seemed to reside in /etc/apache2/ssl/apache.pem. The source does not mention that. It seems this file contains both the key and the certificate, so what I did is (save your pem file first!)

combine
cat svn.almende.com.key svn.almende.com.cert >> /etc/apache2/ssl/apache.pem
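Two checks worth doing before the restart that follows the combine step above: that the renewed key and certificate actually belong together (a mismatched pair makes apache refuse to start), and that the new certificate is not about to expire, which was the whole reason for renewing. This is an added example, not part of the original page; it assumes the openssl CLI, and the key and certificate it checks are throwaway ones generated for the demo.

```shell
#!/bin/sh
# Added example (not from the original page): verify a renewed key/certificate
# pair and build the combined apache.pem only when the pair matches.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Throwaway key + self-signed certificate standing in for the renewed pair
# (the one-step form is fine here; the checks are the point, not the cert).
openssl req -x509 -nodes -newkey rsa:2048 -days 300 -subj "/CN=svn.example.test" \
    -keyout "$WORK/new.key" -out "$WORK/new.crt" 2>/dev/null
# A second, unrelated key to show the mismatch case.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

# Returns 0 when key and certificate share the same RSA modulus.
key_matches_cert() {
    key="$1"; crt="$2"
    [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -modulus)" ]
}

# Returns 0 when the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Writes the combined PEM apache reads (key first, then certificate) to $3,
# refusing to write anything when the pair does not match.
combine_pem() {
    key="$1"; crt="$2"; out="$3"
    key_matches_cert "$key" "$crt" || {
        echo "refusing: key does not match certificate" >&2
        return 1
    }
    cat "$key" "$crt" > "$out"
    chmod 600 "$out"   # the file now holds a private key
}

# Counts PEM blocks of one type ("CERTIFICATE" or "PRIVATE KEY") in a file.
count_pem_blocks() {
    grep -c "^-----BEGIN .*$2-----$" "$1" || true
}

combine_pem "$WORK/new.key" "$WORK/new.crt" "$WORK/apache.pem"
if cert_valid_for "$WORK/new.crt" 86400; then
    echo "certificate is good for at least another day"
else
    echo "certificate expires within a day: renew it"
fi
echo "apache.pem contains $(count_pem_blocks "$WORK/apache.pem" 'PRIVATE KEY') key(s) and $(count_pem_blocks "$WORK/apache.pem" CERTIFICATE) certificate(s)"
```

`cert_valid_for /etc/apache2/ssl/apache.pem 2592000` (thirty days) from cron is a cheap way to get a heads-up before the next expiry surprises Eclipse.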

secure only site

Alter the file "/etc/apache2/ports.conf" and comment out the Listen 80 line; you need to restart apache2 afterwards.

/etc/apache2/ports.conf
#Listen 80
Listen 443

direct forwarding

If you want to relay directly to another page from index.html use an index.html like :

relay
<HTML>
<META HTTP-EQUIV=Refresh CONTENT="1; URL=https://svn.almende.com/cgi-bin/trac.cgi"/>
</HTML>

Another solution is to do it in the apache configuration with a line like this:

redirect
Redirect /index.html /klopt.web/index.html

My excuses for that being a different example ;)

apache disable caching

This will kill your performance, but gets rid of the annoying caching of old content while debugging.

Locate the setting(s) with this name in apache2.conf:

apache2.conf
MaxRequestsPerChild  0 

It appears multiple times, and since I don't know which one does the trick I altered them all from 0 (unlimited) into 1. And restart apache.

Please remember to set it back again for performance !!!

troubleshooting

Some errors encountered :

link not allowed or link target not accessible: /var/www/html/ssc

This was due to the path not being executable along the way. Note that this was a link to : /home/kees/projects/portal/doc/build/html and it's that path that needs to be altered recursively :

set executable
# every directory on the way to the link target must be searchable (x) for www-data;
# "+X" (capital) would set the bit on directories only and leave the html files alone
chmod -R +x /home/kees/projects/portal/doc/build/html