Apache configuration

The default Apache configuration created by the node installation is located in /etc/apache2/sites-available/blockchain.vaseDomena.conf and contains the following parameters:

<IfModule mod_ssl.c>
ServerAdmin **mail for the Let's Encrypt authority**
MDCertificateAgreement accepted
MDomain **blockchain.vaseDomena**
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    ServerName **blockchain.vaseDomena**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    DocumentRoot /var/www/html
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /admin http://localhost:8081
    ProxyPass / http://localhost:8080/
    ProxyPassReverse /admin http://localhost:8081
    ProxyPassReverse / http://localhost:8080/
    SSLEngine on
    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>

<VirtualHost _default_:3000>
    ServerName **blockchain.vaseDomena**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:3001/
    ProxyPassReverse / http://localhost:3001/
    SSLEngine on
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</IfModule>

SSL certificates are generated automatically by the mod_md module built into Apache. If you want to add another domain for which certificates need to be generated (for example your application running on the node under a different domain), we recommend creating a new config, for example aplikace.vaseDomena.conf, in /etc/apache2/sites-available/ and adding it to the configs Apache loads at startup with the command sudo a2ensite aplikace.vaseDomena. Then just restart Apache with sudo systemctl restart apache2 and certificates should start being generated regularly for this domain as well. For an application running on port 8083, the config mentioned above might look like this:

<IfModule mod_ssl.c>
ServerAdmin **mail for the Let's Encrypt authority**
MDCertificateAgreement accepted
MDomain **aplikace.vaseDomena**
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost _default_:443>
    ServerName **aplikace.vaseDomena**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/
    SSLEngine on
    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</IfModule>
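As an added example (not the node installer's own script), a small POSIX shell helper that renders the vhost described above for a new application domain and backend port and syntax-checks it with apachectl before enabling it. The domain, port, contact mail and SITES_DIR are assumed inputs; the template keeps only the TLS, proxy and header lines from the page's config.

```shell
#!/bin/sh
# Added example, not part of the node installation: generate and enable an
# Apache vhost for an extra application domain, following the page's template.
# Assumed inputs: domain, backend port and contact mail as arguments;
# SITES_DIR defaults to /etc/apache2/sites-available as on the page.
SITES_DIR="${SITES_DIR:-/etc/apache2/sites-available}"

# Print the vhost config for DOMAIN proxying to localhost:PORT. Only the TLS,
# proxy and header lines from the page's template are kept. SSLStaplingCache
# is omitted because the page's main blockchain config already sets it globally.
# ProxyPass and ProxyPassReverse use the same trailing-slash form so backend
# redirects are rewritten to clean paths.
render_vhost() {
  domain="$1"; port="$2"; mail="$3"
  case "$domain" in
    *[!A-Za-z0-9.-]*|"") echo "render_vhost: bad domain '$domain'" >&2; return 1 ;;
  esac
  case "$port" in
    *[!0-9]*|"") echo "render_vhost: bad port '$port'" >&2; return 1 ;;
  esac
  cat <<EOF
<IfModule mod_ssl.c>
ServerAdmin $mail
MDCertificateAgreement accepted
MDomain $domain
MDPrivateKeys RSA 4096
<VirtualHost _default_:443>
    ServerName $domain
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:$port/
    ProxyPassReverse / http://localhost:$port/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    SSLUseStapling on
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set Referrer-Policy "same-origin"
</VirtualHost>
</IfModule>
EOF
}
# Write the config, syntax-check it, enable the site and reload Apache.
# configtest runs before a2ensite so a typo never takes the server down.
install_vhost() {
  target="$SITES_DIR/$1.conf"
  render_vhost "$1" "$2" "$3" > "$target" || return 1
  apachectl configtest && a2ensite "$1" && systemctl reload apache2
}
```

Run it as `install_vhost aplikace.vaseDomena 8083 you@example.com` with root privileges; render_vhost alone can be used to inspect the result first.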

Custom SSL certificates

It is enough to add the paths to your certificate to the config mentioned above, /etc/apache2/sites-available/blockchain.vaseDomena.conf.

Replace line 4, MDomain blockchain.vaseDomena, with:

<MDomain **blockchain.vaseDomena**>
    MDCertificateFile    /etc/ssl/certs/ssl-cert.pem
    MDCertificateKeyFile /etc/ssl/private/ssl-cert.key
</MDomain>
