Apache configuration

The default Apache configuration created by the node installation is located in /etc/apache2/sites-available/blockchain.yourDomain.conf and contains the following parameters:

<IfModule mod_ssl.c>
ServerAdmin **mail for Let's encrypt authority**
MDCertificateAgreement accepted
MDomain **blockchain.yourDomain**
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost *:443>
    ServerName **blockchain.yourDomain**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    DocumentRoot /var/www/html
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass /admin http://localhost:8081
    ProxyPass / http://localhost:8080/
    ProxyPassReverse /admin http://localhost:8081
    ProxyPassReverse / http://localhost:8080/
    SSLEngine on
    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>

<VirtualHost _default_:3000>
    ServerName **blockchain.yourDomain**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:3001/
    ProxyPassReverse / http://localhost:3001/
    SSLEngine on
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</IfModule>

  • The blockchain.yourDomain.conf configuration file needs to be enabled among the Apache configs:
    • sudo a2ensite blockchain.yourDomain
  • In /etc/apache2/ports.conf, Listen 3000 needs to be added inside the <IfModule ssl_module> block; the gateway virtual host on port 3000 needs it.
  • In /etc/apache2/sites-available/000-default.conf it is advisable to add an automatic redirect to HTTPS to the virtual host.
  • The following modules need to be enabled:
    • sudo a2enmod rewrite
    • sudo a2enmod ssl
    • sudo a2enmod md
    • sudo a2enmod proxy
    • sudo a2enmod proxy_http
    • sudo a2enmod http2
    • sudo a2enmod headers
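The steps in the list above as one script, added here as an example; it is not part of the node installer or of this wiki. It assumes a Debian/Ubuntu Apache layout (a2ensite, a2enmod, apache2ctl and the paths named on this page) and the domain placeholder blockchain.yourDomain; the environment-variable overrides and the form of the HTTPS redirect are choices of this example. The editing functions only touch the file they are given and can be run repeatedly; the commands that change the system run only when the script is invoked with the argument apply.

```shell
#!/bin/sh
# Added example, not part of the node installer: the post-install steps as an
# idempotent script. Paths and the domain placeholder come from the wiki page;
# the override variables and the redirect form are assumptions of this example.
# Nothing runs against the system unless invoked with "apply" (as root, e.g.
# "sudo sh apache-node-setup.sh apply"; the file name is just a suggestion).

PORTS_CONF="${PORTS_CONF:-/etc/apache2/ports.conf}"
DEFAULT_SITE="${DEFAULT_SITE:-/etc/apache2/sites-available/000-default.conf}"
NODE_DOMAIN="${NODE_DOMAIN:-blockchain.yourDomain}"
# Modules the node vhost relies on, in the order the page lists them.
REQUIRED_MODULES="rewrite ssl md proxy proxy_http http2 headers"

# insert_after_tag FILE TAG TEXT: write TEXT (possibly several lines) right
# after the first line of FILE that contains TAG. Returns 1 if TAG is absent,
# so a config that does not look as expected is left untouched.
insert_after_tag() {
    file="$1"; tag="$2"
    grep -qF -- "$tag" "$file" || return 1
    # TEXT goes through the environment so awk does not interpret backslashes.
    INSERT_TEXT="$3" awk -v tag="$tag" '
        { print }
        !done && index($0, tag) { print ENVIRON["INSERT_TEXT"]; done = 1 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# ensure_listen_3000 FILE: add "Listen 3000" inside the <IfModule ssl_module>
# block of ports.conf (the gateway vhost on :3000 is TLS-only). No-op if present.
ensure_listen_3000() {
    grep -Eq '^[[:space:]]*Listen[[:space:]]+3000([[:space:]]|$)' "$1" && return 0
    insert_after_tag "$1" '<IfModule ssl_module>' \
        "$(printf '\t# gateway vhost of the blockchain node\n\tListen 3000')"
}

# ensure_https_redirect FILE DOMAIN: make the plain-HTTP vhost in
# 000-default.conf answer every request with a permanent redirect to HTTPS.
# Let's Encrypt follows redirects during the http-01 check, so issuance by
# mod_md keeps working. No-op if a redirect is already there.
ensure_https_redirect() {
    grep -Eq '^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]' "$1" && return 0
    insert_after_tag "$1" '<VirtualHost *:80>' \
        "$(printf '\tServerName %s\n\tRedirect permanent / https://%s/' "$2" "$2")"
}

# apply_on_host: the commands from the list, then a syntax check before the
# restart so a broken config never takes the running server down.
apply_on_host() {
    a2ensite "$NODE_DOMAIN"
    for m in $REQUIRED_MODULES; do a2enmod "$m"; done
    ensure_listen_3000 "$PORTS_CONF" ||
        { echo "no <IfModule ssl_module> block in $PORTS_CONF" >&2; return 1; }
    ensure_https_redirect "$DEFAULT_SITE" "$NODE_DOMAIN" ||
        { echo "no <VirtualHost *:80> in $DEFAULT_SITE" >&2; return 1; }
    apache2ctl configtest && systemctl restart apache2
}

if [ "${1:-}" = "apply" ]; then apply_on_host; fi
```

The two edit functions check for the directive before inserting it, so running the script a second time (or after a manual edit) does not duplicate Listen or Redirect lines, and they refuse to touch a file that lacks the expected block rather than appending the directive somewhere it would not take effect.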

SSL certificates are generated automatically by the mod_md module built into Apache. If you want to add another domain for which certificates need to be generated (for example, your application running on the node under another domain), we recommend creating a new config, for example application.yourDomain.conf in /etc/apache2/sites-available/, and enabling it with the command sudo a2ensite application.yourDomain. Then restart Apache with sudo systemctl restart apache2; certificates for this domain will start to be generated and renewed on a regular basis. The config for an application running on local port 8083 should look like this:

<IfModule mod_ssl.c>
ServerAdmin **mail for Let's encrypt authority**
MDCertificateAgreement accepted
MDomain **application.yourDomain**
MDPrivateKeys RSA 4096
SSLStaplingCache shmcb:/var/run/ocsp(128000)

<VirtualHost _default_:443>
    ServerName **application.yourDomain**
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8083/
    ProxyPassReverse / http://localhost:8083/
    SSLEngine on
    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
    SSLHonorCipherOrder     on
    SSLCompression          off
    SSLUseStapling          on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    Protocols h2 http/1.1
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Frame-Options SAMEORIGIN
    Header always append X-Content-Type-Options nosniff
    Header always set X-Xss-Protection "1; mode=block"
    Header always set Referrer-Policy "same-origin"
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
</VirtualHost>
</IfModule>
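A static check that a vhost config (any of the three above) still carries the settings they rely on, added here as an example that is not part of the node installer or of this wiki. It reads only the file it is given; the directive set it looks for is taken from the configs on this page, and the ProxyPass/ProxyPassReverse comparison catches the kind of trailing-slash mismatch that makes Apache rewrite backend Location headers incorrectly.

```shell
#!/bin/sh
# Added example, not part of the node installer: a static check of a vhost
# config against the settings the configs on this page rely on. Pass the file
# to inspect; one line per finding is printed and the exit status is 0 only
# when nothing was found.

# has FILE REGEX: true when a line of FILE matches REGEX (case-insensitive,
# as Apache treats directive names and on/off values).
has() { grep -Eiq -- "$2" "$1"; }

check_vhost_conf() {
    f="$1"
    findings=0
    report() { echo "$f: $1"; findings=$((findings + 1)); }

    has "$f" '^[[:space:]]*SSLEngine[[:space:]]+on' \
        || report "SSLEngine is not on"
    has "$f" '^[[:space:]]*SSLProtocol.*-SSLv3' \
        || report "SSLProtocol does not exclude SSLv3"
    has "$f" '^[[:space:]]*SSLProtocol.*-TLSv1([^.]|$)' \
        || report "SSLProtocol does not exclude TLSv1"
    has "$f" '^[[:space:]]*SSLProtocol.*-TLSv1\.1' \
        || report "SSLProtocol does not exclude TLSv1.1"
    has "$f" '^[[:space:]]*SSLCompression[[:space:]]+off' \
        || report "SSLCompression is not off"
    has "$f" '^[[:space:]]*ProxyRequests[[:space:]]+off' \
        || report "ProxyRequests is not Off (a reverse proxy must never forward arbitrary requests)"
    has "$f" '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
        || report "no Strict-Transport-Security header"

    # Every ProxyPass needs a ProxyPassReverse with the *same* backend URL,
    # trailing slash included; otherwise Location headers from the backend
    # are rewritten wrongly (or not at all). "ProxyPass path !" exclusions
    # have no reverse mapping and are skipped.
    mismatches=$(awk '
        $1 == "ProxyPass" && $3 != "!" { pass[$2] = $3 }
        $1 == "ProxyPassReverse"        { rev[$2]  = $3 }
        END {
            for (p in pass) {
                if (!(p in rev))
                    print "ProxyPass " p " has no ProxyPassReverse"
                else if (rev[p] != pass[p])
                    print "ProxyPass " p " -> " pass[p] " but ProxyPassReverse -> " rev[p]
            }
        }' "$f")
    if [ -n "$mismatches" ]; then
        echo "$mismatches" | while IFS= read -r line; do echo "$f: $line"; done
        findings=$((findings + $(echo "$mismatches" | grep -c '')))
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as check_vhost_conf /etc/apache2/sites-available/blockchain.yourDomain.conf before apache2ctl configtest; the syntax check alone accepts a config that silently re-enables TLS 1.0 or turns the node into an open forward proxy, which is what this script is for.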


Your own SSL certificates

Add the paths to your certificate and key to the config mentioned above, /etc/apache2/sites-available/blockchain.yourDomain.conf.

Rewrite the 4th line, MDomain blockchain.yourDomain, to:

<MDomain **blockchain.yourDomain**>
    MDCertificateFile    /etc/ssl/certs/ssl-cert.pem
    MDCertificateKeyFile /etc/ssl/private/ssl-cert.key
</MDomain>
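A pre-flight check for the two files named in the MDomain block, added here as an example that is not part of the node installer or of this wiki: it confirms that the private key belongs to the certificate, that the key is not readable by other users, and that the certificate is not about to expire. The paths from the page are only defaults in the usage line; openssl and find are assumed to be present.

```shell
#!/bin/sh
# Added example, not part of the node installer: checks for a statically
# configured certificate/key pair, to run before "apache2ctl configtest" and
# the reload. Paths are arguments; the ones from the page are just defaults.

# check_cert_pair CERT KEY [MIN_DAYS]: return 0 when the key belongs to the
# certificate, the key file is not readable by "other", and the certificate
# stays valid for at least MIN_DAYS more days (default 30). One line per problem.
check_cert_pair() {
    cert="$1"; key="$2"; min_days="${3:-30}"; ok=0

    # The certificate carries a copy of the public key; deriving the public
    # key from the private key must give the same PEM, otherwise the pair
    # does not belong together and Apache would refuse to start the vhost.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert"; ok=1
    fi

    # A world-readable private key is the usual deployment mistake.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "$key is readable by other users (chmod 600 and chown root)"; ok=1
    fi

    # mod_md does not renew a certificate supplied via MDCertificateFile, so
    # the expiry has to be watched by the operator; -checkend takes seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "$cert expires within $min_days days"; ok=1
    fi
    return $ok
}

# Usage with the paths from the MDomain block above (uncomment to run):
# check_cert_pair /etc/ssl/certs/ssl-cert.pem /etc/ssl/private/ssl-cert.key && apache2ctl configtest
```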

en_installation/apache.txt · Last modified: 2024/04/17 11:32 by kozak