| Následující verze | Předchozí verze |
| en_installation:apache [2022/05/24 12:22] – vytvořeno kozak | en_installation:apache [2024/04/17 11:32] (aktuální) – [Apache configuration] kozak |
|---|
| ====== Konfigurace Apache ====== | ====== Apache configuration ====== |
| |
| Výchozí konfigurace Apache, kterou vytvoří instalace nodu se nachází v **/etc/apache2/sites-available/blockchain.vaseDomena.conf** a obsahuje následující parametry: | The default Apache configuration created by the node installation is located in **/etc/apache2/sites-available/blockchain.yourDomain.conf** and contains the following parameters: |
| <code><IfModule mod_ssl.c> | <code><IfModule mod_ssl.c> |
| ServerAdmin **mail pro Let's encrypt autoritu** MDCertificateAgreement accepted | ServerAdmin **mail for Let's encrypt authority** |
| MDomain **blockchain.vaseDomena** MDPrivateKeys RSA 4096 | MDCertificateAgreement accepted |
| | MDomain **blockchain.yourDomain** |
| | MDPrivateKeys RSA 4096 |
| SSLStaplingCache shmcb:/var/run/ocsp(128000) | SSLStaplingCache shmcb:/var/run/ocsp(128000) |
| |
| <VirtualHost *:443> | <VirtualHost *:443> |
| ServerName **blockchain.vaseDomena** <FilesMatch "\.(cgi|shtml|phtml|php)$"> | ServerName **blockchain.yourDomain** |
| SSLOptions +StdEnvVars | <FilesMatch "\.(cgi|shtml|phtml|php)$"> |
| | SSLOptions +StdEnvVars |
| </FilesMatch> | </FilesMatch> |
| <Directory /usr/lib/cgi-bin> | <Directory /usr/lib/cgi-bin> |
| SSLOptions +StdEnvVars | SSLOptions +StdEnvVars |
| </Directory> | </Directory> |
| ErrorLog ${APACHE_LOG_DIR}/error.log | ErrorLog ${APACHE_LOG_DIR}/error.log |
| ProxyPassReverse / http://localhost:8080 | ProxyPassReverse / http://localhost:8080 |
| SSLEngine on | SSLEngine on |
| SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 |
| SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> |
| SSLHonorCipherOrder on | SSLHonorCipherOrder on |
| SSLCompression off | SSLCompression off |
| Header always set Referrer-Policy "same-origin" | Header always set Referrer-Policy "same-origin" |
| Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" | Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" |
| Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'" | |
| </VirtualHost> | </VirtualHost> |
| |
| <VirtualHost _default_:3000> | <VirtualHost _default_:3000> |
| ServerName **blockchain.vaseDomena** <FilesMatch "\.(cgi|shtml|phtml|php)$"> | ServerName **blockchain.yourDomain** |
| SSLOptions +StdEnvVars | <FilesMatch "\.(cgi|shtml|phtml|php)$"> |
| | SSLOptions +StdEnvVars |
| </FilesMatch> | </FilesMatch> |
| <Directory /usr/lib/cgi-bin> | <Directory /usr/lib/cgi-bin> |
| SSLOptions +StdEnvVars | SSLOptions +StdEnvVars |
| </Directory> | </Directory> |
| ErrorLog ${APACHE_LOG_DIR}/error.log | ErrorLog ${APACHE_LOG_DIR}/error.log |
| Header always set Referrer-Policy "same-origin" | Header always set Referrer-Policy "same-origin" |
| Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" | Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" |
| Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'" | |
| </VirtualHost> | </VirtualHost> |
| </IfModule> | </IfModule> |
| |
| |
| </code> | </code> |
| | * The **blockchain.yourDomain.conf** configuration file needs to be included among the Apache configs |
| * Dále se také do **/etc/apache2/ports.conf** doplní pod **ssl_module** ''Listen 3000'' pro funkci gatewaye | * ''sudo a2ensite blockchain.yourDomain'' |
| * A do **/etc/apache2/sites-available/000-default.conf** je vhodné do virtual hosta doplnit automatický redirect na https | * To **/etc/apache2/ports.conf** under **ssl_module** needs to be added ''Listen 3000'' for the gateway functionality |
| * ''Redirect permanent / [[https://blockchain.vaseDomena|https://blockchain.vaseDomena]]'' | * In **/etc/apache2/sites-available/000-default.conf** it is advisable to add automatic redirect to https to the virtual host |
| * Nezapomeňte, že je potřeba mít povolené moduly SSL a MD | * ''Redirect permanent / [[https://blockchain.vaseDomena|https://blockchain.yourDomain]]'' |
| * ''sudo a2enmod md'' | * The following modules need to be enabled: |
| | * ''sudo a2enmod rewrite'' |
| * ''sudo a2enmod ssl'' | * ''sudo a2enmod ssl'' |
| SSL certifikáty se automaticky generují přes mod_md modul zabudovaný v Apachi. Pokud chcete přidat další doménu, pro kterou je potřeba generovat certifikáty (například Vaše aplikace bežící na nodu pod jinou doménou), doporučujeme vytvořit nový config například **aplikace.vaseDomena.conf** v /etc/apache2/sites-available/ a zařadit ho mezi configy, které si Apache načítá při spuštění příkazem ''sudo a2ensite **aplikace.vaseDomena**''.** **Potom stačí Apache restartovat ''sudo systemctl restart apache2'' a certifikáty by se měly pravidelně začít generovat i pro tuto doménu. Výše zmíněný config by pro aplikaci běžící na portu 8083 mohl vypadat například takto: | * ''sudo a2enmod md'' |
| | * ''sudo a2enmod proxy'' |
| | * ''sudo a2enmod proxy_http'' |
| | * ''sudo a2enmod http2'' |
| | * ''sudo a2enmod headers'' |
| | SSL certificates are automatically generated via the mod_md module built into Apache. If you want to add another domain for which certificates need to be generated (for example, your application running on a node under another domain), we recommend creating a new config, for example **application.yourDomain.conf** in /etc/apache2/sites-available/ and include it to Apache configs running the command ''sudo a2ensite application.yourDomain''. Then restart Apache ''sudo systemctl restart apache2'' and certificates should start to be generated for this domain on a regular basis. Config for an application running on local port 8083 should look like this: |
| <code> | <code> |
| <IfModule mod_ssl.c> | <IfModule mod_ssl.c> |
| ServerAdmin **mail pro Let's encrypt autoritu** | ServerAdmin **mail for Let's encrypt authority** |
| MDCertificateAgreement accepted | MDCertificateAgreement accepted |
| MDomain **aplikace.vaseDomena** | MDomain **application.yourDomain** |
| MDPrivateKeys RSA 4096 | MDPrivateKeys RSA 4096 |
| SSLStaplingCache shmcb:/var/run/ocsp(128000) | SSLStaplingCache shmcb:/var/run/ocsp(128000) |
| |
| <VirtualHost _default_:443> | <VirtualHost _default_:443> |
| ServerName **aplikace.vaseDomena** | ServerName **application.yourDomain** |
| <FilesMatch "\.(cgi|shtml|phtml|php)$"> | <FilesMatch "\.(cgi|shtml|phtml|php)$"> |
| SSLOptions +StdEnvVars | SSLOptions +StdEnvVars |
| </FilesMatch> | </FilesMatch> |
| <Directory /usr/lib/cgi-bin> | <Directory /usr/lib/cgi-bin> |
| SSLOptions +StdEnvVars | SSLOptions +StdEnvVars |
| </Directory> | </Directory> |
| ErrorLog ${APACHE_LOG_DIR}/error.log | ErrorLog ${APACHE_LOG_DIR}/error.log |
| ProxyPassReverse / http://localhost:8083/ | ProxyPassReverse / http://localhost:8083/ |
| SSLEngine on | SSLEngine on |
| SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 |
| SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> | SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> |
| SSLHonorCipherOrder on | SSLHonorCipherOrder on |
| SSLCompression off | SSLCompression off |
| Header always set Referrer-Policy "same-origin" | Header always set Referrer-Policy "same-origin" |
| Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" | Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" |
| Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'" | |
| </VirtualHost> | </VirtualHost> |
| </IfModule> | </IfModule> |
| |
| </code> | </code> |
| |
| | |
| |
| | ==== Your own SSL certificates ==== |
| | |
| | Just add the path to the certificate to the mentioned config **/etc/apache2/sites-available/blockchain.****yourDomain.****conf** |
| | |
| | 4th line ''MDomain **blockchain.yourDomain**'' rewrite to: |
| | <code> |
| | <MDomain **blockchain.yourDomain**> |
| | MDCertificateFile /etc/ssl/certs/ssl-cert.pem |
| | MDCertificateKeyFile /etc/ssl/private/ssl-cert.key |
| | </MDomain> |
| | |
| | </code> |
| |
