This is an older version of the document!
Apache configuration
The default Apache configuration created by the node installation is located in /etc/apache2/sites-available/blockchain.vaseDomena.conf and contains the following parameters:
<IfModule mod_ssl.c>
    ServerAdmin <e-mail address for the Let's Encrypt authority>
    MDCertificateAgreement accepted
    MDomain blockchain.vaseDomena
    MDPrivateKeys RSA 4096
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost *:443>
        ServerName blockchain.vaseDomena
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        DocumentRoot /var/www/html
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass /admin http://localhost:8081
        ProxyPass / http://localhost:8080/
        ProxyPassReverse /admin http://localhost:8081
        ProxyPassReverse / http://localhost:8080
        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
        SSLHonorCipherOrder on
        SSLCompression off
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        Protocols h2 http/1.1
        Header always set Strict-Transport-Security "max-age=15768000"
        Header always append X-Frame-Options SAMEORIGIN
        Header always append X-Content-Type-Options nosniff
        Header always set X-Xss-Protection "1; mode=block"
        Header always set Referrer-Policy "same-origin"
        Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
        Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"
    </VirtualHost>

    <VirtualHost _default_:3000>
        ServerName blockchain.vaseDomena
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:3001/
        ProxyPassReverse / http://localhost:3001/
        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
        SSLHonorCipherOrder on
        SSLCompression off
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        Protocols h2 http/1.1
        Header always set Strict-Transport-Security "max-age=15768000"
        Header always append X-Frame-Options SAMEORIGIN
        Header always append X-Content-Type-Options nosniff
        Header always set X-Xss-Protection "1; mode=block"
        Header always set Referrer-Policy "same-origin"
        Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
        Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"
    </VirtualHost>
</IfModule>
The ServerAdmin line is a placeholder: fill in a real address, because mod_md uses it as the contact for the Let's Encrypt account. Note that the Content-Security-Policy above is permissive: 'unsafe-eval' together with the bare https: source allows scripts and plugins from any HTTPS origin, so it mainly protects against plain-HTTP content injection. X-Xss-Protection is ignored by Chromium-based browsers and Firefox, and Feature-Policy has been superseded by Permissions-Policy; both are harmless to keep.
Listen 3000 is also added under the ssl_module block in /etc/apache2/ports.conf so that the gateway virtual host works.
In /etc/apache2/sites-available/000-default.conf it is advisable to add an automatic redirect to HTTPS inside the virtual host:
Redirect permanent / https://blockchain.vaseDomena/
Keep the trailing slash on the target: mod_alias appends whatever follows the matched path to the target URL, so without the slash a request for /admin would be redirected to https://blockchain.vaseDomenaadmin.
Remember that the SSL and MD modules must be enabled:
sudo a2enmod md
sudo a2enmod ssl
The configuration above also uses the ProxyPass and Header directives, which come from mod_proxy, mod_proxy_http and mod_headers; those modules must be enabled too, otherwise Apache refuses to start with an "Invalid command" error.
SSL certificates are generated automatically by the mod_md module built into Apache. If you want to add another domain for which certificates need to be issued (for example your own application running on the node under a different domain), we recommend creating a new config, e.g. aplikace.vaseDomena.conf, in /etc/apache2/sites-available/ and enabling it with sudo a2ensite aplikace.vaseDomena so that Apache loads it at startup. Then restart Apache with sudo systemctl restart apache2 and certificates should start being issued and renewed for this domain as well. mod_md obtains the certificate in the background after the restart; until it has been activated by a subsequent reload, the virtual host serves a temporary self-signed fallback certificate. For an application running on port 8083 the config could look like this:
<IfModule mod_ssl.c>
    ServerAdmin <e-mail address for the Let's Encrypt authority>
    MDCertificateAgreement accepted
    MDomain aplikace.vaseDomena
    MDPrivateKeys RSA 4096
    SSLStaplingCache shmcb:/var/run/ocsp(128000)

    <VirtualHost _default_:443>
        ServerName aplikace.vaseDomena
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyPass / http://localhost:8083/
        ProxyPassReverse / http://localhost:8083/
        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>
        SSLHonorCipherOrder on
        SSLCompression off
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
        Protocols h2 http/1.1
        Header always set Strict-Transport-Security "max-age=15768000"
        Header always append X-Frame-Options SAMEORIGIN
        Header always append X-Content-Type-Options nosniff
        Header always set X-Xss-Protection "1; mode=block"
        Header always set Referrer-Policy "same-origin"
        Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
        Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"
    </VirtualHost>
</IfModule>
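Both the node's default vhost and any extra application vhost like the one above depend on the same handful of hardening directives (SSLProtocol without TLS 1.0/1.1, SSLHonorCipherOrder, SSLCompression off, ProxyRequests Off, HSTS and nosniff sent with "Header always"). A hand-edited config easily loses one of them. The script below is an added example, not part of the node installer or its config files: it audits a vhost file for those directives and exits non-zero if any is missing. The two sample configs it checks are constructed here for the demonstration; point audit_apache_vhost at a real file under /etc/apache2/sites-available/ in practice.

```shell
#!/usr/bin/env bash
# Added example, not part of the node installer or its default vhost files:
# audit an Apache vhost file for the TLS, proxy and header hardening that the
# configurations above rely on. Comments are stripped first, so a commented-out
# directive does not count as present.

FINDINGS=0   # number of failed checks for the file currently being audited
CFG=""       # uncommented contents of that file

fail() {
    echo "FAIL: $1"
    FINDINGS=$((FINDINGS + 1))
}

# has_directive <extended regex>: true if the uncommented config matches (case-insensitive).
has_directive() {
    printf '%s\n' "$CFG" | grep -Eiq -- "$1"
}

# audit_apache_vhost <file>: exit status 0 when every check passes, 1 otherwise.
audit_apache_vhost() {
    local file="$1"
    FINDINGS=0
    CFG=$(sed 's/#.*$//' "$file")
    echo "== $file"

    # SSLProtocol must be present and either use the allow-list form (no "all")
    # or, like the node config, start from "all" and disable SSLv3/TLSv1/TLSv1.1.
    local proto='^[[:space:]]*SSLProtocol[[:space:]]'
    if ! has_directive "$proto"; then
        fail "no SSLProtocol directive (Apache's default still allows TLS 1.0 and 1.1)"
    elif has_directive '^[[:space:]]*SSLProtocol[[:space:]]+(.*[[:space:]])?all([[:space:]]|$)'; then
        has_directive "$proto"'.*-SSLv3([[:space:]]|$)'   || fail "SSLv3 not disabled"
        has_directive "$proto"'.*-TLSv1([[:space:]]|$)'   || fail "TLSv1 not disabled"
        has_directive "$proto"'.*-TLSv1\.1([[:space:]]|$)' || fail "TLSv1.1 not disabled"
    fi

    has_directive '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' || fail "SSLHonorCipherOrder is not on"
    has_directive '^[[:space:]]*SSLCompression[[:space:]]+off'     || fail "SSLCompression is not off"

    # A reverse proxy must not also act as an open forward proxy.
    if has_directive '^[[:space:]]*ProxyPass[[:space:]]'; then
        has_directive '^[[:space:]]*ProxyRequests[[:space:]]+off' || fail "ProxyPass used but ProxyRequests is not Off"
    fi

    # "Header always" is what makes the header appear on error responses too.
    has_directive '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+Strict-Transport-Security' \
        || fail "no 'Header always set Strict-Transport-Security'"
    has_directive '^[[:space:]]*Header[[:space:]]+always[[:space:]]+(set|append)[[:space:]]+X-Content-Type-Options[[:space:]]+nosniff' \
        || fail "no X-Content-Type-Options nosniff"

    # The node's default CSP carries 'unsafe-eval'; report it without failing,
    # because the bundled web UI may depend on it.
    if has_directive "Content-Security-Policy.*'unsafe-eval'"; then
        echo "WARN: Content-Security-Policy allows 'unsafe-eval'"
    fi

    [ "$FINDINGS" -eq 0 ]
}

# Constructed samples for the demonstration (not real files from a node).
WORKDIR=$(mktemp -d)
GOOD_CFG="$WORKDIR/hardened.conf"   # mirrors the hardening lines of the node vhost
WEAK_CFG="$WORKDIR/weak.conf"       # a typical hand-edited vhost that lost them

cat > "$GOOD_CFG" <<'EOF'
<VirtualHost *:443>
    ServerName blockchain.vaseDomena
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:8080/
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCompression off
    Header always set Strict-Transport-Security "max-age=15768000"
    Header always append X-Content-Type-Options nosniff
    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:"
</VirtualHost>
EOF

cat > "$WEAK_CFG" <<'EOF'
<VirtualHost *:443>
    ServerName blockchain.vaseDomena
    ProxyRequests On
    ProxyPass / http://localhost:8080/
    SSLEngine on
    SSLProtocol all -SSLv3
    # SSLCompression off
</VirtualHost>
EOF

for f in "$GOOD_CFG" "$WEAK_CFG"; do
    if audit_apache_vhost "$f"; then echo "PASS"; else echo "$FINDINGS finding(s)"; fi
done
```

The hardened sample passes with only the 'unsafe-eval' warning; the weak one produces seven findings, including SSLCompression, which is present in the file but only as a comment. Run the function against each file in /etc/apache2/sites-available/ before `apachectl configtest` and the restart.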