
en_installation:apache

Differences

Here you can see the differences between the selected revision and the current version of this page.

en_installation:apache [2022/05/24 12:22] kozak
en_installation:apache [2024/04/17 11:32] (current) – [Apache configuration] kozak
Line 1: Line 1:
-Konfigurace Apache\\ +====== Apache configuration ======
-Výchozí konfigurace Apache, kterou vytvoří instalace nodu se nachází v /etc/apache2/sites-available/blockchain.vaseDomena.conf a obsahuje následující parametry:+
  
-<IfModule mod_ssl.c>\\ +The default Apache configuration created by the node installation is located in **/etc/apache2/sites-available/blockchain.yourDomain.conf** and contains the following parameters: 
-ServerAdmin mail pro Let's encrypt autoritu\\ +<code><IfModule mod_ssl.c> 
-MDCertificateAgreement accepted\\ +ServerAdmin **mail for Let's encrypt authority** 
-MDomain blockchain.vaseDomena\\ +MDCertificateAgreement accepted 
-MDPrivateKeys RSA 4096\\+MDomain **blockchain.yourDomain** 
 +MDPrivateKeys RSA 4096
 SSLStaplingCache shmcb:/var/run/ocsp(128000) SSLStaplingCache shmcb:/var/run/ocsp(128000)
  
-<VirtualHost *:443>\\ +<VirtualHost *:443> 
-  ServerName blockchain.vaseDomena\\ +    ServerName **blockchain.yourDomain** 
-  <FilesMatch "\.(cgi|shtml|phtml|php)$">\\ +    <FilesMatch "\.(cgi|shtml|phtml|php)$"> 
- SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </FilesMatch>\\ +    </FilesMatch> 
-  <Directory /usr/lib/cgi-bin>\\ +    <Directory /usr/lib/cgi-bin> 
-      SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </Directory>\\ +    </Directory> 
-  ErrorLog ${APACHE_LOG_DIR}/error.log\\ +    ErrorLog ${APACHE_LOG_DIR}/error.log 
-  CustomLog ${APACHE_LOG_DIR}/access.log combined\\ +    CustomLog ${APACHE_LOG_DIR}/access.log combined 
-  DocumentRoot /var/www/html\\ +    DocumentRoot /var/www/html 
-  ProxyPreserveHost On\\ +    ProxyPreserveHost On 
-  ProxyRequests Off\\ +    ProxyRequests Off 
-  ProxyPass /admin http://localhost:8081\\ +    ProxyPass /admin http://localhost:8081 
-  ProxyPass / http://localhost:8080/\\ +    ProxyPass / http://localhost:8080/ 
-  ProxyPassReverse /admin http://localhost:8081\\ +    ProxyPassReverse /admin http://localhost:8081 
-  ProxyPassReverse / http://localhost:8080\\ +    ProxyPassReverse / http://localhost:8080 
-  SSLEngine on\\ +    SSLEngine on 
-  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\\ +    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1 
-  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>\\ +    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> 
-  SSLHonorCipherOrder     on\\ +    SSLHonorCipherOrder     on 
-  SSLCompression          off\\ +    SSLCompression          off 
-  SSLUseStapling          on\\ +    SSLUseStapling          on 
-  SSLStaplingResponderTimeout 5\\ +    SSLStaplingResponderTimeout 5 
-  SSLStaplingReturnResponderErrors off\\ +    SSLStaplingReturnResponderErrors off 
-  Protocols h2 http/1.1\\ +    Protocols h2 http/1.1 
-  Header always set Strict-Transport-Security "max-age=15768000"\\ +    Header always set Strict-Transport-Security "max-age=15768000" 
-  Header always append X-Frame-Options SAMEORIGIN\\ +    Header always append X-Frame-Options SAMEORIGIN 
-  Header always append X-Content-Type-Options nosniff\\ +    Header always append X-Content-Type-Options nosniff 
-  Header always set X-Xss-Protection "1; mode=block"\\ +    Header always set X-Xss-Protection "1; mode=block" 
-  Header always set Referrer-Policy "same-origin"\\ +    Header always set Referrer-Policy "same-origin" 
-  Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"\\ +    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"
-  Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"\\+
 </VirtualHost> </VirtualHost>
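Review bot: The SSLCipherSuite value in the *:443 virtual host ends in "ECDH-RSA-AES-128-GCM-SHA2>", which reads like a line cut off at the terminal width when it was copied, so the list is incomplete and its last entry is not a full cipher name. The revision carries this over unchanged, and the same line recurs in the :3000 and application virtual hosts. The two entries before it are spelled "AES-128" while every other entry in the list uses "AES128" or "AES256". Suggest re-copying the complete directive from the installed config file and checking the spelling of those last entries. Separately, "ProxyPass /admin http://localhost:8081" publishes the admin port on 443 with no access restriction visible in this virtual host; if that is intended the page should say so, otherwise restrict /admin with a Location block and a Require rule. The ProxyPassReverse for "/" also drops the trailing slash that its ProxyPass line has ("http://localhost:8080" against "http://localhost:8080/").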
  
-<VirtualHost _default_:3000>\\ +<VirtualHost _default_:3000> 
-  ServerName blockchain.vaseDomena\\ +    ServerName **blockchain.yourDomain** 
-  <FilesMatch "\.(cgi|shtml|phtml|php)$">\\ +    <FilesMatch "\.(cgi|shtml|phtml|php)$"> 
-      SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </FilesMatch>\\ +    </FilesMatch> 
-  <Directory /usr/lib/cgi-bin>\\ +    <Directory /usr/lib/cgi-bin> 
-      SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </Directory>\\ +    </Directory> 
-  ErrorLog ${APACHE_LOG_DIR}/error.log\\ +    ErrorLog ${APACHE_LOG_DIR}/error.log 
-  CustomLog ${APACHE_LOG_DIR}/access.log combined\\ +    CustomLog ${APACHE_LOG_DIR}/access.log combined 
-  ProxyPreserveHost On\\ +    ProxyPreserveHost On 
-  ProxyRequests Off\\ +    ProxyRequests Off 
-  ProxyPass / http://localhost:3001/\\ +    ProxyPass / http://localhost:3001/ 
-  ProxyPassReverse / http://localhost:3001/\\ +    ProxyPassReverse / http://localhost:3001/ 
-  SSLEngine on\\ +    SSLEngine on 
-  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\\ +    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 
-  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>\\ +    SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> 
-  SSLHonorCipherOrder     on\\ +    SSLHonorCipherOrder     on 
-  SSLCompression          off\\ +    SSLCompression          off 
-  SSLUseStapling          on\\ +    SSLUseStapling          on 
-  SSLStaplingResponderTimeout 5\\ +    SSLStaplingResponderTimeout 5 
-  SSLStaplingReturnResponderErrors off\\ +    SSLStaplingReturnResponderErrors off 
-  Protocols h2 http/1.1\\ +    Protocols h2 http/1.1 
-  Header always set Strict-Transport-Security "max-age=15768000"\\ +    Header always set Strict-Transport-Security "max-age=15768000" 
-  Header always append X-Frame-Options SAMEORIGIN\\ +    Header always append X-Frame-Options SAMEORIGIN 
-  Header always append X-Content-Type-Options nosniff\\ +    Header always append X-Content-Type-Options nosniff 
-  Header always set X-Xss-Protection "1; mode=block"\\ +    Header always set X-Xss-Protection "1; mode=block" 
-  Header always set Referrer-Policy "same-origin"\\ +    Header always set Referrer-Policy "same-origin" 
-  Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"\\ +    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" 
-  Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"\\ +</VirtualHost> 
-</VirtualHost>\\ +</IfModule>
-</IfModule>\\ +
-Dále se také do /etc/apache2/ports.conf doplní pod ssl_module Listen 3000 pro funkci gatewaye\\ +
-A do /etc/apache2/sites-available/000-default.conf je vhodné do virtual hosta doplnit automatický redirect na https\\ +
-Redirect permanent / https://blockchain.vaseDomena\\ +
-Nezapomeňte, že je potřeba mít povolené moduly SSL a MD\\ +
-sudo a2enmod md\\ +
-sudo a2enmod ssl\\ +
-SSL certifikáty se automaticky generují přes mod_md modul zabudovaný v Apachi. Pokud chcete přidat další doménu, pro kterou je potřeba generovat certifikáty (například Vaše aplikace bežící na nodu pod jinou doménou), doporučujeme vytvořit nový config například aplikace.vaseDomena.conf v /etc/apache2/sites-available/ a zařadit ho mezi configy, které si Apache načítá při spuštění příkazem sudo a2ensite aplikace.vaseDomena. Potom stačí Apache restartovat sudo systemctl restart apache2 a certifikáty by se měly pravidelně začít generovat i pro tuto doménu. Výše zmíněný config by pro aplikaci běžící na portu 8083 mohl vypadat například takto:+
  
-<IfModule mod_ssl.c>\\ +</code> 
-ServerAdmin mail pro Let's encrypt autoritu\\ +  * The **blockchain.yourDomain.conf**  configuration file needs to be included among the Apache configs 
-MDCertificateAgreement accepted\\ +      * ''sudo a2ensite blockchain.yourDomain'' 
-MDomain aplikace.vaseDomena\\ +  * To **/etc/apache2/ports.conf**  under **ssl_module**  needs to be added ''Listen 3000''  for the gateway functionality 
-MDPrivateKeys RSA 4096\\+  * In **/etc/apache2/sites-available/000-default.conf**  it is advisable to add automatic redirect to https to the virtual host 
 +      * ''Redirect permanent / [[https://blockchain.vaseDomena|https://blockchain.yourDomain]]'' 
 +  * The following modules need to be enabled: 
 +      * ''sudo a2enmod rewrite'' 
 +      * ''sudo a2enmod ssl'' 
 +      * ''sudo a2enmod md'' 
 +      * ''sudo a2enmod proxy'' 
 +      * ''sudo a2enmod proxy_http'' 
 +      * ''sudo a2enmod http2'' 
 +      * ''sudo a2enmod headers'' 
 +SSL certificates are automatically generated via the mod_md module built into Apache. If you want to add another domain for which certificates need to be generated (for example, your application running on a node under another domain), we recommend creating a new config, for example **application.yourDomain.conf**  in /etc/apache2/sites-available/ and include it to Apache configs running the command ''sudo a2ensite application.yourDomain''. Then restart Apache ''sudo systemctl restart apache2''  and certificates should start to be generated for this domain on a regular basis. Config for an application running on local port 8083 should look like this: 
 +<code> 
 +<IfModule mod_ssl.c> 
 +ServerAdmin **mail for Let's encrypt authority** 
 +MDCertificateAgreement accepted 
 +MDomain **application.yourDomain** 
 +MDPrivateKeys RSA 4096
 SSLStaplingCache shmcb:/var/run/ocsp(128000) SSLStaplingCache shmcb:/var/run/ocsp(128000)
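Review bot: In the new setup list, the redirect step "Redirect permanent / https://blockchain.yourDomain" has no trailing slash on the target. Redirect appends the rest of the request path to the target, so a request for /admin is sent to https://blockchain.yourDomainadmin; the target should be "https://blockchain.yourDomain/". The wiki link on that line still points at "https://blockchain.vaseDomena" while displaying yourDomain, and the link markup sits inside the monospace quotes, so it is worth writing the directive as plain text. The module list adds "sudo a2enmod rewrite", but none of the configs shown uses a Rewrite directive (the redirect above is a plain Redirect), so either drop it or show where it is needed. The list also has no restart or reload step after a2ensite and the ports.conf change, although the paragraph about adding another domain does include "sudo systemctl restart apache2".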
  
-<VirtualHost _default_:443>\\ +<VirtualHost _default_:443> 
-  ServerName aplikace.vaseDomena\\ +    ServerName **application.yourDomain** 
-  <FilesMatch "\.(cgi|shtml|phtml|php)$">\\ +    <FilesMatch "\.(cgi|shtml|phtml|php)$"> 
- SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </FilesMatch>\\ +    </FilesMatch> 
-  <Directory /usr/lib/cgi-bin>\\ +    <Directory /usr/lib/cgi-bin> 
-      SSLOptions +StdEnvVars\\ +    SSLOptions +StdEnvVars 
-  </Directory>\\ +    </Directory> 
-  ErrorLog ${APACHE_LOG_DIR}/error.log\\ +    ErrorLog ${APACHE_LOG_DIR}/error.log 
-  CustomLog ${APACHE_LOG_DIR}/access.log combined\\ +    CustomLog ${APACHE_LOG_DIR}/access.log combined 
-  ProxyPreserveHost On\\ +    ProxyPreserveHost On 
-  ProxyRequests Off\\ +    ProxyRequests Off 
-  ProxyPass / http://localhost:8083/\\ +    ProxyPass / http://localhost:8083/ 
-  ProxyPassReverse / http://localhost:8083/\\ +    ProxyPassReverse / http://localhost:8083/ 
-  SSLEngine on\\ +    SSLEngine on 
-  SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1\\ +    SSLProtocol   all -SSLv3 -TLSv1 -TLSv1.1 
-  SSLCipherSuite          ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2>\\ +    SSLCipherSuite   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDH-ECDSA-AES-128-GCM-SHA256:ECDH-RSA-AES-128-GCM-SHA2> 
-  SSLHonorCipherOrder     on\\ +    SSLHonorCipherOrder     on 
-  SSLCompression          off\\ +    SSLCompression          off 
-  SSLUseStapling          on\\ +    SSLUseStapling          on 
-  SSLStaplingResponderTimeout 5\\ +    SSLStaplingResponderTimeout 5 
-  SSLStaplingReturnResponderErrors off\\ +    SSLStaplingReturnResponderErrors off 
-  Protocols h2 http/1.1\\ +    Protocols h2 http/1.1 
-  Header always set Strict-Transport-Security "max-age=15768000"\\ +    Header always set Strict-Transport-Security "max-age=15768000" 
-  Header always append X-Frame-Options SAMEORIGIN\\ +    Header always append X-Frame-Options SAMEORIGIN 
-  Header always append X-Content-Type-Options nosniff\\ +    Header always append X-Content-Type-Options nosniff 
-  Header always set X-Xss-Protection "1; mode=block"\\ +    Header always set X-Xss-Protection "1; mode=block" 
-  Header always set Referrer-Policy "same-origin"\\ +    Header always set Referrer-Policy "same-origin" 
-  Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:"\\ +    Header set Content-Security-Policy "script-src 'self' 'unsafe-eval' https:; object-src 'self' 'unsafe-eval' https:" 
-  Header set Feature-Policy "vibrate 'self'; geolocation 'self'; notifications 'self'"\\ +</VirtualHost> 
-</VirtualHost>\\ +</IfModule>​​ 
-</IfModule>\\ + 
-​​​+</code> 
 + 
 +​​ 
 + 
 +==== Your own SSL certificates ==== 
 + 
 +Just add the path to the certificate to the mentioned config **/etc/apache2/sites-available/blockchain.****yourDomain.****conf** 
 + 
 +4th line ''MDomain **blockchain.yourDomain**'' rewrite to: 
 +<code
 +<MDomain **blockchain.yourDomain**
 +    MDCertificateFile    /etc/ssl/certs/ssl-cert.pem 
 +    MDCertificateKeyFile /etc/ssl/private/ssl-cert.key 
 +</MDomain>
  
 +</code>
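Review bot: In the new "Your own SSL certificates" block the section opener is shown as "<MDomain **blockchain.yourDomain**" with no closing ">", and the "<code" tag above it is also unterminated, so the snippet cannot be pasted as written. DokuWiki does not process bold markup inside a code block, so the "**" markers are printed literally and a reader copying the line gets them as part of the domain name; the same applies to the ServerAdmin, MDomain and ServerName lines in the earlier code blocks of this revision. Suggest writing the opener as "<MDomain blockchain.yourDomain>" and marking the placeholder in the surrounding prose instead. The text says "4th line", which matches the MDomain line of the config above, but it would help to state whether ServerAdmin and MDCertificateAgreement are still needed once the certificate is supplied by file, and to note that the key at /etc/ssl/private/ssl-cert.key should not be world-readable.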
  
en_installation/apache.1653387761.txt.gz · Last modified: 2022/05/24 12:22 by kozak