Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04
$ sudo dpkg -i 1c-enterprise83-ws_8.3.13-1690_amd64.deb
$ sudo apt-get install apache2 -y
Создаем директорию для vrd-файла:
$ sudo mkdir -p /var/www/ib/demo
А также файл конфигурации Apache:
$ sudo touch /etc/apache2/conf-available/demo.conf
Переходим в каталог со утилитой публикации веб-клиента:
$ cd /opt/1C/v8.3/x86_64/
Запускаем утилиту:
$ sudo ./webinst -apache24 -wsdir demo -dir '/var/www/ib/demo' -connstr
'Srvr="test";Ref="demo";' -confPath
/etc/apache2/conf-available/demo.conf
Где
/var/www/ib/demo
- директория где будет создан vrd-файл,
demo
- имя ИБ, test - адрес сервера 1С:Предпрятие, а
/etc/apache2/conf-available/demo.conf
- путь до конфигурационного файла Apache.
Подключаем конфигурацию:
$ sudo a2enconf demo
Перезагрузка Apache:
$ sudo service apache2 reload
# systemctl restart apache2
Смотрим:
http://test/demo или https://test/demo
================================================
Стало глючить:
Может быть так:
$ sudo apachectl -V | grep -i mpm
AH00534: apache2: Configuration error: No MPM loaded.
А может вот так:
$ sudo apachectl -V | grep -i mpm
Server MPM: event
$ sudo a2dismod mpm_event
$ sudo a2enmod mpm_worker
Considering conflict mpm_event for mpm_worker:
Considering conflict mpm_prefork for mpm_worker:
Enabling module mpm_worker.
To activate the new configuration, you need to run:
service apache2 restart
$ sudo service apache2 restart
$ sudo apachectl -V | grep -i mpm
AH00558:
apache2: Could not reliably determine the server's fully qualified
domain name, using 192.168.0.239. Set the 'ServerName' directive
globally to suppress this message
Server MPM: worker
Apache MPM worker
$ sudo nano /etc/apache2/mods-enabled/mpm_worker.conf
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 0
</IfModule>
================================================
$ sudo mkdir /var/www/html/example.com/
$ sudo chown -R www-data:www-data /var/www/html/example.com/
$ sudo chmod -R 755 /var/www/html/example.com/
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin admin@example.com
DocumentRoot /var/www/html/example.com
<Directory /var/www/html/example.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/html/example.com/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Сохранить.
$ sudo a2ensite example.com.conf
$ sudo a2enmod rewrite
$ sudo systemctl reload apache2
$ sudo apt install certbot
$ sudo mkdir -p /var/lib/letsencrypt/.well-known
$ sudo chgrp www-data /var/lib/letsencrypt
$ sudo chmod g+s /var/lib/letsencrypt
$ sudo nano /etc/apache2/conf-available/well-known.conf
Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>
Сохранить.
$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo add-apt-repository ppa:ondrej/apache2
$ sudo apt update
$ sudo apt upgrade
$ sudo a2enmod http2
$ sudo a2enconf well-known
$ sudo systemctl restart apache2
$ sudo certbot certonly --agree-tos --email admin@example.com
--webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2019-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
Protocols h2 http:/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/html/example.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/html/example.com/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Сохранить.
$ sudo nano /etc/apache2/mods-available/ssl.conf
Добавить после <IfModule mod_ssl.c> :
<IfModule mod_ssl.c>
# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Сохранить.
$ sudo systemctl restart apache2
$ sudo crontab -e
Добавить:
0 1 * * * /usr/bin/certbot renew & > /dev/null
Сохранить.
https://example.com/