Thursday, 27 June 2019

Publishing an infobase (IB) on the Apache 2.4 web server.

Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04

$ sudo dpkg -i 1c-enterprise83-ws_8.3.13-1690_amd64.deb
$ sudo apt-get install apache2 -y

Create the directory for the vrd file:
$ sudo mkdir -p /var/www/ib/demo

And the Apache configuration file:
$ sudo touch /etc/apache2/conf-available/demo.conf

Change to the directory containing the web-client publishing utility:
$ cd /opt/1C/v8.3/x86_64/

Run the utility:
$ sudo ./webinst -apache24 -wsdir demo -dir '/var/www/ib/demo' -connstr 'Srvr="test";Ref="demo";' -confPath /etc/apache2/conf-available/demo.conf


Here /var/www/ib/demo is the directory in which the vrd file will be created, demo is the infobase name, test is the address of the 1C:Enterprise server, and /etc/apache2/conf-available/demo.conf is the path to the Apache configuration file.

Enable the configuration:
$ sudo a2enconf demo

Reload (or restart) Apache:
$ sudo service apache2 reload
# systemctl restart apache2

Check:
http://test/demo или https://test/demo

================================================
It started acting up:

It may look like this:
$ sudo apachectl -V | grep -i mpm
AH00534: apache2: Configuration error: No MPM loaded.

Or like this:
$ sudo apachectl -V | grep -i mpm
Server MPM:     event
$ sudo a2dismod mpm_event

$ sudo a2enmod mpm_worker

Considering conflict mpm_event for mpm_worker:
Considering conflict mpm_prefork for mpm_worker:
Enabling module mpm_worker.
To activate the new configuration, you need to run:
  service apache2 restart

$ sudo service apache2 restart


$ sudo apachectl -V | grep -i mpm
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.0.239. Set the 'ServerName' directive globally to suppress this message
Server MPM:     worker

Apache MPM worker

$ sudo nano /etc/apache2/mods-enabled/mpm_worker.conf

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
#                         graceful restart. ThreadLimit can only be changed by stopping
#                         and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves

<IfModule mpm_worker_module>
        StartServers            2
        MinSpareThreads         25
        MaxSpareThreads         75
        ThreadLimit             64
        ThreadsPerChild         25
        MaxRequestWorkers       150
        MaxConnectionsPerChild  0
</IfModule>
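As an added example (not from the original post), a small POSIX shell check for the state behind both symptoms above: `apachectl -V` reports the MPM the running binary actually loaded, while `mods-enabled` shows what is configured, and the two drift apart between `a2enmod`/`a2dismod` and the restart. Zero `mpm_*.load` links gives the AH00534 "No MPM loaded" error, more than one gives the conflict messages. The `apachectl -V` text below is constructed; the directory to inspect is passed as an argument.

```shell
#!/bin/sh
# Added example, not part of the original post.
# detect_mpm: read `apachectl -V` output on stdin, print the MPM name;
# returns 1 when no "Server MPM:" line is present.
detect_mpm() {
    mpm=$(sed -n 's/^Server MPM:[[:space:]]*//p')
    [ -n "$mpm" ] || return 1
    printf '%s\n' "$mpm"
}

# count_enabled_mpms DIR: number of mpm_*.load links in a mods-enabled directory.
count_enabled_mpms() {
    n=0
    for f in "$1"/mpm_*.load; do
        [ -e "$f" ] && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# mpm_status DIR < apachectl-output: 0 when exactly one MPM is enabled and it
# is the one the running server reports; 1 otherwise, with a diagnosis on stderr.
mpm_status() {
    dir=$1
    n=$(count_enabled_mpms "$dir")
    if [ "$n" -eq 0 ]; then
        echo "no MPM enabled in $dir (this is the AH00534 'No MPM loaded' case)" >&2
        return 1
    elif [ "$n" -gt 1 ]; then
        echo "$n MPMs enabled in $dir; keep exactly one (a2dismod the others)" >&2
        return 1
    fi
    loaded=$(detect_mpm) || { echo "apachectl -V reported no MPM" >&2; return 1; }
    enabled=$(basename "$dir"/mpm_*.load .load | sed 's/^mpm_//')
    if [ "$loaded" != "$enabled" ]; then
        echo "running MPM '$loaded' differs from enabled '$enabled'; restart apache2" >&2
        return 1
    fi
    echo "ok: MPM $loaded"
}

# Constructed sample of `apachectl -V` output after the switch to mpm_worker.
SAMPLE_APACHECTL='Server version: Apache/2.4.29 (Ubuntu)
Server MPM:     worker
  threaded:     yes (fixed thread count)'

# Live usage on the server:
#   sudo apachectl -V 2>/dev/null | mpm_status /etc/apache2/mods-enabled
```

The `2>/dev/null` in the live usage line drops the AH00558 ServerName warning seen above so only the MPM line reaches the check.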
================================================
$ sudo mkdir /var/www/html/example.com/

$ sudo chown -R www-data:www-data /var/www/html/example.com/

$ sudo chmod -R 755 /var/www/html/example.com/

$ sudo nano /etc/apache2/sites-available/example.com.conf

<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com
  ServerAdmin admin@example.com
  DocumentRoot /var/www/html/example.com

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Save.


$ sudo a2ensite example.com.conf

$ sudo a2enmod rewrite

$ sudo systemctl reload apache2

$ sudo apt install certbot

$ sudo mkdir -p /var/lib/letsencrypt/.well-known

$ sudo chgrp www-data /var/lib/letsencrypt

$ sudo chmod g+s /var/lib/letsencrypt

$ sudo nano /etc/apache2/conf-available/well-known.conf

Alias /.well-known/acme-challenge/ "/var/lib/letsencrypt/.well-known/acme-challenge/"
<Directory "/var/lib/letsencrypt/">
    AllowOverride None
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS
</Directory>

Save.

$ sudo a2enmod ssl

$ sudo a2enmod headers


$ sudo add-apt-repository ppa:ondrej/apache2
$ sudo apt update
$ sudo apt upgrade 
$ sudo a2enmod http2


$ sudo a2enconf well-known

$ sudo systemctl restart apache2

$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /var/lib/letsencrypt/ -d example.com -d www.example.com

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2019-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le


$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

$ sudo nano /etc/apache2/sites-available/example.com.conf


<VirtualHost *:80>
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot /var/www/html/example.com

  Protocols h2 http/1.1

  <If "%{HTTP_HOST} == 'www.example.com'">
    Redirect permanent / https://example.com/
  </If>

  ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
  CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
  SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on

  <Directory /var/www/html/example.com/>
       Options FollowSymlinks
       AllowOverride All
       Require all granted
  </Directory>

  <Directory /var/www/html/example.com/>
       RewriteEngine on
       RewriteBase /
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*) index.php [PT,L]
  </Directory>
</VirtualHost>

Save.

$ sudo nano /etc/apache2/mods-available/ssl.conf
Add after <IfModule mod_ssl.c>:

<IfModule mod_ssl.c>
        # Set the location of the SSL OCSP Stapling Cache
        SSLStaplingCache shmcb:/tmp/stapling_cache(128000)

Save.
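The hardened vhost above and the stapling cache just added to ssl.conf only work together if every directive is spelled and placed correctly, and Apache gives little feedback about a protocol list that is weaker than intended. As an added example (not the post's own code), the POSIX shell audit below reads a vhost file and reports the settings this post relies on: old protocols left enabled by `SSLProtocol`, `SSLCompression off` missing, `SSLUseStapling on` without a server-wide `SSLStaplingCache`, a `Protocols` line that does not list `http/1.1`, and a missing permanent redirect to https. The two vhost samples and the ssl.conf fragment it writes are constructed for the demonstration; the optional second argument is the file that may carry the stapling cache.

```shell
#!/bin/sh
# Added example, not part of the original post.

# proto_enabled LINE NAME: returns 0 when protocol NAME ends up enabled by an
# SSLProtocol line, following mod_ssl's left-to-right semantics
# ("all" enables everything, "-X" removes X, "+X" or bare "X" adds X).
proto_enabled() {
    name=$2
    enabled=1
    set -- $1
    shift                      # drop the directive name itself
    for tok in "$@"; do
        case "$tok" in
            [Aa]ll|+[Aa]ll)    enabled=0 ;;
            "-$name")          enabled=1 ;;
            "+$name"|"$name")  enabled=0 ;;
        esac
    done
    return $enabled
}

# audit_tls_vhost VHOST [SSLCONF]: prints one finding per line and returns the
# number of findings (0 means every check passed). SSLCONF is the file that
# may hold the server-wide SSLStaplingCache (mods-available/ssl.conf here).
audit_tls_vhost() {
    f=$1
    findings=0
    fail() { echo "$f: $1"; findings=$((findings + 1)); }

    proto_line=$(grep -Ei '^[[:space:]]*SSLProtocol[[:space:]]' "$f" | tail -n 1)
    if [ -z "$proto_line" ]; then
        fail "no SSLProtocol directive (the default leaves TLSv1.0 and TLSv1.1 on)"
    else
        for p in SSLv3 TLSv1 TLSv1.1; do
            proto_enabled "$proto_line" "$p" && fail "$p still enabled by:$proto_line"
        done
    fi
    grep -Eiq '^[[:space:]]*SSLCompression[[:space:]]+off' "$f" \
        || fail "SSLCompression off is not set"
    if grep -Eiq '^[[:space:]]*SSLUseStapling[[:space:]]+on' "$f"; then
        grep -Eiq '^[[:space:]]*SSLStaplingCache[[:space:]]' "$f" ${2:+"$2"} \
            || fail "SSLUseStapling on but no SSLStaplingCache (mod_ssl needs the cache)"
    fi
    if grep -Eiq '^[[:space:]]*Protocols[[:space:]]' "$f" \
       && ! grep -Eiq '^[[:space:]]*Protocols[[:space:]].*http/1\.1' "$f"; then
        fail "Protocols is set but does not list http/1.1 (check for a typo)"
    fi
    grep -Eiq '^[[:space:]]*Redirect[[:space:]]+permanent[[:space:]]+/[[:space:]]+https://' "$f" \
        || fail "no permanent redirect from the :80 vhost to https://"
    return $findings
}

# write_samples DIR: constructed inputs. weak.conf keeps mod_ssl defaults and
# carries the http:/1.1 typo; hard.conf mirrors the hardened vhost above;
# ssl.conf carries the stapling cache line.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
<VirtualHost *:443>
  ServerName example.com
  Protocols h2 http:/1.1
  SSLEngine On
  SSLProtocol All -SSLv2
  SSLUseStapling on
</VirtualHost>
EOF
    cat > "$1/hard.conf" <<'EOF'
<VirtualHost *:80>
  ServerName example.com
  Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
  ServerName example.com
  Protocols h2 http/1.1
  SSLEngine On
  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCompression off
  SSLUseStapling on
</VirtualHost>
EOF
    cat > "$1/ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
        SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
</IfModule>
EOF
}

# Live usage on the server:
#   audit_tls_vhost /etc/apache2/sites-available/example.com.conf /etc/apache2/mods-available/ssl.conf
```

The checks are textual on purpose: they run before `a2ensite` and `systemctl restart`, which is when a wrong `SSLProtocol` list is cheapest to catch. `apachectl configtest` remains the syntax check; this script only covers the strength of the settings.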


$ sudo systemctl restart apache2




$ sudo crontab -e


Add:

0 1 * * * /usr/bin/certbot renew > /dev/null 2>&1

Save.
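Because the certificate was obtained with `certbot certonly --webroot`, `certbot renew` writes the new files under /etc/letsencrypt/live but does not reload Apache, so the old certificate keeps being served until the next restart. As an added example (not the post's own code), the wrapper below runs the renewal with `--deploy-hook` (available in certbot 0.17 and later), which fires only when a certificate was actually renewed, and then verifies with `openssl x509 -checkend` that the live certificate is still good for a minimum number of days, logging the result through `logger`. The script path /usr/local/sbin/renew-check.sh, the 20-day threshold and the `CERT`/`MIN_DAYS` variables are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original post.
CERT=${CERT:-/etc/letsencrypt/live/example.com/fullchain.pem}
MIN_DAYS=${MIN_DAYS:-20}   # assumed alert threshold; certbot renews at 30 days left

# renew_cmd [EXTRA...]: the certbot command line this wrapper runs; extra
# arguments (for example --dry-run) are appended.
renew_cmd() {
    printf '%s' "/usr/bin/certbot renew --quiet --deploy-hook 'systemctl reload apache2'"
    for a in "$@"; do printf ' %s' "$a"; done
    printf '\n'
}

# cert_valid_for_days PEM DAYS: 0 when the certificate is still valid DAYS days
# from now (-checkend takes seconds), 1 when it expires before that.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_enddate PEM: the notAfter date, for the log line.
cert_enddate() {
    openssl x509 -noout -in "$1" -enddate | sed 's/^notAfter=//'
}

main() {
    sh -c "$(renew_cmd "$@")" \
        || { logger -t certbot-renew "certbot renew failed"; exit 1; }
    if cert_valid_for_days "$CERT" "$MIN_DAYS"; then
        logger -t certbot-renew "ok: $CERT valid beyond $MIN_DAYS days (expires $(cert_enddate "$CERT"))"
    else
        logger -t certbot-renew "WARNING: $CERT expires within $MIN_DAYS days; renewal is not working"
        exit 2
    fi
}

# Run only when invoked as the installed script, not when sourced for its functions.
case "${0##*/}" in
    renew-check.sh) main "$@" ;;
esac
```

Install it as /usr/local/sbin/renew-check.sh and replace the crontab line with `0 1 * * * /usr/local/sbin/renew-check.sh`; `renew-check.sh --dry-run` exercises the whole path against Let's Encrypt's staging environment without touching the live certificate.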
 
https://example.com/
