Secure Apache2 HTTPS Websites with Let’s Encrypt Free SSL/TLS Certificates on Ubuntu 16.04 | 18.04
Configuring Apache for 1C
$ sudo dpkg -i 1c-enterprise83-ws_8.3.13-1690_amd64.deb
$ sudo apt-get install apache2 -y
Create a directory for the vrd file:
$ sudo mkdir -p /var/www/ib/demo
And an Apache configuration file:
$ sudo touch /etc/apache2/conf-available/demo.conf
Change to the directory containing the web client publishing utility:
$ cd /opt/1C/v8.3/x86_64/
Run the utility:
$ sudo ./webinst -apache24 -wsdir demo -dir '/var/www/ib/demo' -connstr 'Srvr="test";Ref="demo";' -confPath /etc/apache2/conf-available/demo.conf
Here /var/www/ib/demo is the directory where the vrd file will be created, demo is the infobase name, test is the address of the 1C:Enterprise server, and /etc/apache2/conf-available/demo.conf is the path to the Apache configuration file.
Enable the configuration:
$ sudo a2enconf demo
Reload Apache:
$ sudo service apache2 reload
# systemctl restart apache2
Check the result:
http://test/demo or https://test/demo
================================================
It started glitching, so we do not do this!!!:
It may look like this:
$ sudo apachectl -V | grep -i mpm
AH00534: apache2: Configuration error: No MPM loaded.
Or it may look like this:
$ sudo apachectl -V | grep -i mpm
Server MPM: event
$ sudo a2dismod mpm_event
$ sudo a2enmod mpm_worker
Considering conflict mpm_event for mpm_worker:
Considering conflict mpm_prefork for mpm_worker:
Enabling module mpm_worker.
To activate the new configuration, you need to run:
service apache2 restart
$ sudo service apache2 restart
$ sudo apachectl -V | grep -i mpm
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.0.239. Set the 'ServerName' directive globally to suppress this message
Server MPM: worker
Apache MPM worker
$ sudo nano /etc/apache2/mods-enabled/mpm_worker.conf
# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadLimit: ThreadsPerChild can be changed to this maximum value during a
# graceful restart. ThreadLimit can only be changed by stopping
# and starting Apache.
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of threads
# MaxConnectionsPerChild: maximum number of requests a server process serves
<IfModule mpm_worker_module>
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 0
</IfModule>
================================================
$ sudo apt install gnutls-bin
$ sudo mkdir /etc/cert/
$ sudo -i
# cd /etc/cert
Generating the CA
# certtool --generate-privkey --outfile ca-key.pem
# cat << _EOF_ >ca.tmpl
cn = "VPN CA"
organization = "Big Corp"
serial = 1
expiration_days = -1
ca
signing_key
cert_signing_key
crl_signing_key
_EOF_
# certtool --generate-self-signed --load-privkey ca-key.pem \
--template ca.tmpl --outfile ca-cert.pem
Generating the local server certificate
The following example creates the server key and certificate pair.
# certtool --generate-privkey --outfile server-key.pem
# cat << _EOF_ >server.tmpl
cn = "VPN server"
dns_name = "http"
dns_name = "example.com"
dns_name = "www.example.com"
ip_address = "192.168.0.111"
ip_address = "10.10.10.2"
ip_address = "XXX.XXX.XXX.XXX"
organization = "MyCompany"
expiration_days = -1
signing_key
encryption_key #only if the generated key is an RSA one
tls_www_server
_EOF_
# certtool --generate-certificate --load-privkey server-key.pem \
--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
--template server.tmpl --outfile server-cert.pem
$ sudo mkdir /var/www/html/example.com/
$ sudo chown -R www-data:www-data /var/www/html/example.com/
$ sudo chmod -R 755 /var/www/html/example.com/
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
Save.
$ sudo a2ensite example.com.conf
$ sudo a2enmod rewrite
$ sudo systemctl reload apache2
$ sudo a2enmod ssl
$ sudo a2enmod headers
$ sudo systemctl restart apache2
$ sudo openssl dhparam -out /etc/cert/dhparam.pem 2048
$ sudo nano /etc/apache2/sites-available/example.com.conf
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
Redirect permanent / https://example.com/
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com
Protocols h2 http/1.1
<If "%{HTTP_HOST} == 'www.example.com'">
Redirect permanent / https://example.com/
</If>
ErrorLog ${APACHE_LOG_DIR}/example.com-error.log
CustomLog ${APACHE_LOG_DIR}/example.com-access.log combined
SSLEngine On
SSLCertificateFile /etc/cert/server-cert.pem
SSLCertificateKeyFile /etc/cert/server-key.pem
SSLOpenSSLConfCmd DHParameters "/etc/cert/dhparam.pem"
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCompression off
SSLUseStapling on
<Directory /var/www/html/example.com/>
Options FollowSymlinks
AllowOverride All
Require all granted
</Directory>
<Directory /var/www/html/example.com/>
RewriteEngine on
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*) index.php [PT,L]
</Directory>
</VirtualHost>
Save.
$ sudo nano /etc/apache2/mods-available/ssl.conf
Add after <IfModule mod_ssl.c>:
<IfModule mod_ssl.c>
# Set the location of the SSL OCSP Stapling Cache
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
Save.
$ sudo systemctl restart apache2
For Windows, download /etc/cert/ca-cert.pem and rename it to ca-cert.crt
Installing the root certificate in the Mozilla Firefox browser
For IE, Google Chrome and other browsers, install ca-cert.crt into Trusted Root Certification Authorities
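A pre-flight check for the files generated above, as an added example that is not part of the original post: it confirms that the private keys are not readable by group or others, that server-key.pem belongs to server-cert.pem, that the certificate verifies against ca-cert.pem, and that it covers the host name. The file names follow the post; the function names and the script name check-cert.sh are assumptions made up for this example, and it relies on the openssl command-line tool being installed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the key and
# certificate files created above. File names follow the post; the function
# names are assumptions made up for this example.

# 0 if group and others have no permission bits on the file.
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# 0 if the certificate carries the public key derived from the private key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the server certificate verifies against the local CA certificate.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the host name is covered by the certificate (the dns_name entries).
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Run every check on a directory laid out like /etc/cert in the post.
# Prints one line per failed check and returns the number of failures.
check_tls_material() {
    dir=$1; host=$2; fails=0
    for f in server-key.pem ca-key.pem; do
        key_is_private "$dir/$f" ||
            { echo "FAIL: $f is accessible to group or others"; fails=$((fails + 1)); }
    done
    key_matches_cert "$dir/server-key.pem" "$dir/server-cert.pem" ||
        { echo "FAIL: server-key.pem does not match server-cert.pem"; fails=$((fails + 1)); }
    chain_ok "$dir/ca-cert.pem" "$dir/server-cert.pem" ||
        { echo "FAIL: server-cert.pem does not verify against ca-cert.pem"; fails=$((fails + 1)); }
    host_ok "$dir/server-cert.pem" "$host" ||
        { echo "FAIL: certificate does not cover $host"; fails=$((fails + 1)); }
    return "$fails"
}

# Usage: sh check-cert.sh /etc/cert example.com   (run as root to read the keys)
if [ "$#" -eq 2 ]; then check_tls_material "$1" "$2"; fi
```

A non-zero exit status is the number of failed checks, so the script can gate the final `systemctl restart apache2`.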