2017-11-14

Apache 2, Apache Rivet and openSUSE

This post assumes you already have Tcl installed on openSUSE; if not, install it first. The test environment is openSUSE Leap 42.3.

To install Apache HTTP Server 2 on openSUSE:
sudo zypper in apache2

To start Apache 2:
sudo systemctl start apache2

To stop Apache 2:
sudo systemctl stop apache2

To start the service at boot, use:
sudo chkconfig apache2 on

To turn that off again, use:
sudo chkconfig apache2 off
(On Leap 42.3 chkconfig is only a compatibility wrapper; the native systemd form is systemctl enable / disable apache2, with the same effect.)

If the server must be reachable from the network, you also have to open TCP port 80 (and 443 once HTTPS is set up) in the firewall (SuSEfirewall2 on Leap 42.3); otherwise it is only reachable on localhost.


Next, install Apache Rivet. On openSUSE, first add the repository:
sudo zypper addrepo https://download.opensuse.org/repositories/Apache:/Modules/openSUSE_Leap_42.3/ Apache-Modules

Refresh the repositories:
sudo zypper refresh

After the refresh, install the package with:
sudo zypper install apache2-mod_rivet

Enable the Apache Rivet module in Apache 2:
sudo a2enmod rivet
(* to remove it again, use sudo a2dismod rivet)

Then restart Apache 2:
sudo systemctl restart apache2

In the /srv/www/htdocs/ directory, create hello.rvt with the following content:
<? set hello_message "Hello world" ?>
<html>
  <head>
    <title><?= $hello_message ?></title>
  </head>
  <body><?= [::rivet::html $hello_message pre b] ?></body>
</html>
Browse to http://localhost/hello.rvt; if the message appears, the installation works.


Next, the Apache 2 HTTPS part. First make sure mod_ssl is enabled:
sudo a2enmod ssl

Then create a self-signed certificate with OpenSSL on Linux. Create a config file for the certificate, here named localhost.conf:
[req]
default_bits       = 2048
default_keyfile    = localhost.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = US
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName                = Locality Name (eg, city)
localityName_default        = Rochester
organizationName            = Organization Name (eg, company)
organizationName_default    = localhost
organizationalUnitName      = organizationalunit
organizationalUnitName_default = Development
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = localhost
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = localhost
IP.1    = 127.0.0.1
(Note: 127.0.0.1 is an address, not a host name, so it belongs under IP.n; a literal address listed as DNS.n is not matched when a browser verifies https://127.0.0.1/.)
Run the following OpenSSL commands to create the self-signed certificate. -nodes writes the private key unencrypted, which Apache needs in order to start unattended, so no -passin/-passout option is needed:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout localhost.key -out localhost.crt -config localhost.conf

The second command is optional: it bundles key and certificate into a PKCS#12 file, which Apache itself does not use but which can be imported into a browser or another host. It prompts for an export password:
openssl pkcs12 -export -out localhost.pfx -inkey localhost.key -in localhost.crt
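As an added example (not code from the original post), the following Python script builds the same req config from a list of names, picking the right SAN type for each entry (DNS for host names, IP for address literals), and, if openssl is on the PATH, generates the certificate into a temporary directory and reads the subjectAltName back out of it. The DN values and file names mirror the config above; the use of prompt = no so that openssl takes the DN without asking is my addition.

```python
"""Generate an openssl 'req' config whose subjectAltName entries use the
right type (DNS vs IP) and, when openssl is installed, create the
self-signed certificate from it and read the SAN back.
Added example; not code from the original post."""
import ipaddress
import os
import shutil
import subprocess
import tempfile


def classify_san(name):
    """'IP' for an IPv4/IPv6 literal, 'DNS' for a host name. Clients match
    a literal address in the URL against IP SANs only, so writing
    'DNS.2 = 127.0.0.1' does not make https://127.0.0.1/ verify."""
    try:
        ipaddress.ip_address(name)
        return "IP"
    except ValueError:
        return "DNS"


def build_req_config(common_name, sans, key_file="localhost.key"):
    """Return the config text. DN values mirror the hand-written file;
    'prompt = no' (an assumption of this example) makes openssl take them
    without interactive questions."""
    counters = {"DNS": 0, "IP": 0}
    alt_lines = []
    for san in sans:
        kind = classify_san(san)
        counters[kind] += 1
        alt_lines.append(f"{kind}.{counters[kind]} = {san}")
    return "\n".join([
        "[req]",
        "default_bits       = 2048",
        f"default_keyfile    = {key_file}",
        "distinguished_name = req_distinguished_name",
        "req_extensions     = req_ext",
        "x509_extensions    = v3_ca",
        "prompt             = no",
        "",
        "[req_distinguished_name]",
        "C  = US",
        "ST = New York",
        "L  = Rochester",
        "O  = localhost",
        "OU = Development",
        f"CN = {common_name}",
        "",
        "[req_ext]",
        "subjectAltName = @alt_names",
        "",
        "[v3_ca]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
        *alt_lines,
        "",
    ])


def make_self_signed(config_text, out_dir, days=365):
    """Write the config, run 'openssl req -x509 -nodes ...' and return the
    subjectAltName line reported by 'openssl x509 -text' (None when
    openssl is not installed). -nodes leaves the key unencrypted, which
    Apache needs to start unattended, so the key file is locked to 0600."""
    if shutil.which("openssl") is None:
        return None
    conf = os.path.join(out_dir, "localhost.conf")
    key = os.path.join(out_dir, "localhost.key")
    crt = os.path.join(out_dir, "localhost.crt")
    with open(conf, "w") as fh:
        fh.write(config_text)
    subprocess.run(["openssl", "req", "-x509", "-nodes", "-days", str(days),
                    "-newkey", "rsa:2048", "-keyout", key, "-out", crt,
                    "-config", conf], check=True, capture_output=True)
    os.chmod(key, 0o600)  # private key: owner-only
    text = subprocess.run(["openssl", "x509", "-in", crt, "-noout", "-text"],
                          check=True, capture_output=True, text=True).stdout
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return lines[i + 1].strip()   # e.g. "DNS:localhost, IP Address:127.0.0.1"
    return ""


if __name__ == "__main__":
    cfg = build_req_config("localhost", ["localhost", "127.0.0.1", "::1"])
    print(cfg)
    with tempfile.TemporaryDirectory() as tmp:
        print("SAN in certificate:", make_self_signed(cfg, tmp))
```

Running it prints the generated config and, when openssl is available, a SAN line such as "DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1", which is the quick way to confirm the address really went in as an IP entry before copying the files into /etc/apache2.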

Then copy the generated files into Apache's directories. The key is the secret here: keep it owned by root with mode 0600 so no other local user can read it.
sudo cp localhost.crt /etc/apache2/ssl.crt/server.crt
sudo cp localhost.key /etc/apache2/ssl.key/server.key

For an officially signed certificate, see openSUSE: Setting Up a Secure Web Server with SSL.

Next, edit /etc/sysconfig/apache2. The SSL server flag is what activates the <IfDefine SSL> blocks in the SSL virtual host below:
APACHE_START_TIMEOUT="10" 
APACHE_SERVER_FLAGS="SSL"

Copy /etc/apache2/vhosts.d/vhost-ssl.template to /etc/apache2/vhosts.d/vhost-ssl.conf. The relevant settings are:
<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost *:443>

    #  General setup for the virtual host
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   You can use per vhost certificates if SNI is supported.
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>

Next, make the main site use HTTPS. Edit /etc/apache2/default-server.conf and add the following (if your httpd.conf already includes vhosts.d, this step is unnecessary; apache2ctl -S lists the virtual hosts Apache actually loaded, and the *:443 host should appear exactly once):
IncludeOptional /etc/apache2/conf.d/*.conf
IncludeOptional /etc/apache2/vhosts.d/*.conf

Then restart Apache 2:
sudo systemctl restart apache2

Browse to https://localhost/hello.rvt; if the message appears, the setup works (PS. because the certificate is self-signed, Firefox shows a warning; accept it only for this test host).

To force SSL, mod_rewrite must be enabled:
sudo a2enmod rewrite

Then edit /etc/apache2/vhosts.d/vhost-ssl.conf and add a plain-HTTP virtual host that redirects everything to HTTPS. In virtual-host context the matched URI keeps its leading slash, so the pattern is ^/?(.*) rather than (.*); otherwise $1 starts with / and the target becomes https://host//path. R=301 makes the redirect permanent so browsers remember the HTTPS origin:
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>

    #  General setup for the virtual host
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   You can use per vhost certificates if SNI is supported.
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt

    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

</VirtualHost>

* 2017/11/18 update: updated the rewrite rule

Then restart Apache 2:
sudo systemctl restart apache2

After this, all browsing is forced over HTTPS.
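The quickest way to confirm the redirect is correct is to request a page over plain HTTP without following redirects and inspect the response. The Python script below is an added example (not code from the original post): it checks one captured response for the properties the rule should guarantee (https scheme, same host, same path and query, no doubled slash, permanent status), and includes a probe() helper that performs the request against a running server. The two sample responses are constructed by me to show what the redirect looks like with the pattern (.*) versus ^/?(.*).

```python
"""Verify that a plain-HTTP request is answered with a correct redirect to
HTTPS (same host, same path and query, no doubled slash, permanent).
Added example for checking the force-HTTPS RewriteRule; not part of the post."""
import http.client
from urllib.parse import urlsplit


def check_https_redirect(status, headers, host, request_uri):
    """Return a list of findings for one captured response; an empty list
    means the redirect is correct. 'headers' is a dict of response headers."""
    if status not in (301, 302, 307, 308):
        return [f"status {status} is not a redirect"]
    findings = []
    if status in (302, 307):
        # [R] without a code is a 302; browsers do not remember it, so every
        # visit starts over plain HTTP again. R=301 avoids that.
        findings.append("temporary redirect; use R=301")
    location = headers.get("Location")
    if location is None:
        findings.append("redirect without a Location header")
        return findings
    target = urlsplit(location)
    wanted = urlsplit(request_uri)
    if target.scheme != "https":
        findings.append(f"Location scheme is {target.scheme!r}, not https")
    if target.netloc != host:
        findings.append(f"Location host {target.netloc!r} differs from {host!r}")
    if target.path.startswith("//"):
        # RewriteRule (.*) keeps the leading '/' of the URI, so
        # https://host/$1 becomes https://host//path; ^/?(.*) avoids it.
        findings.append(f"path {target.path!r} starts with a double slash")
    elif target.path != wanted.path:
        findings.append(f"path {target.path!r} differs from {wanted.path!r}")
    if target.query != wanted.query:
        findings.append("query string was not preserved")
    return findings


# Constructed sample responses (not captured from a real server): what the
# pattern '(.*) ... [R,L]' produces, and what '^/?(.*) ... [R=301,L]' produces.
ORIGINAL_RULE_RESPONSE = (302, {"Location": "https://localhost//hello.rvt"})
FIXED_RULE_RESPONSE = (301, {"Location": "https://localhost/hello.rvt"})


def probe(host, request_uri, port=80):
    """Fetch one URL over plain HTTP without following redirects and return
    the findings. Needs a running server; the checks above do not."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", request_uri, headers={"Host": host})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    conn.close()
    return check_https_redirect(resp.status, headers, host, request_uri)


if __name__ == "__main__":
    for label, (status, hdrs) in (("(.*) rule", ORIGINAL_RULE_RESPONSE),
                                  ("^/?(.*) rule", FIXED_RULE_RESPONSE)):
        print(label, check_https_redirect(status, hdrs, "localhost", "/hello.rvt"))
```

Against the live server, probe("localhost", "/hello.rvt") should return an empty list; any finding it prints names the exact property of the rewrite rule that still needs fixing.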
