Apache2 configuration for SOGo and MediaWiki: Difference between revisions

mNo edit summary
 
(13 intermediate revisions by the same user not shown)
Line 4: Line 4:
[[Category:MediaWiki]]
[[Category:MediaWiki]]
[[Category:Raspberry Pi]]
[[Category:Raspberry Pi]]
=See also=
* [[Raspberry Pi SOGo Groupware]]
* [[Get HTTPS for free]]
* [[SOGo]]
* [[MediaWiki]]
* [[Apache2 webserver]]
* [[Create certificates for Apache2]]
* [[Configure local DNS file]]
* [[Dynamic DNS service]]
* [[DNS server]]
* [[Raspberry Pi - Pi-Hole Network-wide ad blocking]]


= Info =
= Info =


Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.  
Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.  
* MediaWiki on http (80) and https (443). Force secure SSL login.
* An entry for Raspberry Pi monitor pages local http (80)
* An entry for thw Pi-hole pages local http (80)
* MediaWiki on https (443). Force secure SSL login.
* SOGo only on https (443) redirect http (80) to https (443)
* SOGo only on https (443) redirect http (80) to https (443)


An entry for a Raspberry Pi has been added.
=Configuration (Raspberry Pi)=
 
=Configuration (Ubuntu)=


Disable default SOGo configuration of Apache:
Disable default SOGo configuration of Apache:
Line 24: Line 37:


<syntaxhighlight lang=bash>
<syntaxhighlight lang=bash>
sudo gedit /etc/apache2/sites-available/wilbertvolkers.linkpc.net.conf
sudo nano /etc/apache2/sites-available/raspberrypi.conf
</syntaxhighlight>
</syntaxhighlight>


<blockquote>
<blockquote>
<syntaxhighlight lang=apache>
<syntaxhighlight lang=apache>
SSLRandomSeed startup file:/dev/urandom 1024  
SSLRandomSeed startup file:/dev/urandom 1024  
SSLRandomSeed connect file:/dev/urandom 1024  
SSLRandomSeed connect file:/dev/urandom 1024  
#Apache2.2:
##SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm


<VirtualHost *:80>
ServerName wjv.duckdns.org
Servername wilbertvolkers.linkpc.net
ServerAdmin admin@wjv.duckdns.org
SSLEngine Off
ServerSignature Off
SSLSessionCacheTimeout 600
 
SSLVerifyClient none
# ACME challenge ###################
SSLProxyEngine off
 
ServerSignature Off
Listen 8080
RewriteEngine On
<VirtualHost _default_:8080>
Alias "/.well-known/acme-challenge" "/var/www/acme-challenge"
<Directory /var/www/acme-challenge>
AllowOverride None
Require all granted
</Directory>
 
# forward 80 >(router)> 8080 > https
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/.well-known/(.*)  -  [L]
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
 
# Local port 80 ####################
 
<VirtualHost _default_:80>
 
#pi-hole admin via http
Alias /admin/ /var/www/html/admin/
<Directory /var/www/html/admin/>
AllowOverride None
Require all granted
</Directory>
 
Alias /pihole/ /var/www/html/pihole/
<Directory /var/www/html/pihole/>
AllowOverride None
Require all granted
</Directory>
 
#RPi-monitor
Alias /rpimonitor/ /usr/share/rpimonitor/web/
<Directory /usr/share/rpimonitor/web/>
AllowOverride None
Require all granted
</Directory>
 
</VirtualHost>
 
# HTTPS/SSL port 443 ################
 
SSLProtocol            all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder    off
SSLSessionTickets      off
 
<VirtualHost _default_:443>
#Mediawiki / SOGo
 
DocumentRoot /var/www/docroot/


#mediawiki on port 80
SSLEngine Off
#redirect UserLogin page to https
SSLEngine On
RewriteCond %{REQUEST_URI} ^/mediawiki/index.php$
SSLSessionCacheTimeout 600
RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
SSLVerifyClient none
RewriteCond %{REQUEST_METHOD} ^GET$
SSLProxyEngine off
RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]
   
   
DocumentRoot /var/www/
SSLCertificateFile /etc/apache2/ssl/server.cer
Alias /mediawiki/ /var/www/mediawiki/
SSLCertificateKeyFile /etc/apache2/ssl/server.key
<Directory /var/www/mediawiki/>
 
AllowOverride None
ErrorLog ${APACHE_LOG_DIR}/error.log
#Apache2.2:
CustomLog ${APACHE_LOG_DIR}/access.log combined
##Order allow,deny
##allow from all
#Apache2.4:
Require all granted
</Directory>
   
   
ErrorLog ${APACHE_LOG_DIR}/error.log
#enable debug info to solve problems
CustomLog ${APACHE_LOG_DIR}/access.log combined
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
#LogLevel debug
 
# MediaWiki ###################
   
   
#SOGo redirect http://../SOGo to https://../SOGo
Alias "/mediawiki" "/var/www/mediawiki"
#Note: leave this out to make it a bit more difficult to find things on your server
<Directory /var/www/mediawiki>
#RewriteCond %{REQUEST_URI} ^/SOGo(.*)$
SSLRequireSSL
#RewriteCond %{REQUEST_METHOD} ^GET$
AllowOverride None
#RewriteRule ^(.*)$ https://wilbertvolkers.linkpc.net/SOGo$1 [R]
Require all granted
</virtualhost>
</Directory>


<VirtualHost *:443>
# MediaWiki security manual
Servername wilbertvolkers.linkpc.net
php_flag register_globals off
SSLEngine On
SSLOptions +StrictRequire
SSLProtocol -all +TLSv1 +SSLv3
# Support only for strong cryptography:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
ServerSignature Off
   
   
SSLCertificateFile /etc/apache2/ssl/server.cer
<Directory /var/www/mediawiki/images>
SSLCertificateKeyFile /etc/apache2/ssl/server.key
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
</Directory>
 
<Directory /var/www/mediawiki/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
   
   
ErrorLog ${APACHE_LOG_DIR}/error.log
<Directory /var/www/mediawiki/cache>
CustomLog ${APACHE_LOG_DIR}/access.log combined
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>


#mediawiki via https
# SOGo ########################
Alias /mediawiki/ /var/www/mediawiki/
# https://wjv.duckdns.org/(null):/SOGo/so/wilbert/Calendar
<Directory /var/www/mediawiki/>
SSLRequireSSL
<IfModule mpm_itk_module>
AllowOverride None
AssignUserId sogo-a sogo-a
#Apache2.2:
</IfModule>
##Order deny,allow
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
##Allow from all
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
#Apache2.4:
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
Require all granted
<Directory /usr/lib/GNUstep/SOGo/>
</Directory>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
</LocationMatch>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wjv.duckdns.org"
RequestHeader set "x-webobjects-server-url" "https://wjv.duckdns.org"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Require all granted
</Proxy>


#SOGo
  # use mod_rewrite to pass remote address to the SOGo proxy.
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
# The remote address will appear in SOGo's log files and in the X-Forward
<IfModule mpm_itk_module>
# header of emails.
AssignUserId sogo-a sogo-a
RewriteEngine On
</IfModule>
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
<Directory /usr/lib/GNUstep/SOGo/>
SSLRequireSSL
AllowOverride None
#Apache2.2:
##Order deny,allow
##Allow from all
#Apache2.4:
Require all granted
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
</LocationMatch>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
#Apache2.2:
##Order allow,deny
##allow from all
#Apache2.4:
Require all granted
</Proxy>
   
# use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
# redirect https://../ to https://../SOGo
#Note: leave this out to make it a bit more difficult to find things on your server
#Redirect temp /index.html https://%{SERVER_NAME}/SOGo
</virtualhost>
</virtualhost>
</syntaxhighlight>
</syntaxhighlight>
</blockquote>
</blockquote>
Line 174: Line 217:
To test if everything is working go to:
To test if everything is working go to:
* https://wilbertvolkers.linkpc.net/SOGo
* https://wilbertvolkers.linkpc.net/SOGo
* http://wilbertvolkers.linkpc.net/SOGo
** You should go to https
* http://wilbertvolkers.linkpc.net/mediawiki
* https://wilbertvolkers.linkpc.net/mediawiki
* https://wilbertvolkers.linkpc.net/mediawiki
* http://wilbertvolkers.linkpc.net/mediawiki/index.php?title=Special:UserLogin
* http://192.168.1.2/admin/
** You should go to https
* http://192.168.1.2/rpimonitor/status.html
 
=Configuration (Raspberry Pi)=
 
Another example of an Apache2 conf file, targeting a Rasberry Pi system but not exclusively. This configuration:
* allows only https access, http is redirected to https
* contains some additional security measures for MediaWiki
* no SSLv3, search for 'poodle attack' is you want to know more
 
<syntaxhighlight lang=bash>
sudo gedit /etc/apache2/sites-available/raspberrypi.conf
</syntaxhighlight>
 
<blockquote>
<syntaxhighlight lang=apache>
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
 
<VirtualHost 192.168.1.2:80>
# forward http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
 
<VirtualHost 192.168.1.2:443>
Servername wilbertvolkers.linkpc.net
ServerAdmin admin@wilbertvolkers.linkpc.net
 
SSLEngine On
SSLOptions +StrictRequire
# Note: +SSLv3 not supported by this version of OpenSSL
SSLProtocol -all +TLSv1
# Support only for strong cryptography:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
ServerSignature Off
 
#enable debug info to find reasons, for axample when you get http 500 internal server error
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
# debug, trace1 - trace8
#LogLevel debug
 
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
 
# MediaWiki security manual
php_flag register_globals off
 
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
 
# DocumentRoot /var/www/docroot
Alias "/mediawiki" "/var/www/mediawiki"
<Directory /var/www/mediawiki>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
 
# MediaWiki security manual
<Directory /var/www/mediawiki/images>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
# If you've other scripting languages, disable them too.
</Directory>
 
# MediaWiki security manual
<Directory /var/www/mediawiki/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
# SOGo
DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
<IfModule mpm_itk_module>
AssignUserId sogo-a sogo-a
</IfModule>
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
<Directory /usr/lib/GNUstep/SOGo/>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
</LocationMatch>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Require all granted
</Proxy>
# use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>
</virtualhost>
</syntaxhighlight>
</blockquote>
 
=See also=
* [[SOGo]]
* [[MediaWiki]]
* [[Apache2 webserver]]
* [[Create certificates for Apache2]]
* [[Configure local DNS file]]
* [[Dynamic DNS service]]
* [[DNS server]]
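Review bot: The new `_default_:443` vhost keeps an `SSLEngine Off` line directly above `SSLEngine On` (the pair also survives in the latest revision below); only the last SSLEngine directive in a context takes effect, so the `Off` line is dead and should be dropped so the vhost does not read as if TLS were disabled. The same vhost mixes 2.2-style `Deny from all` with 2.4-style `Require local` on the images/deleted and cache directories; on 2.4 `Require local` alone expresses the loopback-only intent and the httpd docs advise against mixing the two forms. In the 8080 ACME vhost the catch-all redirect uses `%{SERVER_NAME}`, which under the default `UseCanonicalName Off` is derived from the client's Host header, so the redirect target is only pinned to wjv.duckdns.org if `UseCanonicalName On` is set in that vhost. Which of the doubled lines are old and which are new cannot be told from this rendering, so these points are checked against the latest revision.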

Latest revision as of 18:11, 14 April 2021


See also

Info

Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.

  • An entry for the Raspberry Pi monitor pages on local http (80)
  • An entry for the Pi-hole pages on local http (80)
  • MediaWiki on https (443). Force secure SSL login.
  • SOGo only on https (443); http (80) is redirected to https (443)

Configuration (Raspberry Pi)

Disable default SOGo configuration of Apache:

# Move the packaged SOGo vhost aside (rather than deleting it) so it cannot conflict
# with the site-specific configuration below and can be restored if needed.
sudo mv /etc/apache2/conf.d/SOGo.conf /etc/apache2/conf.d/SOGo.conf.backup

Create new configuration in 'sites-available':

# Create the site file; the name chosen here (raspberrypi) is the one to pass to a2ensite later.
sudo nano /etc/apache2/sites-available/raspberrypi.conf

# Seed the TLS PRNG from the kernel entropy pool, once at startup and again per connection.
SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 

# Server-wide identity; the VirtualHosts below do not set their own ServerName and so inherit this one.
ServerName wjv.duckdns.org
ServerAdmin admin@wjv.duckdns.org
# Keep version/OS details out of server-generated pages (error pages, directory listings).
ServerSignature Off

# ACME challenge ###################
# HTTP-01 validation endpoint for certificate issuance. The router forwards external
# port 80 to 8080 here; only ACME challenge files are served, everything else is
# bounced to https.

Listen 8080
<VirtualHost _default_:8080>
 Alias "/.well-known/acme-challenge" "/var/www/acme-challenge"
 <Directory /var/www/acme-challenge>
	# no .htaccess processing; challenge files are world-readable by design
	AllowOverride None
	Require all granted
 </Directory>

 # forward 80 >(router)> 8080 > https
 RewriteEngine On
 RewriteCond %{HTTPS} !=on
 # pass ACME challenge requests through untouched ...
 RewriteRule ^/.well-known/(.*)  -  [L]
 # ... and redirect everything else to https.
 # NOTE(review): with the default UseCanonicalName Off, %{SERVER_NAME} follows the
 # client-supplied Host header; set "UseCanonicalName On" in this vhost if the
 # redirect must always land on the configured ServerName.
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] 
</VirtualHost>

# Local port 80 ####################
# Plain-http vhost for the LAN-side admin pages (Pi-hole, RPi-Monitor).
# NOTE(review): nothing in this vhost restricts the client address; it is reachable by
# any client that can reach port 80 on this host, and only the router's port mapping
# (see the "forward 80 >(router)> 8080" comment above) keeps it off the internet.
# Consider "Require ip <LAN-CIDR>" (placeholder) in the <Directory> sections if that
# assumption should not be load-bearing.

<VirtualHost _default_:80>

 #pi-hole admin via http
 Alias /admin/ /var/www/html/admin/
 <Directory /var/www/html/admin/>
	AllowOverride None
	Require all granted
 </Directory>

 Alias /pihole/ /var/www/html/pihole/
 <Directory /var/www/html/pihole/>
	AllowOverride None
	Require all granted
 </Directory>

 #RPi-monitor
 Alias /rpimonitor/ /usr/share/rpimonitor/web/
 <Directory /usr/share/rpimonitor/web/>
	AllowOverride None
	Require all granted
 </Directory>

</VirtualHost>

# HTTPS/SSL port 443 ################
# Server-wide TLS policy, inherited by the :443 VirtualHost below.

# TLS 1.2 only (plus TLS 1.3 where the build supports it); SSLv3, TLS 1.0 and 1.1 are disabled.
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
# AEAD suites only (AES-GCM / ChaCha20-Poly1305), all with ECDHE or DHE key exchange for forward secrecy.
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Let the client choose among the listed suites; all of them are considered acceptable.
SSLHonorCipherOrder     off
# No stateless session tickets: a long-lived ticket key would weaken forward secrecy.
SSLSessionTickets       off

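<VirtualHost _default_:443>
 #Mediawiki / SOGo
 # Single TLS vhost: serves MediaWiki directly and reverse-proxies SOGo.
 # Protocol and cipher policy come from the server-wide SSLProtocol/SSLCipherSuite above.

 DocumentRoot /var/www/docroot/

 # TLS on for this vhost (a leftover "SSLEngine Off" that preceded this line was removed:
 # only the last SSLEngine directive in a context counts, so it was dead but misleading).
 SSLEngine On
 SSLSessionCacheTimeout 600 
 SSLVerifyClient none 
 SSLProxyEngine off
 
 SSLCertificateFile /etc/apache2/ssl/server.cer
 SSLCertificateKeyFile /etc/apache2/ssl/server.key

 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 
 #enable debug info to solve problems
 #http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
 #LogLevel debug

 # MediaWiki ###################
 
 Alias "/mediawiki" "/var/www/mediawiki"
 <Directory /var/www/mediawiki>
	# refuse non-TLS access to the wiki even if the tree were reachable another way
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>

 # MediaWiki security manual
 # register_globals no longer exists in current PHP (removed in 5.4); kept for older installs.
 php_flag register_globals off
 
 <Directory /var/www/mediawiki/images>
	# Ignore .htaccess files
	AllowOverride None
	# Serve HTML as plaintext, don't execute SHTML
	AddType text/plain .html .htm .shtml .php .phtml .php5
	# Don't run arbitrary PHP code.
	# (user uploads land in this tree, so nothing here may ever run server-side)
	php_admin_flag engine off
 </Directory>

 # NOTE(review): "Deny from all" is Apache 2.2 syntax (mod_access_compat) and "Require local"
 # the 2.4 form; the httpd docs advise against mixing them in one section. On 2.4 the
 # Require line alone expresses the intent (loopback only). Kept here as the MediaWiki
 # security manual lists both; verify against the installed httpd version.
 <Directory /var/www/mediawiki/images/deleted>
	Deny from all
	AllowOverride AuthConfig Limit
	Require local
 </Directory>
 
 <Directory /var/www/mediawiki/cache>
	Deny from all
	AllowOverride AuthConfig Limit
	Require local
 </Directory>

 # SOGo ########################
 # https://wjv.duckdns.org/(null):/SOGo/so/wilbert/Calendar
 
 <IfModule mpm_itk_module>
	AssignUserId sogo-a sogo-a
 </IfModule>
 # Static SOGo assets are served straight from the GNUstep tree, not through the proxy.
 Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
 <Directory /usr/lib/GNUstep/SOGo/>
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>
 <LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
	SetHandler default-handler
 </LocationMatch>
 # Reverse proxy to the local sogod; ProxyRequests Off keeps this from acting as a forward proxy.
 ProxyRequests Off
 SetEnv proxy-nokeepalive 1
 ProxyPreserveHost On
 ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
 <Proxy http://127.0.0.1:20000/SOGo>
	# Tell SOGo how the client reached it, so the URLs it generates use the public https name.
	RequestHeader set "x-webobjects-server-port" "443"
	RequestHeader set "x-webobjects-server-name" "wjv.duckdns.org"
	RequestHeader set "x-webobjects-server-url" "https://wjv.duckdns.org"
	RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
	# REMOTE_HOST is populated by the RewriteRule below.
	RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
	AddDefaultCharset UTF-8
	Require all granted
 </Proxy>

 # use mod_rewrite to pass remote address to the SOGo proxy.
 # The remote address will appear in SOGo's log files and in the X-Forward
 # header of emails.
 RewriteEngine On
 RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>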

Enable Apache modules and website

Enable needed Apache2 modules:

# proxy + proxy_http: ProxyPass / <Proxy> to the local SOGo daemon
sudo a2enmod proxy
sudo a2enmod proxy_http
# headers: the RequestHeader lines in the <Proxy> section
sudo a2enmod headers
# rewrite: the http->https redirect and the REMOTE_HOST rewrite for SOGo
sudo a2enmod rewrite
# ssl: SSLEngine / SSLCertificate* in the :443 vhost
sudo a2enmod ssl
sudo service apache2 restart

Enable the site:

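# The site name must match the file created in sites-available above (raspberrypi.conf);
# a2ensite with any other name fails with "Site does not exist".
sudo a2ensite raspberrypi
sudo service apache2 reload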

To test if everything is working go to: