Apache2 configuration for SOGo and MediaWiki: Difference between revisions

From WickyWiki
← Older editNewer edit →
mNo edit summary
Line 146: Line 146:
<blockquote>
<blockquote>
<syntaxhighlight lang=apache>
<syntaxhighlight lang=apache>
SSLRandomSeed startup file:/dev/urandom 1024  
SSLRandomSeed startup file:/dev/urandom 1024  
SSLRandomSeed connect file:/dev/urandom 1024  
SSLRandomSeed connect file:/dev/urandom 1024  


<VirtualHost _default_:80>
<VirtualHost _default_:80>
# forward http to https
# forward http to https
RewriteEngine On
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
</VirtualHost>


<VirtualHost _default_:443>
<VirtualHost _default_:443>
Servername wilbertvolkers.linkpc.net
Servername wilbertvolkers.linkpc.net
ServerAdmin admin@wilbertvolkers.linkpc.net
ServerAdmin admin@wilbertvolkers.linkpc.net
 
SSLEngine On
SSLOptions +StrictRequire
# Note: +SSLv3 not supported by this version of OpenSSL
SSLProtocol -all +TLSv1
# Support only for strong cryptography:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
ServerSignature Off
 
#enable debug info to fix stuff
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
#LogLevel debug


SSLCertificateFile /etc/apache2/ssl/server.cer
SSLEngine On
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLOptions +StrictRequire
# Note: +SSLv3 not supported by this version of OpenSSL
SSLProtocol -all +TLSv1
# Support only for strong cryptography:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
ServerSignature Off
#enable debug info to solve problems
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
#LogLevel debug


DocumentRoot /var/www/docroot/
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key


# MediaWiki ###################
DocumentRoot /var/www/docroot/
 
# MediaWiki security manual
# MediaWiki ###################
php_flag register_globals off
 
# MediaWiki security manual
ErrorLog ${APACHE_LOG_DIR}/error.log
php_flag register_globals off
CustomLog ${APACHE_LOG_DIR}/access.log combined
 
ErrorLog ${APACHE_LOG_DIR}/error.log
Alias "/mediawiki" "/var/www/mediawiki"
CustomLog ${APACHE_LOG_DIR}/access.log combined
<Directory /var/www/mediawiki>
Alias "/mediawiki" "/var/www/mediawiki"
<Directory /var/www/mediawiki>
SSLRequireSSL
SSLRequireSSL
AllowOverride None
AllowOverride None
Require all granted
Require all granted
</Directory>
</Directory>


# MediaWiki security manual
# MediaWiki security manual
<Directory /var/www/mediawiki/images>
<Directory /var/www/mediawiki/images>
# Ignore .htaccess files
# Ignore .htaccess files
AllowOverride None
AllowOverride None
Line 204: Line 203:
# Don't run arbitrary PHP code.
# Don't run arbitrary PHP code.
php_admin_flag engine off
php_admin_flag engine off
</Directory>
</Directory>


# MediaWiki security manual
# MediaWiki security manual
<Directory /var/www/mediawiki/images/deleted>
<Directory /var/www/mediawiki/images/deleted>
Deny from all
Deny from all
AllowOverride AuthConfig Limit
AllowOverride AuthConfig Limit
Require local
Require local
</Directory>
</Directory>


# SOGo ########################
# SOGo ########################


<IfModule mpm_itk_module>
<IfModule mpm_itk_module>
AssignUserId sogo-a sogo-a
AssignUserId sogo-a sogo-a
</IfModule>
</IfModule>
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
<Directory /usr/lib/GNUstep/SOGo/>
<Directory /usr/lib/GNUstep/SOGo/>
SSLRequireSSL
SSLRequireSSL
AllowOverride None
AllowOverride None
Require all granted
Require all granted
</Directory>
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
SetHandler default-handler
</LocationMatch>
</LocationMatch>
ProxyRequests Off
ProxyRequests Off
SetEnv proxy-nokeepalive 1
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
Line 241: Line 240:
AddDefaultCharset UTF-8
AddDefaultCharset UTF-8
Require all granted
Require all granted
</Proxy>
</Proxy>


# use mod_rewrite to pass remote address to the SOGo proxy.
# use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
# header of emails.
RewriteEngine On
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>
</virtualhost>
</syntaxhighlight>
</syntaxhighlight>
</blockquote>
</blockquote>

Revision as of 13:11, 31 December 2017


Info

Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.

  • MediaWiki on http (80) and https (443). Force secure SSL login.
  • SOGo only on https (443) redirect http (80) to https (443)

An entry for a Raspberry Pi has been added.

Configuration (Ubuntu)

Disable default SOGo configuration of Apache: 

sudo mv /etc/apache2/conf.d/SOGo.conf /etc/apache2/conf.d/SOGo.conf.backup

Create new configuration in 'sites-available': 

sudo gedit /etc/apache2/sites-available/wilbertvolkers.linkpc.net.conf
SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 

<VirtualHost *:80>
	# forward http to https
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</virtualhost>

<VirtualHost *:443>
	Servername wilbertvolkers.linkpc.net
	SSLEngine On
	SSLOptions +StrictRequire
	SSLProtocol -all +TLSv1 +SSLv3 
	# Support only for strong cryptography:
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
	SSLSessionCacheTimeout 600 
	SSLVerifyClient none 
	SSLProxyEngine off
	ServerSignature Off
 
	SSLCertificateFile /etc/apache2/ssl/server.cer
	SSLCertificateKeyFile /etc/apache2/ssl/server.key
 
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	#mediawiki via https
	Alias /mediawiki/ /var/www/mediawiki/
	<Directory /var/www/mediawiki/>
		SSLRequireSSL
		AllowOverride None
		Require all granted
	</Directory>

	#SOGo
	DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
	<IfModule mpm_itk_module>
		AssignUserId sogo-a sogo-a
	</IfModule>
	Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
	<Directory /usr/lib/GNUstep/SOGo/>
		SSLRequireSSL
		AllowOverride None
		Require all granted
	</Directory>
	<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
 		SetHandler default-handler
	</LocationMatch>
	ProxyRequests Off
	SetEnv proxy-nokeepalive 1
	ProxyPreserveHost On
	ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
	<Proxy http://127.0.0.1:20000/SOGo>
		RequestHeader set "x-webobjects-server-port" "443"
		RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
		RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
		AddDefaultCharset UTF-8
		Require all granted
	</Proxy>
 
	# use mod_rewrite to pass remote address to the SOGo proxy.
	# The remote address will appear in SOGo's log files and in the X-Forward
	# header of emails.
	RewriteEngine On
	RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>

Enable Apache modules and website

Enable needed Apache2 modules: 

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo service apache2 restart

Enable the site: 

sudo a2ensite wilbertvolkers.linkpc.net
sudo service apache2 reload

To test if everything is working go to:

Configuration (Raspberry Pi)

An example of an Apache2 conf file, targeting a Raspberry Pi system but not exclusively. This configuration:

  • allows only https access, http is redirected to https
  • contains some additional security measures for MediaWiki
  • no SSLv3, search for 'poodle attack' is you want to know more
sudo gedit /etc/apache2/sites-available/raspberrypi.conf
SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 

<VirtualHost _default_:80>
 # forward http to https
 RewriteEngine On
 RewriteCond %{HTTPS} off
 RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost _default_:443>
 Servername wilbertvolkers.linkpc.net
 ServerAdmin admin@wilbertvolkers.linkpc.net

 SSLEngine On
 SSLOptions +StrictRequire
 # Note: +SSLv3 not supported by this version of OpenSSL
 SSLProtocol -all +TLSv1
 # Support only for strong cryptography:
 SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
 SSLSessionCacheTimeout 600 
 SSLVerifyClient none 
 SSLProxyEngine off
 ServerSignature Off
 
 #enable debug info to solve problems
 #http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
 #LogLevel debug

 SSLCertificateFile /etc/apache2/ssl/server.cer
 SSLCertificateKeyFile /etc/apache2/ssl/server.key

 DocumentRoot /var/www/docroot/
 
 # MediaWiki ###################
 
 # MediaWiki security manual
 php_flag register_globals off
 
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
 
 Alias "/mediawiki" "/var/www/mediawiki"
 <Directory /var/www/mediawiki>
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>

 # MediaWiki security manual
 <Directory /var/www/mediawiki/images>
	# Ignore .htaccess files
	AllowOverride None
	# Serve HTML as plaintext, don't execute SHTML
	AddType text/plain .html .htm .shtml .php .phtml .php5
	# Don't run arbitrary PHP code.
	php_admin_flag engine off
 </Directory>

 # MediaWiki security manual
 <Directory /var/www/mediawiki/images/deleted>
	Deny from all
	AllowOverride AuthConfig Limit
	Require local
 </Directory>

# SOGo ########################

 <IfModule mpm_itk_module>
	AssignUserId sogo-a sogo-a
 </IfModule>
 Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
 AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
 <Directory /usr/lib/GNUstep/SOGo/>
	SSLRequireSSL
	AllowOverride None
	Require all granted
 </Directory>
 <LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
	SetHandler default-handler
 </LocationMatch>
 ProxyRequests Off
 SetEnv proxy-nokeepalive 1
 ProxyPreserveHost On
 ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
 <Proxy http://127.0.0.1:20000/SOGo>
	RequestHeader set "x-webobjects-server-port" "443"
	RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
	RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
	RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
	RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
	AddDefaultCharset UTF-8
	Require all granted
 </Proxy>

 # use mod_rewrite to pass remote address to the SOGo proxy.
 # The remote address will appear in SOGo's log files and in the X-Forward
 # header of emails.
 RewriteEngine On
 RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>

See also

Retrieved from "https://wjv.duckdns.org/mediawiki/index.php?title=Apache2_configuration_for_SOGo_and_MediaWiki&oldid=2489"