Revision as of 16:36, 30 December 2017

Info

Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.

MediaWiki on http (80) and https (443). Force secure SSL login.
SOGo only on https (443) redirect http (80) to https (443)

An entry for a Raspberry Pi has been added.

Configuration (Ubuntu)

Disable default SOGo configuration of Apache:

sudo mv /etc/apache2/conf.d/SOGo.conf /etc/apache2/conf.d/SOGo.conf.backup

Create new configuration in 'sites-available':

sudo gedit /etc/apache2/sites-available/wilbertvolkers.linkpc.net.conf

SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 
#Apache2.2:
##SSLSessionCache shm:/usr/local/apache2/logs/ssl_cache_shm

<VirtualHost *:80>
	Servername wilbertvolkers.linkpc.net
	SSLEngine Off
	SSLSessionCacheTimeout 600 
	SSLVerifyClient none 
	SSLProxyEngine off
	ServerSignature Off
	RewriteEngine On

	#mediawiki on port 80
	#redirect UserLogin page to https
	RewriteCond %{REQUEST_URI} ^/mediawiki/index.php$
	RewriteCond %{QUERY_STRING} ^title=Special:UserLogin
	RewriteCond %{REQUEST_METHOD} ^GET$
	RewriteRule ^(.*)$ https://%{SERVER_NAME}/$1 [R]
 
	DocumentRoot /var/www/
	Alias /mediawiki/ /var/www/mediawiki/
	<Directory /var/www/mediawiki/>
		AllowOverride None
		#Apache2.2:
		##Order allow,deny
		##allow from all
		#Apache2.4:
		Require all granted
	</Directory>
 
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
 
	#SOGo redirect http://../SOGo to https://../SOGo
	#Note: leave this out to make it a bit more difficult to find things on your server
	#RewriteCond %{REQUEST_URI} ^/SOGo(.*)$
	#RewriteCond %{REQUEST_METHOD} ^GET$
	#RewriteRule ^(.*)$ https://wilbertvolkers.linkpc.net/SOGo$1 [R]
</virtualhost>

<VirtualHost *:443>
	Servername wilbertvolkers.linkpc.net
	SSLEngine On
	SSLOptions +StrictRequire
	SSLProtocol -all +TLSv1 +SSLv3 
	# Support only for strong cryptography:
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
	SSLSessionCacheTimeout 600 
	SSLVerifyClient none 
	SSLProxyEngine off
	ServerSignature Off
 
	SSLCertificateFile /etc/apache2/ssl/server.cer
	SSLCertificateKeyFile /etc/apache2/ssl/server.key
 
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	#mediawiki via https
	Alias /mediawiki/ /var/www/mediawiki/
	<Directory /var/www/mediawiki/>
		SSLRequireSSL
		AllowOverride None
		#Apache2.2:
		##Order deny,allow
		##Allow from all
		#Apache2.4:
		Require all granted
	</Directory>

	#SOGo
	DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
	<IfModule mpm_itk_module>
		AssignUserId sogo-a sogo-a
	</IfModule>
	Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
	<Directory /usr/lib/GNUstep/SOGo/>
		SSLRequireSSL
		AllowOverride None
		#Apache2.2:
		##Order deny,allow
		##Allow from all
		#Apache2.4:
		Require all granted
	</Directory>
	<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
 		SetHandler default-handler
	</LocationMatch>
	ProxyRequests Off
	SetEnv proxy-nokeepalive 1
	ProxyPreserveHost On
	ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
	<Proxy http://127.0.0.1:20000/SOGo>
		RequestHeader set "x-webobjects-server-port" "443"
		RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
		RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
		AddDefaultCharset UTF-8
		#Apache2.2:
		##Order allow,deny
		##allow from all
		#Apache2.4:
		Require all granted
	</Proxy>
 
	# use mod_rewrite to pass remote address to the SOGo proxy.
	# The remote address will appear in SOGo's log files and in the X-Forward
	# header of emails.
	RewriteEngine On
	RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
 
	# redirect https://../ to https://../SOGo
	#Note: leave this out to make it a bit more difficult to find things on your server
	#Redirect temp /index.html https://%{SERVER_NAME}/SOGo
</virtualhost>

Enable Apache modules and website

Enable needed Apache2 modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
sudo a2enmod ssl
sudo service apache2 restart

Enable the site:

sudo a2ensite wilbertvolkers.linkpc.net
sudo service apache2 reload

To test if everything is working go to:

https://wilbertvolkers.linkpc.net/SOGo
http://wilbertvolkers.linkpc.net/SOGo
- You should go to https
http://wilbertvolkers.linkpc.net/mediawiki
https://wilbertvolkers.linkpc.net/mediawiki
http://wilbertvolkers.linkpc.net/mediawiki/index.php?title=Special:UserLogin
- You should go to https

Configuration (Raspberry Pi)

Another example of an Apache2 conf file, targeting a Rasberry Pi system but not exclusively. This configuration:

allows only https access, http is redirected to https
contains some additional security measures for MediaWiki
no SSLv3, search for 'poodle attack' is you want to know more

sudo gedit /etc/apache2/sites-available/raspberrypi.conf

SSLRandomSeed startup file:/dev/urandom 1024 
SSLRandomSeed connect file:/dev/urandom 1024 

<VirtualHost 192.168.1.2:80>
	# forward http to https
	RewriteEngine On
	RewriteCond %{HTTPS} off
	RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost 192.168.1.2:443>
	Servername wilbertvolkers.linkpc.net
	ServerAdmin admin@wilbertvolkers.linkpc.net

	SSLEngine On
	SSLOptions +StrictRequire
	# Note: +SSLv3 not supported by this version of OpenSSL
	SSLProtocol -all +TLSv1
	# Support only for strong cryptography:
	SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM 
	SSLSessionCacheTimeout 600 
	SSLVerifyClient none 
	SSLProxyEngine off
	ServerSignature Off

	#enable debug info to find reasons, for axample when you get http 500 internal server error
	#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
	# debug, trace1 - trace8
	#LogLevel debug

	SSLCertificateFile /etc/apache2/ssl/server.cer
	SSLCertificateKeyFile /etc/apache2/ssl/server.key

	# MediaWiki security manual
	php_flag register_globals off

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# DocumentRoot /var/www/docroot
	Alias "/mediawiki" "/var/www/mediawiki"
	<Directory /var/www/mediawiki>
		SSLRequireSSL
		AllowOverride None
		Require all granted
	</Directory>

	# MediaWiki security manual
	<Directory /var/www/mediawiki/images>
		# Ignore .htaccess files
		AllowOverride None
		# Serve HTML as plaintext, don't execute SHTML
		AddType text/plain .html .htm .shtml .php .phtml .php5
		# Don't run arbitrary PHP code.
		php_admin_flag engine off
		# If you've other scripting languages, disable them too.
	</Directory>

	# MediaWiki security manual
	<Directory /var/www/mediawiki/images/deleted>
		Deny from all
		AllowOverride AuthConfig Limit
		Require local
	</Directory>
	
	# SOGo
	DocumentRoot /usr/lib/GNUstep/SOGo/WebServerResources/
	<IfModule mpm_itk_module>
		AssignUserId sogo-a sogo-a
	</IfModule>
	Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
	AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
	<Directory /usr/lib/GNUstep/SOGo/>
		SSLRequireSSL
		AllowOverride None
		Require all granted
	</Directory>
	<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
		SetHandler default-handler
	</LocationMatch>
	ProxyRequests Off
	SetEnv proxy-nokeepalive 1
	ProxyPreserveHost On
	ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
	<Proxy http://127.0.0.1:20000/SOGo>
		RequestHeader set "x-webobjects-server-port" "443"
		RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
		RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
		RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
		AddDefaultCharset UTF-8
		Require all granted
	</Proxy>
 
	# use mod_rewrite to pass remote address to the SOGo proxy.
	# The remote address will appear in SOGo's log files and in the X-Forward
	# header of emails.
	RewriteEngine On
	RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>
</virtualhost>

Anonymous

Search

Apache2 configuration for SOGo and MediaWiki: Difference between revisions

Namespaces

More

Page actions

Revision as of 16:36, 30 December 2017

Contents

Info

Configuration (Ubuntu)

Enable Apache modules and website

Configuration (Raspberry Pi)

See also

Navigation

Navigation

Wiki tools

Wiki tools

Anonymous

Search

Apache2 configuration for SOGo and MediaWiki: Difference between revisions

Revision as of 16:36, 30 December 2017

Info

Configuration (Ubuntu)

Enable Apache modules and website

Configuration (Raspberry Pi)

See also

Navigation

Wiki tools

Page tools

Categories