Apache2 configuration for SOGo and MediaWiki: Difference between revisions
From WickyWiki
| Line 32: | Line 32: | ||
SSLRandomSeed connect file:/dev/urandom 1024 | SSLRandomSeed connect file:/dev/urandom 1024 | ||
<VirtualHost | <VirtualHost _default_:80> | ||
< | #pi-hole admin via http | ||
Alias /admin/ /var/www/html/admin/ | |||
<Directory /var/www/html/admin/> | |||
AllowOverride None | |||
Require all granted | |||
</Directory> | |||
Alias /pihole/ /var/www/html/pihole/ | |||
<Directory /var/www/html/pihole/> | |||
AllowOverride None | |||
Require all granted | |||
</Directory> | |||
#RPi-monitor | |||
Alias /rpimonitor/ /usr/share/rpimonitor/web/ | |||
<Directory /usr/share/rpimonitor/web/> | |||
AllowOverride None | |||
Require all granted | |||
</Directory> | |||
</VirtualHost> | |||
#only alow strong encryption | |||
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 | |||
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 | |||
SSLHonorCipherOrder off | |||
SSLSessionTickets off | |||
<VirtualHost _default_:443> | |||
#Mediawiki / SOGo | |||
Servername wilbertvolkers.linkpc.net | |||
ServerAdmin admin@wilbertvolkers.linkpc.net | |||
SSLEngine On | |||
SSLSessionCacheTimeout 600 | |||
SSLVerifyClient none | |||
SSLProxyEngine off | |||
SSLCertificateFile /etc/apache2/ssl/server.cer | |||
SSLCertificateKeyFile /etc/apache2/ssl/server.key | |||
ServerSignature Off | |||
ErrorLog ${APACHE_LOG_DIR}/error.log | |||
CustomLog ${APACHE_LOG_DIR}/access.log combined | |||
#enable debug info to solve problems | |||
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel | |||
#LogLevel debug | |||
DocumentRoot /var/www/docroot/ | |||
# MediaWiki ################### | |||
Alias "/mediawiki" "/var/www/mediawiki" | |||
<Directory /var/www/mediawiki> | |||
SSLRequireSSL | |||
AllowOverride None | |||
Require all granted | |||
</Directory> | |||
# MediaWiki security manual | |||
php_flag register_globals off | |||
<Directory /var/www/mediawiki/images> | |||
# Ignore .htaccess files | |||
AllowOverride None | |||
</Directory> | # Serve HTML as plaintext, don't execute SHTML | ||
AddType text/plain .html .htm .shtml .php .phtml .php5 | |||
# Don't run arbitrary PHP code. | |||
php_admin_flag engine off | |||
</Directory> | |||
<Directory /var/www/mediawiki/images/deleted> | |||
Deny from all | |||
AllowOverride AuthConfig Limit | |||
Require local | |||
</Directory> | |||
# use mod_rewrite to pass remote address to the SOGo proxy. | <Directory /var/www/mediawiki/cache> | ||
Deny from all | |||
AllowOverride AuthConfig Limit | |||
Require local | |||
</Directory> | |||
# SOGo ######################## | |||
<IfModule mpm_itk_module> | |||
AssignUserId sogo-a sogo-a | |||
</IfModule> | |||
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/ | |||
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/ | |||
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2 | |||
<Directory /usr/lib/GNUstep/SOGo/> | |||
SSLRequireSSL | |||
AllowOverride None | |||
Require all granted | |||
</Directory> | |||
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)"> | |||
SetHandler default-handler | |||
</LocationMatch> | |||
ProxyRequests Off | |||
SetEnv proxy-nokeepalive 1 | |||
ProxyPreserveHost On | |||
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0 | |||
<Proxy http://127.0.0.1:20000/SOGo> | |||
RequestHeader set "x-webobjects-server-port" "443" | |||
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net" | |||
RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net" | |||
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0" | |||
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST | |||
AddDefaultCharset UTF-8 | |||
Require all granted | |||
</Proxy> | |||
# use mod_rewrite to pass remote address to the SOGo proxy. | |||
# The remote address will appear in SOGo's log files and in the X-Forward | |||
# header of emails. | |||
RewriteEngine On | |||
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT] | |||
</virtualhost> | </virtualhost> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 17:47, 12 August 2019
Info
Here I keep the most up-to-date script for server wilbertvolkers.linkpc.net for both MediaWiki and SOGo.
- MediaWiki on http (80) and https (443). Force secure SSL login.
- SOGo only on https (443) redirect http (80) to https (443)
An entry for a Raspberry Pi has been added.
Configuration (Ubuntu)
Disable default SOGo configuration of Apache:
sudo mv /etc/apache2/conf.d/SOGo.conf /etc/apache2/conf.d/SOGo.conf.backup
Create new configuration in 'sites-available':
sudo gedit /etc/apache2/sites-available/wilbertvolkers.linkpc.net.conf
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
<VirtualHost _default_:80>
#pi-hole admin via http
Alias /admin/ /var/www/html/admin/
<Directory /var/www/html/admin/>
AllowOverride None
Require all granted
</Directory>
Alias /pihole/ /var/www/html/pihole/
<Directory /var/www/html/pihole/>
AllowOverride None
Require all granted
</Directory>
#RPi-monitor
Alias /rpimonitor/ /usr/share/rpimonitor/web/
<Directory /usr/share/rpimonitor/web/>
AllowOverride None
Require all granted
</Directory>
</VirtualHost>
#only alow strong encryption
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLSessionTickets off
<VirtualHost _default_:443>
#Mediawiki / SOGo
Servername wilbertvolkers.linkpc.net
ServerAdmin admin@wilbertvolkers.linkpc.net
SSLEngine On
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
ServerSignature Off
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#enable debug info to solve problems
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
#LogLevel debug
DocumentRoot /var/www/docroot/
# MediaWiki ###################
Alias "/mediawiki" "/var/www/mediawiki"
<Directory /var/www/mediawiki>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
# MediaWiki security manual
php_flag register_globals off
<Directory /var/www/mediawiki/images>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
</Directory>
<Directory /var/www/mediawiki/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
<Directory /var/www/mediawiki/cache>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
# SOGo ########################
<IfModule mpm_itk_module>
AssignUserId sogo-a sogo-a
</IfModule>
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
<Directory /usr/lib/GNUstep/SOGo/>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
</LocationMatch>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Require all granted
</Proxy>
# use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>
Enable Apache modules and website
Enable needed Apache2 modules:
sudo a2enmod proxy sudo a2enmod proxy_http sudo a2enmod headers sudo a2enmod rewrite sudo a2enmod ssl sudo service apache2 restart
Enable the site:
sudo a2ensite wilbertvolkers.linkpc.net sudo service apache2 reload
To test if everything is working go to:
- https://wilbertvolkers.linkpc.net/SOGo
- http://wilbertvolkers.linkpc.net/SOGo
- You should go to https
- http://wilbertvolkers.linkpc.net/mediawiki
- https://wilbertvolkers.linkpc.net/mediawiki
- http://wilbertvolkers.linkpc.net/mediawiki/index.php?title=Special:UserLogin
- You should go to https
Configuration (Raspberry Pi)
An example of an Apache2 conf file, targeting a Raspberry Pi system but not exclusively. This configuration:
- allows only https access, http is redirected to https
- contains some additional security measures for MediaWiki
- no SSLv3, search for 'poodle attack' if you want to know more
sudo gedit /etc/apache2/sites-available/raspberrypi.conf
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
<VirtualHost _default_:80>
# forward http to https
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>
<VirtualHost _default_:443>
Servername wilbertvolkers.linkpc.net
ServerAdmin admin@wilbertvolkers.linkpc.net
SSLEngine On
SSLOptions +StrictRequire
# Note: +SSLv3 not supported by this version of OpenSSL
SSLProtocol -all +TLSv1
# Support only for strong cryptography:
SSLCipherSuite HIGH:MEDIUM:!aNULL:+SHA1:+MD5:+HIGH:+MEDIUM
SSLSessionCacheTimeout 600
SSLVerifyClient none
SSLProxyEngine off
ServerSignature Off
SSLCertificateFile /etc/apache2/ssl/server.cer
SSLCertificateKeyFile /etc/apache2/ssl/server.key
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
#enable debug info to solve problems
#http://httpd.apache.org/docs/2.4/mod/core.html#loglevel
#LogLevel debug
DocumentRoot /var/www/docroot/
# MediaWiki ###################
Alias "/mediawiki" "/var/www/mediawiki"
<Directory /var/www/mediawiki>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
# MediaWiki security manual
php_flag register_globals off
<Directory /var/www/mediawiki/images>
# Ignore .htaccess files
AllowOverride None
# Serve HTML as plaintext, don't execute SHTML
AddType text/plain .html .htm .shtml .php .phtml .php5
# Don't run arbitrary PHP code.
php_admin_flag engine off
</Directory>
<Directory /var/www/mediawiki/images/deleted>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
<Directory /var/www/mediawiki/cache>
Deny from all
AllowOverride AuthConfig Limit
Require local
</Directory>
# SOGo ########################
<IfModule mpm_itk_module>
AssignUserId sogo-a sogo-a
</IfModule>
Alias /SOGo.woa/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
Alias /SOGo/WebServerResources/ /usr/lib/GNUstep/SOGo/WebServerResources/
AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*) /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2
<Directory /usr/lib/GNUstep/SOGo/>
SSLRequireSSL
AllowOverride None
Require all granted
</Directory>
<LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
SetHandler default-handler
</LocationMatch>
ProxyRequests Off
SetEnv proxy-nokeepalive 1
ProxyPreserveHost On
ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
<Proxy http://127.0.0.1:20000/SOGo>
RequestHeader set "x-webobjects-server-port" "443"
RequestHeader set "x-webobjects-server-name" "wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-url" "https://wilbertvolkers.linkpc.net"
RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
RequestHeader set "x-webobjects-remote-host" %{REMOTE_HOST}e env=REMOTE_HOST
AddDefaultCharset UTF-8
Require all granted
</Proxy>
# use mod_rewrite to pass remote address to the SOGo proxy.
# The remote address will appear in SOGo's log files and in the X-Forward
# header of emails.
RewriteEngine On
RewriteRule ^/SOGo/(.*)$ /SOGo/$1 [env=REMOTE_HOST:%{REMOTE_ADDR},PT]
</virtualhost>
