Changes between Version 2 and Version 3 of WebDienste

Timestamp:

Aug 1, 2020, 3:41:04 PM (5 years ago)

Author:

Johannes Lode

Comment:

--

WebDienste

@@ -5 +5 @@
 == Apache
 
-tbd.
-
+=== neuen V-Host erstellen mit SSL-Cert und getssl
+
+==== Apache und Datenverzeichnis konfigurieren
+
+ 1. auf Laubfrosch anmelden, `root` werden
+ 1. im Verzeichnis `/var/www`
+   a. für eine Web-Service: \\ ein neues Verzeichnis mit dem Hostnamen anlegen: `mkdir twiki.mtronig.de`
+   a. für einen Nicht-Web-Server (z.B. IMAP, murmur, ...): \\ einen Sym-Link auf `localhost` anlegen: `mkdir ln -s localhost murmur.vpn21.net`
+ 1. SSL Verzeichnis erstellen
+    a. mit eigenem SSL-Cert oder als zentrale Stelle für ein Sammel-Cert: \\ ein Unterverzeichnis `ssl` anlegen: `mkdir -p twiki.mtronig.de/ssl`
+    a. zu einem Sammel-Cert hinzufügen: \\ einen Symlink auf das `ssl` Verzeichnis des Sammel-Cert-Halters legen: `ln -s ../usvn/ssl twiki.mtronig.de/ssl`
+    a. für einen Nicht-Web-Server (z.B. IMAP, murmur, ...) ist das im `localhost` geregelt.
+  Im `ssl` Verzeichnis (Link oder physisch) werden folgende Dateien für die nachfolgende Konfigruation benötigt und müssen durch getssl.sh erstellt werden:
+    * `ca-bundle.pem`
+    * `server.crt`
+    * `server.key_decrypted`
+ 1. im Host-Verzeichnis die Web-Daten unterbringen, für einen Forwarder auf einen anderen Web-Service via `http` oder `https` kommen keine Daten hier hinein. \\ Die Web-Daten hier sollten dem `apache` User gehören: `chown -R apache:apache twiki.mtronig.de`.
+ 1. im Konfigurations-Verzeichnis `/etc/apache2/vhosts.d` eine neue Host-Konfiguration erstellen nach dem Namensmuster `nn-hostname.mit.domaine.tld.conf`. Jeder V-Host bekommt eine eigene Nummer, die vor `99` und auch vor `78` einsortiert wird, normalerweise aufsteigend ab `21` die nächste freie Nummer. Die Konfigurationsdatei richtet sich nach den Eigenschaften des Web-Service, soll aber auf jeden Fall die Teile der SSL-Konfiguration enthalten:
+{{{
+### Section 3: Virtual Hosts
+#
+# VirtualHost: If you want to maintain multiple domains/hostnames on your
+# machine you can setup VirtualHost containers for them. Most configurations
+# use only name-based virtual hosts so the server doesn't need to worry about
+# IP addresses. This is indicated by the asterisks in the directives below.
+#
+# Please see the documentation at 
+# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
+# for further details before you try to setup virtual hosts.
+#
+# You may use the command line option '-S' to verify your virtual host
+# configuration.
+
+#
+# Use name-based virtual hosting.
+#
+#NameVirtualHost *:80
+
+#
+# Almost any Apache directive may go into a VirtualHost container.
+# The first VirtualHost section is used for requests without a known
+# server name.
+#
+<VirtualHost *:80>
+    ServerName wrp.vpn21.net
+    RedirectMatch permanent "^(/(?!.well-known/acme-challenge?).*)" https://wrp.vpn21.net$1
+</VirtualHost>
+
+<VirtualHost *:443>
+        ServerName wrp.vpn21.net
+#        SSLProxyEngine On
+#        RequestHeader set Front-End-Https "On"
+
+        RequestHeader edit Destination https://wrp.vpn21.net/ http://172.18.2.3:8080/
+        ProxyRequests Off
+        ProxyPass /.well-known !
+        ProxyPass / http://172.18.2.3:8080/
+        ProxyPassReverse / http://172.18.2.3:8080/
+
+    SSLEngine on
+    
+    ## Server Certificate:
+    # Point SSLCertificateFile at a PEM encoded certificate. If the certificate
+    # is encrypted, then you will be prompted for a pass phrase. Note that a 
+    # kill -HUP will prompt again. Keep in mind that if you have both an RSA
+    # and a DSA certificate you can configure both in parallel (to also allow
+    # the use of DSA ciphers, etc.)
+    SSLCertificateFile /var/www/wrp.vpn21.net/ssl/server.crt
+
+    ## Server Private Key:
+    # If the key is not combined with the certificate, use this directive to
+    # point at the key file. Keep in mind that if you've both a RSA and a DSA
+    # private key you can configure both in parallel (to also allow the use of
+    # DSA ciphers, etc.)
+    SSLCertificateKeyFile /var/www/wrp.vpn21.net/ssl/server.key_decrypted
+
+    ## Server Certificate Chain:
+    # Point SSLCertificateChainFile at a file containing the concatenation of 
+    # PEM encoded CA certificates which form the certificate chain for the
+    # server certificate. Alternatively the referenced file can be the same as
+    # SSLCertificateFile when the CA certificates are directly appended to the
+    # server certificate for convinience.
+    SSLCertificateChainFile /var/www/wrp.vpn21.net/ssl/ca-bundle.pem
+
+    Header always add Strict-Transport-Security "max-age=15768000"
+</VirtualHost>
+}}}
+ 1. Apache neu starten/laden, um die Konfiguration zu übernehmen
+
+==== getssl einrichten
+
+ a. für einen Web-Host mit eigenem SSL-Cert:
+   1. in das Verzeichnis `~root/.getssl` wechseln
+   1. Host-/Domain-Verzeichnis anlegen: `mkdir twiki.mtronig.de`
+   1. Konfigurationsdatei `twiki.mtronig.de/getssl.cfg` erstellen:
+{{{
+# Uncomment and modify any variables you need
+# see https://github.com/srvrco/getssl/wiki/Config-variables for details
+# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
+#
+# The staging server is best for testing
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+# This server issues full certificates, however has rate limits
+#CA="https://acme-v02.api.letsencrypt.org"
+
+#PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+# Note: this is Additional domains - so should not include the primary domain.
+#SANS="trac.mtronig.de"
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
+# An ssh key will be needed to provide you with access to the remote server.
+# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
+# If left blank, the username on the local server will be used to authenticate against the remote server.
+# If these start with ftp: then the next variables are ftpuserid:ftppassword:servername:ACL_location
+# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
+# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
+#ACL=('/var/www/twiki.mtronig.de/web/.well-known/acme-challenge'
+#     'ssh:server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
+#     'ssh:sshuserid@server5:/var/www/usvn.vpn21.net/web/.well-known/acme-challenge'
+#     'ftp:ftpuserid:ftppassword:usvn.vpn21.net:/web/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+#USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/server.crt"
+DOMAIN_KEY_LOCATION="/var/www/twiki.mtronig.de/ssl/server.key_decrypted"
+CA_CERT_LOCATION="/var/www/twiki.mtronig.de/ssl/ca-bundle.pem"
+#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+#DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+#RELOAD_CMD=""
+
+# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
+# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
+# will be checked for certificate expiry and also will be checked after
+# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
+#SERVER_TYPE="https"
+#CHECK_REMOTE="true"
+}}}
+   1. `getssl` Konfiguration testen: \\ `getssl twiki.mtronig.de`
+   
 == Trac