
Apache2 + SSL

Install packages

# apt-get install apache2
# apt-get install openssl ssl-cert
# apt-get install libapache2-mod-php5 php5-cli php5-common php5-cgi php5

Generate the certificate file

# openssl req $@ -new -x509 -days 365 -nodes -out /etc/apache2/apache.pem -keyout /etc/apache2/apache.pem
# chmod 600 /etc/apache2/apache.pem
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taoyuan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SARS TW
Organizational Unit Name (eg, section) []:wiki
Common Name (eg, YOUR name) []:wiki.sars.tw
Email Address []:webmaster@localhost

Open the port

Confirm that /etc/apache2/ports.conf contains the following:

Listen 80

<IfModule mod_ssl.c>
    Listen 443
</IfModule>

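Edit /etc/apache2/sites-available/default

Add the following lines (in this example they are simply a copy of the existing port 80 section; the only difference is that the port is changed to 443)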

NameVirtualHost *:443

<VirtualHost *:443>
    ServerAdmin webmaster@localhost

    SSLEngine on
    SSLCertificateFile /etc/apache2/apache.pem

    DocumentRoot /var/www/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
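
Because the openssl command above writes the private key and the certificate into the same /etc/apache2/apache.pem that SSLCertificateFile loads, the chmod 600 step is what keeps the key private. The following shell script is an added example, not part of the original page: it reads an Apache config, follows its SSLCertificateFile and SSLCertificateKeyFile directives, and flags any referenced file that holds a private key while group or others have access. The function names audit_tls_key_perms and make_demo and the demo files are made up for this example, and paths are assumed to contain no whitespace.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.
# Assumes certificate paths in the config contain no whitespace.

# Audit every file named by SSLCertificateFile / SSLCertificateKeyFile in the
# given config. Prints one line per file; returns 1 if a key is exposed.
audit_tls_key_perms() {
    conf=$1
    rc=0
    # Path argument of each active (uncommented) directive, de-duplicated.
    paths=$(awk 'tolower($1) == "sslcertificatefile" ||
                 tolower($1) == "sslcertificatekeyfile" {
                     gsub(/"/, "", $2); print $2 }' "$conf" | sort -u)
    for f in $paths; do
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"; rc=1; continue
        fi
        # Only files that actually carry a private key must be private.
        if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "CERTONLY $f"; continue
        fi
        # Characters 5-10 of the ls mode string are the group/other bits.
        go_bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$go_bits" = "------" ]; then
            echo "OK       $f"
        else
            echo "EXPOSED  $f (group/other bits: $go_bits)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input: a vhost fragment plus a fake combined PEM that
# holds marker lines only (no real key material). Prints the temp directory.
make_demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed-placeholder' \
        '-----END PRIVATE KEY-----' > "$dir/apache.pem"
    printf '%s\n' '<VirtualHost *:443>' 'SSLEngine on' \
        "SSLCertificateFile $dir/apache.pem" '</VirtualHost>' > "$dir/vhost.conf"
    echo "$dir"
}

# Audit a real config when one is given, e.g. the vhost file edited above.
if [ $# -gt 0 ]; then audit_tls_key_perms "$1"; fi
```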

Configure a directory path for HTTPS

Configure httpd.conf

<Directory /var/www/test/subdir>
    # Inside the subarea any Intranet access is allowed
    # but from the Internet only HTTPS + Strong-Cipher + Password
    # or the alternative HTTPS + Strong-Cipher + Client-Certificate

    # If HTTPS is used, make sure a strong cipher is used.
    # Additionally allow client certs as alternative to basic auth.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    # Force clients from the Internet to use HTTPS
    RewriteEngine on
    RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    RewriteCond %{HTTPS} !=on
    RewriteRule .* - [F]

    # Allow Network Access and/or Basic Auth
    #Satisfy any

    # Network Access Control
    Order allow,deny
    Allow from all
    #Allow from 192.168.1.0/24

    # HTTP Basic Authentication
</Directory>

Enable the ssl & rewrite.load modules

(this creates symlinks, mods-enabled → mods-available)

# a2enmod ssl
# a2enmod rewrite

apache2 then has to be started.

Automatically redirect to https

RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)$ https://%{SERVER_NAME}/~somewhere/$1 [L,R]

Log analysis

GoAccess

Automatic language detection with Apache

http://casper.tiger2.net/blog/2006/04/23/apache/

The contents of httpd.conf are as follows:

DirectoryIndex index.html index.html.var index.php index.php3 index.php4
AddHandler type-map var

The contents of index.html.var are as follows:

URI: index.en.html
Content-language: en
Content-type: text/html

URI: index.zh-tw.html
Content-language: tw, zh-tw
Content-type: text/html

URI: index.zh-cn.html
Content-language: cn, zh-cn
Content-type: text/html

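With this in place, when a browser connects, Apache checks the browser's default language. If it is English, the request goes to index.en.html; if it is zh-tw, it goes to index.zh-tw.html.

There is one problem, though: if the browser's language is not in the list above, testing on Apache 2.0 showed that it picks the first entry, while testing on Apache 2.2 produced an error message saying the language file could not be found.

2006/06/03 Update: I only noticed today that this is because Apache 2.2 puts the language configuration in conf/extra/httpd-languages.conf, and I had forgotten to enable the include in httpd.conf. When none of the languages set in the browser can be found, Apache displays the page according to the order of LanguagePriority (in httpd-languages.conf). (Actually, it seems only the first one would ever be used here? In what situation would the later languages be used?)

Also, after looking at Apache's manual directory, I noticed there is another way to set this up; anyone interested can refer to conf/extra/httpd-manual.conf and any of the .html files under manual. I will look into it when I get another chance, to see what the differences are.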

service/apache.txt · Last modified: 2011/06/20 17:29 by wenpei