Apache2

From SchnallIchNet

Global parameters

IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

Directory-indexing options.
These affect the 'Options +Indexes' setting, i.e. the directory listing.


Auth-Config Snippets

Authorization through LDAP-Directory


LDAP Auth (User)

        <Location /folder>
                AuthType Basic
                AuthName "Secure"
                AuthLDAPURL "ldap://HOSTNAME:389/ou=people,dc=DCname,dc=lan?uid?sub?(objectClass=*)"
                Require valid-user
        </Location>


LDAP Auth (Group)

        <Location /folder>
                AuthType Basic
                AuthName "Secure"
                AuthLDAPURL "ldap://HOSTNAME:389/dc=DCname,dc=lan?uid?sub?(objectClass=*)"
                AuthLDAPGroupAttribute memberUid
                AuthLDAPGroupAttributeIsDN off
                Require group cn=engineering,ou=Groups,dc=DCname,dc=lan
        </Location>
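
The AuthLDAPURL values above use plain ldap:// on port 389, so the password Apache binds with crosses the network unencrypted. A hardened variant of the group snippet follows as an added example that is not part of the original page. It assumes Apache 2.4 with mod_ssl, mod_ldap and mod_authnz_ldap loaded and an LDAP server that supports STARTTLS; the CA file path is a placeholder.

```apache
# --- server config level (outside any <VirtualHost>) ---
# CA that signed the LDAP server certificate (placeholder path, adjust locally)
LDAPTrustedGlobalCert CA_BASE64 "/etc/ssl/certs/ldap-ca.pem"
# Refuse the connection if the LDAP server certificate does not verify
LDAPVerifyServerCert On

# --- inside the HTTPS virtual host ---
<Location "/folder">
    # Basic auth is only base64-encoded: reject requests that arrive without TLS
    SSLRequireSSL

    AuthType Basic
    AuthName "Secure"
    # Select the LDAP provider explicitly (required with mod_authnz_ldap)
    AuthBasicProvider ldap

    # Same search as the group snippet above, but upgraded with STARTTLS
    # before any bind happens. An ldaps:// URL on port 636 is the alternative.
    AuthLDAPURL "ldap://HOSTNAME:389/dc=DCname,dc=lan?uid?sub?(objectClass=*)" STARTTLS

    # posixGroup-style membership: memberUid holds user names, not DNs
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # mod_authnz_ldap spelling of the older "Require group ..." line
    Require ldap-group cn=engineering,ou=Groups,dc=DCname,dc=lan
</Location>
```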


Proxy config

VIA

I hit a tricky issue setting up an apache2 based https reverse proxy today.

Essentially, the public address https://secure.example.com/ is a reverse proxy to a private application server on backend.private.example.com. Since the backend application server uses specific hostnames, we need to preserve the hostname when proxying. The apache configuration fragment is straightforward:

<IfModule mod_proxy.c>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyRequests Off
  ProxyVia Off
  ProxyErrorOverride Off
  ProxyPreserveHost On
  ProxyPassReverse / http://backend.private.example.com/
  ProxyPass / http://backend.private.example.com/

</IfModule>

The problem is that we have another server, media.example.com, that acts as a frontend for our distributed media storage. In normal http served pages embedded media directly refers to this server in the html. However, for https pages, media being served from another site will result in error dialogs for the user.

The short term workaround was to serve all media from under https://secure.example.com/media/ and to implement a reverse proxy for "/media/" on the application server. This works, but is less than ideal.

What I need to do is specify two different proxies, which is usually supported by apache2 mod_proxy:

  ProxyPass /media/ http://media.example.com/
  ProxyPass / http://backend.private.example.com/

But this doesn't work for me, since media.example.com requires that media.example.com be sent as the host identifier. Since ProxyPreserveHost needs to be on for the application server, it's attempting to send secure.example.com to media.example.com. I can't modify media.example.com to recognise this additional name. ProxyPreserveHost can only be set once per VirtualHost, so I can't enclose it in a Location block or similar.

Looking around for a solution I came across a patch, proxy-sethost.patch, but loath as I am to patch binaries to do things that can be done in configuration, I tried implementing the suggested RequestHeader workaround ("a2enmod headers" if not already enabled).

<IfModule mod_proxy.c>
  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>

  ProxyRequests Off
  ProxyVia Off
  ProxyErrorOverride Off
  ProxyPreserveHost On

  <IfModule mod_headers.c>
  <Proxy "http://media.example.com/">
    RequestHeader set Host media.example.com
  </Proxy>
  ProxyPass /media/ http://media.example.com/
  ProxyPassReverse /media/ http://media.example.com/
  </IfModule>

  ProxyPass / http://backend.private.example.com/
  ProxyPassReverse / http://backend.private.example.com/

</IfModule>

A quick test, and checking the logs of media.example.com, show requests are now coming from the frontend proxy rather than the app server, so that looks to have done the trick.
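
On Apache 2.4 the same split can be written without overriding the Host header, because ProxyPreserveHost is accepted in directory context from version 2.3.3 on. The fragment below is an added example, not part of the quoted post; it assumes Apache 2.4, reuses the post's hostnames, and belongs inside the secure.example.com virtual host (TLS directives omitted).

```apache
<IfModule mod_proxy.c>
    # Reverse proxy only: never act as a forward proxy for arbitrary targets
    ProxyRequests Off
    ProxyVia Off
    ProxyErrorOverride Off

    # Default for the application server: pass the client's Host header through
    ProxyPreserveHost On

    # Override for the media path only: with preservation off, mod_proxy sends
    # the host name from the ProxyPass target (media.example.com), so no
    # RequestHeader rewrite and no mod_headers dependency are needed
    <Location "/media/">
        ProxyPreserveHost Off
    </Location>

    # ProxyPass rules are checked in configuration order, first match wins,
    # so the more specific /media/ mapping has to come before /
    ProxyPass        "/media/" "http://media.example.com/"
    ProxyPassReverse "/media/" "http://media.example.com/"

    ProxyPass        "/" "http://backend.private.example.com/"
    ProxyPassReverse "/" "http://backend.private.example.com/"
</IfModule>
```

As in the post, the check is the access log on media.example.com: requests under /media/ should arrive from the frontend proxy with media.example.com as the requested host.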


Bandwidth Limit (mod_bw)

limiting the bandwidth

<virtualhost *:80>

  # ... leave old config as is ...

  BandWidthModule On
  ForceBandWidthModule On
  BandWidth 10.0.0.0/24 0
  BandWidth all 80000
</virtualhost>

  1. activate the module for the virtualhost
  2. force the module to limit all http-requests
  3. set NO limit for network 10.0.0.0/24
  4. set the limit to 80KB/s to all other requests


mod_spdy

spdy is the google-developed 'replacement' for http.
see: https://developers.google.com/speed/spdy/


get and install

  1. get the binary modules or source from here... https://developers.google.com/speed/spdy/mod_spdy/
  2. needs apache >= 2.2.4 !
  3. install and configure it...
    1. all configuration is done by dpkg, if using the .deb packages. rpms not tested...
  4. restart apache


browser-related

some hints on browsers regarding spdy...


firefox

if using firefox >= 11.0 the spdy protocol is available but deactivated by default.
to use it, you will have to activate it in config...

  1. open 'about:config'
  2. search for: 'network.http.spdy.enabled' and set it to 'true'
  3. be happy! ;-)

chrome

because chrome is a google product, spdy is enabled by default since version 11.


Internet Explorer

unknown...