# uname -a

Saturday 16 March 2013

Apache: globally configure HTTPS for all VirtualHosts

You want to configure HTTPS "once and for all" for every domain and sub-domain handled by your web server, and you don't want to redeclare the certificate in each VirtualHost. Here is the trick.

I run Debian. In a default Apache installation, the directory /etc/apache2/sites-enabled contains a file named 000-default which declares a default VirtualHost for HTTP.

You have to know that when Apache loads an entire directory of configuration files, the files are read in alphabetical order. So if you want to declare something before something else, you can cheat on its name in the loaded configuration. It is exactly what 000-default does.

In /etc/apache2/sites-available, you have a file named default-ssl. Edit this file to fit your needs (path to certificate, etc.). Note that this certificate will be the same for all the domains hosted on your server. That is what we want: only one configuration. If you are hosting multiple domains on the same server, the certificate will probably be invalid for at least one of your domains, and you should use mod_macro instead of a global HTTPS configuration.

Now, enable the site the usual way: a2ensite default-ssl. Don't restart Apache yet.

Rename the file default-ssl created in /etc/apache2/sites-enabled/ to 000-default-ssl.

Configure your other VirtualHosts with a *:80 section and a *:443 section as usual, but without specifying the certificate or any SSL information in the *:443 VirtualHosts.

If you restart Apache, you will notice something like this:

        _default_ virtualhost overlap on port 443

To get rid of these warnings, add the following to your ports.conf, in the right section:

        NameVirtualHost *:443
        Listen 443 http

When you finally restart Apache, every VirtualHost declared as *:443 will use the certificate defined in 000-default-ssl without mentioning it.
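The caveat above (one shared certificate will not be valid for every hosted domain) can be checked before restarting Apache. The following is an added example, not code from the original post: it lists the names served by *:443 VirtualHosts that the shared certificate's subjectAltName entries do not cover. The configuration text, host names and SAN list are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample: VirtualHost blocks as they might appear across the
# files in /etc/apache2/sites-enabled/ (host names are hypothetical).
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName example.org
    ServerAlias www.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName git.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName a.b.example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName example.net
</VirtualHost>
"""

# Constructed sample: DNS subjectAltName entries of the single shared certificate.
SAMPLE_SANS = ["example.org", "*.example.org"]

def https_names(conf):
    """Return ServerName/ServerAlias values declared inside :443 VirtualHosts."""
    names = []
    for block in re.findall(r"<VirtualHost\s+[^>]*:443>(.*?)</VirtualHost>", conf, re.S | re.I):
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M | re.I):
            names.extend(m.group(1).split())
    return [n.lower() for n in names]

def san_matches(san, host):
    """RFC 6125-style match: '*' is the whole left-most label and covers one label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]

def uncovered(conf, sans):
    """Names served over HTTPS that the shared certificate does not cover."""
    return [h for h in https_names(conf) if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    for host in uncovered(SAMPLE_CONF, SAMPLE_SANS):
        print("certificate does not cover:", host)
```

With the sample data, the wildcard covers www and git but neither the two-level sub-domain nor the second domain, which is the situation where the post recommends mod_macro instead.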

Saturday 26 November 2011

Git push origin master: error 22

A short note for those who, like me, followed the advice and examples found on the Internet to set up a Git server with WebDAV: you should know that, just as with Subversion, the WebDAV server is not too fond of wacky protocols (https, what an idea!), and you have to gently explain to it how to do protocol substitution to calm it down.

Anyway, since I spent three hours searching, here is the solution to this error 22: you have to tell Apache to replace https with http when it hands the request over to WebDAV.

        RequestHeader edit Destination ^https http early

In principle this changes nothing about the connection being encrypted; it just calms down the WebDAV module behind it so that it can find its bearings. Another small tip, to keep a slightly dumb client from switching to http because it did not understand:

        SetEnv redirect-carefully 1

And as a world exclusive, here is my configuration, in case it is useful to you:

For Subversion:

        SetEnv redirect-carefully 1
        RequestHeader edit Destination ^https http early
        <Directory /path/to/repos/>
                AllowOverride None
                Options Indexes
                Order allow,deny
                Allow from all
        </Directory>

        <Location /repos>
                DAV svn
                SVNPath /path/to/repos/
                SetEnv redirect-carefully 1

                AuthType Basic
                Authname "Subversion repository"
                AuthUserFile /path/to/passwd
                AuthzSVNAccessFile /path/to/authz

                # Repository readable without authentication
                <LimitExcept GET PROPFIND OPTIONS REPORT>
                        Require valid-user
                </LimitExcept>
        </Location>

For Git:

        SetEnv redirect-carefully 1
        RequestHeader edit Destination ^https http early

        Alias /repos /path/to/repos

        <Directory /path/to/repos>
                AllowOverride None
                Options Indexes MultiViews
                Order allow,deny
                Allow from all
        </Directory>

        <Location /repos>
                DAV on
                SetEnv redirect-carefully 1

                AuthType Basic
                Authname "Git repository"
                AuthUserFile /path/to/passwd

                # Yes, normally there should be group management for read/write here, but oh well...
                #<LimitExcept GET PROPFIND OPTIONS REPORT>
                        Require valid-user
                #</LimitExcept>
        </Location>