Best apache2 configuration to provide independent services
Hello,
I've read the apache docs, but I don't see any clear explanation on what's the best configuration to provide several independent services with the same web server.
I want, for instance, to provide some services through https and/or plain http, on the local network and/or the Internet. I also want, for instance, to be able to deactivate a service without affecting the others, or to activate/deactivate a service on http and leave it accessible through https.
My idea was to have one config file in /etc/apache/sites-available for each combination like 'service1-http', 'service1-https', ... so I can enable/disable each one with the 'a2ensite' and 'a2dissite' commands.
But I'm not quite sure it's the best approach (it seems to complicate the configuration rather than simplify it), or if there's any impact on performance and memory.
Also, I don't want to write the fully qualified name of the server in the config files in case it changes in the future.
What's the best approach for this when I want to provide both local and public/remote services? Do I really need to use virtual hosts?
Virtual hosts allow you to use a different combination of IP and name-based virtual hosts. If your server only has 1 IP address, and you want to host different domains (e.g. www.site1.com and www.site2.com) then you need to use virtual hosts, otherwise Apache will simply serve the same site out.
One thing to remember with virtual hosts is that, when enabled, if Apache can't locate a site/virtual host, it will serve the first configured virtual host in its config.
What we do here, is define the default DocumentRoot and first virtual host to be a "default" site - look at www.mailnetwork.co.uk. That's a site that's not yet configured on one of our machines - so Apache serves the first virtual host - which is the page you see.
We then have a different configuration file for each domain - e.g. andyshellam.eu has its own config file, as does mailnetwork.co.uk. The virtual hosts needed for each site are then inside this config file, and they're Include'd into the main httpd.conf file.
As for logging we do the same thing, we have a directory called 'www' in /var/logs, and inside this we have one log file per domain, with the virtual host (%v) at the beginning of each host line (see LogFormat.)
So in /var/logs/www, we have "access.log", "error.log" (which are the default log files) and "access-andyshellam_eu.log", "access-mailnetwork_co_uk.log" and "error-andyshellam_eu.log" etc.
You can have different VirtualHost containers for different ports, although we don't use SSL yet. You could have one set of config files for port 80 virtual hosts, and one for port 443 hosts, and have them in separate folders (e.g. /usr/local/apache2/conf/sites/80, /443 etc.)
No answer to your question, but be aware that each independent secure website (https) needs its own IP address and that you need to use IP-based virtual hosting, not name-based.
Well, thanks for pointing that out Wim, but I'm a bit confused about it because I see a lot of <VirtualHost _default_:443> on the Internet, isn't it name-based virtual hosting?
In fact, I read somewhere that, because of the intrinsic nature of SSL (no clue about what, precisely), the virtual hosts should be distinguished using IP addresses, so I'm inclined to trust you, but I've no real explanation for that: do you know of an article/tutorial/... I can read about that?
I know that there is an article somewhere on the Apache website, but I always have problems finding it. The explanation:
https encrypts the (http) data part of the TCP/IP packets. This includes the name of the requested site. Hence apache does not have a way to determine which virtual host to use. However, the ip address of the server is not encrypted as it's not in the data part of the TCP/IP packets and therefore apache can distinguish different sites based on the ip address.
I currently use a name-based virtual host for SSL, and we do in IIS at work - so, yes, you can use name-based virtual hosting for SSL sites too. I believe it's because the web-server does know how to decrypt the packets, because it was the service that encrypted them in the first place.
Yes, I've seen it working myself. But there seems to be something very specific with SSL anyway:
I'm using apache2 on debian, and I've installed the phpmyadmin package from the debian repositories. This package creates the file /etc/apache2/conf.d/phpmyadmin which holds the configuration for the phpmyadmin site (alias, etc.).
I've myself created /etc/apache2/sites-available/mysite and /etc/apache2/sites-available/mysite-https to run my own site both on plain http and https.
I've tried several configurations with and without virtual hosts, and it's only working fine when I put a single site in https (whether mysite-https or phpmyadmin by modifying its configuration).
I don't understand what's messing up my configuration, because phpmyadmin and mysite are working well together when no SSL is used...
Maybe the problem comes from the order / precedence of the SSL directives?
The following code is for SSL and is either in phpmyadmin or mysite-https, I even tried to put in both, and also inside / outside of the <VirtualHost> directive.
Code:
<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache2.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache2.key
</IfModule>
This configuration doesn't work for me, there must be some slight difference somewhere but I can't find it...
Anyway, I've set up a temporary solution using one Include directive per service I want to provide.
There are only two virtual hosts: one http only and one with SSL, and in each one I include the configurations for the services I want, which are distinguished by their path (e.g. /service1, /service2).
Code:
<VirtualHost _default_:80>
...
Include services/service1.conf
Include services/service2.conf
...
</VirtualHost>
Code:
<VirtualHost _default_:443>
...
Include services/service1.conf
Include services/service3.conf
...
</VirtualHost>
One problem is that I cannot enable/disable a given service without editing the config of the server (by adding/removing the corresponding Include directive).
I tried to make the services as modules so I can use a2enmod/dismod, but then they're enabled/disabled for all hosts.
Another problem is that the services' access rules cannot be clearly detached from their config file.
I want to put all access rules in the virtual host's config because they can be different from one vh to another; for instance: access is authorized in plain http only from the local network or in SSL for everybody.
But if I do that, that means I have to have knowledge of the paths defined in the module, in order to give or deny access to them.
You're using subdomains and (I assume) a wildcard certificate in which case you can use a single IP address. That will not work for different domains. The visitor will get warnings that the certificate does not belong to the site.
For the moment, we're using a self-signed certificate, when we get a verified certificate it will just be for the domain secure.mailnetwork.co.uk.
Saying that, I don't know why dspam.mailnetwork.co.uk is set up as a secure site, as there's a redirect on the insecure site dspam.mailnetwork.co.uk which redirects to https://secure.mailnetwork.co.uk/dspam.
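Added example (not part of the thread and not any poster's code): a Python check for the certificate-name question discussed above, listing which HTTPS virtual hosts sharing one IP address and port would show visitors a "certificate does not belong to the site" warning. It assumes the client sends no server name in the TLS handshake, so the certificate of the first virtual host on an address is presented for every site there; the 192.0.2.x addresses and the certificate names are constructed.

```python
# Added example; the addresses and certificate names below are constructed.

def name_matches(pattern, host):
    """Compare one certificate name with a hostname.
    A leading '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so '*.com' never matches.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, host):
    """True if any name on the certificate matches the hostname."""
    return any(name_matches(n, host) for n in cert_names)

def audit(vhosts):
    """vhosts: (listen_addr, server_name, cert_names) tuples in config order.
    Assumption: no server name is available during the handshake, so the
    first vhost's certificate on an address is presented for all of them.
    Returns the (addr, name) pairs that would get a mismatch warning."""
    presented = {}
    warnings = []
    for addr, name, cert_names in vhosts:
        cert = presented.setdefault(addr, cert_names)  # first vhost wins
        if not cert_covers(cert, name):
            warnings.append((addr, name))
    return warnings

# Constructed layout: two subdomains and an unrelated domain share one
# address; the same unrelated domain also has an address of its own.
CONSTRUCTED_VHOSTS = [
    ("192.0.2.10:443", "secure.mailnetwork.co.uk", ["*.mailnetwork.co.uk"]),
    ("192.0.2.10:443", "dspam.mailnetwork.co.uk", ["*.mailnetwork.co.uk"]),
    ("192.0.2.10:443", "andyshellam.eu", ["andyshellam.eu"]),
    ("192.0.2.11:443", "andyshellam.eu", ["andyshellam.eu"]),
]

if __name__ == "__main__":
    for addr, name in audit(CONSTRUCTED_VHOSTS):
        print(f"{name} on {addr}: presented certificate does not cover it")
```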