Reference
MODULE.JP - "Operating Apache with Confidence" slides published
http://module.jp/blog/internet_week_2005T16.html
Internet Week 2005
http://internetweek.jp/
via
cl.pocari.org - 2005-12-09 - "Operating Apache with Confidence" slides published
http://cl.pocari.org/2005-12-09-1.html
[06/Dec/2005 00:01:03 10178] [error] Init: (www.example.com:443) You have to perform a *full* server restart when you added or removed a certificate and/or key file
# apachectl stop
# apachectl startssl
are required.
# The NameVirtualHost argument must match the <VirtualHost> address exactly
NameVirtualHost *:80
<VirtualHost *:80>
DocumentRoot /var/www
ServerName xight.org
</VirtualHost>
<VirtualHost *:80>
DocumentRoot /home/yoshiki/public_html/chalow
ServerName memo.xight.org
ServerAlias memo
CustomLog /var/log/apache/memo.access.log combined
ErrorLog /var/log/apache/memo.error.log
</VirtualHost>
# mv awstats.conf awstats.xight.conf
# cp awstats.xight.conf awstats.memo.conf
/etc/awstats/awstats.xight.conf
LogFile="/var/log/apache/access.log.enc"
SiteDomain="xight.org"
/etc/awstats/awstats.memo.conf
LogFile="/var/log/apache/memo.access.log.enc"
SiteDomain="memo.xight.org"
The analysis results can be viewed at:
http://example.com/cgi-bin/awstats.pl?config=xight
http://example.com/cgi-bin/awstats.pl?config=memo
45 * * * * /home/yoshiki/bin/conv_weblog_to_utf8.pl < /var/log/apache/access.log > /var/log/apache/access.log.enc
45 * * * * /home/yoshiki/bin/conv_weblog_to_utf8.pl < /var/log/apache/memo.access.log > /var/log/apache/memo.access.log.enc
0 * * * * /usr/lib/cgi-bin/awstats.pl -config=xight -update > /dev/null 2>&1
0 * * * * /usr/lib/cgi-bin/awstats.pl -config=memo -update > /dev/null 2>&1
# For sites running on a port other than 80
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{SERVER_PORT} !^80$
RewriteRule ^/(.*) http://www.example.com:%{SERVER_PORT}/$1 [L,R]
# And for a site running on port 80
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://www.example.com/$1 [L,R]
RewriteEngine on
RewriteCond %{HTTP_HOST} ^(example\.lolipop\.jp|www\.example\.com)(:80)?
RewriteRule ^(.*) http://example.com/$1 [R,L]
NameVirtualHost *
<VirtualHost *>
ServerName www.example.net
ServerAlias example.com
Redirect permanent / http://www.example.com/
</VirtualHost>
<VirtualHost *>
ServerName www.example.com
DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://www.example.com/$1 [L,R=301]
RewriteCond %{HTTP_HOST} !^example\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^/(.*) http://example.com/$1 [L,R=301]
% htpasswd -c .htpasswd username
New password: xxxxxxxx
Re-type new password: xxxxxxxx
Adding password for user username
3. Create .htaccess, or edit httpd.conf
AuthType Basic
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthName "Please input ID,Password"
Order deny,allow
Deny from all
Allow from example.com example.org
Require valid-user
# aptitude install libapache-mod-ssl
# aptitude install libapache-mod-ssl-doc
# cat /usr/share/doc/libapache-mod-ssl-doc/examples/mod-ssl.conf >> /etc/apache/conf.d/ssl.conf
# zcat /usr/share/doc/libapache-mod-ssl-doc/examples/vhost.conf.gz >> /etc/apache/conf.d/vhost.conf
# apachectl configtest
# mod-ssl-makecert
What type of certificate do you want to create?
1. dummy (dummy self-signed Snake Oil cert)
2. test (test cert signed by Snake Oil CA)
3. custom (custom cert signed by own CA)
4. existing (existing cert)
Use dummy when you are a vendor package maintainer,
test when you are an admin but want to do tests only,
custom when you are an admin willing to run a real server
existing when you are an admin who upgrades a server.
Normally you would choose 2.
your choice: 2
Which algorithm should be used to generate required key(s)?
1. RSA
2. DSA
Normally you would choose 1.
your choice: 1
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.
Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________
STEP 1: Generating RSA private key (1024 bit) [server.key]
1261417 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.++++++
....++++++
e is 65537 (0x10001)
______________________________________________________________________
STEP 2: Generating X.509 certificate signing request [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
1. Country Name (2 letter code) [XY]:JP
2. State or Province Name (full name) [Snake Desert]:Tokyo
3. Locality Name (eg, city) [Snake Town]:Itabashi-ku
4. Organization Name (eg, company) [Snake Oil, Ltd]:Example Co.,Ltd.
5. Organizational Unit Name (eg, section) [Webserver Team]:Web Contents Group
6. Common Name (eg, FQDN) [www.snakeoil.dom]:example.com
7. Email Address (eg, name@FQDN) [www@snakeoil.dom]:admin@example.com
8. Certificate Validity (days) [365]:
______________________________________________________________________
STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:3
Signature ok
subject=/C=JP/ST=Tokyo/L=Itabashi-ku/O=Example Co.,Ltd./OU=Web Contents
Group/CN=example.com/emailAddress=admin@example.com
Getting CA Private Key
Verify: matching certificate & key modulus
Verify: matching certificate signature
/etc/apache/ssl.crt/server.crt: OK
______________________________________________________________________
STEP 4: Enrypting RSA private key with a pass phrase for security
[server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
RESULT: Server Certification Files
o /etc/apache/ssl.key/server.key
The PEM-encoded RSA private key file which you configure
with the 'SSLCertificateKeyFile' directive (automatically done
when you install via APACI). KEEP THIS FILE PRIVATE!
o /etc/apache/ssl.crt/server.crt
The PEM-encoded X.509 certificate file which you configure
with the 'SSLCertificateFile' directive (automatically done
when you install via APACI).
o /etc/apache/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request file which
you can send to an official Certificate Authority (CA) in order
to request a real server certificate (signed by this CA instead
of our demonstration-only Snake Oil CA) which later can replace
the /etc/apache/ssl.crt/server.crt file.
WARNING: Do not use this for real-life/production systems
# chmod 600 /etc/apache/ssl.key/server.key
# apachectl stop
# apachectl start
RedirectMatch permanent /path/to/(.*)$ http://example.com/
# RedirectMatch is provided by mod_alias, not mod_rewrite
<IfModule mod_alias.c>
# http://www.microsoft.com ?
# http://127.0.0.1/ ?
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/default.ida(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)\/x90\/(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)Admin.dll(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)cmd.exe(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)null.ida(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)NULL.IDA(.*)$ http://127.0.0.1/$1
RedirectMatch permanent (.*)root.exe(.*)$ http://127.0.0.1/$1
</IfModule>
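To see which clients are requesting the worm-probe paths redirected above, the same patterns can be run over the access log. This is an added example, not part of the original memo; the log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Signatures taken from the RedirectMatch rules above (IIS worm probes).
# Dots are escaped so that "cmd.exe" does not also match "cmd_exe".
SIGNATURES = [
    r"/_vti_bin/", r"/_mem_bin/", r"/c/winnt/", r"/d/winnt/",
    r"/default\.ida", r"/msadc/", r"/MSADC/", r"/scripts/\.\.",
    r"/x90/", r"Admin\.dll", r"cmd\.exe", r"null\.ida", r"NULL\.IDA",
    r"root\.exe",
]
PROBE_RE = re.compile("|".join(SIGNATURES))

# Apache common/combined prefix: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def find_probes(lines):
    """Yield (host, status, signature, path) for each line matching a probe signature."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip it
        parts = m.group("request").split()
        # A malformed request line (e.g. "-") has no URL field; test it as-is.
        path = parts[1] if len(parts) >= 2 else m.group("request")
        hit = PROBE_RE.search(path)
        if hit:
            yield m.group("host"), int(m.group("status")), hit.group(0), path

def summarize(lines):
    """Count probe hits per client address."""
    return Counter(host for host, _, _, _ in find_probes(lines))

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [06/Dec/2005:00:01:03 +0900] "GET /default.ida?NNNN HTTP/1.0" 301 312 "-" "-"',
    '192.0.2.10 - - [06/Dec/2005:00:01:04 +0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 301 318 "-" "-"',
    '198.51.100.7 - - [06/Dec/2005:00:02:10 +0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 301 316 "-" "-"',
    '203.0.113.5 - - [06/Dec/2005:00:03:00 +0900] "GET /docs/cmd_exe_notes.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for host, count in summarize(SAMPLE).most_common():
        print(host, count)
```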
Include /etc/apache/conf.d
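# The Referer header is supplied by the client, so this deters hotlinking but is not authentication
SetEnvIf Referer "^http://example\.com/" ref_ok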
order deny,allow
deny from all
allow from env=ref_ok