License

Copyright (C) 2008-2018 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: Webserver for Gentoo Linux

I use name based virtual hosts for multiple domains under the same IP. Here is my Webserver and PHP configuration.
Before installing (emerging) apache, change the /etc/make.conf as shown below.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge www-servers/apache

Changes in /etc/apache2/modules.d/00_mod_log_config.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/apache2/modules.d/00_mod_log_config.conf

Changed on 13.01.09
Issued by olli
Beginning line 23

This activates Apache logging with the vhost name included in each log line.


Before change
CustomLog /var/log/apache2/access_log common
After change
CustomLog /var/log/apache2/access_log vhost

Changes in /etc/apache2/vhosts.d/01_vhosts.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/apache2/vhosts.d/01_vhosts.conf

Changed on 13.01.09
Issued by olli
Beginning line 1

Here are some settings for name-based virtual hosts, preceded by some security settings.


# Some default settings
Listen 80
Listen 443
# NameVirtualHost is a no-op in Apache 2.4; kept commented out for reference only
#NameVirtualHost *:80
#NameVirtualHost *:443
# Global ServerName for the main server
ServerName silent-gabosh.example.com
# Default directory index (only index.html at this level)
DirectoryIndex index.html

# MPM settings: process limit and worker cap
# (MaxClients is the pre-2.4 name of MaxRequestWorkers; 2.4 still accepts it as an alias)
ServerLimit         500
MaxClients          500

# Request-size and timeout limits (mitigate slow or oversized requests)
# Seconds to wait for request/response I/O before giving up
Timeout 60
# Request body limit: 104857600 bytes = 100 MiB (uploads)
LimitRequestBody 104857600
# Allow a maximum of 50 request header fields
LimitRequestFields 50
# Maximum size in bytes of a single client request header field
LimitRequestFieldsize 4094
# Maximum length in bytes of the HTTP request line
LimitRequestLine 8190
# Same 100 MiB limit for XML request bodies (WebDAV)
LimitXMLRequestBody 104857600

# mpm-itk settings: per-vhost UID/GID must fall in this range
# (only effective with MPM_ITK enabled via APACHE2_OPTS)
LimitUIDRange 10 20000
LimitGIDRange 10 20000

# Deactivate TLS compression
SSLCompression off
# Disable SSLv2 and SSLv3 (POODLE)
# NOTE(review): "All" still leaves TLS 1.0 and 1.1 enabled; restrict further once client requirements allow
SSLProtocol All -SSLv2 -SSLv3
# Ciphers recommended by Mozilla https://wiki.mozilla.org/Security/Server_Side_TLS
# NOTE(review): this list predates the current Mozilla recommendations; re-check it against the current generator output
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# The server picks the cipher, in the order listed above
SSLHonorCipherOrder on
# Old cipher list kept for reference only (contains RC4 and MD5; do not re-enable)
#SSLCipherSuite EECDH+AES:EDH+AES:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
# Certificate, key and chain are set globally and inherited by every SSL vhost below
SSLCertificateFile /etc/ssl/example.com/example.com.crt
SSLCertificateKeyFile /etc/ssl/example.com/example.com.key
SSLCertificateChainFile /etc/ssl/example.com/letsencryptchain.pem
# OCSP stapling (currently disabled; SSLStaplingCache must be configured before SSLUseStapling takes effect)
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Append HttpOnly and Secure to every Set-Cookie header, including ones produced by proxied backends
# (a cookie that already carries the flags gets them twice, which is harmless)
# NOTE(review): without "always" only the onsuccess header table is edited — confirm error responses set no cookies
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# HTTP Strict Transport Security: 15768000 s is about six months;
# preload and includeSubDomains commit every subdomain of each vhost to HTTPS
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

# Load LDAP authentication modules
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

# Filesystem access policy: deny everything, then re-open only the two web roots
# (Options None turns off directory listings and FollowSymLinks; AllowOverride None ignores .htaccess)
<Directory />
 Require all denied
 Options None
 AllowOverride None
</Directory>
<Directory /var/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>
<Directory /srv/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>

# Hide the version footer on server-generated pages and refuse the TRACE method
ServerSignature Off
TraceEnable off

# Strip Range headers: prevents multi-range 206 floods, at the cost of disabling byte-range resume for all clients
RequestHeader unset Range

# Server-status (mod_status)
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
ExtendedStatus On
# NOTE(review): the Require lines below are combined by an implicit <RequireAny>,
# so "Require all denied" is redundant rather than overriding the host grants
# NOTE(review): "Require host" matches reverse-DNS hostnames; the IP and /16 entries
# look intended for "Require ip" — verify that access from the LAN actually works
<Location /server-status>
 SetHandler server-status
 Require all denied
 Require host 127.0.0.1
 Require host my.lan.network.ip/16
 Require host XXX.XXX.XXX.XXX/16
</Location>

# Known media file types
AddType audio/mpeg mp3
AddType audio/mp4 m4a
AddType audio/ogg ogg oga
AddType video/webm webm

# favicon.ico for all vhosts (the per-vhost Location blocks below keep it reachable on password-protected sites)
Alias /favicon.ico /var/www/gabosh.ico

# VHost template macro (mod_macro): one HTTP and one HTTPS vhost per name passed to "Use VHost"
<Macro VHost $vhost>
# HTTP (port 80)
# NOTE(review): no redirect to HTTPS is configured at this level; confirm whether $vhost.vhost provides one
<VirtualHost *:80>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # Never proxy ACME challenges so Let's Encrypt can validate locally
  ProxyPass /.well-known/acme-challenge !
  # Per-vhost additional configuration
  Include /etc/apache2/vhosts.d/vhosts/$vhost.vhost
  # Shared Let's Encrypt challenge directory settings
  Include /etc/apache2/vhosts.d/letsencrypt.include
  # favicon.ico stays reachable on password-protected sites
  <Location /favicon.ico>
   Require all granted
  </Location>
 </VirtualHost>
# HTTPS (port 443)
 <VirtualHost *:443>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # Activate TLS for this vhost (certificate settings are inherited from the global context)
  SSLEngine on
  # Never proxy ACME challenges so Let's Encrypt can validate locally
  ProxyPass /.well-known/acme-challenge !
  # Per-vhost additional configuration (TLS variant)
  Include /etc/apache2/vhosts.d/vhosts/$vhost.sslvhost
  # Shared Let's Encrypt challenge directory settings
  Include /etc/apache2/vhosts.d/letsencrypt.include
  # favicon.ico stays reachable on password-protected sites
  <Location /favicon.ico>
   Require all granted
  </Location>
 </VirtualHost>
</Macro>

# Generate VHosts from the macro (one HTTP/HTTPS pair per line)
Use VHost default
Use VHost www.example.com
Use VHost fbofl.example.com
Use VHost horde-test.example.com
Use VHost horde.example.com
Use VHost get.example.com
Use VHost mailman.example.com
Use VHost doc.example.com
Use VHost gtc.example.com
Use VHost mdforms.example.com
Use VHost offlimits.example.com
Use VHost olmusic.example.com
Use VHost camofl.example.com
Use VHost epson.example.com
Use VHost fhem.example.com
Use VHost fhemphone.example.com
Use VHost fhemtablet.example.com
Use VHost fotos.example.com

# favicon.ico in the main server context
<Location /favicon.ico>
 Require all granted
</Location>

Changes in /etc/conf.d/apache2

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/apache2

Changed on 09.09.08
Issued by olli
Beginning line 36

Apache start options for enabling PHP5 and SSL


Before change
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
After change
APACHE2_OPTS="-D DAV -D DAV_FS -D PHP -D SSL -D LANGUAGE -D PROXY -D MPM_ITK"

Changes in /etc/php/gabosh-php.ini

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/php/gabosh-php.ini

Changed on 23.02.11
Issued by olli
Beginning line 1

PHP-Configuration

; Report everything except notices, deprecations and strict warnings
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
; Never display errors to the client (they go to the log file below)
display_errors = Off
display_startup_errors = Off
track_errors = Off
html_errors = Off
; Log errors to file
error_log = /var/log/apache2/php_errors.log
; Maximum POST size of 50MB (should stay >= upload_max_filesize and within Apache's LimitRequestBody)
post_max_size = 50M
; Maximum upload size of 50MB
upload_max_filesize = 50M
; Default timezone for PHP
date.timezone = "Europe/Berlin"
; Maximum of 200 persistent MySQL connections per process
mysql.max_persistent = 200
; Maximum of 300 MySQL connections per process
; NOTE(review): the mysql.* settings belong to the legacy mysql extension (gone in PHP 7); harmless for mysqli/PDO — confirm
mysql.max_links = 300
; Session files are stored under a dedicated directory rather than the default shared tmp path
; NOTE(review): /var/www/php_sessions sits inside the <Directory /var/www> grant; it is not a DocumentRoot per the
; vhost template, but confirm no vhost exposes it and that only the PHP/Apache user can write there
session.save_path = "/var/www/php_sessions"
; Session garbage collection runs on about 1 in 10000 requests (session.gc_probability / session.gc_divisor)
session.gc_divisor = 10000
; Maximum memory per script
memory_limit = 512M

Changes in /etc/portage/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/portage/make.conf

Changed on 13.01.09
Issued by olli
Beginning line 25

The Apache MPM which should be compiled in

APACHE2_MPMS="prefork"
APACHE2_MODULES="$APACHE2_MODULES cgid proxy proxy_http proxy_wstunnel macro"

Setting up services

To start the new service after a system reboot, add it to a runlevel with the following command(s):

rc-update add apache2 

Please send feedback to: doc<at>gabosh.net


Here you can find the official Gentoo Linux Forums, where many answers can be found.

Here is a link to the official Gentoo Linux Homepage.


Wishlist

If you want to support my work you can find my Amazon wishlist here