License

Copyright (C) 2008-2020 Oliver Bohlen.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.

A copy of the license is included in the section entitled "GNU Free Documentation License".

Introduction

This documentation comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

Howto: Webserver for Gentoo Linux

I use name based virtual hosts for multiple domains under the same IP. Here is my Webserver and PHP configuration.
Before installing (emerging) apache, change /etc/make.conf as shown below.

If you want to use this solution you need the following howto(s) finished:

Required software

The required software has to be installed with the following command(s):
emerge www-servers/apache

Changes in /etc/apache2/modules.d/00_mod_log_config.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/apache2/modules.d/00_mod_log_config.conf

Changed on 13.01.09
Issued by olli
Beginning line 23

This activates Apache logging with the vhost name included in the log file.


Before change
CustomLog /var/log/apache2/access_log common
After change
CustomLog /var/log/apache2/access_log vhost

Changes in /etc/apache2/vhosts.d/01_vhosts.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/apache2/vhosts.d/01_vhosts.conf

Changed on 13.01.09
Issued by olli
Beginning line 1

Here are some security settings, followed by the settings for name-based virtual hosts.


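# Some default settings
Listen 80
Listen 443
#NameVirtualHost *:80
#NameVirtualHost *:443
# ServerName
ServerName xgabosh.example.com
# Directory Index
DirectoryIndex index.html

# MPM-Settings
ServerLimit         500
MaxClients          500

# Some security settings
# Seconds to wait for a client to send/receive before the connection is dropped.
Timeout 60
# Allow a maximum of 100MB for upload (request body).
LimitRequestBody 104857600
# Allow a maximum of 50 request header fields per request.
LimitRequestFields 50
# Maximum size of a single HTTP request header field sent by the client.
LimitRequestFieldsize 4094
# Maximum length of the HTTP request line.
LimitRequestLine 8190
# Allow a maximum of 100MB for XML request bodies (WebDAV).
LimitXMLRequestBody 104857600

# ITK Settings: UID/GID range the per-vhost workers may switch to.
# Only effective with -D MPM_ITK (see /etc/conf.d/apache2).
LimitUIDRange 10 20000
LimitGIDRange 10 20000

# Deactivate SSL compression
SSLCompression off
# Deactivate SSLv2/SSLv3 (POODLE attack) and also TLSv1/TLSv1.1; only TLS 1.2 and newer stay enabled.
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Ciphers recommended by Mozilla https://wiki.mozilla.org/Security/Server_Side_TLS
# TEST: https://www.ssllabs.com/ssltest/analyze.html?d=nextcloud.example.com
# NOTE(review): the trailing TLS_AES_*/TLS_CHACHA20_* names are TLS 1.3 suites; whether this
# directive applies them depends on the Apache/OpenSSL version in use — confirm with the test above.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
#SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Prefer the server's cipher order over the client's preference
SSLHonorCipherOrder on
#SSLCipherSuite EECDH+AES:EDH+AES:EECDH+RC4:EDH+RC4:RC4-SHA:EECDH+AES256:EDH+AES256:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
SSLCertificateFile /etc/ssl/example.com/example.com.crt
SSLCertificateKeyFile /etc/ssl/example.com/example.com.key
SSLCertificateChainFile /etc/ssl/example.com/letsencryptchain.pem
# OCSP Stapling (currently disabled)
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:/var/run/ocsp(128000)
# Secure cookies: append HttpOnly and Secure to every Set-Cookie header.
# The edit is unconditional, so a cookie the application already flags gets the
# attributes twice, and it also applies to the port-80 vhosts generated below.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Enable HTTP Strict Transport Security. Browsers only honour it over HTTPS; the
# "preload" token only matters once the domain is submitted to the browser preload list.
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

# Load LDAP Auth modules
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

# Security: deny the whole filesystem by default, then re-open only the web roots,
# with no Options and no .htaccess overrides.
<Directory />
 Require all denied
 Options None
 AllowOverride None
</Directory>
<Directory /var/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>
<Directory /srv/www>
 Require all granted
 Options None
 AllowOverride None
</Directory>

# Do not reveal the server version on generated pages; disable the TRACE method.
ServerSignature Off
TraceEnable off

# Disables HTTP Range requests (no 206 responses), presumably as a byte-range DoS mitigation.
# Side effect: resumable downloads and media seeking via Range do not work.
RequestHeader unset Range

# Server-status
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
ExtendedStatus On
<Location /server-status>
 SetHandler server-status
 # Allow-list of client addresses. Several Require lines in one section form an
 # implicit <RequireAny>, so every client not listed here is denied; a
 # "Require all denied" inside such a list is redundant and has been dropped.
 # "Require ip" matches addresses and CIDR ranges; the previous "Require host"
 # matches the client's reverse-resolved host *name* and does not match address literals.
 Require ip 127.0.0.1
 Require ip my.lan.network.ip/16
 Require ip XXX.XXX.XXX.XXX/16
</Location>

# Known Media Files
AddType audio/mpeg mp3
AddType audio/mp4 m4a
AddType audio/ogg ogg oga
AddType video/webm webm

# favicon.ico for all
Alias /favicon.ico /var/www/gabosh.ico

# VHost Template Macro: expands into an HTTP and an HTTPS vhost for $vhost
<Macro VHost $vhost>
# HTTP
 <VirtualHost *:80>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # letsencrypt noproxy: keep the ACME challenge path local even if the per-vhost
  # include below proxies everything (the first matching ProxyPass wins)
  ProxyPass /.well-known/acme-challenge !
  # Additional Config
  Include /etc/apache2/vhosts.d/vhosts/$vhost.vhost
  # letsencrypt auth
  Include /etc/apache2/vhosts.d/letsencrypt.include
  # favicon.ico for PW-Secured sites
  <Location /favicon.ico>
   Require all granted
  </Location>
 </VirtualHost>
# HTTPS
 <VirtualHost *:443>
  ServerName $vhost
  DocumentRoot /var/www/$vhost/htdocs
  # Activate SSL for VHost
  SSLEngine on
  # letsencrypt noproxy: see the HTTP vhost above
  ProxyPass /.well-known/acme-challenge !
  # Additional Config
  Include /etc/apache2/vhosts.d/vhosts/$vhost.sslvhost
  # letsencrypt auth
  Include /etc/apache2/vhosts.d/letsencrypt.include
  # favicon.ico for PW-Secured sites
  <Location /favicon.ico>
   Require all granted
  </Location>
 </VirtualHost>
</Macro>

# default vHost: the first <VirtualHost> on each port answers requests whose Host
# header matches none of the names generated below; send them to the main site.
<VirtualHost *:80>
 Redirect / https://www.example.com/
</VirtualHost>
<VirtualHost *:443>
 # Redirect to https:// — sending HTTPS clients to plain http:// (as before) would
 # downgrade the connection.
 Redirect / https://www.example.com/
 SSLEngine on
 Include /etc/apache2/vhosts.d/letsencrypt.include
</VirtualHost>

# Generate VHosts from Macro
Use VHost www.example.com
Use VHost fbofl.example.com
Use VHost drucker-ofl.example.com
Use VHost get.example.com
Use VHost mailman.example.com
Use VHost doc.example.com
Use VHost gtc.example.com
#Use VHost mdforms.example.com
Use VHost camofl.example.com
Use VHost epson.example.com
Use VHost fhem.example.com
Use VHost fhemphone.example.com
Use VHost fhemtablet.example.com
Use VHost status.example.com
Use VHost olmusic.example.com
Use VHost nextcloud.example.com
Use VHost nextcloud-test.example.com
Use VHost autoconfig.example.com
Use VHost vnc.example.com
Use VHost share.example.com

# favicon.ico stays reachable even where a vhost requires authentication
<Location /favicon.ico>
 Require all granted
</Location>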

Changes in /etc/conf.d/apache2

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/conf.d/apache2

Changed on 09.09.08
Issued by olli
Beginning line 36

Apache start options for enabling PHP5 and SSL


Before change
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
After change
APACHE2_OPTS="-D DAV -D DAV_FS -D PHP -D SSL -D LANGUAGE -D PROXY -D MPM_ITK -D AUTHNZ_EXTERNAL"

Changes in /etc/php/gabosh-php.ini

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/php/gabosh-php.ini

Changed on 23.02.11
Issued by olli
Beginning line 1

PHP-Configuration

; Report everything except notices, deprecation and strict warnings
error_reporting = E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT
; Don't display errors to the client (they go to the log file below)
display_errors = Off
display_startup_errors = Off
; NOTE(review): track_errors was removed in PHP 8 — confirm against the installed PHP version
track_errors = Off
html_errors = Off
; Log errors to file
error_log = /var/log/apache2/php_errors.log
; Maximum post size of 100MB (should be >= upload_max_filesize; Apache's
; LimitRequestBody in 01_vhosts.conf caps the request at the same 100MB)
post_max_size = 100M
; Maximum of 100MB per uploaded file
upload_max_filesize = 100M
; Default timezone for PHP
date.timezone = "Europe/Berlin"
; Maximum of 200 persistent MySQL connections at the same time
; NOTE(review): the mysql.* settings belong to the legacy mysql extension (removed in PHP 7) — confirm
mysql.max_persistent = 200
; Maximum of 300 MySQL connections (persistent and non-persistent) at the same time
mysql.max_links = 300
; Set max memory a single script may allocate
memory_limit = 512M

Changes in /etc/portage/make.conf

File permissions:
Owner: root
Group: root
Permissions: -rw-r--r--

Click here for a download of the complete file: /etc/portage/make.conf

Changed on 13.01.09
Issued by olli
Beginning line 29

The Apache MPM and the additional modules which should be compiled in

# Apache MPM to build; presumably prefork because -D MPM_ITK is enabled in /etc/conf.d/apache2 — confirm
APACHE2_MPMS="prefork"
# Extra modules to build: proxy/proxy_http/proxy_wstunnel for the ProxyPass directives and
# macro for the <Macro VHost> template in 01_vhosts.conf; ldap, authnz_ldap and status are
# loaded there with explicit LoadModule lines instead.
APACHE2_MODULES="$APACHE2_MODULES cgid proxy proxy_http proxy_wstunnel macro"

Setting up services

For starting the new service after system reboot you should add it to a runlevel with the following command(s):

rc-update add apache2 

Please send a feedback to: doc<at>gabosh.net


Here you can find the official Gentoo Linux Forums where you can find a lot of answers.

Here a link to the official Gentoo Linux Homepage.


