
System Administrator's Guide/Installing Mahara/Apache//nginx

From Mahara Wiki

Revision as of 15:20, 8 September 2011 by Hughdavenport (talk | contribs)

Apache and nginx forced https

The following are instructions for having Apache process your .php files while nginx serves your static (non-dynamic) files and acts as an SSL proxy.

Nginx can be installed with apt-get install nginx, or with the equivalent command for your server's package manager.

Apache configuration

/etc/apache2/sites-available/default

<VirtualHost *:8080>
	ServerAdmin webmaster@localhost

	DocumentRoot /path/to/mahara/htdocs
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /path/to/mahara/htdocs/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
	<Directory "/usr/lib/cgi-bin">
		AllowOverride None
		Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
		Order allow,deny
		Allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog ${APACHE_LOG_DIR}/access.log combined

	Alias /doc/ "/usr/share/doc/"
	<Directory "/usr/share/doc/">
		Options Indexes MultiViews FollowSymLinks
		AllowOverride None
		Order deny,allow
		Deny from all
		Allow from 127.0.0.0/255.0.0.0 ::1/128
	</Directory>

</VirtualHost>

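Add the following to /etc/apache2/ports.conf. Apache then answers plain, unencrypted HTTP on port 8080. Only the nginx proxy on the same host needs to reach that port, so it should not be exposed to clients (for example, block it at the firewall).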

NameVirtualHost *:8080
Listen 8080


Nginx configuration

If this is the only domain that will be served from this server, it's probably OK to use /etc/nginx/sites-available/default; otherwise replace "default" with your domain's identifier.

server {
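        # "listen ... ssl" enables TLS on this port; it replaces the older
        # "ssl on;" directive, which current nginx releases no longer accept
        listen          443 ssl;

        server_name     example.com www.example.com ;
        server_name_in_redirect on;

        # Note: single domain setups obviously need only one listen directive
        # and one single domain declaration in server_name

        # ssl setup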
        ssl_certificate      /etc/nginx/conf/server.crt;
        ssl_certificate_key  /etc/nginx/conf/server.key;
        add_header           Front-End-Https    on;

        # logging
        access_log      /var/log/nginx/example/access.log;
        error_log       /var/log/nginx/example/error.log;

        # enable for debugging purpose
        # error_log     /var/log/nginx/example/error.log debug;

        location / {
            root        /path/to/mahara/htdocs;
            index       index.html index.php;
        }

        include /etc/nginx/modapache.conf;

}

You will need to set up the /var/log/nginx/example/ directory (or equivalent) for the logs, if it doesn't already exist, before nginx will load.

Setting up the ssl

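(These instructions are taken from the nginx docs.)

First change directory to where you want to create the certificate and private key. The ssl_certificate and ssl_certificate_key paths in the nginx configuration must point at the files created here (the configuration above uses /etc/nginx/conf). For example:

$ mkdir -p /usr/local/nginx/conf
$ cd /usr/local/nginx/conf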

Now create the server private key. A 2048-bit RSA key is used here because 1024-bit RSA is no longer considered adequate. You'll be asked for a passphrase:

$ openssl genrsa -des3 -out server.key 2048

Create the Certificate Signing Request (CSR):

$ openssl req -new -key server.key -out server.csr

Remove the need to enter a passphrase when starting nginx with SSL using the above private key. The resulting server.key is stored unencrypted, so keep it readable only by root:

$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

Finally, sign the certificate using the above private key and CSR. This produces a self-signed certificate:

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

The modapache include for nginx

You don't need to put this in a separate file, but it's advisable (it makes the block reusable across more than one domain).

Create a new file at /etc/nginx/modapache.conf with the following contents:

location ~ .*\.(php)$ {
    proxy_pass         http://localhost:8080;
    proxy_redirect     off;

    proxy_set_header   Host             $host;
    proxy_set_header   X-Real-IP        $remote_addr;
    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;

    client_max_body_size       10m;
    client_body_buffer_size    128k;

    proxy_connect_timeout      90;
    proxy_send_timeout         90;
    proxy_read_timeout         90;

    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
}
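
A consequence of this split worth checking before going live, shown as an added example that is not part of the original wiki page: only URIs matching the .php regex reach Apache, so nginx returns every other file under the document root as-is, including backup copies or includes that contain PHP source. The audit below applies the page's location regex to a directory tree; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# The regex from the modapache include: URIs matching it are proxied to Apache.
PHP_LOCATION = re.compile(r".*\.(php)$")

def handled_by(uri_path):
    """Return which tier answers a request path under the page's nginx config."""
    # A matching regex location wins; "location /" is the fallback and
    # serves the file straight from the document root.
    return "apache" if PHP_LOCATION.search(uri_path) else "nginx-static"

def audit_docroot(docroot):
    """List URIs nginx would send unprocessed although the file holds PHP source."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            uri = "/" + os.path.relpath(full, docroot).replace(os.sep, "/")
            if handled_by(uri) != "nginx-static":
                continue
            with open(full, "rb") as fh:
                if b"<?php" in fh.read(4096):
                    exposed.append(uri)
    return sorted(exposed)

def build_sample_docroot():
    """Constructed sample tree (not a real Mahara checkout)."""
    root = tempfile.mkdtemp(prefix="htdocs-")
    samples = {
        "index.php": "<?php echo 'home';",
        "config.php": "<?php $cfg->dbpass = 'constructed';",
        "config.php.bak": "<?php $cfg->dbpass = 'constructed';",
        "lib/helper.inc": "<?php function helper() {}",
        "theme/style.css": "body { margin: 0 }",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for uri in audit_docroot(build_sample_docroot()):
        print("served unprocessed by nginx:", uri)
```

Run audit_docroot() against /path/to/mahara/htdocs; anything it reports should be moved out of the document root or denied with its own location block.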