/ Switching to SSL
- Enable the module: a2enmod ssl
- Edit /etc/apache2/ports.conf
Add: Listen 443
- For a self-signed certificate, edit the SSL certificate's aliases (subjectAltName). The certificate will then be valid for
both sites hosted by Apache.
vim /usr/share/apache2/ssleay.cnf
#
# SSLeay example configuration file.
#
# If not self-signed, use:
# [ req ]
#req_extensions = v3_req
#[ v3_req ]
#subjectAltName = critical,DNS:site1.com,DNS:site2.net
RANDFILE = $ENV::HOME/.rnd
[ req ]
# 1024-bit RSA is below the current 2048-bit minimum
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ v3_ca ]
subjectAltName = critical,DNS:glpi.kiko.fr, DNS:ocs.kiko.fr
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Some-State
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company; recommended)
organizationName_max = 64
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_max = 64
commonName = server name (eg. ssl.domain.tld; required!!!)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 40
- Generate the self-signed certificate:
apache2-ssl-certificate -days 1095
! Enter "glpi.kiko.fr" when prompted for the server name!
- Edit the vhosts
vim /etc/apache2/sites-available/glpi
NameVirtualHost IP_serveur:443
# The <VirtualHost> address and the DocumentRoot <Directory> path are assumed here
<VirtualHost IP_serveur:443>
    ServerAdmin webmaster@localhost
    ServerName glpi.kiko.fr
    DocumentRoot /var/www/glpi/
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/glpi/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/glpi.log combined
    ServerSignature Off
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
vim /etc/apache2/sites-available/ocs
# The <VirtualHost> address and the DocumentRoot <Directory> path are assumed here
<VirtualHost IP_serveur:443>
    ServerAdmin webmaster@localhost
    ServerName ocs.kiko.fr
    DocumentRoot /var/www/ocsreports/
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/ocsreports/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
        # This directive allows us to have apache2's default start page
        # in /apache2-default/, but still have / go to the right place
        #RedirectMatch ^/$ /apache2-default/
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/ocs.log combined
    ServerSignature Off
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
then /etc/init.d/apache2 restart
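To confirm that a certificate built with the subjectAltName line above really covers both virtual hosts, the following added example (not part of the original procedure) generates a throwaway certificate with the same two names and checks them with openssl. The function names and the working directory are assumptions of this example, and it uses a 2048-bit key rather than the 1024 bits configured above.

```shell
#!/bin/sh
# Added example, not the author's script. make_cert and cert_covers are
# hypothetical helper names; the hostnames are the ones used on this page.

# make_cert DIR: write DIR/test.cnf, DIR/key.pem and DIR/cert.pem.
# The config keeps only what is needed to reproduce the [ v3_ca ] SAN list.
make_cert() {
    dir=$1
    cat > "$dir/test.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ req_distinguished_name ]
commonName = glpi.kiko.fr
[ v3_ca ]
subjectAltName = critical,DNS:glpi.kiko.fr,DNS:ocs.kiko.fr
EOF
    # Self-signed, unencrypted key, same lifetime as on the page (1095 days).
    openssl req -new -x509 -nodes -days 1095 -newkey rsa:2048 \
        -config "$dir/test.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# cert_covers PEM HOST: succeed only if HOST is listed as a DNS
# subjectAltName in the certificate (exact match, no wildcard handling).
cert_covers() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tr ',' '\n' |
        sed 's/^ *//' |
        grep -qxF "DNS:$2"
}
```

Running cert_covers /etc/apache2/ssl/apache.pem ocs.kiko.fr applies the same check to the certificate Apache actually serves.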
6/ http->https redirection
- We will use a redirect to switch automatically from http to https:
a2enmod rewrite
Edit /etc/apache2/sites-available/default
NameVirtualHost *:80
RewriteEngine On
#Automatic redirect from http to https except for ocs.lmarc.fr, which is needed to deploy ocslogon,
#initially
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST}%{REQUEST_URI} !ocs\.lmarc\.fr
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Restart Apache. Anyone who enters http://glpi.kiko.fr will be redirected straight to
https://glpi.kiko.fr
- An OCS configuration file must also be modified, only if the redirect is
used, to allow local import of machines from the OCS console.
Edit /var/www/ocsreports/local.php
Change the line:
$result = post_it($contents, "http://".LOCAL_SERVER."/ocsinventory");
to
$result = post_it($contents, "http://ocs.lmarc.fr/ocsinventory");
Published by KiKo "the ordasqueireinse".... heheheheh