Prénom Nom - Correlyce Diffusion
Corrélyce Diffusion
Installation procedure for the Corréé platform

Document title: Installation procedure for the Corréé platform
File name: correlyce-diffusion_doc_install_081111.pdf
Date: 8 November 2011
Author(s): Jean-Christophe Pérennes
Version: 1.0
State / Status: Évolutif (evolving), Diffusion (distribution), Validé (validated)
Remarks: Document validated with version 0.7.8 of the code

Contents

1. Origin of the document
2. Installation of the LDAP servers
    2.1. The commands
    2.2. slapd.conf configuration file of the Master
    2.3. slapd.conf configuration file of the Slave
    2.4. Configuration file of the ldap1.correex.fr virtual host
    2.5. Setting up SSL
3. Installation of the applications for Correex
    3.1. Exim
        3.1.1. Installing Exim
        3.1.2. Configuring Exim
        3.1.3. Testing Exim
    3.2. Sympa
        3.2.1. Installing Sympa
        3.2.2. Configuring Sympa
        3.2.3. Recovering the existing lists
        3.2.4. Sympa bugs
    3.3. Mysql
        3.3.1. Installing Mysql
        3.3.2. Configuring Mysql
    3.4. Php
        3.4.1. Installing Php5
        3.4.2. Additional modules to install
    3.5. PhpMyAdmin
        3.5.1. Installing PhpMyAdmin
        3.5.2. Users and databases to back up
        3.5.3. Apache settings
    3.6. Apache 2
        3.6.1. Installing Apache
        3.6.2. Additional modules to install
    3.7. Java 1.5
        3.7.1. Installing Java
        3.7.2. Using Java 1.5 by default
    3.8. Tomcat 5.5
        3.8.1. Installing Tomcat 5.5
        3.8.2. Configuring Tomcat 5.5
        3.8.3. JVM heap configuration
    3.9. Apache configuration
        3.9.1. Configuring the pre-installed modules
        3.9.2. Configuring the virtual host
        3.9.3. Configuring the ports
        3.9.4. Configuring the certificates
        3.9.5. Tomcat applications
    3.1. Web application

This document is distributed under the Creative Commons Attribution - NonCommercial - ShareAlike 3.0 Unported license. To view a copy of this license, visit &(url_licence) or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

CRDP de l'Académie d'Aix-Marseille, G. Puimatto, JC Pérennes, November 2011

1. ORIGIN OF THE DOCUMENT

This installation document was drawn up as part of the Correex project, to allow the hosting operator to carry out the installation operations. It has been validated by the CRDP, which operates Correex, and by the company Jaguar Networks, which hosts it.

This document is valid for version 0.7.8 of the Corréé code. It will need further additions for later versions.

In what follows, the name of the platform has been replaced by Correex, the generic designation for implementations of the Corréé code within the Corrélyce Diffusion scheme.

2. INSTALLATION OF THE LDAP SERVERS

2.1. The commands

    # Run as root
    apt-get install slapd ldap-utils
    /etc/init.d/slapd stop
    cd /etc/ldap/schema/
    mkdir corree
    cd /etc/ldap/schema/corree/
    cp /home/crdpadmin/corree/init/ldap/schema/corree/* .
    chmod 644 *
    vi /etc/ldap/slapd.conf
    # Absolute paths: the current directory is still /etc/ldap/schema/corree/
    chown root:openldap /etc/ldap/slapd.conf
    chmod 640 /etc/ldap/slapd.conf
    slapadd -b 'dc=corree,dc=fr' -l /home/crdpadmin/corree.fr.ldif
    /etc/init.d/slapd start

    # For debugging if necessary
    # (the rm below wipes the existing database files)
    cd /var/lib/ldap && rm -R *
    /etc/init.d/slapd start
    # or
    slapd -d 16383
    /etc/init.d/slapd stop
    chown -R openldap:openldap /var/lib/ldap
    # u=rwX leaves the directory traversable (700) and the files at 600;
    # a plain "chmod -R 600" would make the directory unusable for slapd
    chmod -R u=rwX,go= /var/lib/ldap

    apt-get install php5-ldap phpldapadmin
    vi /etc/phpldapadmin/config.php

Technical document of the Correlyce - Diffusion project. Correlyce is a registered trademark of the Région PACA.

2.2. slapd.conf configuration file of the Master

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:

    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    #include /etc/ldap/schema/core.schema
    #include /etc/ldap/schema/cosine.schema
    #include /etc/ldap/schema/nis.schema
    #include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/corree/core_corree.schema
    include /etc/ldap/schema/corree/cosine_corree.schema
    include /etc/ldap/schema/corree/inetorgperson_corree.schema
    include /etc/ldap/schema/corree/ENT_corree.schema

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel 0

    # Where the dynamically loaded modules are stored
    modulepath /usr/lib/ldap
    moduleload back_bdb

    # The maximum number of entries that is returned for a search operation
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1

    #######################################################################
    # Specific Backend Directives for bdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend bdb
    #checkpoint 512 30

    #######################################################################
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend <other>

    #######################################################################
    # Specific Directives for database #1, of type bdb:
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    database bdb

    # Where the database file are physically stored for database #1
    directory "/var/lib/ldap"

    #replica uri=ldap://78.153.226.118:389 binddn="cn=admin,dc=corree,dc=fr" bindmethod=simple
    #credentials = "$cour13_"
    # replogfile /var/lib/ldap/replog

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057
    # for more information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500

    # Save the time that the entry gets modified, for database #1
    lastmod on

    # Where to store the replica logs for database #1
    # replogfile /var/lib/ldap/replog

    # The base of your directory in database #1
    suffix "dc=corree,dc=fr"
    moduleload syncprov
    rootdn "cn=admin,dc=corree,dc=fr"
    rootpw "$cour13_"

    index objectClass pres,eq
    index cn pres,eq,sub
    index sn pres,eq,sub
    index givenname eq
    index uid eq
    index l eq
    index ENTPersonLogin eq,sub
    index ENTPersonStructRattach eq
    index ENTAuxEnsClasses eq
    index ENTAuxEnsGroupes eq
    index ENTEleveClasses eq
    index ENTEleveGroupes eq
    index ENTStructureUAI eq
    index ENTStructureSIREN eq

    index entryCSN,entryUUID eq
    overlay syncprov
    syncprov-checkpoint 50 5
    syncprov-sessionlog 50

2.3. slapd.conf configuration file of the Slave

    # This is the main slapd configuration file. See slapd.conf(5) for more
    # info on the configuration options.

    #######################################################################
    # Global Directives:

    # Features to permit
    #allow bind_v2

    # Schema and objectClass definitions
    #include /etc/ldap/schema/core.schema
    #include /etc/ldap/schema/cosine.schema
    #include /etc/ldap/schema/nis.schema
    #include /etc/ldap/schema/inetorgperson.schema
    include /etc/ldap/schema/corree/core_corree.schema
    include /etc/ldap/schema/corree/cosine_corree.schema
    include /etc/ldap/schema/corree/inetorgperson_corree.schema
    include /etc/ldap/schema/corree/ENT_corree.schema

    # Where the pid file is put. The init.d script
    # will not stop the server if you change this.
    pidfile /var/run/slapd/slapd.pid

    # List of arguments that were passed to the server
    argsfile /var/run/slapd/slapd.args

    # Read slapd.conf(5) for possible values
    loglevel 0

    # Where the dynamically loaded modules are stored
    modulepath /usr/lib/ldap
    moduleload back_bdb

    # The maximum number of entries that is returned for a search operation
    sizelimit 500

    # The tool-threads parameter sets the actual amount of cpu's that is used
    # for indexing.
    tool-threads 1

    #######################################################################
    # Specific Backend Directives for bdb:
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    backend bdb
    #checkpoint 512 30

    #######################################################################
    # Specific Backend Directives for 'other':
    # Backend specific directives apply to this backend until another
    # 'backend' directive occurs
    #backend <other>

    #######################################################################
    # Specific Directives for database #1, of type bdb:
    # Database specific directives apply to this databasse until another
    # 'database' directive occurs
    database bdb

    # Where the database file are physically stored for database #1
    directory "/var/lib/ldap"

    #updatedn cn=admin,dc=corree,dc=fr
    #updateref ldap://78.153.226.117:389

    # For the Debian package we use 2MB as default but be sure to update this
    # value if you have plenty of RAM
    dbconfig set_cachesize 0 2097152 0

    # Sven Hartge reported that he had to set this value incredibly high
    # to get slapd running at all. See http://bugs.debian.org/303057
    # for more information.

    # Number of objects that can be locked at the same time.
    dbconfig set_lk_max_objects 1500
    # Number of locks (both requested and granted)
    dbconfig set_lk_max_locks 1500
    # Number of lockers
    dbconfig set_lk_max_lockers 1500

    # Save the time that the entry gets modified, for database #1
    lastmod on

    # Where to store the replica logs for database #1
    #replogfile /var/lib/ldap/replog

    # The base of your directory in database #1
    suffix "dc=corree,dc=fr"
    rootdn "cn=admin,dc=corree,dc=fr"
    rootpw "$cour13_"
    #updateref ldap://78.153.226.117

    index objectClass pres,eq
    index cn pres,eq,sub
    index sn pres,eq,sub
    index givenname eq
    index uid eq
    index l eq
    index ENTPersonLogin eq,sub
    index ENTPersonStructRattach eq
    index ENTAuxEnsClasses eq
    index ENTAuxEnsGroupes eq
    index ENTEleveClasses eq
    index ENTEleveGroupes eq
    index ENTStructureUAI eq
    index ENTStructureSIREN eq

    index entryCSN,entryUUID eq

    syncrepl rid=123
        provider=ldap://78.153.226.117:389
        type=refreshOnly
        interval=00:00:01:00
        searchbase="dc=corree,dc=fr"
        filter="(objectClass=*)"
        scope=sub
        attrs="*,+"
        schemachecking=off
        bindmethod=simple
        binddn="cn=admin,dc=corree,dc=fr"
        credentials="$cour13_"

2.4. Configuration file of the ldap1.correex.fr virtual host

    NameVirtualHost *:443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/certs_tbs/ldap1.correex.fr.pem
        SSLCertificateKeyFile /etc/apache2/certs_tbs/ldap1.correex.fr.key
        SSLCertificateChainFile /etc/apache2/certs_tbs/chain.crt
        SSLCipherSuite HIGH
        SSLProtocol all -SSLv2

        ServerName ldap1.correex.fr
        ServerAlias ldap1.correex.fr
        ServerAdmin [email protected]
        DocumentRoot /var/www-https/
        ErrorLog /var/log/apache2/error.ldap1.correex.fr.log
        CustomLog /var/log/apache2/access.ldap1.correex.fr.log combined

        RewriteEngine On
        RewriteRule ^/$ /phpldapadmin/\? [R]

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from 194.254.139.209
        </Directory>
    </VirtualHost>

Additional notes

• Enable the ssl, rewrite and alias modules.
• Note: the certificates are in /etc/apache2/cert_tbs
• Remove the virtual host listening on port 80 of Apache.

2.5. Setting up SSL

• Generate the key and the certificate request for the server (cn=ldap1.correex.fr)

    openssl genrsa 2048 > slapd-key.pem
    openssl req -new -key slapd-key.pem > slapd-csr.pem

• Obtain the server certificate from a certification authority: slapd-crt.pem
• Retrieve the certification chain: myca-cacert.pem
• Edit the file /etc/default/slapd

    SLAPD_SERVICES="ldap:/// ldaps:///"

• Edit the file /etc/ldap/slapd.conf to add, before the backend:

    TLSCertificateFile /etc/ssl/certs/slapd-crt.pem
    TLSCertificateKeyFile /etc/ldap/slapd-key.pem
    TLSCACertificateFile /etc/ssl/certs/myca-cacert.pem

3. INSTALLATION OF THE APPLICATIONS FOR CORREEX

3.1. Exim

3.1.1. Installing Exim

    apt-get install exim4

3.1.2. Configuring Exim

Exim can be configured either by editing the configuration file directly (/etc/exim4/update-exim4.conf.conf) or through the graphical interface (available via dpkg-reconfigure exim4-config).

    # /etc/exim4/update-exim4.conf.conf
    #
    # Edit this file and /etc/mailname by hand and execute update-exim4.conf
    # yourself or use 'dpkg-reconfigure exim4-config'
    #
    # Please note that this is _not_ a dpkg-conffile and that automatic changes
    # to this file might happen. The code handling this will honor your local
    # changes, so this is usually fine, but will break local schemes that mess
    # around with multiple versions of the file.
    #
    # update-exim4.conf uses this file to determine variable values to generate
    # exim configuration macros for the configuration file.
    #
    # Most settings found in here do have corresponding questions in the
    # Debconf configuration, but not all of them.
    #
    # This is a Debian specific file

    dc_eximconfig_configtype='internet'
    dc_other_hostnames='correex.fr'
    dc_local_interfaces='127.0.0.1;192.168.0.10'
    dc_readhost=''
    dc_relay_domains=''
    dc_minimaldns='false'
    dc_relay_nets=''
    dc_smarthost=''
    CFILEMODE='644'
    dc_use_split_config='false'
    dc_hide_mailname='true'
    dc_mailname_in_oh='true'
    dc_localdelivery='mail_spool'

3.1.3. Testing Exim

    host mx1.correex.fr
    exim -bt [email protected]
    mail [email protected]
    tail /var/log/exim4/mainlog

3.2. Sympa

The use of Sympa is specific to the Courdecol13 platform. Corrééx platforms must have access to a mailing-list manager, used in particular to distribute information to administrators, supervisors, users and people who have registered on the public interface of the site. Depending on the applications run by the organization carrying out the installation, its information system and its own operating rules, a dedicated list server may be used, which can be Sympa or another one.

3.2.1. Installing Sympa

    apt-get install sympa libapache2-mod-fastcgi

3.2.2. Configuring Sympa

Sympa can be configured either by editing the configuration file directly (/etc/sympa/sympa.conf) or through the graphical interface (available via dpkg-reconfigure -plow sympa).

    ## Configuration file for Sympa
    ## many parameters are optional (defined in src/Conf.pm)
    ## refer to the documentation for a detailed list of parameters

    ###\\\\ Directories and file location ////###

    ## Directory containing mailing lists subdirectories
    home /var/lib/sympa/expl

    ## Directory for configuration files ; it also contains scenari/ and templates/ directories
    etc /etc/sympa

    ## File containing Sympa PID while running.
    ## Sympa also locks this file to ensure that it is not running more than once. Caution : user sympa need to write access without special privilegee.
    pidfile /var/run/sympa/sympa.pid

    ## Umask used for file creation by Sympa
    umask 027

    ## The main spool containing various specialized spools
    ## All spool are created at runtime by sympa.pl
    spool /var/spool/sympa

    ## Incoming spool
    queue /var/spool/sympa/msg

    ## Bounce incoming spool
    queuebounce /var/spool/sympa/bounce

    ###\\\\ Syslog ////###

    ## The syslog facility for sympa
    ## Do not forget to edit syslog.conf
    syslog `/bin/cat /etc/sympa/facility`

    ## Communication mode with syslogd is either unix (via Unix sockets) or inet (use of UDP)
    log_socket_type unix

    ## Log intensity
    ## 0 : normal, 2,3,4 for debug
    log_level 0

    ###\\\\ General definition ////###

    ## Main robot hostname
    domain correex.fr

    ## Listmasters email list comma separated
    ## Sympa will associate listmaster privileges to these email addresses (mail and web interfaces). Some error reports may also be sent to these addresses.
    listmaster [email protected],[email protected]

    ## Local part of sympa email adresse
    ## Effective address will be [EMAIL]@[HOST]
    email sympa

    ## Default lang (cs | de | el | en_US | fr | hu | it | ja_JP | nl | oc | pt_BR | tr)
    lang fr

    ## Who is able to create lists
    ## This parameter is a scenario, check sympa documentation about scenarios if you want to define one
    create_list public_listmaster

    ## Secret used by Sympa to make MD5 fingerprint in web cookies secure
    ## Should not be changed ! May invalid all user password
    cookie `/bin/cat /etc/sympa/cookie`

    ###\\\\ Errors management ////###

    ## Bouncing email rate for warn list owner
    #bounce_warn_rate 20

    ## Bouncing email rate for halt the list (not implemented)
    ## Not yet used in current version, Default is 50
    #bounce_halt_rate 50

    ## Task name for expiration of old bounces
    #expire_bounce_task daily

    ## Welcome message return-path
    ## If set to unique, new subcriber is removed if welcome message bounce
    #welcome_return_path unique

    ###\\\\ MTA related ////###

    ## Path to the MTA (sendmail, postfix, exim or qmail)
    ## should point to a sendmail-compatible binary (eg: a binary named 'sendmail' is distributed with Postfix)
    sendmail /usr/sbin/sendmail

    ## Maximum number of recipients per call to Sendmail. The nrcpt_by_domain.conf file allows a different tuning per destination domain.
    nrcpt 25

    ## Max. number of different domains per call to Sendmail
    avg 10

    ## Max. number of Sendmail processes (launched by Sympa) running simultaneously
    ## Proposed value is quite low, you can rise it up to 100, 200 or even 300 with powerfull systems.
    maxsmtp 40

    ###\\\\ Pluggin ////###

    ## Path to the antivirus scanner engine
    ## supported antivirus : McAfee/uvscan, Fsecure/fsav, Sophos, AVP and Trend Micro/VirusWall
    #antivirus_path /usr/local/uvscan/uvscan

    ## Antivirus pluggin command argument
    #antivirus_args --secure --summary --dat /usr/local/uvscan

    ###\\\\ S/MIME pluggin ////###

    ## Path to OpenSSL
    ## Sympa knowns S/MIME if openssl is installed
    #openssl /usr/local/bin/openssl

    ## The directory path use by OpenSSL for trusted CA certificates
    #capath /etc/sympa/ssl.crt

    ## This parameter sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA)
    #cafile /usr/local/apache/conf/ssl.crt/ca-bundle.crt

    ## User CERTs directory
    ssl_cert_dir /var/lib/sympa/x509-user-certs

    ## Password used to crypt lists private keys
    #key_passwd your_password

    ###\\\\ Database ////###

    ## Database type (mysql | Pg | Oracle | Sybase | SQLite)
    ## be carefull to the case
    #db_type mysql

    ## Name of the database
    ## with SQLite, the name of the DB corresponds to the DB file
    #db_name sympa

    ## The host hosting your sympa database
    #db_host localhost

    ## Database user for connexion
    #db_user sympa

    ## Database password (associated to the db_user)
    ## What ever you use a password or not, you must protect the SQL server (is it a not a public internet service ?)
    #db_passwd your_passwd

    ## Database private extention to user table
    ## You need to extend the database format with these fields
    #db_additional_user_fields age,address

    ## Database private extention to subscriber table
    ## You need to extend the database format with these fields
    #db_additional_subscriber_fields billing_delay,subscription_expiration

    ###\\\\ Web interface ////###

    css_path /usr/lib/cgi-bin/sympa/css
    css_url https://www.correex.fr/wws/css

    ## Sympa's main page URL
    wwsympa_url http://correex.fr/wws

    ## web interface color : dark
    dark_color #006666

    ## web interface color : selected_color
    selected_color #996666

    ## web interface color : light
    light_color #cccc66

    ## web_interface color : shaded
    shaded_color #66cccc

    ## web_interface color : background
    bg_color #ffffcc

    ## Supported languages for the user interface
    supported_lang fr,en_US

    #-- Database configuration begin
    # DO NOT REMOVE SURROUNDING COMMENTS
    # DO NOT EDIT BY HAND
    # USE dpkg-reconfigure -plow sympa TO RECONFIGURE
    ## Database driver (DBD)
    db_type mysql
    ## Name of your database
    db_name sympa
    ## Your database hostname
    db_host localhost
    ## Username to connect to the DB
    db_user sympa
    ## Password for the user
    db_passwd cour13##
    #-- Database configuration end

3.2.3. Recovering the existing lists

When reinstalling or updating Sympa, remember to back up the directory /var/lib/sympa/expl.

3.2.4. Sympa bugs

If you receive a mail such as:

    Could not lock /var/run/sympa/sympa.pid, process is probably already running
    Could not lock /var/run/sympa/archived.pid, process is probably already running
    Could not lock /var/run/sympa/task_manager.pid, process is probably already running
    Could not lock /var/run/sympa/bounced.pid, process is probably already running

you must stop Sympa, delete these files and restart Sympa.
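One way to carry out the cleanup described above without removing the PID file of a daemon that is still running. This is an added example, not part of the original procedure; the function names and the directory argument are assumptions, and the stop/start commands in the comments assume the Debian init script /etc/init.d/sympa.

```shell
#!/bin/sh
# Added example: only PID files whose process no longer exists are removed.
# The four file names are those quoted in the error mail above.
#
# Assumed sequence, as root:
#   /etc/init.d/sympa stop
#   remove_stale_pidfiles /var/run/sympa
#   /etc/init.d/sympa start

SYMPA_PIDFILES="sympa.pid archived.pid task_manager.pid bounced.pid"

# pid_is_alive PID
# Exit status 0 if a process with that PID exists, 1 otherwise.
pid_is_alive() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric content counts as dead
    esac
    # kill -0 fails with EPERM for a live process owned by another user,
    # so /proc is checked as well (Linux, as on the Debian hosts of this page).
    kill -0 "$1" 2>/dev/null || [ -d "/proc/$1" ]
}

# list_stale_pidfiles DIR
# Print, one per line, the Sympa PID files in DIR that point to no process.
list_stale_pidfiles() {
    dir=$1
    for name in $SYMPA_PIDFILES; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        pid=
        # First field of the first line; read fails on a file without a
        # trailing newline but still fills $pid, hence the "|| true".
        read -r pid _ < "$f" || true
        if ! pid_is_alive "$pid"; then
            printf '%s\n' "$f"
        fi
    done
}

# remove_stale_pidfiles DIR
# Delete the stale PID files; files of live daemons are left in place.
remove_stale_pidfiles() {
    list_stale_pidfiles "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}
```

If a file is left in place after the stop command, the daemon it names is still running and should be investigated before anything is deleted.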
If Sympa does not send the message to the list even though it has been validated, the procedure to follow before restarting exim:

    ## router/400_exim4-config_system_aliases
    .ifndef SYSTEM_ALIASES_PIPE_TRANSPORT
    SYSTEM_ALIASES_PIPE_TRANSPORT = address_pipe
    .endif

3.3. Mysql

3.3.1. Installing Mysql

    apt-get install mysql-server-5.0

3.3.2. Configuring Mysql

/etc/mysql/my.cnf

    #
    # The MySQL database server configuration file.
    #
    # You can copy this to one of:
    # - "/etc/mysql/my.cnf" to set global options,
    # - "~/.my.cnf" to set user-specific options.
    #
    # One can use all long options that the program supports.
    # Run program with --help to get a list of available options and with
    # --print-defaults to see which it would actually understand and use.
    #
    # For explanations see
    # http://dev.mysql.com/doc/mysql/en/server-system-variables.html

    # This will be passed to all mysql clients
    # It has been reported that passwords should be enclosed with ticks/quotes
    # escpecially if they contain "#" chars...
    # Remember to edit /etc/mysql/debian.cnf when changing the socket location.
    [client]
    port = 3306
    socket = /var/run/mysqld/mysqld.sock

    # Here is entries for some specific programs
    # The following values assume you have at least 32M ram

    # This was formally known as [safe_mysqld]. Both versions are currently parsed.
    [mysqld_safe]
    socket = /var/run/mysqld/mysqld.sock
    nice = 0

    [mysqld]
    #
    # * Basic Settings
    #
    user = mysql
    pid-file = /var/run/mysqld/mysqld.pid
    socket = /var/run/mysqld/mysqld.sock
    port = 3306
    basedir = /usr
    datadir = /var/lib/mysql
    tmpdir = /tmp
    language = /usr/share/mysql/english
    skip-external-locking
    default-character-set=utf8
    default-storage-engine=INNODB
    lower_case_table_names=1
    #
    # Instead of skip-networking the default is now to listen only on
    # localhost which is more compatible and is not less secure.
    bind-address = 127.0.0.1
    #
    # * Fine Tuning
    #
    key_buffer = 16M
    max_allowed_packet = 16M
    thread_stack = 128K
    thread_cache_size = 8
    # This replaces the startup script and checks MyISAM tables if needed
    # the first time they are touched
    myisam-recover = BACKUP
    #max_connections = 100
    #table_cache = 64
    #thread_concurrency = 10
    #
    # * Query Cache Configuration
    #
    query_cache_limit = 1M
    query_cache_size = 16M
    #
    # * Logging and Replication
    #
    # Both location gets rotated by the cronjob.
    # Be aware that this log type is a performance killer.
    #log = /var/log/mysql/mysql.log
    #
    # Error logging goes to syslog. This is a Debian improvement :)
    #
    # Here you can see queries with especially long duration
    #log_slow_queries = /var/log/mysql/mysql-slow.log
    #long_query_time = 2
    #log-queries-not-using-indexes
    #
    # The following can be used as easy to replay backup logs or for replication.
    # note: if you are setting up a replication slave, see README.Debian about
    # other settings you may need to change.
    #server-id = 1
    #log_bin = /var/log/mysql/mysql-bin.log
    expire_logs_days = 10
    max_binlog_size = 100M
    #binlog_do_db = include_database_name
    #binlog_ignore_db = include_database_name
    #
    # * BerkeleyDB
    #
    # Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
    skip-bdb
    #
    # * InnoDB
    #
    # InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
    # Read the manual for more InnoDB related options. There are many!
    # You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
    #skip-innodb
    #
    # * Security Features
    #
    # Read the manual, too, if you want chroot!
    # chroot = /var/lib/mysql/
    #
    # For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completion
default-character-set=utf8

[isamchk]
key_buffer = 16M

#
# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
# [MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1

#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!includedir /etc/mysql/conf.d/

3.4. Php

3.4.1. Install Php5

# apt-get install php5

3.4.2. Additional modules to install

# apt-get install php5-curl
# apt-get install php5-gd
# apt-get install php5-ldap
# apt-get install php5-mcrypt

3.5. PhpMyAdmin

3.5.1. Install PhpMyAdmin

# apt-get install phpmyadmin

3.5.2. Users and databases to back up

Items to back up before any intervention on an existing platform:
• User corree → databases correedb and spipactus
• User sympa → database sympa
• MySQL character set: UTF-8 Unicode (utf8)
• Every database uses the InnoDB type and the utf8_general_ci collation

3.5.3. Apache settings

• Remove the access from the port 80 virtual host declaration
• Remove the link from /etc/apache2/conf.d
• SSL declaration → see the virtual host configuration file

3.6. Apache 2

3.6.1. Install Apache

# apt-get install apache2

3.6.2. Additional modules to install

# apt-get install apache2-mpm-prefork
# apt-get install libapache2-mod-fastcgi
# apt-get install libapache2-mod-jk
# apt-get install libapache2-mod-php5
# apt-get install libapache2-mod-python
# a2enmod rewrite

3.7. Java 1.5

3.7.1. Install Java

The java package is not free software, so specific sources have to be added to the repositories. To do so, edit the file /etc/apt/sources.list and add the following addresses:

deb http://ftp2.fr.debian.org/debian/ lenny main contrib non-free
deb-src http://ftp.fr.debian.org/debian/ lenny main contrib non-free

Installation

# apt-get install sun-java5-jdk

3.7.2. Using Java 1.5 by default

# vi /root/.bash_profile

JAVA_HOME=/usr/lib/jvm/java-1.5.0-sun
export JAVA_HOME
PATH=$JAVA_HOME/bin:$PATH
export PATH
export LANG=fr_FR@euro

3.8. Tomcat 5.5

3.8.1. Install Tomcat 5.5

# apt-get install tomcat5.5 tomcat5.5-admin tomcat5.5-webapps

3.8.2. Tomcat 5.5 configuration

# vi /var/lib/tomcat5.5/conf/server.xml

<!-- Server Configuration File for Tomcat 5.5 on Debian

     You can find a more complete example in
     /usr/share/doc/tomcat5.5/examples/ -->

<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A "Server" is a singleton element that represents the entire JVM,
     which may contain one or more "Service" instances. The Server
     listens for a shutdown command on the indicated port.

     Note: A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" or "Loggers" at this level.
 -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Comment these entries out to disable JMX MBeans support used for the
       administration web application -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" (and therefore the web applications visible
       within that Container). Normally, that Container is an "Engine",
       but this is not required.

       Note: A "Service" is not itself a "Container", so you may not
       define subcomponents such as "Valves" or "Loggers" at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8180.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.
         SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version is 1.3 or prior, download and install JSSE 1.0.2
           or later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.

         By default, DNS lookups are enabled when a web application calls
         request.getRemoteHost(). This can have an adverse impact on
         performance, so you can disable it by setting the
         "enableLookups" attribute to "false". When DNS lookups are disabled,
         request.getRemoteHost() will return the String version of the
         IP address of the remote client.
    -->

    <!-- Define a non-SSL HTTP/1.1 Connector on port 8180 -->
    <Connector port="8080" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true"
               URIEncoding="UTF-8"/>
    <!-- Note : To disable connection timeouts, set connectionTimeout value
         to 0 -->

    <!-- Note : To use gzip compression you could set the following properties :

               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml"
    -->

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8"
               truststoreFile="/var/lib/tomcat5.5/keys/.keystore"
               truststorePass="correex"
               keystoreFile="/var/lib/tomcat5.5/keys/.keystore"
               keystorePass="correex" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />

    <!-- Define a Proxied HTTP/1.1 Connector on port 8082 -->
    <!-- See proxy documentation for more information about using this. -->
    <!--
    <Connector port="8082"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" acceptCount="100" connectionTimeout="20000"
               proxyPort="80" disableUploadTimeout="true" />
    -->

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request. The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host). -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Standalone" defaultHost="localhost" jvmRoute="jvm1">
    -->

    <!-- Define the top level container in our container hierarchy -->
    <Engine name="Catalina" defaultHost="localhost">

      <!-- The request dumper valve dumps useful debugging information about
           the request headers and cookies that were received, and the response
           headers and cookies that were sent, for all requests received by
           this instance of Tomcat. If you care only about requests to a
           particular virtual host, or a particular application, nest this
           element inside the corresponding <Host> or <Context> entry instead.

           For a similar mechanism that is portable to all Servlet 2.4
           containers, check out the "RequestDumperFilter" Filter in the
           example application (the source for this filter may be found in
           "$CATALINA_HOME/webapps/examples/WEB-INF/classes/filters").

           Request dumping is disabled by default. Uncomment the following
           element to enable it.
      -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- Because this Realm is here, an instance will be shared globally -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase". Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Comment out the old realm but leave here for now in case we
           need to go back quickly -->
      <!--
      <Realm className="org.apache.catalina.realm.MemoryRealm" />
      -->

      <!-- Replace the above Realm with one of the following to get a Realm
           stored in a database and accessed via JDBC -->

      <!--
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="org.gjt.mm.mysql.Driver"
             connectionURL="jdbc:mysql://localhost/authority"
             connectionName="test" connectionPassword="test"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="oracle.jdbc.driver.OracleDriver"
             connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
             connectionName="scott" connectionPassword="tiger"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!--
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="sun.jdbc.odbc.JdbcOdbcDriver"
             connectionURL="jdbc:odbc:CATALINA"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name" />
      -->

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">

        <!-- Defines a cluster for this node,
             By defining this element, means that every manager will be changed.
             So when running a cluster, only make sure that you have webapps in
             there that need to be clustered and remove the other ones.
             A cluster has the following parameters:

             className = the fully qualified name of the cluster class
             clusterName = a descriptive name for your cluster, can be anything
             mcastAddr = the multicast address, has to be the same for all the nodes
             mcastPort = the multicast port, has to be the same for all the nodes
             mcastBindAddr = bind the multicast socket to a specific address
             mcastTTL = the multicast TTL if you want to limit your broadcast
             mcastSoTimeout = the multicast readtimeout
             mcastFrequency = the number of milliseconds in between sending a
                              "I'm alive" heartbeat
             mcastDropTime = the number a milliseconds before a node is
                             considered "dead" if no heartbeat is received
             tcpThreadCount = the number of threads to handle incoming
                              replication requests, optimal would be the same
                              amount of threads as nodes
             tcpListenAddress = the listen address (bind address) for TCP
                                cluster request on this host, in case of
                                multiple ethernet cards. auto means that address
                                becomes InetAddress.getLocalHost().getHostAddress()
             tcpListenPort = the tcp listen port
             tcpSelectorTimeout = the timeout (ms) for the Selector.select()
                                  method in case the OS has a wakup bug in
                                  java.nio. Set to 0 for no timeout
             printToScreen = true means that managers will also print to std.out
             expireSessionsOnShutdown = true means that
             useDirtyFlag = true means that we only replicate a session after
                            setAttribute,removeAttribute has been called.
                            false means to replicate the session after each request.
                            false means that replication would work for the
                            following piece of code: (only for
                            SimpleTcpReplicationManager)
                            <%
                            HashMap map = (HashMap)session.getAttribute("map");
                            map.put("key","value");
                            %>
             replicationMode = can be either 'pooled', 'synchronous' or
                               'asynchronous'.
                               * Pooled means that the replication happens using
                                 several sockets in a synchronous way. Ie, the
                                 data gets replicated, then the request return.
                                 This is the same as the 'synchronous' setting
                                 except it uses a pool of sockets, hence it is
                                 multithreaded. This is the fastest and safest
                                 configuration. To use this, also increase the
                                 nr of tcp threads that you have dealing with
                                 replication.
                               * Synchronous means that the thread that executes
                                 the request, is also the thread the replicates
                                 the data to the other nodes, and will not
                                 return until all nodes have received the
                                 information.
                               * Asynchronous means that there is a specific
                                 'sender' thread for each cluster node, so the
                                 request thread will queue the replication
                                 request into a "smart" queue, and then return
                                 to the client. The "smart" queue is a queue
                                 where when a session is added to the queue, and
                                 the same session already exists in the queue
                                 from a previous request, that session will be
                                 replaced in the queue instead of replicating
                                 two requests. This almost never happens, unless
                                 there is a large network delay.
        -->
        <!--
            When configuring for clustering, you also add in a valve to catch
            all the requests coming in, at the end of the request, the session
            may or may not be replicated. A session is replicated if and only if
            all the conditions are met:
            1. useDirtyFlag is true or setAttribute or removeAttribute has been
               called AND
            2. a session exists (has been created)
            3. the request is not trapped by the "filter" attribute

            The filter attribute is to filter out requests that could not modify
            the session, hence we don't replicate the session after the end of
            this request.
            The filter is negative, ie, anything you put in the filter, you mean
            to filter out, ie, no replication will be done on requests that
            match one of the filters.
            The filter attribute is delimited by ;, so you can't escape out ;
            even if you wanted to.

            filter=".*\.gif;.*\.js;" means that we will not replicate the
            session after requests with the URI ending with .gif and .js are
            intercepted.

            The deployer element can be used to deploy apps cluster wide.
            Currently the deployment only deploys/undeploys to working members
            in the cluster so no WARs are copied upons startup of a broken node.
            The deployer watches a directory (watchDir) for WAR files when
            watchEnabled="true"
            When a new war file is added the war gets deployed to the local
            instance, and then deployed to the other instances in the cluster.
            When a war file is deleted from the watchDir the war is undeployed
            locally and cluster wide
        -->

        <!--
        <Cluster className="org.apache.catalina.cluster.tcp.SimpleTcpCluster"
                 managerClassName="org.apache.catalina.cluster.session.DeltaManager"
                 expireSessionsOnShutdown="false"
                 useDirtyFlag="true"
                 notifyListenersOnReplication="true">

            <Membership
                className="org.apache.catalina.cluster.mcast.McastService"
                mcastAddr="228.0.0.4"
                mcastPort="45564"
                mcastFrequency="500"
                mcastDropTime="3000"/>

            <Receiver
                className="org.apache.catalina.cluster.tcp.ReplicationListener"
                tcpListenAddress="auto"
                tcpListenPort="4001"
                tcpSelectorTimeout="100"
                tcpThreadCount="6"/>

            <Sender
                className="org.apache.catalina.cluster.tcp.ReplicationTransmitter"
                replicationMode="pooled"
                ackTimeout="15000"/>

            <Valve className="org.apache.catalina.cluster.tcp.ReplicationValve"
                   filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>

            <Deployer className="org.apache.catalina.cluster.deploy.FarmWarDeployer"
                      tempDir="/tmp/war-temp/"
                      deployDir="/tmp/war-deploy/"
                      watchDir="/tmp/war-listen/"
                      watchEnabled="false"/>

            <ClusterListener className="org.apache.catalina.cluster.session.ClusterSessionListener"/>
        </Cluster>
        -->

        <!-- Normally, users must authenticate themselves to each web app
             individually. Uncomment the following entry if you would like
             a user to be authenticated the first time they encounter a
             resource protected by a security constraint, and then have that
             user identity maintained across *all* web applications contained
             in this virtual host. -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all requests for this virtual host. By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME. If you wish, you can specify a different
             directory with the "directory" attribute. Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>
        -->

        <!-- Access log processes all requests for this virtual host. By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME. If you wish, you can specify a different
             directory with the "directory" attribute. Specify either a relative
             (to $CATALINA_HOME) or absolute path to the desired directory.
             This access log implementation is optimized for maximum performance,
             but is hardcoded to support only the "common" and "combined" patterns.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>
        -->

        <!-- Access log processes all requests for this virtual host. By
             default, log files are created in the "logs" directory relative to
             $CATALINA_HOME. If you wish, you can specify a different
             directory with the "directory" attribute.
             Specify either a relative (to $CATALINA_HOME) or absolute path to
             the desired directory.
             This access log implementation is optimized for maximum performance,
             but is hardcoded to support only the "common" and "combined" patterns.
             This valve use NIO direct Byte Buffer to asynchronously store the log.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.ByteBufferAccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>
        -->

      </Host>

    </Engine>

  </Service>

</Server>

# vi /var/lib/tomcat5.5/conf/tomcat-users.xml

<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="root" password="123456crdp;:!" roles="admin,manager"/>
</tomcat-users>

3.8.3. JVM heap configuration

# vi /etc/default/tomcat5.5

# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
# default of tomcat55.
#TOMCAT5_USER=tomcat55

# The home directory of the Java development kit (JDK). You need at least
# JDK version 1.4. If JAVA_HOME is not set, some common directories for
# the Sun JDK, various J2SE 1.4 versions, and the free runtimes
# java-gcj-compat-dev and kaffe are tried.
#JAVA_HOME=/usr/lib/jvm/java-6-sun

# Directory for per-instance configuration files and webapps. It contain the
# directories conf, logs, webapps, work and temp. See RUNNING.txt for details.
# Default: /var/lib/tomcat5.5
#CATALINA_BASE=/var/lib/tomcat5.5

# Arguments to pass to the Java virtual machine (JVM).
JAVA_OPTS="-Djava.awt.headless=true -Xmx512M"

# Java compiler to use for translating JavaServer Pages (JSPs). You can use all
# compilers that are accepted by Ant's build.compiler property.
#JSP_COMPILER=jikes

# Use the Java security manager? (yes/no, default: yes)
# WARNING: Do not disable the security manager unless you understand
# the consequences!
# NOTE: java-gcj-compat-dev currently doesn't support a security
# manager.
#TOMCAT5_SECURITY=yes

3.9. Apache configuration

3.9.1. Configuration of the pre-installed modules

# vi /etc/libapache2-mod-jk/workers.properties

# workers.properties
#
# This file is a simplified version of the workers.properties supplied
# with the upstream sources. The jni inprocess worker (not built in the
# debian package) section and the ajp12 (deprecated) section are removed.
#
# As a general note, the characters $( and ) are used internally to define
# macros. Do not use them in your own configuration!!!
#
# Whenever you see a set of lines such as:
# x=value
# y=$(x)\something
#
# the final value for y will be value\something
#
# Normally all you will need to do is un-comment and modify the first three
# properties, i.e. workers.tomcat_home, workers.java_home and ps.
# Most of the configuration is derived from these.
#
# When you are done updating workers.tomcat_home, workers.java_home and ps
# you should have 3 workers configured:
#
# - An ajp13 worker that connects to localhost:8009
# - A load balancer worker
#
#

# OPTIONS ( very important for jni mode )

#
# workers.tomcat_home should point to the location where you
# installed tomcat. This is where you have your conf, webapps and lib
# directories.
#
workers.tomcat_home=/usr/share/tomcat5

#
# workers.java_home should point to your Java installation. Normally
# you should have a bin and lib directories beneath it.
#
workers.java_home=/usr/lib/jvm/java-1.5.0-sun

#
# You should configure your environment slash... ps=\ on NT and / on UNIX
# and maybe something different elsewhere.
#
ps=/

#
#------ ADVANCED MODE ------------------------------------------------
#---------------------------------------------------------------------
#

#
#------ worker list --------------------------------------------------
#---------------------------------------------------------------------
#
#
# The workers that your plugins should create and work with
#
worker.list=ajp13_worker

#
#------ ajp13_worker WORKER DEFINITION -------------------------------
#---------------------------------------------------------------------
#

#
# Defining a worker named ajp13_worker and of type ajp13
# Note that the name and the type do not have to match.
#
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
#
# Specifies the load balance factor when used with
# a load balancing worker.
# Note:
#  ----> lbfactor must be > 0
#  ----> Low lbfactor means less work done by the worker.
worker.ajp13_worker.lbfactor=1

#
# Specify the size of the open connection cache.
#worker.ajp13_worker.cachesize

#
#------ DEFAULT LOAD BALANCER WORKER DEFINITION ----------------------
#---------------------------------------------------------------------
#

#
# The loadbalancer (type lb) workers perform weighted round-robin
# load balancing with sticky sessions.
# Note:
#  ----> If a worker dies, the load balancer will check its state
#        once in a while. Until then all work is redirected to peer
#        workers.
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=ajp13_worker

# vi /etc/apache2/conf.d/jk

# JkWorkersFile /etc/libapache2-mod-jk/workers.properties
# JkLogFile /var/log/apache2/mod_jk.log
# JkLogLevel info

3.9.2. Virtual host configuration

# vi /etc/apache2/sites-available/www.correex.fr

NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
    ServerName www.correex.fr
    ServerAlias correex.fr
    ServerAdmin [email protected]
    DocumentRoot /var/www/
    ErrorLog /var/log/apache2/error.www.correex.fr.log
    CustomLog /var/log/apache2/access.www.correex.fr.log combined

    RewriteEngine On
    RewriteRule ^/$ /correex/ [R]
    RewriteRule ^/correex$ /correex/ [R]

    JkMount /correex/* ajp13_worker
    JkMount /cas/* ajp13_worker
    JkMount /oai/* ajp13_worker
    JkMount /oaicat/* ajp13_worker
    JkMount /correetest/* ajp13_worker

    <Location /actus/ecrire>
        Order deny,allow
        #Deny from all
        #Allow from 194.254.139.66
        Allow from all
    </Location>
</VirtualHost>

<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/apache2/certs/correex_tbs.crt
    SSLCertificateKeyFile /etc/apache2/certs/correex.key
    SSLCertificateChainFile /etc/apache2/certs/chain.crt
    SSLCipherSuite HIGH
    SSLProtocol all -SSLv2

    ServerName www.correex.fr
    ServerAlias www.correex.fr
    ServerAdmin [email protected]
    DocumentRoot /var/www-https/
    ErrorLog /var/log/apache2/error.www.correex.fr.log
    CustomLog /var/log/apache2/access.www.correex.fr.log combined

    Alias /wwsicons /usr/share/sympa/icons
    ScriptAlias /wws /usr/lib/cgi-bin/sympa/wwsympa.fcgi

    RewriteEngine On
    RewriteRule ^/$ /correex/\? [R]

    JkMount /correex/* ajp13_worker
    JkMount /cas/* ajp13_worker
    JkMount /oai/* ajp13_worker
    JkMount /oaicat/* ajp13_worker
    JkMount /admin/* ajp13_worker
    JkMount /manager/* ajp13_worker

    <Location /wws>
        #AddDefaultCharset ISO-8859-15
    </Location>

    # Alias /phpmyadmin/ "/usr/share/phpmyadmin/"
    <Location /phpmyadmin/>
        Order deny,allow
        Deny from all
        Allow from 194.254.139.66 194.254.139.209
    </Location>

    #<Location /phpldapadmin/>
    #    Order deny,allow
    #    Deny from all
    #    Allow from 194.254.139.66 194.254.139.209
    #</Location>

    <Location /trac>
        SetHandler mod_python
        PythonInterpreter main_interpreter
        PythonPath "['/usr/lib/python2.5/site-packages']+sys.path"
        PythonHandler trac.web.modpython_frontend
        PythonOption TracEnv /var/local/trac/courdecol
        PythonOption TracUriRoot /trac
        PythonOption TracLocale fr_FR.ISO-8859-1
        #PythonOption TracLocale fr_FR.iso885915@euro
        Order deny,allow
        Deny from all
        Allow from 194.254.139.66/32 194.254.139.209
        AuthType Basic
        AuthName "Trac"
        AuthBasicProvider "ldap"
        AuthLDAPURL "ldap://78.153.226.117/ou=personnes,dc=corree,dc=fr?uid?one?(objectClass=inetOrgPerson)"
        authzldapauthoritative Off
        require valid-user
    </Location>
</VirtualHost>

3.9.3. Port configuration

# vi /etc/apache2/ports.conf

# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

#NameVirtualHost *:80
Listen 80

<IfModule mod_ssl.c>
    # SSL name based virtual hosts are not yet supported, therefore no
    # NameVirtualHost statement here
    Listen 443
</IfModule>

3.9.4. Certificate configuration

The certificates are located in /etc/apache2/certs.

3.9.5. Tomcat applications

These are the Corréé applications and the oai and cas servers.
Copy the contents of the directory /var/lib/tomcat5.5/webapps/

# chown -R www-data:nogroup /var/lib/tomcat5.5/webapps/
# chmod -R 700 /var/lib/tomcat5.5/webapps/

3.1. Web application

This is a SPIP CMS. The LOMPADFR metadata generation tool is no longer used, having been replaced by the www.coredu.fr service. It remains available, but it relies on a metadata format that does not conform to the evolution of the LOMFR standard.

Copy the directory /var/www/

# chown -R www-data:nogroup /var/www/
# chmod -R 700 /var/www/

This document is distributed under the Creative Commons Attribution - NonCommercial - ShareAlike 3.0 Unported licence. To view a copy of this licence, please visit &(url_licence) or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.

CRDP de l’Académie d’Aix-Marseille, G. Puimatto, JC Pérennes, November 2011
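Added example, not part of the original procedure: a short Python audit of the two Tomcat files from section 3.8.2, flagging the default shutdown command, connectors not bound to loopback, a realm without a digest attribute (passwords compared as cleartext) and accounts holding the admin or manager role. The embedded XML is a constructed sample that mirrors the page's connectors, realm and roles with a placeholder account; the check names are this example's own, and the loopback check assumes Apache and Tomcat share one host, as worker.ajp13_worker.host=localhost indicates.

```python
"""Audit of a Tomcat 5.5 server.xml / tomcat-users.xml pair (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: same active elements as the server.xml in section 3.8.2,
# with comments and commented-out connectors left out.
SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" enableLookups="false" redirectPort="8443" />
    <Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true"
            autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: same roles as the page, placeholder account and password.
USERS_XML = """\
<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="example-admin" password="EXAMPLE-PLACEHOLDER"
        roles="admin,manager"/>
</tomcat-users>
"""

PRIVILEGED_ROLES = {"admin", "manager"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_server(server_xml):
    """Return (check_id, detail) findings for a server.xml document."""
    root = ET.fromstring(server_xml)
    findings = []
    # The shutdown port accepts this string from any local process.
    if root.get("shutdown") == "SHUTDOWN":
        findings.append(("default-shutdown-command",
                         "port " + root.get("port", "?")))
    for conn in root.iter("Connector"):
        # Without an address attribute a connector listens on every interface.
        if conn.get("address") not in LOOPBACK:
            is_ajp = conn.get("protocol", "").startswith("AJP")
            findings.append((("ajp" if is_ajp else "http")
                             + "-connector-not-loopback",
                             "port " + conn.get("port", "?")))
    for realm in root.iter("Realm"):
        # No digest attribute: stored passwords are treated as cleartext.
        if not realm.get("digest"):
            findings.append(("realm-cleartext-passwords",
                             realm.get("className", "?")))
    return findings


def audit_users(users_xml):
    """Return findings for accounts holding the admin or manager role."""
    findings = []
    for user in ET.fromstring(users_xml).iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        held = sorted(roles & PRIVILEGED_ROLES)
        if held:
            findings.append(("privileged-account",
                             user.get("username", "?") + ": " + ",".join(held)))
    return findings


def audit(server_xml=SERVER_XML, users_xml=USERS_XML):
    """Run both audits and return the combined list of findings."""
    return audit_server(server_xml) + audit_users(users_xml)


if __name__ == "__main__":
    for check, detail in audit():
        print(f"{check:30} {detail}")
```

To audit a real installation, pass the contents of the two files to audit(). A digest attribute on the Realm only helps once the passwords stored in tomcat-users.xml have been replaced by matching digests.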