-
-
Notifications
You must be signed in to change notification settings - Fork 134
/
Copy pathSkeleton-site-ssl.conf
222 lines (190 loc) · 8.35 KB
/
Skeleton-site-ssl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Site-specific variables
Define SITE_DOMAIN @@SITE_DOMAIN@@
Define SITE_USER @@SITE_USER@@
Define DOCUMENT_ROOT "/home/${SITE_USER}/website/code"
Define WORDPRESS_ROOT_URL "/site/"
Define WORDPRESS_UPLOADS_URL "/wp-content/uploads/"
ServerName ${SITE_DOMAIN}
ServerAlias www.${SITE_DOMAIN}
DocumentRoot "${DOCUMENT_ROOT}"
# Custom error documents
ErrorDocument 500 "System failure. Sorry! Please try again. [email protected]"
ErrorDocument 503 "Timeout occurred. Sorry! Please try again. [email protected]"
<IfModule pagespeed_module>
ModPagespeed off
ModPagespeedStatistics off
ModPagespeedFileCachePath /home/${SITE_USER}/website/pagespeed
ModPagespeedRewriteDeadlinePerFlushMs 100
#ModPagespeedMapRewriteDomain s.${SITE_DOMAIN} ${SITE_DOMAIN}
#ModPagespeedEnableFilters rewrite_javascript
ModPagespeedDisableFilters rewrite_images
#ModPagespeedCssInlineMaxBytes 10
</IfModule>
# Enable SSL
# Current master in Debian https://salsa.debian.org/apache-team/apache2/blob/master/debian/config-dir/sites-available/default-ssl.conf
SSLEngine On
# Off for self-signed certificates
#SSLUseStapling Off
# Public key + "include intermediate CA certificates, sorted from leaf to root"
SSLCertificateFile /etc/ssl/localcerts/${SITE_DOMAIN}-public.pem
# Private key
SSLCertificateKeyFile /etc/ssl/private/${SITE_DOMAIN}-private.key
# Separate Diffie Hellman Ephemeral Parameters for OpenSSL 1.0.2+
# { nice openssl dhparam 1024; nice openssl dhparam 2048; nice openssl dhparam 4096; } \
# > /etc/ssl/private/${SITE_DOMAIN}-dhparams.pem
#SSLOpenSSLConfCmd DHParameters /etc/ssl/private/${SITE_DOMAIN}-dhparams.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# Allow file access and .htaccess usage
<Directory "/home/${SITE_USER}/website">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
# Disable HTTP/0.9
HttpProtocolOptions Strict RegisteredMethods Require1.0
# HSTS for 1 year
Header always set "Strict-Transport-Security" "max-age=31536000; includeSubDomains"
RewriteEngine On
## Enable apache status
## Consider enabling it in the webmail's vhost
#<IfModule mod_status.c>
# <Location /server-status>
# SetHandler server-status
# Require local
# </Location>
# RewriteRule "^/server-status$" - [END]
#</IfModule>
## Enable status for this php-fpm pool
#<Location /statusphp>
# Require local
# <IfModule mod_proxy_fcgi.c>
# ProxyPass "unix:///run/php/php7.4-fpm-${SITE_USER}.sock|fcgi://localhost${DOCUMENT_ROOT}"
# </IfModule>
#</Location>
#RewriteRule "^/statusphp$" - [END]
## Static website
#ErrorDocument 404 /404.html
#<LocationMatch ".+\.php">
# Require all denied
#</LocationMatch>
#<FilesMatch ".+\.php">
# Require all denied
#</FilesMatch>
#DirectoryIndex disabled
#DirectoryIndex index.html
<IfModule mod_proxy_fcgi.c>
DirectoryIndex disabled
DirectoryIndex index.html index.php
AcceptPathInfo Off
ProxyRequests Off
## Pass on HTTP/Auth
#SetEnvIfNoCase "^Authorization$" "(.+)" HTTP_AUTHORIZATION=$1
## Requests with trailing pathname information (PathInfo)
#AcceptPathInfo On
#<LocationMatch "^/.+\.php(/.+)?$">
# SetEnvIf Request_URI "^" proxy-fcgi-pathinfo=first-dot
#<LocationMatch "^/.+\.php$">
# # For aliases
# #ProxyPassMatch "unix:///run/php/php7.4-fpm-${SITE_USER}.sock|fcgi://localhost/ALIAS/PATH"
# ProxyPassMatch "unix:///run/php/php7.4-fpm-${SITE_USER}.sock|fcgi://localhost${DOCUMENT_ROOT}"
#</LocationMatch>
#ProxyTimeout 65
# Prevent 'Primary script unknown'
<FilesMatch ".+\.php$">
# No trailing slash!
SetHandler "proxy:unix:/run/php/php7.4-fpm-${SITE_USER}.sock|fcgi://localhost"
</FilesMatch>
<Proxy "fcgi://localhost">
ProxySet connectiontimeout=5 timeout=65
</Proxy>
# Localization default
SetEnv "LC_ALL" "en_US.UTF-8"
#SetEnv "LC_ALL" "hu_HU.UTF-8"
</IfModule>
# Throttle requests with empty user-agent
<IfModule mod_ratelimit.c>
<If "-z '%{HTTP_USER_AGENT}'">
SetOutputFilter RATE_LIMIT
# 10 KB/s
SetEnv rate-limit 10
</If>
</IfModule>
# Deny requests with connection reuse/different SNI
RewriteCond expr "%{SSL:SSL_TLS_SNI} != %{HTTP_HOST}"
RewriteRule "^" - [R=421,END]
# Refuse Microsoft Office Autodiscover requests
RewriteRule "^/autodiscover/autodiscover\.xml$" - [NC,R=404,END]
# Refuse OPTIONS requests from Microsoft Office and alternatives
RewriteCond "%{REQUEST_METHOD}" "^(OPTIONS|PROPFIND)$" [NC]
RewriteCond "%{HTTP_USER_AGENT}" "=Microsoft Office Protocol Discovery" [OR]
RewriteCond "%{HTTP_USER_AGENT}" "^(Microsoft-WebDAV-MiniRedir/|Apache OpenOffice/|LibreOffice$)"
RewriteRule "^" - [R=405,END]
# AMP Preconnect Polyfill for Safari https://github.com/ampproject/amphtml/blob/master/src/preconnect.js#L309
RewriteCond "%{REQUEST_METHOD}" "=HEAD"
RewriteCond "%{QUERY_STRING}" "^_AMP_safari_preconnect_polyfill_cachebust=[0-9]+$"
RewriteRule "^/robots\.txt$" "/robots.txt"
# Do not serve JavaScript and CSS .map files in production
RewriteRule "\.map$" - [R=404,END]
# Canonical redirect
RewriteCond "%{HTTP_HOST}" "!=${SITE_DOMAIN}"
RewriteRule "^" "%{REQUEST_SCHEME}://${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,END]
#RewriteCond "%{HTTP_HOST}" "!=www.${SITE_DOMAIN}"
#RewriteRule "^" "%{REQUEST_SCHEME}://www.${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,END]
# Filename revisioning - in <VirtualHost>
# Check for existing files
# grep -E '\.[0-9][0-9]+\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest|eot|otf|ttf|woff|woff2) HTTP/' /var/log/apache2/*access.log
RewriteCond "${DOCUMENT_ROOT}%{REQUEST_FILENAME}" !-f
RewriteRule "^(.+)\.\d\d+\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest|eot|otf|ttf|woff|woff2)$" "$1.$2"
## Filename revisioning - in <Directory>/.htaccess
#RewriteCond "%{REQUEST_FILENAME}" !-f
#RewriteRule "^(.+)\.\d\d+\.(bmp|css|cur|gif|ico|jpe?g|js|png|svgz?|webp|webmanifest|eot|otf|ttf|woff|woff2)$" "/$1.$2"
## Missing images
#RewriteCond "${DOCUMENT_ROOT}%{REQUEST_FILENAME}" !-f
#RewriteRule "^.+\.(jpe?g|png|gif)$" "/default-image.jpg" [END]
# Don't index files for robots
<LocationMatch "^/(robots\.txt|.*sitemap.*\.xml)$">
Header append "X-Robots-Tag" "noindex, nofollow"
</LocationMatch>
# WordPress
Include conf-available/wordpress.inc.conf
# Site specific
# Rewrite order: DirectoryMatch -> .htaccess -> Directory
<DirectoryMatch "${DOCUMENT_ROOT}">
#AllowOverride None
# Dot files
RewriteOptions InheritBefore
RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
RewriteCond %{SCRIPT_FILENAME} -d [OR]
RewriteCond %{SCRIPT_FILENAME} -f
RewriteRule "(^|/)\." - [F]
#Include conf-available/well-known-relocate.inc.conf
</DirectoryMatch>
# Log 404-s
LogLevel info reqtimeout:notice ssl:notice
ErrorLog ${APACHE_LOG_DIR}/${SITE_USER}-ssl-error.log
CustomLog ${APACHE_LOG_DIR}/${SITE_USER}-ssl-access.log combined
#LogLevel info reqtimeout:notice ssl:notice pagespeed:notice
## CloudFlare, Incapsula, StackPath, Sucuri
#ErrorLog ${APACHE_LOG_DIR}/${SITE_USER}-ssl-errorCF.log
#CustomLog ${APACHE_LOG_DIR}/${SITE_USER}-ssl-access.log mod_remoteip
</VirtualHost>
</IfModule>
<VirtualHost *:80>
ServerName ${SITE_DOMAIN}
ServerAlias www.${SITE_DOMAIN}
DocumentRoot "${DOCUMENT_ROOT}"
RewriteEngine On
RewriteRule "^" "https://${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,L]
#RewriteRule "^" "https://www.${SITE_DOMAIN}%{REQUEST_URI}" [R=permanent,L]
# Log 404-s
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/${SITE_USER}-error.log
CustomLog ${APACHE_LOG_DIR}/${SITE_USER}-access.log combined
</VirtualHost>