###
##
#  This file is automatically generated from the template located at
#  /etc/sympl/apache.d/ssl.template.erb.
#
#  Any extra Apache configurations can be added as .conf files in
#  /srv/<%= domain %>/config/apache.d/
#  which will be read after the base configuration has been read.
#  Warning: Ensure these are valid, as you may break Apache!
#
#  Alternatively, feel free to make changes to this file, however this
#  file will NOT be updated automatically when the template changes.
##
###

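<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>
  # HTTPS (port 443) virtual host for this site.

  # Set the ServerName to this site's domain name.
  ServerName  <%= domain %>

  # Add the testing alias and any others.
  ServerAlias <%= domain %>.testing.<%= hostname() %>
  <%= server_aliases %>

  # Enable HTTP/2 (clients that do not negotiate h2 fall back to HTTP/1.1).
  Protocols h2 http/1.1

  <IfModule ssl_module>
    # Enable SSL
    SSLEngine On

    # The certificate, key, and intermediate bundle (if needed)
    <%= ssl_config %>

    # Intermediate configuration, taken from
    #   https://ssl-config.mozilla.org/#server=apache&server-version=2.4.25&config=intermediate&openssl-version=1.0.1k
    # Only TLS 1.2+ is offered, with forward-secret (ECDHE/DHE) AEAD suites;
    #   session tickets are off as per the Mozilla recommendation.
    SSLProtocol                       all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite                    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder               off
    SSLSessionTickets                 off

% if hsts_enabled?
    <IfModule headers_module>
      # Enable HSTS (mod_headers is required, 15768000 seconds = 6 months).
      #   "always" also sets the header on error responses.
      Header always set Strict-Transport-Security "max-age=15768000"
    </IfModule>
% end
  </IfModule>

  # This provides a helpful error message when the root of the
  #   site has no content or is inaccessible, and disables directory
  #   indexes at the top level.
  Alias /__sympl/ "/usr/share/sympl/static/"

  <Directory "/usr/share/sympl/static/">
    DirectoryIndex index.html
    AllowOverride none
    Require all granted
  </Directory>

  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  # Allow users to override settings via .htaccess, but only below this
  #   site's own public/ directory.
  <Directory <%=domain_directory%>/public/ >
    AllowOverride all
    Require all granted
  </Directory>

% if php_security_disabled?
  # Set a unique php_tmp/ and php_sessions/ directory for the site.
  # NOTE: php_admin_* directives are only valid while mod_php is loaded;
  #   Apache refuses to start if it is not.
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/
  # WARNING: Further PHP restrictions are disabled.
% else
  # Restrict PHP from leaving the public directory,
  #   and set a unique php_tmp/ and php_sessions/ directory.
  # NOTE: php_admin_* directives are only valid while mod_php is loaded;
  #   Apache refuses to start if it is not.
  php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/

  # Prevent executing anything from a WordPress uploads directory,
  #   and block access to any PHP files in that directory.
  <LocationMatch "wp-content/uploads/">
     php_admin_flag engine off
  </LocationMatch>
  <LocationMatch "wp-content/uploads/.*\.php">
     # Apache 2.4 syntax, matching the "Require" directives used elsewhere in
     #   this file; the 2.2-style "deny from all" needs mod_access_compat.
     Require all denied
  </LocationMatch>
% end

  # Set the DocumentRoot
  DocumentRoot <%= htdocs_directory %>/

  <IfModule cgi_module>
    # General CGI Handling
    ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
    <Location /cgi-bin>
      Options +ExecCGI
    </Location>
  </IfModule>

  # Disable any restrictions or rewrites to /.well-known/acme-challenge
  #   This ensures Let's Encrypt can validate domain ownership.
  <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
    Require all granted
    <IfModule rewrite_module>
      RewriteEngine off
    </IfModule>
  </Directory>

  # Write logs directly.
  ErrorLog   "<%= domain.log_dir %>/ssl_error.log"
  CustomLog  "<%= domain.log_dir %>/ssl_access.log" combined

  # Read the directory /srv/<%= domain %>/config/apache.d for any other Apache
  #   configuration files. The [c]/[a] brackets make the path a glob so that
  #   a site without a config/apache.d/ directory is not a hard error.
  IncludeOptional /srv/<%= domain %>/[c]onfig/[a]pache.d/*.conf
  # Ensure these are valid as they will break Apache if they are incorrect!

</VirtualHost>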



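<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>
  # Plain HTTP (port 80) virtual host for this site.

  # Set the ServerName to this site's domain name.
  ServerName  <%= domain %>

  # Add the testing alias and any others.
  ServerAlias <%= domain %>.testing.<%= hostname() %>
  <%= server_aliases %>

% if mandatory_ssl?
  # ssl-only is enabled - sending all traffic to HTTPS
  <IfModule rewrite_module>
    RewriteEngine On
    # Use our server name if HTTP_HOST is empty.
    RewriteCond "%{HTTP_HOST}" =""
    RewriteRule ^/?(.*) https://<%= domain %>/$1 [R=301,L]
    # Otherwise redirect to the same hostname on HTTPS.
    #   HTTP_HOST is client-supplied; Apache only routes a request here when
    #   its Host matches ServerName/ServerAlias, unless this is the default
    #   (first) vhost - confirm the vhost ordering on the host.
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
  </IfModule>
% else
  # ssl-only is not enabled - serve traffic as normal

  # This provides a helpful error message when the root of the
  #   site has no content or is inaccessible, and disables directory
  #   indexes at the top level.
  Alias /__sympl/ "/usr/share/sympl/static/"

  <Directory "/usr/share/sympl/static/">
    DirectoryIndex index.html
    AllowOverride none
    Require all granted
  </Directory>

  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  # Allow users to override settings via .htaccess, but only below this
  #   site's own public/ directory.
  # NOTE(review): narrowed from "/srv" to match the HTTPS vhost, so this
  #   vhost no longer grants access to every site under /srv; confirm that
  #   cgibin_directory and htdocs_directory live under public/.
  <Directory <%=domain_directory%>/public/ >
    AllowOverride all
    Require all granted
  </Directory>

% if php_security_disabled?
  # Set a unique php_tmp/ and php_sessions/ directory for the site.
  # NOTE: php_admin_* directives are only valid while mod_php is loaded;
  #   Apache refuses to start if it is not.
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/
  # WARNING: Further PHP restrictions are disabled.
% else
  # Restrict PHP from leaving the public directory,
  #   and set a unique php_tmp/ and php_sessions/ directory.
  # NOTE: php_admin_* directives are only valid while mod_php is loaded;
  #   Apache refuses to start if it is not.
  php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/

  # Prevent executing anything from a WordPress uploads directory,
  #   and block access to any PHP files in that directory.
  <LocationMatch "wp-content/uploads/">
     php_admin_flag engine off
  </LocationMatch>
  <LocationMatch "wp-content/uploads/.*\.php">
     # Apache 2.4 syntax, matching the "Require" directives used elsewhere in
     #   this file; the 2.2-style "deny from all" needs mod_access_compat.
     Require all denied
  </LocationMatch>
% end

  # Set the DocumentRoot
  DocumentRoot <%= htdocs_directory %>/

  <IfModule cgi_module>
    # General CGI Handling
    ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
    <Location /cgi-bin>
      Options +ExecCGI
    </Location>
  </IfModule>

  # Disable any restrictions or rewrites to /.well-known/acme-challenge
  #   This ensures Let's Encrypt can validate domain ownership.
  <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
    Require all granted
    <IfModule rewrite_module>
      RewriteEngine off
    </IfModule>
  </Directory>
% end

  # Write logs directly.
  ErrorLog   "<%= domain.log_dir %>/error.log"
  CustomLog  "<%= domain.log_dir %>/access.log" combined

  # Read the directory /srv/<%= domain %>/config/apache.d for any other Apache
  #   configuration files. The [c]/[a] brackets make the path a glob so that
  #   a site without a config/apache.d/ directory is not a hard error.
  IncludeOptional /srv/<%= domain %>/[c]onfig/[a]pache.d/*.conf
  # Ensure these are valid as they will break Apache if they are incorrect!

</VirtualHost>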

# Vim Defaults: //vim: ts=2:tw=78: et: