ssl.template.erb

###
##
#  This file is automatically generated from the template located at
#  /etc/sympl/apache.d/ssl.template.erb.
#
#  Any extra Apache configurations can be added as .conf files in
#  /srv/<%= domain %>/config/apache.d/
#  which will be read after the base configuration has been read.
#  Warning: Ensure these are valid, as you may break Apache!
#
#  Alternatively, feel free to make changes to this file, however this
#  file will NOT be updated automatically when the template changes.
##
###

<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>

  # Set the ServerName to this sites domain name.
  ServerName  <%= domain %>

  # Add the testing alias and any others.
  ServerAlias <%= domain %>.testing.<%= hostname() %>
  <%= server_aliases %>

  # Enable HTTP/2
  Protocols h2 http/1.1

  <IfModule ssl_module>
    # Enable SSL
    SSLEngine On

    # The certificate, key, and intermediate bundle (if needed)
    <%= ssl_config %>

    # Intermediate configuration, taken from
    #   https://ssl-config.mozilla.org/#server=apache&server-version=2.4.25&config=intermediate&openssl-version=1.0.1k
    SSLProtocol                       all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite                    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder               off
    SSLSessionTickets                 off

% if hsts_enabled?
    <IfModule headers_module>
      # Enable HSTS (mod_headers is required, 15768000 seconds = 6 months)
      Header always set Strict-Transport-Security "max-age=15768000"
    </IfModule>
% end
  </IfModule>

  # This provides a helpful error message when the root of the
  #   site has no content or is inaccessible.
  Alias /__sympl/ "/usr/share/sympl/static/"

  <Directory "/usr/share/sympl/static/">
    DirectoryIndex index.html
    AllowOverride none
    Require all granted
  </Directory>

  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  # Allow users to override settings via .htaccess
  <Directory <%=domain_directory%>/public/ >
    AllowOverride all
    Require all granted
  </Directory>

% if php_security_disabled?
  # Set a unique php_tmp/ and php_sessions/ directory for the site.
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/
  # WARNING: Further PHP restrictions are disabled.
% else
  # Restrict PHP from leaving the public directory.
  #   and set a unique php_tmp/ and php_sessions/ directories.
  php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/

  # Prevent executing anything from a WordPress uploads directory,
  #   and block access to any PHP files in that directory.
  <LocationMatch "wp-content/uploads/">
     php_admin_flag engine off
  </LocationMatch>
  <LocationMatch "wp-content/uploads/.*\.php">
     deny from all
  </LocationMatch>
% end

  # Set the DocumentRoot
  DocumentRoot <%= htdocs_directory %>/

  <IfModule cgi_module>
    # General CGI Handling
    ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
    <Location /cgi-bin>
      Options +ExecCGI
    </Location>
  </IfModule>

  # Disable indexes by default on the top-level.
  <LocationMatch "^/+$">
    Options -Indexes
  </LocationMatch>

  # Disable any restrictions or rewrites to /.well-known/acme-challenge
  #   This ensures Let's Encrypt can validate domain ownership.
  <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
    Require all granted
    <IfModule rewrite_module>
      RewriteEngine off
    </IfModule>
  </Directory>

  # Write logs directly.
  ErrorLog   "<%= domain.log_dir %>/ssl_error.log"
  CustomLog  "<%= domain.log_dir %>/ssl_access.log" combined

  # Read the directory /srv/<%= domain %>/config/apache.d for any other Apache  
  # configuration files.
  IncludeOptional /srv/<%= domain %>/[c]onfig/[a]pache.d/*.conf
  # Ensure these are valid as they will break Apache if they are incorrect!

</VirtualHost>



<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>

  # Set the ServerName to this sites domain name.
  ServerName  <%= domain %>

  # Add the testing alias and any others.
  ServerAlias <%= domain %>.testing.<%= hostname() %>
  <%= server_aliases %>

% if mandatory_ssl?
  # ssl-only is enabled - sending all traffic to HTTPS
  <IfModule rewrite_module>
    RewriteEngine On
    # Use our server name if HTTP_HOST is empty.
    RewriteCond "%{HTTP_HOST}" =""
    RewriteRule ^/?(.*) https://<%= domain %>/$1 [R=301,L]
    # Otherwise redirect to the same hostname on HTTPS
    RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L]
  </IfModule>
% else
  # ssl-only is not enabled - server traffic as normal

  # This provides a helpful error message when the root of the
  #   site has no content or is inaccessible.
  Alias /__sympl/ "/usr/share/sympl/static/"

  <Directory "/usr/share/sympl/static/">
    DirectoryIndex index.html
    AllowOverride none
    Require all granted
  </Directory>

  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  # Allow users to override settings via .htaccess
  <Directory "/srv">
    AllowOverride all
    Require all granted
  </Directory>

% if php_security_disabled?
  # Set a unique php_tmp/ and php_sessions/ directory for the site.
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/
  # WARNING: Further PHP restrictions are disabled.
% else
  # Restrict PHP from leaving the public directory.
  #   and set a unique php_tmp/ and php_sessions/ directories.
  php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
  php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
  php_admin_value session.save_path <%=domain_directory%>/php_sessions/

  # Prevent executing anything from a WordPress uploads directory,
  #   and block access to any PHP files in that directory.
  <LocationMatch "wp-content/uploads/">
     php_admin_flag engine off
  </LocationMatch>
  <LocationMatch "wp-content/uploads/.*\.php">
     deny from all
  </LocationMatch>
% end

  # Set the DocumentRoot
  DocumentRoot <%= htdocs_directory %>/

  <IfModule cgi_module>
    # General CGI Handling
    ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
    <Location /cgi-bin>
      Options +ExecCGI
    </Location>
  </IfModule>

  # Disable indexes by default on the top-level.
  <LocationMatch "^/+$">
    Options -Indexes
  </LocationMatch>

  # Disable any restrictions or rewrites to /.well-known/acme-challenge
  #   This ensures Let's Encrypt can validate domain ownership.
  <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
    Require all granted
    <IfModule rewrite_module>
      RewriteEngine off
    </IfModule>
  </Directory>
% end
  # Write logs directly.
  ErrorLog   "<%= domain.log_dir %>/error.log"
  CustomLog  "<%= domain.log_dir %>/access.log" combined

  # Read the directory /srv/<%= domain %>/config/apache.d for any other Apache  
  # configuration files.
  IncludeOptional /srv/<%= domain %>/[c]onfig/[a]pache.d/*.conf
  # Ensure these are valid as they will break Apache if they are incorrect!

</VirtualHost>

# Vim Defaults: //vim: ts=2:tw=78: et: