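###
##
#
#  This file is automatically generated from the template located at
#  /etc/sympl/apache.d/zz-mass-hosting.ssl.template.erb.
#
#  Feel free to make changes to this file.  If changes are made, then this file
#  will not be updated automatically when the template changes.
#
##
###

#
#  Catch-all HTTPS virtual host for every site under /srv that has no
#  individually generated configuration.  It listens on port 443 of every
#  address the generator hands in via `ips`.
#
<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>

        #
        # The ServerName has been explicitly set here to the machine's
        # hostname, because that is what it defaults to anyway.  See below
        # where we set the ServerAlias.
        #
        ServerName  <%= hostname %>

        <IfModule ssl_module>
                SSLEngine On

                #
                # The certificate, key, and intermediate bundle (if needed),
                # supplied by the generator.  One certificate serves every
                # name that lands in this catch-all, so a client whose SNI
                # name it does not cover will see a certificate mismatch.
                #
                <%= ssl_config %>

                #
                # Intermediate configuration, taken from
                # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
                #
                # NOTE(review): this profile predates RFC 8996.  It still
                # offers TLS 1.0/1.1, 3DES (the DES-CBC3-SHA suites) and the
                # non-forward-secret static-RSA suites (AES*-SHA*).  The next
                # refresh should use `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`
                # and regenerate the cipher list from a current intermediate
                # profile.  Left unchanged here because it is a hosting-wide
                # client-compatibility decision, not a local fix.
                #
                SSLProtocol             all -SSLv3
                SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

                # The server, not the client, picks the suite, so the list
                # order above is what actually gets negotiated.
                SSLHonorCipherOrder     on
                # TLS-level compression leaks plaintext (CRIME); keep it off.
                SSLCompression          off

                #
                # OCSP Stapling.  SSLUseStapling additionally requires an
                # SSLStaplingCache directive at server-config level, which is
                # not set in this file; without it Apache refuses to start.
                # Responder errors are not passed on to clients, so a broken
                # OCSP responder degrades to "no staple", not a failed
                # handshake.
                #
                SSLUseStapling          on
                SSLStaplingResponderTimeout 5
                SSLStaplingReturnResponderErrors off

                #
                # No HSTS here, as we can't check if this domain is supposed to
                # have enforced HTTPS or not.
                #
        </IfModule>

        #
        #  This is the directory people are redirected to if their site is
        # empty.
        #
        Alias /__sympl/ "/usr/share/sympl/static/"
        <Directory "/usr/share/sympl/static/">
                DirectoryIndex index.html
                AllowOverride none
                Require all granted
        </Directory>

        #
        #  And this makes that redirection happen: with indexes disabled, a
        #  bare "/" on a site with no index file is a 403, and the 403 page
        #  is the placeholder above.
        #
        <LocationMatch "^/+$">
                Options -Indexes
                ErrorDocument 403 /__sympl/index.html
        </LocationMatch>

        #
        #  Allow users to override settings via .htaccess.  "all" means a
        #  site owner can enable anything .htaccess permits, including
        #  Options ExecCGI and php_* settings; that is the intended
        #  mass-hosting trade-off, not an oversight.
        #
        <Directory "/srv">
                AllowOverride all
                Require all granted
                php_flag engine on
        </Directory>

        # NOTE(review): the comment previously here stated that there is no
        # PHP confinement (preventing access outside public/) for sites
        # without an individual config, because their directory is floating.
        # That is contradicted by the `php_admin_value open_basedir
        # /srv/%0/public/` further down -- but only if vhost_sympl_module
        # actually interpolates %0 in php_admin_value (stock mod_php does
        # not).  Confirm which statement is true.  Either way, any site
        # created in /srv will have its own config generated.

        <IfModule cgi_module>
                #
                #  We will allow global CGIs without any effort though.
                #  (A script still needs Options ExecCGI for its directory,
                #  which site owners can set in .htaccess.)
                #
                AddHandler cgi-script .cgi
        </IfModule>

        #
        #  Disable the "single" name for this server, so %V in the log
        #  format and the name-based lookups below use the Host header the
        #  client sent rather than the ServerName.
        #
        UseCanonicalName        Off

        <IfModule rewrite_module>
                #
                #  Aliases for testing sites prior to DNS migration:
                #  a request for X.testing.<anything> is served from
                #  /srv/X/public/htdocs/.
                #
                #  %1 comes straight from the client-controlled Host header.
                #  The only thing keeping it inside /srv is Apache's own Host
                #  validation, which rejects values containing "/", "\" or
                #  "..".  Do not relax that without revisiting this rule.
                #
                RewriteEngine On
                RewriteCond %{HTTP_HOST} ^(.*)\.testing\.(.*)$
                RewriteRule ^/(.*)$  /srv/%1/public/htdocs/$1
        </IfModule>

        <IfModule vhost_sympl_module>
                #
                # We need a wildcard server alias, so Apache knows to check
                # here when names don't match elsewhere.
                #
                ServerAlias *

                #
                #  The document root + CGI-directories, keyed on the full
                #  requested hostname (%0).
                #
                VirtualDocumentRoot     /srv/%0/public/htdocs/

                # Confine PHP to the site's own public/ tree.  See the
                # NOTE(review) above regarding %0 interpolation.
                php_admin_value open_basedir /srv/%0/public/

                <IfModule cgi_module>
                        VirtualScriptAlias      /srv/%0/public/cgi-bin/
                </IfModule>
        </IfModule>

        #
        # Prevent executing anything from a WordPress uploads directory,
        # and block access to any PHP files in that directory.  Location
        # sections are merged after <Directory> and .htaccess, so a site's
        # own .htaccess cannot undo this.
        #
        <LocationMatch "wp-content/uploads/">
                # mod_php only; under PHP-FPM this directive has no effect
                # and the deny rule below is the one that counts.
                php_admin_flag engine off
                # Uploaded .cgi files must not run either, given the global
                # cgi-script handler above -- otherwise "anything" is untrue.
                Options -ExecCGI
        </LocationMatch>

        # .phar and .phtml are included because Debian's PHP handler mapping
        # typically routes them to PHP alongside .php.  Apache 2.4 syntax
        # (Require) matches the rest of this file and does not depend on
        # mod_access_compat, which the previous "deny from all" did.
        <LocationMatch "wp-content/uploads/.*\.ph(ar|p|tml)">
                Require all denied
        </LocationMatch>

        #
        # Disable any restrictions or rewrites to /.well-known/acme-challenge
        # This ensures Let's Encrypt can validate domain ownership.  The "*"
        # matches one path component, so this applies to every site in /srv.
        #
        <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
                Require all granted
                <IfModule rewrite_module>
                        RewriteEngine off
                </IfModule>
        </Directory>

        #
        #  We need to log the virtual hostname the incoming request was
        # made against, so that the cron-job in /etc/cron.daily may generate
        # statistics for each domain.  With UseCanonicalName Off, %V is the
        # client-supplied Host header (Apache lower-cases it and rejects
        # obviously malformed values), so sympl-web-logger must treat it as
        # untrusted when deriving per-domain file names from it.
        #
        LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" zz_mass_hosting_combined
        # "||" makes Apache exec the logger directly instead of via /bin/sh,
        # so the command line is not re-parsed by a shell.
        CustomLog "|| /usr/sbin/sympl-web-logger -l ssl_access.log ${APACHE_LOG_DIR}/zz-mass-hosting.ssl_access.log" zz_mass_hosting_combined
        ErrorLog  ${APACHE_LOG_DIR}/zz-mass-hosting.error.log

</VirtualHost>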