zz-mass-hosting.ssl.template.erb

###
##
#
#  This file is automatically generated from the template located at
#  /etc/sympl/apache.d/zz-mass-hosting.ssl.template.erb.
#
#  Feel free to make changes to this file.  If changes are made, then this file
#  will not be updated automatically when the template changes.
#
##
###

<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>> 

        #
        # The ServerName has been explicitly set here to the machine's
        # hostname, because that is what it defaults to anyway.  See below
        # where we set the ServerAlias.
        #
        ServerName  <%= hostname %>

        <IfModule ssl_module>
                SSLEngine On

                #
                # The certificate, key, and intermediate bundle (if needed)
                #
                <%= ssl_config %>

                #
                # Intermediate configuration, taken from 
                # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
                #
                SSLProtocol             all -SSLv3
                SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

                SSLHonorCipherOrder     on
                SSLCompression          off

                # 
                # OCSP Stapling
                #
                SSLUseStapling          on
                SSLStaplingResponderTimeout 5
                SSLStaplingReturnResponderErrors off

                #
                # No HSTS here, as we can't check if this domain is supposed to
                # have enforced HTTPS or not.
                #
        </IfModule>

        #
        #  This is the directory people are redirected to if their site is
        # empty.
        #
        Alias /__sympl/ "/usr/share/sympl/static/"
        <Directory "/usr/share/sympl/static/">
                DirectoryIndex index.html
                AllowOverride none
                Require all granted
        </Directory>

        #
        #  And this makes that redirection happen.
        #
        <LocationMatch "^/+$">
                Options -Indexes
                ErrorDocument 403 /__sympl/index.html
        </LocationMatch>

        #
        #  Allow users to override settings via .htaccess
        #
        <Directory "/srv">
                AllowOverride all
                Require all granted
		php_flag engine on
        </Directory>

        # There is no PHP security ( preventing access outside public/ ) for
        # sites not individually configured, as the their directory is floating.
        # However, any site created in /srv will have it's own config generated.

        <IfModule cgi_module>
                #
                #  We will allow global CGIs without any effort though.
                #
                AddHandler cgi-script .cgi
        </IfModule>

        #
        #  Disable the "single" name for this server.
        #
        UseCanonicalName        Off

        <IfModule rewrite_module>
                #
                #  Aliases for testing sites prior to DNS migration.
                #
                RewriteEngine On
                RewriteCond %{HTTP_HOST} ^(.*)\.testing\.(.*)$
                RewriteRule ^/(.*)$  /srv/%1/public/htdocs/$1
        </IfModule>

        <IfModule vhost_sympl_module>
                #
                # We need a wildcard server alias, so Apache knows to check
                # where when names don't match elsewhere.
                #
                ServerAlias *

                #
                #  The document root + CGI-directories.
                #
                VirtualDocumentRoot     /srv/%0/public/htdocs/

		php_admin_value open_basedir /srv/%0/public/

                <IfModule cgi_module>
                        VirtualScriptAlias      /srv/%0/public/cgi-bin/
                </IfModule>
        </IfModule>

        #
        # Prevent executing anything from a WordPress uploads directory,
        # And block access to any PHP files in that directory.
        #
        <LocationMatch "wp-content/uploads/">
            php_admin_flag engine off
        </LocationMatch>

        <LocationMatch "wp-content/uploads/.*\.php">
            deny from all
        </LocationMatch>

        #
        # Disable any restrictions or rewrites to /.well-known/acme-challenge
        # This ensures Let's Encrypt can validate domain ownership.
        #
        <Directory /srv/*/public/htdocs/.well-known/acme-challenge/ >
                Require all granted
                <IfModule rewrite_module>
                        RewriteEngine off
                </IfModule>
        </Directory>

        #
        #  We need to log the virtual hostname the incoming request was
        # made against, so that the cron-job in /etc/cron.daily may generate
        # statistics for each domain.
        #
        LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" zz_mass_hosting_combined
        CustomLog "|| /usr/sbin/sympl-web-logger -l ssl_access.log ${APACHE_LOG_DIR}/zz-mass-hosting.ssl_access.log" zz_mass_hosting_combined
        ErrorLog  ${APACHE_LOG_DIR}/zz-mass-hosting.error.log
</VirtualHost>