Commit 9d09d54f authored by Paul Cammish's avatar Paul Cammish

Updated templates

parent b4444fa1
......@@ -35,6 +35,12 @@ EOF
fi
fi
# Add a blowfish secter value to the phpmyadmin config if there isn't already one set
if [ ! grep -c 'blowfish_secret' /etc/phpmyadmin/config.sympl.inc.php > /dev/null ]; then
echo "$cfg['blowfish_secret'] = '` date +%s | sha256sum | base64 | head -c 64 `';" >> /etc/phpmyadmin/config.sympl.inc.php
fi
#
# Restart apache2
#
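Review bot: The secret written by the `echo` line is derived only from `date +%s`, so it carries at most ~32 bits of entropy and can be recovered by anyone able to estimate when the hook ran; piping the timestamp through `sha256sum` and `base64` adds no randomness. Since this value is the key phpMyAdmin uses to protect its cookie-auth credentials, it should come from the kernel CSPRNG instead, e.g. `'$(head -c 32 /dev/urandom | base64 | head -c 32)'`. The same two lines also look broken as rendered here: `[ ! grep -c … ]` is not valid test syntax (the arguments are handed to `test`, grep never runs), and `$cfg` inside double quotes is expanded by the shell so the appended PHP line loses its variable name; `if ! grep -q 'blowfish_secret' /etc/phpmyadmin/config.sympl.inc.php; then` and `echo "\$cfg['blowfish_secret'] = '…';" >> /etc/phpmyadmin/config.sympl.inc.php` address both. The enclosing hook script starts and ends outside this hunk.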
......@@ -10,120 +10,122 @@
##
###
# Vim Defaults: //vim: ts=2:tw=78: et:
<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory people are redirected to if their site is
# empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
#
# Allow users to override settings via .htaccess
# and enables PHP in htdocs/.
#
<Directory <%= htdocs_directory %>/ >
AllowOverride all
Require all granted
php_flag engine on
</Directory>
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory people are redirected to if their site is
# empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
#
# Allow users to override settings via .htaccess
# and enables PHP in htdocs/.
#
<Directory <%= htdocs_directory %>/ >
AllowOverride all
Require all granted
</Directory>
% if php_security_disabled?
#
# Set unique tmp/ and sessions/ directories
#
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.safe_path <%=domain_directory%>/php_sessions/
#
# Set unique tmp/ and sessions/ directories
#
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
% else
#
# Restrict PHP directories
# Restricts PHP from leaving the public directory.
# Also sets a unique tmp directory and sessions directory.
#
php_admin_value open_basedir <%=domain_directory%>/public/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.safe_path <%=domain_directory%>/php_sessions/
#
# Prevent executing anything from a WordPress uploads directory,
# And block access to any PHP files in that directory.
#
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
</LocationMatch>
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
</LocationMatch>
% end
#
# Restricts PHP from leaving the public directory.
# Also sets unique tmp and sessions directories.
#
php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# Prevent executing anything from a WordPress uploads directory,
# And block access to any PHP files in that directory.
#
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
</LocationMatch>
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
</LocationMatch>
#
# The document root
#
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
ErrorLog "<%= domain.log_dir %>/error.log"
CustomLog "<%= domain.log_dir %>/access.log" combined
% end
#
# The document root
#
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
ErrorLog "<%= domain.log_dir %>/error.log"
CustomLog "<%= domain.log_dir %>/access.log" combined
</VirtualHost>
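Review bot: The uploads guard at the end of the `% else` branch (`<LocationMatch "wp-content/uploads/.*\.php">` … `deny from all`) uses the Apache 2.2 mod_access_compat directive while every other access rule in this template uses 2.4 `Require`; the 2.4 documentation advises against mixing the two authorization models in one vhost, and the directive only parses while mod_access_compat happens to be loaded. Replace it with `Require all denied`. The pattern also only catches a `.php` suffix; Debian's PHP handler configuration typically maps `.phtml` and `.phar` as well, so `<LocationMatch "wp-content/uploads/.*\.ph(ar|p|tml)">` is the safer match, although the preceding `php_admin_flag engine off` already stops execution and this rule only prevents the file contents being served. The `% else` block is fully inside the hunk.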
......@@ -12,316 +12,312 @@
<VirtualHost <%= ips.collect{|ip| ip+":443"}.join(" ") %>>
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
<IfModule ssl_module>
SSLEngine On
#
# The certificate, key, and intermediate bundle (if needed)
#
<%= ssl_config %>
#
# Intermediate configuration, taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
#
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
#
# OCSP Stapling
#
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
<IfModule ssl_module>
SSLEngine On
#
# The certificate, key, and intermediate bundle (if needed)
#
<%= ssl_config %>
#
# Intermediate configuration, taken from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=apache-2.4.10&openssl=1.0.1k&hsts=yes&profile=intermediate
#
SSLProtocol all -SSLv3
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
SSLCompression off
#
# OCSP Stapling
#
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
% if hsts_enabled?
<IfModule headers_module>
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</IfModule>
<IfModule headers_module>
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
Header always set Strict-Transport-Security "max-age=15768000"
</IfModule>
% end
</IfModule>
#
# Enabling PHP for phpMyAdmin
#
<Directory /usr/share/phpmyadmin >
php_admin_value open_basedir /usr/share/phpmyadmin
php_flag engine on
</Directory>
#
# Allow users to override settings via .htaccess
# and eanble PHP in
#
<Directory <%=domain_directory%>/public/ >
AllowOverride all
Require all granted
php_flag engine on
</Directory>
</IfModule>
#
# Enabling PHP for phpMyAdmin
#
<Directory /usr/share/phpmyadmin >
php_admin_value open_basedir /usr/share/phpmyadmin:/usr/share/php:/etc/phpmyadmin:<%=domain_directory%>/php_tmp/
</Directory>
#
# Allow users to override settings via .htaccess
#
<Directory <%=domain_directory%>/public/ >
AllowOverride all
Require all granted
</Directory>
% if php_security_disabled?
#
# Sets a unique php_tmp/ and php_sessions/ directory for the site.
#
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.safe_path <%=domain_directory%>/php_sessions/
#
# Sets a unique php_tmp/ and php_sessions/ directory for the site.
#
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
#
# WARNING: Further PHP restrictions are disabled.
#
% else
#
# Restrict PHP directories
# Restricts PHP from leaving the public directory.
# Also sets a unique php_tmp directory and php_sessions directory.
#
php_admin_value open_basedir <%=domain_directory%>/public/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.safe_path <%=domain_directory%>/php_sessions/
#
# Prevent executing anything from a WordPress uploads directory,
# And block access to any PHP files in that directory.
#
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
</LocationMatch>
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
</LocationMatch>
#
# Restricts PHP from leaving the public directory.
# Also sets a unique php_tmp/ and php_sessions/ directories.
#
php_admin_value open_basedir <%=domain_directory%>/public/:<%=domain_directory%>/php_tmp/:<%=domain_directory%>/php_sessions/
php_admin_value upload_tmp_dir <%=domain_directory%>/php_tmp/
php_admin_value session.save_path <%=domain_directory%>/php_sessions/
# Prevent executing anything from a WordPress uploads directory,
<LocationMatch "wp-content/uploads/">
php_admin_flag engine off
</LocationMatch>
# And block access to any PHP files in that directory.
<LocationMatch "wp-content/uploads/.*\.php">
deny from all
</LocationMatch>
% end
#
# The document root
#
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
ErrorLog "<%= domain.log_dir %>/ssl_error.log"
CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
#
# The document root
#
DocumentRoot <%= htdocs_directory %>/
<IfModule cgi_module>
#
# General CGI Handling
#
ScriptAlias /cgi-bin/ <%= cgibin_directory %>/
<Location /cgi-bin>
Options +ExecCGI
</Location>
</IfModule>
#
# Disable indexes by default on the top-level.
#
<LocationMatch "^/+$">
Options -Indexes
</LocationMatch>
#
# Disable any restrictions or rewrites to /.well-known/acme-challenge
# This ensures Let's Encrypt can validate domain ownership.
#
<Directory <%= htdocs_directory %>/.well-known/acme-challenge/ >
Require all granted
<IfModule rewrite_module>
RewriteEngine off
</IfModule>
</Directory>
#
# Write logs
#
ErrorLog "<%= domain.log_dir %>/ssl_error.log"
CustomLog "<%= domain.log_dir %>/ssl_access.log" combined
</VirtualHost>
<VirtualHost <%= ips.collect{|ip| ip+":80"}.join(" ") %>>
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
#
# Put our server name
#
ServerName <%= domain %>
#
# This is the testing alias.
#
ServerAlias <%= domain %>.testing.<%= hostname() %>
#
# And server alias in place
#
<%= server_aliases %>
#
# This is the directory of the error page people are
# redirected to if their site is empty.
#
Alias /__sympl/ "/usr/share/sympl/static/"
<Directory "/usr/share/sympl/static/">
DirectoryIndex index.html
AllowOverride none
Require all granted
</Directory>
#
# And this makes that redirection happen.
#
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
</LocationMatch>
% if mandatory_ssl?
#
# ssl-only is enabled - sending all traffic to https://
#
<IfModule rewrite_module>
#
# This redirects all accesses to the HTTPS version of the site.