Apache24 Config: Difference between revisions
From Davical
(Starting with the basic structure)
(Added the (first) example of a working Apache VirtualHost configuration)
== Putting it all together ==
=== Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3)) ===
This setup will result in an 'A' rating at [https://www.ssllabs.com/ssltest/analyze.html Qualys' SSL test]:
/etc/apache2/sites-available/davical.conf:
<pre>
<VirtualHost *:80>
    ServerAdmin <EMAIL>
    ServerName <SERVER FQDN>
    ServerAlias cal.<DOMAIN>
    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Redirect /.well-known URLs
        RewriteRule /.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
        # Redirect everything else to https (redirect is always executed after rewrite)
        Redirect permanent / https://cal.<DOMAIN>:8443/
    </IfModule>
</VirtualHost>

<VirtualHost *:8443>
    ServerAdmin <EMAIL>
    ServerName <SERVER FQDN>
    Include inc_security.conf
    DocumentRoot /usr/local/share/davical/htdocs
    ServerAlias cal.<DOMAIN>
    LogLevel warn
    ErrorLog /var/log/apache2/davical.log
    TransferLog /dev/null
    DirectoryIndex /index.php index.php
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
        CGIPassAuth on
    </FilesMatch>
    <Directory /usr/local/share/davical/htdocs>
        Require all granted
    </Directory>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Not if it's the root URL
        RewriteCond %{REQUEST_URI} !^/$
        # Not if it is a .php program, script, stylesheet or image
        RewriteCond %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
        # Rewrite to caldav.php (generic)
        RewriteRule ^(.*)$ /caldav.php$1 [NC,L]
        # Rewrite to caldav.php (Apple)
        RewriteRule ^/principals/users(.*)$ /caldav.php$1 [NC,L]
    </IfModule>
    # Enable HTTP/2
    Protocols h2 h2c http/1.1
    # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working)
    #Header always set Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
    SSLHonorCipherOrder on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    SSLCompression off
    SSLSessionTickets off
    # Enable OCSP Stapling
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>
</pre>
Latest revision as of 12:58, 17 July 2020
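A small offline lint for the TLS-hardening directives used in the example vhost above, added here as an illustration; it is not code from the DAViCal wiki or from Apache. It parses the <VirtualHost> blocks of a config and reports which of the points the example relies on (legacy protocol versions disabled, cipher order honoured, compression and session tickets off, OCSP stapling on, HSTS actually enabled) are missing. The checklist, the finding messages and the embedded sample config are constructed for this example; the sample mirrors the :8443 vhost with the HSTS header still commented out as on the page, so the lint reports exactly that point.

```python
"""Offline lint for the TLS directives of an Apache 2.4 VirtualHost (added example,
not code from the DAViCal wiki or from Apache; checklist and sample are constructed)."""
import re
from typing import Dict, List, Optional

ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample mirroring the page's two vhosts (placeholders kept as on the page).
SAMPLE = """\
<VirtualHost *:80>
    ServerName <SERVER FQDN>
    Redirect permanent / https://cal.<DOMAIN>:8443/
</VirtualHost>
<VirtualHost *:8443>
    ServerName <SERVER FQDN>
    #Header always set Strict-Transport-Security "max-age=15768000"
    SSLEngine on
    SSLHonorCipherOrder on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCompression off
    SSLSessionTickets off
    SSLUseStapling on
</VirtualHost>
"""

def vhost_blocks(config: str) -> Dict[str, str]:
    """Map each VirtualHost address spec (e.g. '*:8443') to the text inside its block."""
    pattern = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
    return {spec.strip(): body for spec, body in pattern.findall(config)}

def active_lines(block: str) -> List[str]:
    """Directive lines only: comments, blank lines and <Section> tags are dropped."""
    return [l.strip() for l in block.splitlines()
            if l.strip() and not l.strip().startswith(("#", "<"))]

def directive(lines: List[str], name: str) -> str:
    """Value of the last occurrence of a directive (directive names are case-insensitive)."""
    value = ""
    for line in lines:
        parts = line.split(None, 1)
        if parts[0].lower() == name.lower():
            value = parts[1].strip() if len(parts) > 1 else ""
    return value

def allowed_protocols(spec: str) -> set:
    """Evaluate an SSLProtocol value such as 'ALL -SSLv3 -TLSv1' to the enabled set."""
    enabled = set()
    for token in spec.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled

def check_tls_vhost(block: str) -> Optional[List[str]]:
    """Findings for one vhost: None if it is not a TLS vhost, [] if every check passed."""
    lines = active_lines(block)
    if directive(lines, "SSLEngine").lower() != "on":
        return None
    findings = []
    proto = directive(lines, "SSLProtocol")
    if not proto:
        findings.append("SSLProtocol not set: the server-wide default decides what is offered")
    else:
        legacy = sorted(allowed_protocols(proto) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append("legacy protocols still enabled: " + ", ".join(legacy))
    for name, wanted, why in (
        ("SSLHonorCipherOrder", "on", "server cipher preference is not enforced"),
        ("SSLCompression", "off", "TLS compression is not explicitly disabled"),
        ("SSLSessionTickets", "off", "session tickets stay on without a key-rotation plan"),
        ("SSLUseStapling", "on", "OCSP stapling is not enabled"),
    ):
        if directive(lines, name).lower() != wanted:
            findings.append(f"{name} is not '{wanted}': {why}")
    hsts = [l for l in lines
            if l.lower().startswith("header") and "strict-transport-security" in l.lower()]
    if not hsts:
        findings.append("HSTS header absent or commented out (Strict-Transport-Security)")
    return findings

def check_config(config: str) -> Dict[str, List[str]]:
    """Findings per TLS VirtualHost; plain-HTTP vhosts (no SSLEngine on) are skipped."""
    report = {}
    for spec, body in vhost_blocks(config).items():
        findings = check_tls_vhost(body)
        if findings is not None:
            report[spec] = findings
    return report

if __name__ == "__main__":
    for spec, findings in check_config(SAMPLE).items():
        print(f"<VirtualHost {spec}>: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Pass the contents of a real davical.conf to `check_config` to get the same checklist before re-running the Qualys scan; the lint deliberately treats a directive that is merely absent the same as one that is set wrongly, since the example sets every one of these explicitly and a missing line usually means the server-wide default has silently taken over.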