Apache24 Config: Difference between revisions

From Davical
Jump to navigationJump to search
(Starting with the basic structure)
 
(Added the (first) example of a working Apache VirtualHost configuration)
 
Line 6: Line 6:


== Putting it all together ==
== Putting it all together ==
=== Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3)) ===
This setup will result in an 'A' rating at [https://www.ssllabs.com/ssltest/analyze.html Qualys' SSL test]:
/etc/apache2/sites-available/davical.conf:
<VirtualHost *:80>
  ServerAdmin          <EMAIL>
  ServerName            <SERVER FQDN>
  ServerAlias          cal.<DOMAIN>
  <IfModule mod_rewrite.c>
    RewriteEngine on
    # Redirect /.well-known URLs
    RewriteRule /.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
    # Redirect everything else to https (redirect is always executed after rewrite)
    Redirect permanent    / https://cal.<DOMAIN>:8443/
  </IfModule>
</VirtualHost>
<VirtualHost *:8443>
  ServerAdmin          <EMAIL>
  ServerName            <SERVER FQDN>
  Include              inc_security.conf
  DocumentRoot          /usr/local/share/davical/htdocs
  ServerAlias          cal.<DOMAIN>
  LogLevel              warn
  ErrorLog              /var/log/apache2/davical.log
  TransferLog          /dev/null
  DirectoryIndex        /index.php index.php
  <FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
    CGIPassAuth on
  </FilesMatch>
  <Directory /usr/local/share/davical/htdocs>
    Require all granted
  </Directory>
  <IfModule mod_rewrite.c>
    RewriteEngine      On
    # Not if it's the root URL
    RewriteCond        %{REQUEST_URI} !^/$
    # Not if it is a .php program, script, stylesheet or image
    RewriteCond        %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
    # Rewrite to caldav.php (generic)
    RewriteRule        ^(.*)$ /caldav.php$1  [NC,L]
    # Rewrite to caldav.php (Apple)
    RewriteRule        ^/principals/users(.*)$ /caldav.php$1  [NC,L]
  </IfModule>
  # Enable HTTP/2
  Protocols h2 h2c http/1.1
  # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
  #Header always set Strict-Transport-Security "max-age=15768000"
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
  SSLHonorCipherOrder on
  SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLCompression off
  SSLSessionTickets off
  # Enable OCSP Stapling
  SSLUseStapling on
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors off
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>
  BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>

Latest revision as of 11:58, 17 July 2020

PHP-fpm v7(+)

Apache 2.4 Modules

Putting it all together

Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3))

This setup will result in an 'A' rating at Qualys' SSL test:

/etc/apache2/sites-available/davical.conf:

<VirtualHost *:80>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 ServerAlias           cal.<DOMAIN>
 <IfModule mod_rewrite.c>
   RewriteEngine on
   # Redirect /.well-known URLs
   RewriteRule /.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
   # Redirect everything else to https (redirect is always executed after rewrite)
   Redirect permanent    / https://cal.<DOMAIN>:8443/
 </IfModule>
</VirtualHost>
<VirtualHost *:8443>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 Include               inc_security.conf
 DocumentRoot          /usr/local/share/davical/htdocs
 ServerAlias           cal.<DOMAIN>
 LogLevel              warn
 ErrorLog              /var/log/apache2/davical.log
 TransferLog           /dev/null
 DirectoryIndex        /index.php index.php
 <FilesMatch "\.php$">
   SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
   CGIPassAuth on
 </FilesMatch>
 <Directory /usr/local/share/davical/htdocs>
   Require all granted
 </Directory>
 <IfModule mod_rewrite.c>
   RewriteEngine       On
   # Not if it's the root URL
   RewriteCond         %{REQUEST_URI} !^/$
   # Not if it is a .php program, script, stylesheet or image
   RewriteCond         %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
   # Rewrite to caldav.php (generic)
   RewriteRule         ^(.*)$ /caldav.php$1  [NC,L]
   # Rewrite to caldav.php (Apple)
   RewriteRule         ^/principals/users(.*)$ /caldav.php$1  [NC,L]
 </IfModule>
 # Enable HTTP/2
 Protocols			h2 h2c http/1.1
 # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
 #Header			always set Strict-Transport-Security "max-age=15768000"
 SSLEngine			on
 SSLCertificateFile	/etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
 SSLCertificateKeyFile	/etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
 SSLHonorCipherOrder	on
 SSLProtocol		ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLCipherSuite		ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 SSLCompression		off
 SSLSessionTickets		off
 # Enable OCSP Stapling
 SSLUseStapling		on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
   SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>