Difference between revisions of "Apache24 Config"

From Davical
(Starting with the basic structure)
 
(Added the (first) example of a working Apache VirtualHost configuration)
 
Line 6: Line 6:
  
 
== Putting it all together ==
 
== Putting it all together ==
 +
 +
=== Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3)) ===
 +
This setup will result in an 'A' rating at [https://www.ssllabs.com/ssltest/analyze.html Qualys' SSL test]:
 +
 +
/etc/apache2/sites-available/davical.conf:
 +
 +
<VirtualHost *:80>
 +
  ServerAdmin          <EMAIL>
 +
  ServerName            <SERVER FQDN>
 +
  ServerAlias          cal.<DOMAIN>
 +
  <IfModule mod_rewrite.c>
 +
    RewriteEngine on
 +
    # Redirect /.well-known URLs
 +
    RewriteRule /.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
 +
    # Redirect everything else to https (redirect is always executed after rewrite)
 +
    Redirect permanent    / https://cal.<DOMAIN>:8443/
 +
  </IfModule>
 +
</VirtualHost>
 +
 +
<VirtualHost *:8443>
 +
  ServerAdmin          <EMAIL>
 +
  ServerName            <SERVER FQDN>
 +
  Include              inc_security.conf
 +
  DocumentRoot          /usr/local/share/davical/htdocs
 +
  ServerAlias          cal.<DOMAIN>
 +
  LogLevel              warn
 +
  ErrorLog              /var/log/apache2/davical.log
 +
  TransferLog          /dev/null
 +
  DirectoryIndex        /index.php index.php
 +
  <FilesMatch "\.php$">
 +
    SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
 +
    CGIPassAuth on
 +
  </FilesMatch>
 +
  <Directory /usr/local/share/davical/htdocs>
 +
    Require all granted
 +
  </Directory>
 +
  <IfModule mod_rewrite.c>
 +
    RewriteEngine      On
 +
    # Not if it's the root URL
 +
    RewriteCond        %{REQUEST_URI} !^/$
 +
    # Not if it is a .php program, script, stylesheet or image
 +
    RewriteCond        %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
 +
    # Rewrite to caldav.php (generic)
 +
    RewriteRule        ^(.*)$ /caldav.php$1  [NC,L]
 +
    # Rewrite to caldav.php (Apple)
 +
    RewriteRule        ^/principals/users(.*)$ /caldav.php$1  [NC,L]
 +
  </IfModule>
 +
  # Enable HTTP/2
 +
  Protocols h2 h2c http/1.1
 +
  # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
 +
  #Header always set Strict-Transport-Security "max-age=15768000"
 +
  SSLEngine on
 +
  SSLCertificateFile /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
 +
  SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
 +
  SSLHonorCipherOrder on
 +
  SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 +
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 +
  SSLCompression off
 +
  SSLSessionTickets off
 +
  # Enable OCSP Stapling
 +
  SSLUseStapling on
 +
  SSLStaplingResponderTimeout 5
 +
  SSLStaplingReturnResponderErrors off
 +
  <FilesMatch "\.(cgi|shtml|phtml|php)$">
 +
    SSLOptions +StdEnvVars
 +
  </FilesMatch>
 +
  <Directory /usr/lib/cgi-bin>
 +
    SSLOptions +StdEnvVars
 +
  </Directory>
 +
  BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 +
  BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
 +
</VirtualHost>
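Review bot: `TransferLog /dev/null` in the `*:8443` block discards the access log entirely, so there is no per-request record to consult if CalDAV activity on this host ever has to be investigated; suggest logging to a file instead (for example `CustomLog /var/log/apache2/davical-access.log combined`) and keeping `ErrorLog` as it is. Two smaller points in the same block: the `SSLCipherSuite` string still offers the `ECDH+3DES:DH+3DES:RSA+3DES` suites, which current clients do not need and which can simply be removed from the list, and the `Header always set Strict-Transport-Security` line is left commented out, so only the port-80 `Redirect` steers returning clients to TLS (the comment above it already says when to switch it on). Finally, `Include inc_security.conf` is referenced but its contents are not documented anywhere on the page, so a reader reproducing the example cannot tell what that file contributes.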

Latest revision as of 11:58, 17 July 2020

PHP-fpm v7(+)

Apache 2.4 Modules

Putting it all together

Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3))

This setup will result in an 'A' rating at Qualys' SSL test (https://www.ssllabs.com/ssltest/analyze.html):

/etc/apache2/sites-available/davical.conf:

<VirtualHost *:80>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 ServerAlias           cal.<DOMAIN>
 <IfModule mod_rewrite.c>
   RewriteEngine on
   # Redirect /.well-known URLs
   RewriteRule /.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
   # Redirect everything else to https (redirect is always executed after rewrite)
   Redirect permanent    / https://cal.<DOMAIN>:8443/
 </IfModule>
</VirtualHost>

<VirtualHost *:8443>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 Include               inc_security.conf
 DocumentRoot          /usr/local/share/davical/htdocs
 ServerAlias           cal.<DOMAIN>
 LogLevel              warn
 ErrorLog              /var/log/apache2/davical.log
 TransferLog           /dev/null
 DirectoryIndex        /index.php index.php
 <FilesMatch "\.php$">
   SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
   CGIPassAuth on
 </FilesMatch>
 <Directory /usr/local/share/davical/htdocs>
   Require all granted
 </Directory>
 <IfModule mod_rewrite.c>
   RewriteEngine       On
   # Not if it's the root URL
   RewriteCond         %{REQUEST_URI} !^/$
   # Not if it is a .php program, script, stylesheet or image
   RewriteCond         %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
   # Rewrite to caldav.php (generic)
   RewriteRule         ^(.*)$ /caldav.php$1  [NC,L]
   # Rewrite to caldav.php (Apple)
   RewriteRule         ^/principals/users(.*)$ /caldav.php$1  [NC,L]
 </IfModule>
 # Enable HTTP/2
 Protocols             h2 h2c http/1.1
 # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
 #Header               always set Strict-Transport-Security "max-age=15768000"
 SSLEngine             on
 SSLCertificateFile    /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
 SSLHonorCipherOrder   on
 SSLProtocol           ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 SSLCipherSuite        ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
 SSLCompression        off
 SSLSessionTickets     off
 # Enable OCSP Stapling
 SSLUseStapling        on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
   SSLOptions +StdEnvVars
 </Directory>
 BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>
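Added example, not from the wiki page or from the DAViCal project: a small Python checker that reads a VirtualHost block and reports the points a reviewer looks at in the TLS part of the configuration above (which protocols `SSLProtocol` leaves enabled, 3DES/RC4/MD5 tokens still offered by `SSLCipherSuite`, whether the HSTS `Header` is active or merely commented out, the cipher-order/compression/ticket/stapling settings, and whether `TransferLog /dev/null` leaves the host without an access log). The expansion of `ALL` in `SSLProtocol` and the list of weak-token markers are assumptions stated in the code; the sample block is constructed from the directives above.

```python
import re

# Assumption (not from the wiki page): what "ALL" expands to for SSLProtocol on
# Apache 2.4.38 built against OpenSSL 1.1.1; SSLv2 is no longer compiled in.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: cipher-list tokens containing these substrings count as weak when offered.
WEAK_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "MD5")

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)(?:\s+(.*?))?\s*$")


def parse_directives(config_text):
    """Return (name, args, commented) for every directive-looking line.

    Commented-out directives are kept (flagged) so a check can tell
    'deliberately disabled' from 'never configured'. Section tags are skipped.
    """
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        commented = line.startswith("#")
        m = DIRECTIVE_RE.match(line.lstrip("#").strip())
        if m:
            out.append((m.group(1), m.group(2) or "", commented))
    return out


def enabled_protocols(arg):
    """Apply SSLProtocol argument semantics: ALL, NAME/+NAME add, -NAME remove."""
    enabled = set()
    for tok in arg.split():
        name = tok.lstrip("+-")
        if tok.startswith("-"):
            enabled.discard(name)
        elif name.upper() == "ALL":
            enabled |= ALL_PROTOCOLS
        else:
            enabled.add(name)
    return enabled


def check_vhost(config_text):
    """Return a list of findings (empty list = nothing to report) for one VirtualHost."""
    directives = parse_directives(config_text)
    active = [(n, a) for n, a, c in directives if not c]

    def last(name):
        vals = [a for n, a in active if n.lower() == name.lower()]
        return vals[-1] if vals else None

    findings = []
    proto = last("SSLProtocol")
    if proto is None:
        findings.append("SSLProtocol not set; server-wide default applies")
    else:
        legacy = enabled_protocols(proto) & LEGACY_PROTOCOLS
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(sorted(legacy)))

    tokens = (last("SSLCipherSuite") or "").split(":")
    weak = [t for t in tokens if not t.startswith("!")
            and any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher tokens offered: " + ", ".join(weak))
    if "!aNULL" not in tokens:
        findings.append("anonymous (aNULL) suites not explicitly excluded")

    hsts = [c for n, a, c in directives
            if n == "Header" and "Strict-Transport-Security" in a]
    if not any(not c for c in hsts):
        findings.append("HSTS header not active"
                        + (" (present but commented out)" if hsts else ""))

    for name, wanted in (("SSLHonorCipherOrder", "on"), ("SSLCompression", "off"),
                         ("SSLSessionTickets", "off"), ("SSLUseStapling", "on")):
        val = last(name)
        if val is None or val.lower() != wanted:
            findings.append("%s should be '%s' (found %r)" % (name, wanted, val))

    if last("TransferLog") == "/dev/null" and last("CustomLog") is None:
        findings.append("access log discarded (TransferLog /dev/null): "
                        "no request trail for incident response")
    return findings


# Constructed sample: the TLS-relevant directives of the *:8443 block above.
SAMPLE_VHOST = """\
<VirtualHost *:8443>
  ErrorLog              /var/log/apache2/davical.log
  TransferLog           /dev/null
  # Enable HSTS (only enable this once you are sure SSL is working)
  #Header always set Strict-Transport-Security "max-age=15768000"
  SSLEngine on
  SSLHonorCipherOrder on
  SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  SSLCompression off
  SSLSessionTickets off
  SSLUseStapling on
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in check_vhost(SAMPLE_VHOST):
        print("-", finding)
```

Run against the sample it reports exactly three things: the 3DES tokens, the commented-out HSTS header, and the discarded access log; the protocol set resolves to TLS 1.2 and 1.3 only, which is what the Qualys grade above reflects. Point `check_vhost` at the text of your own `davical.conf` to re-check after edits.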
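Added example, again not part of the page or of DAViCal: a Python model of the two mod_rewrite blocks above, useful for checking which request paths end up at caldav.php before touching a live server. It implements only the subset of mod_rewrite behaviour these rules use (a RewriteCond applies to the RewriteRule that follows it and is evaluated only after that rule's pattern matched; `NC` makes the pattern case-insensitive; `L` ends the current pass; in VirtualHost context a rewritten URI is processed again, as Apache's internal redirect does). The mod_alias `Redirect permanent` on port 80 is not modelled, and the sample paths are constructed.

```python
import re


class Rule:
    """One RewriteRule with the RewriteConds that precede it in the config."""

    def __init__(self, pattern, substitution, conds=(), flags=()):
        self.flags = set(flags)
        self.pattern = re.compile(pattern, re.I if "NC" in self.flags else 0)
        self.substitution = substitution
        # Each cond is (negated, regex), tested against %{REQUEST_URI}.
        self.conds = [(c.startswith("!"), c.lstrip("!")) for c in conds]

    def apply(self, uri):
        """Return the rewritten URI, or None if the rule does not fire."""
        m = self.pattern.search(uri)          # unanchored, like mod_rewrite
        if m is None:
            return None
        for negated, cond in self.conds:      # checked only after the pattern matched
            if (re.search(cond, uri) is not None) == negated:
                return None
        # Expand $N back-references to groups of the RewriteRule pattern.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", self.substitution)


def rewrite(uri, rules, max_passes=10):
    """Run a rule set the way the per-server engine does: one pass over the
    rules (L stops the pass); if the URI changed, start over on the new URI,
    which is what Apache's internal redirect does in VirtualHost context."""
    for _ in range(max_passes):
        current = uri
        for rule in rules:
            out = rule.apply(current)
            if out is not None:
                current = out
                if "L" in rule.flags:
                    break
        if current == uri:
            return uri
        uri = current
    raise RuntimeError("rewrite loop on %r" % uri)


# The rewrite rule from the *:80 block (Redirect permanent is mod_alias, not modelled).
RULES_80 = [
    Rule(r"/.well-known(.*)$", "/caldav.php/.well-known$1", flags=("NC", "L")),
]

# The rules from the *:8443 block; the two RewriteConds belong to the first rule only.
RULES_8443 = [
    Rule(r"^(.*)$", "/caldav.php$1",
         conds=(r"!^/$", r"!\.(php|css|png|gif|js|jpg)"), flags=("NC", "L")),
    Rule(r"^/principals/users(.*)$", "/caldav.php$1", flags=("NC", "L")),
]


def rewrite_8443(uri):
    return rewrite(uri, RULES_8443)


def rewrite_80(uri):
    return rewrite(uri, RULES_80)


if __name__ == "__main__":
    # Constructed sample paths a CalDAV client or browser might request.
    for path in ("/", "/index.php", "/style.css", "/calendars/alice/home/",
                 "/principals/users/alice/", "/.well-known/caldav"):
        print("%-28s -> 8443: %-45s 80: %s" % (path, rewrite_8443(path), rewrite_80(path)))
```

The second pass matters: `/calendars/alice/home/` becomes `/caldav.php/calendars/alice/home/`, and on the re-run the `!\.(php|...)` condition now fails, which is what keeps the generic rule from rewriting its own output again. The root URL and static assets pass through untouched, as the two RewriteConds intend.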