Apache24 Config
PHP-fpm v7(+)
Apache 2.4 Modules
Putting it all together
Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3))
This setup will result in an 'A' rating at Qualys' SSL test:
/etc/apache2/sites-available/davical.conf:
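# Port 80: plain-HTTP listener whose only job is to send clients to the TLS
# vhost on 8443. Nothing is served from here (no DocumentRoot, no PHP handler).
<VirtualHost *:80>
    ServerAdmin <EMAIL>
    ServerName <SERVER FQDN>
    ServerAlias cal.<DOMAIN>

    <IfModule mod_rewrite.c>
        RewriteEngine on
        # Map /.well-known URLs (CalDAV service discovery) onto caldav.php.
        # Anchored at the start of the path and with the dot escaped, so only
        # URIs that really begin with "/.well-known" match (the unescaped,
        # unanchored form also matched e.g. "/foo/.well-known" or "/xwell-known").
        RewriteRule ^/\.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
        # Redirect everything else to https (redirect is always executed after rewrite)
        # NOTE(review): this vhost has no PHP handler, so a /.well-known request
        # is only useful if it does end up redirected to the 8443 vhost as the
        # comment above assumes - confirm with a request to
        # http://<SERVER FQDN>/.well-known/caldav after deploying.
        # NOTE(review): the 301 targets port 8443, not 443. If the Let's Encrypt
        # certificates used by the TLS vhost are renewed with the http-01
        # challenge, /.well-known/acme-challenge must stay reachable on port 80
        # (or redirect to port 443); verify the renewal path still works.
        Redirect permanent / https://cal.<DOMAIN>:8443/
    </IfModule>
</VirtualHost>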
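# Port 8443: the TLS vhost that actually serves DAViCal through PHP-FPM.
<VirtualHost *:8443>
    ServerAdmin <EMAIL>
    ServerName <SERVER FQDN>
    ServerAlias cal.<DOMAIN>
    # Site-wide hardening directives live in a separate file (not shown here).
    Include inc_security.conf

    DocumentRoot /usr/local/share/davical/htdocs
    DirectoryIndex /index.php index.php

    LogLevel warn
    ErrorLog /var/log/apache2/davical.log
    # Access logging is discarded here. For incident investigation and
    # monitoring you will normally want a real access log instead, e.g.
    #   CustomLog /var/log/apache2/davical-access.log combined
    TransferLog /dev/null

    # Hand *.php to PHP-FPM over its unix socket. CGIPassAuth lets the
    # Authorization header reach PHP, which DAViCal needs for HTTP auth.
    <FilesMatch "\.php$">
        SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
        CGIPassAuth on
    </FilesMatch>

    <Directory /usr/local/share/davical/htdocs>
        Require all granted
    </Directory>

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Not if it's the root URL
        RewriteCond %{REQUEST_URI} !^/$
        # Not if it is a .php program, script, stylesheet or image
        RewriteCond %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
        # Rewrite to caldav.php (generic)
        RewriteRule ^(.*)$ /caldav.php$1 [NC,L]
        # Rewrite to caldav.php (Apple)
        # NOTE(review): the generic rule above already matches these URIs and
        # carries [L], so this rule looks unreachable in this context. If the
        # /principals/users prefix must be stripped, it would have to come
        # before the generic rule - confirm against DAViCal's own URL handling.
        RewriteRule ^/principals/users(.*)$ /caldav.php$1 [NC,L]
    </IfModule>

    # Enable HTTP/2 (h2c is the cleartext variant and is not used on a TLS vhost)
    Protocols h2 h2c http/1.1

    # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
    #Header always set Strict-Transport-Security "max-age=15768000"

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem

    # Server picks the cipher; SSLv2/3 and TLS 1.0/1.1 are disabled.
    SSLHonorCipherOrder on
    SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Same list as before minus the 3DES entries: 3DES is a 64-bit block cipher,
    # and the clients that still depend on it cannot speak TLS 1.2 and are
    # therefore already locked out by the SSLProtocol line above. ECDHE/DHE
    # suites come first so most sessions get forward secrecy; the RSA
    # key-exchange suites remain as a fallback.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    # No TLS compression (CRIME) and no session tickets, which would otherwise
    # weaken forward secrecy for resumed sessions.
    SSLCompression off
    SSLSessionTickets off

    # Enable OCSP Stapling
    # NOTE(review): SSLUseStapling also needs an SSLStaplingCache directive in
    # server (not vhost) context, e.g.
    #   SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
    # or Apache refuses to start; assumed to come from inc_security.conf or
    # the global ssl.conf - confirm.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # Expose SSL_* variables to PHP (and any CGI scripts).
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    # Legacy Internet Explorer workarounds (kept from the original example).
    BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>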