Apache24 Config

Revision as of 11:58, 17 July 2020 by Vvh (talk | contribs) (Added the (first) example of a working Apache VirtualHost configuration)

PHP-fpm v7(+)

Apache 2.4 Modules

Putting it all together

Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3))

At the time of writing (July 2020) this setup produced an 'A' rating at Qualys' SSL Labs test. An A+ additionally requires the Strict-Transport-Security (HSTS) header, which is deliberately left commented out below until you have confirmed that TLS on cal.&lt;DOMAIN&gt; works. SSL Labs' grading criteria change over time, so re-test after deploying:

/etc/apache2/sites-available/davical.conf:

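<VirtualHost *:80>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 ServerAlias           cal.<DOMAIN>
 # Plain HTTP exists only to (a) answer Let's Encrypt HTTP-01 challenges and
 # (b) bounce everything else to the TLS vhost. DAViCal must not be reachable
 # here: a CalDAV client that talks to caldav.php on port 80 sends its HTTP
 # Basic credentials in cleartext. (The earlier revision rewrote /.well-known
 # to caldav.php on this vhost, which also has no DocumentRoot and no PHP-FPM
 # handler of its own on this page, so that path relied on server-wide defaults.)
 # Debian default docroot; only ACME challenge files are ever served from it.
 # Must match the --webroot path given to certbot if you validate via HTTP-01.
 DocumentRoot          /var/www/html
 <IfModule mod_rewrite.c>
   RewriteEngine on
   # Serve ACME HTTP-01 challenge files from disk over plain HTTP. If you
   # validate with certbot --apache or DNS-01 instead, this rule is unused.
   RewriteRule ^/\.well-known/acme-challenge/ - [L]
   # Everything else, /.well-known/caldav included, is redirected to https.
   # Discovery keeps working because the :8443 vhost rewrites
   # /.well-known/caldav to caldav.php itself - but now only over TLS.
   # A RewriteRule with [R] replaces the mod_alias "Redirect" so that a single
   # module decides the outcome and no rewrite/redirect ordering question arises.
   RewriteRule ^/(.*)$ https://cal.<DOMAIN>:8443/$1 [R=301,L]
 </IfModule>
</VirtualHost>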
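<VirtualHost *:8443>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 # Site-wide hardening (response headers etc.) is presumably kept in this
 # include; its contents are not shown on this page. SSLStaplingCache (see the
 # OCSP section below) must live at server scope, so put it there or in
 # mods-enabled/ssl.conf, never inside this VirtualHost.
 Include               inc_security.conf
 DocumentRoot          /usr/local/share/davical/htdocs
 # The :80 vhost sends clients to https://cal.<DOMAIN>:8443/, so the
 # certificate below must carry cal.<DOMAIN> as a Subject Alternative Name,
 # not only <SERVER FQDN>, or every client will see a name mismatch.
 ServerAlias           cal.<DOMAIN>
 LogLevel              warn
 ErrorLog              /var/log/apache2/davical.log
 # Keep an access log. It is the only record of who authenticated from where
 # and what they fetched - the input for brute-force detection (fail2ban and
 # friends) and for any incident review. The earlier revision discarded it
 # with "TransferLog /dev/null".
 CustomLog             /var/log/apache2/davical-access.log combined
 DirectoryIndex        /index.php index.php
 # Hand *.php to the dedicated DAViCal PHP-FPM pool over a unix socket (a pool
 # of its own keeps the DB credentials away from other PHP apps on the host).
 # FilesMatch is applied to the on-disk filename, so /caldav.php/<path-info>
 # still lands here. CGIPassAuth is required: DAViCal does HTTP Basic
 # authentication itself in PHP and needs the Authorization header, which
 # Apache strips before proxying unless told otherwise.
 <FilesMatch "\.php$">
   SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
   CGIPassAuth on
 </FilesMatch>
 # Anonymous access to the DocumentRoot only exposes DAViCal's public htdocs;
 # authentication and authorisation happen inside the PHP code. Make sure
 # config.php (it holds the database credentials) is not under this directory.
 <Directory /usr/local/share/davical/htdocs>
   Require all granted
 </Directory>
 <IfModule mod_rewrite.c>
   RewriteEngine       On
   # Leave the root URL alone (index.php via DirectoryIndex)
   RewriteCond         %{REQUEST_URI} !^/$
   # ...and anything that is a PHP program, script, stylesheet or image.
   # Deliberately unanchored: /caldav.php/<path> must pass through untouched,
   # otherwise it would be rewritten a second time.
   RewriteCond         %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
   # Everything else (including /.well-known/caldav) is handed to caldav.php
   RewriteRule         ^(.*)$ /caldav.php$1  [NC,L]
   # Apple-style principal URLs. NOTE(review): RewriteConds apply only to the
   # rule directly after them, and that rule is terminal ([L]) and matches every
   # remaining URL, so this rule is reached only for URLs the conditions
   # excluded. /principals/users/... is therefore already mapped to
   # /caldav.php/principals/users/... by the generic rule; whether DAViCal
   # accepts that form is not shown on this page - verify with an Apple client.
   # Kept as in the earlier revision.
   RewriteRule         ^/principals/users(.*)$ /caldav.php$1  [NC,L]
 </IfModule>
 # HTTP/2 over TLS. "h2c" (cleartext HTTP/2) is meaningless on a TLS-only
 # vhost and was dropped. mod_http2 requires the event MPM, which is fine
 # here because PHP runs in PHP-FPM rather than mod_php.
 Protocols             h2 http/1.1
 # HSTS: enable only once TLS on cal.<DOMAIN> is known to work - browsers will
 # then refuse plain HTTP for max-age seconds (15768000 = ~6 months, above the
 # 180 days SSL Labs requires for an A+). Needs mod_headers.
 #Header               always set Strict-Transport-Security "max-age=15768000"
 SSLEngine             on
 SSLCertificateFile    /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
 SSLHonorCipherOrder   on
 # Leaves TLS 1.2 and - with OpenSSL 1.1.1 as shipped in Debian 10 - TLS 1.3.
 SSLProtocol           ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 # Forward-secret AEAD suites only. The earlier list also offered 3DES
 # (SWEET32) and static-RSA key exchange (no forward secrecy, so a leaked
 # private key decrypts recorded traffic); both are removed. Append
 # "ECDHE+AES" after the GCM entries only if you must support clients that
 # lack AES-GCM.
 SSLCipherSuite        ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!DSS
 # No TLS compression (CRIME). No session tickets: Apache only re-keys the
 # ticket key on restart unless you manage SSLSessionTicketKeyFile yourself,
 # and a long-lived ticket key undermines forward secrecy.
 SSLCompression        off
 SSLSessionTickets     off
 # OCSP stapling. mod_ssl requires an SSLStaplingCache to be configured at
 # server scope (outside any VirtualHost) when SSLUseStapling is on, e.g.
 #   SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
 # Responder errors are not passed on to clients (they would only turn a
 # temporary responder outage into hard TLS failures for every user).
 SSLUseStapling        on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 # Export SSL_* environment variables to scripts (carried over from Debian's
 # default-ssl.conf; harmless - nothing on this page depends on them).
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
   SSLOptions +StdEnvVars
 </Directory>
 # The "BrowserMatch MSIE ..." lines inherited from the 2.2-era default-ssl.conf
 # are intentionally omitted: they worked around SSL shutdown bugs in IE 1-9
 # and forced HTTP/1.0 downgrades, which serves no purpose on a TLS 1.2+-only
 # vhost.
</VirtualHost>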