Apache24 Config


PHP-fpm v7(+)

Apache 2.4 Modules

Putting it all together

Example 1 (Debian 10 Buster (Apache 2.4.38 + PHP-FPM 7.3))

This setup will result in an 'A' rating at Qualys' SSL test:

/etc/apache2/sites-available/davical.conf:

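<VirtualHost *:80>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 ServerAlias           cal.<DOMAIN>
 <IfModule mod_rewrite.c>
   RewriteEngine on
   # Hand the CalDAV/CardDAV discovery URLs straight to DAViCal over plain HTTP.
   # Anchored to the start of the URL-path with the dot escaped, so only
   # /.well-known/... matches; the unanchored pattern "/.well-known(.*)$" also
   # matched any path that merely contained ".well-known" somewhere.
   # NOTE: this also captures /.well-known/acme-challenge/ -- confirm it does not
   # interfere with renewal of the Let's Encrypt certificate used on :8443.
   RewriteRule ^/\.well-known(.*)$ /caldav.php/.well-known$1 [NC,L]
 </IfModule>
 # Redirect everything else to https. Redirect is a mod_alias directive, so it
 # lives outside the mod_rewrite conditional: inside it, a server without
 # mod_rewrite would silently keep serving DAViCal over plain HTTP. The rewrite
 # above is still applied first (Apache runs mod_rewrite's server-context rules
 # before mod_alias, regardless of directive order), so /.well-known requests
 # are not redirected.
 Redirect permanent    / https://cal.<DOMAIN>:8443/
</VirtualHost>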
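<VirtualHost *:8443>
 ServerAdmin           <EMAIL>
 ServerName            <SERVER FQDN>
 Include               inc_security.conf
 DocumentRoot          /usr/local/share/davical/htdocs
 ServerAlias           cal.<DOMAIN>
 LogLevel              warn
 ErrorLog              /var/log/apache2/davical.log
 # Access logging is discarded entirely. Point TransferLog (or CustomLog) at a
 # real file if you need request history for troubleshooting or incident review.
 TransferLog           /dev/null
 DirectoryIndex        /index.php index.php
 <FilesMatch "\.php$">
   # Hand PHP files to PHP-FPM over its unix socket.
   SetHandler "proxy:unix:/run/php-fpm.davical.sock|fcgi://localhost"
   # Pass the Authorization header through to PHP so DAViCal can authenticate
   # CalDAV/CardDAV clients itself; Apache withholds it from FastCGI by default.
   CGIPassAuth on
 </FilesMatch>
 <Directory /usr/local/share/davical/htdocs>
   Require all granted
 </Directory>
 <IfModule mod_rewrite.c>
   RewriteEngine       On
   # The two conditions below apply only to the generic rule that follows them.
   # Not if it's the root URL
   RewriteCond         %{REQUEST_URI} !^/$
   # Not if it is a .php program, script, stylesheet or image
   RewriteCond         %{REQUEST_URI} !\.(php|css|png|gif|js|jpg)
   # Rewrite to caldav.php (generic). [L] stops processing in VirtualHost
   # context, so the Apple rule below is only reached when one of the
   # conditions above excluded the request from this rule.
   RewriteRule         ^(.*)$ /caldav.php$1  [NC,L]
   # Rewrite to caldav.php (Apple)
   RewriteRule         ^/principals/users(.*)$ /caldav.php$1  [NC,L]
 </IfModule>
 # Enable HTTP/2 (h2c is the cleartext variant and is never negotiated on a TLS vhost)
 Protocols             h2 h2c http/1.1
 # Enable HSTS (15768000 seconds = 6 months - only enable this once you are sure SSL is working )
 #Header               always set Strict-Transport-Security "max-age=15768000"
 SSLEngine             on
 # fullchain.pem already carries the intermediate certificate, so no separate
 # SSLCertificateChainFile is needed.
 SSLCertificateFile    /etc/letsencrypt/live/<SERVER FQDN>/fullchain.pem
 SSLCertificateKeyFile /etc/letsencrypt/live/<SERVER FQDN>/privkey.pem
 SSLHonorCipherOrder   on
 # TLS 1.2 and newer only.
 SSLProtocol           ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
 # The 3DES entries (ECDH+3DES, DH+3DES, RSA+3DES) from the original list are
 # dropped: 3DES is a 64-bit block cipher (Sweet32) and every TLS 1.2 client
 # already supports AES, so nothing that can connect here loses a usable suite.
 SSLCipherSuite        ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
 SSLCompression        off
 SSLSessionTickets     off
 # Enable OCSP Stapling. This needs SSLStaplingCache in the server-wide
 # configuration (outside any VirtualHost, e.g. in mods-available/ssl.conf),
 # such as: SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)
 # Without it Apache refuses to start once SSLUseStapling is on.
 SSLUseStapling        on
 SSLStaplingResponderTimeout 5
 SSLStaplingReturnResponderErrors off
 <FilesMatch "\.(cgi|shtml|phtml|php)$">
   SSLOptions +StdEnvVars
 </FilesMatch>
 <Directory /usr/lib/cgi-bin>
   SSLOptions +StdEnvVars
 </Directory>
 # Legacy workarounds for old Internet Explorer versions, carried over from the
 # Debian default-ssl template.
 BrowserMatch "MSIE [1-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
 BrowserMatch "MSIE [6-99]" ssl-unclean-shutdown
</VirtualHost>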