A better default vhost for Apache.

This is my proposal to a better vhost. I added comments to understand the tricky behavior of Directory directive when using Alias or ScriptAlias.
2017-07-18 17:05:47 +02:00 · 2017-07-18 17:05:47 +02:00 · 92f699b84c
parent 2aff6b94c6
commit 92f699b84c
1 changed files with 34 additions and 17 deletions
--- a/apache/templates/evolinux-default.conf.j2
+++ b/apache/templates/evolinux-default.conf.j2
@ -2,10 +2,19 @@
    ServerName {{ ansible_fqdn }}
    ServerAdmin webmaster@localhost

+    DocumentRoot /var/www/
+
    RewriteEngine on
-    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
-    # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
+    # Redirect to HTTPS, execpt for munin, because some plugins
+    # can't handle HTTPS! :(
+    RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
+    RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
    RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
+
+    <Location /munin_opcache.php>
+        Require ip 127.0.0.1
+    </Location>
+
 </VirtualHost>

 <VirtualHost *:443>
@ -17,31 +26,39 @@
    SSLEngine on
    SSLCertificateFile    {{ apache_evolinux_default_ssl_cert }}
    SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
-    # SSLProtocol all -SSLv2 -SSLv3

+    # We override these 2 Directory directives setted in apache2.conf.
+    # We want no access except from allowed IP address.
+    <Directory />
+        Options -Indexes
+        Require all denied
+        Include /etc/apache2/private_ipaddr_whitelist.conf
+    </Directory>
    <Directory /var/www/>
-        Options +Indexes +FollowSymLinks +MultiViews
-        AllowOverride None
-
+        Options -Indexes
+        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

+    # Munin. We need to set Directory directive as Alias take precedence.
    Alias /munin /var/cache/munin/www
-    <Directory /var/cache/munin/www/>
-        Options +Indexes +FollowSymLinks +MultiViews
-        AllowOverride None
-
+    <Directory /var/cache/munin/>
+        Options -Indexes
+        Require all denied
+        Include /etc/apache2/private_ipaddr_whitelist.conf
+    </Directory>
+    <Directory /usr/lib/munin/cgi/>
+        Options -Indexes
+        Require all denied
        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

-    <Location /munin_opcache.php>
-        Include /etc/apache2/private_ipaddr_whitelist.conf
-    </Location>
-
+    # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-    <Directory "/usr/lib/cgi-bin">
-        AllowOverride None
+    <Directory /usr/lib/cgi-bin>
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+        Require all denied
+        Include /etc/apache2/private_ipaddr_whitelist.conf
    </Directory>

    ErrorDocument 403 {{ apache_default_redirect_url }}
@ -54,7 +71,7 @@
    IncludeOptional /etc/apache2/conf-available/phpmyadmin*

    <Files ~ "\.(inc|bak)$">
-        deny from all
+        Require all denied
    </Files>

 </VirtualHost>