A better default vhost for Apache.
This is my proposal for a better vhost. I added comments to explain the tricky behavior of the Directory directive when using Alias or ScriptAlias.
parent
2aff6b94c6
commit
92f699b84c
|
@ -2,10 +2,19 @@
|
|||
ServerName {{ ansible_fqdn }}
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
DocumentRoot /var/www/
|
||||
|
||||
RewriteEngine on
|
||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
|
||||
# RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||
# Redirect to HTTPS, execpt for munin, because some plugins
|
||||
# can't handle HTTPS! :(
|
||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
|
||||
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
||||
|
||||
<Location /munin_opcache.php>
|
||||
Require ip 127.0.0.1
|
||||
</Location>
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:443>
|
||||
|
@ -17,31 +26,39 @@
|
|||
SSLEngine on
|
||||
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
|
||||
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
|
||||
# SSLProtocol all -SSLv2 -SSLv3
|
||||
|
||||
# We override these 2 Directory directives setted in apache2.conf.
|
||||
# We want no access except from allowed IP address.
|
||||
<Directory />
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
<Directory /var/www/>
|
||||
Options +Indexes +FollowSymLinks +MultiViews
|
||||
AllowOverride None
|
||||
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
# Munin. We need to set Directory directive as Alias take precedence.
|
||||
Alias /munin /var/cache/munin/www
|
||||
<Directory /var/cache/munin/www/>
|
||||
Options +Indexes +FollowSymLinks +MultiViews
|
||||
AllowOverride None
|
||||
|
||||
<Directory /var/cache/munin/>
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
<Directory /usr/lib/munin/cgi/>
|
||||
Options -Indexes
|
||||
Require all denied
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
<Location /munin_opcache.php>
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Location>
|
||||
|
||||
# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
|
||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||
<Directory "/usr/lib/cgi-bin">
|
||||
AllowOverride None
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||
Require all denied
|
||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||
</Directory>
|
||||
|
||||
ErrorDocument 403 {{ apache_default_redirect_url }}
|
||||
|
@ -54,7 +71,7 @@
|
|||
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
||||
|
||||
<Files ~ "\.(inc|bak)$">
|
||||
deny from all
|
||||
Require all denied
|
||||
</Files>
|
||||
|
||||
</VirtualHost>
|
||||
|
|
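Review bot: In the port-80 vhost, the two `RewriteCond` lines exempting `/server-status` and `/munin_opcache.php` from the HTTPS redirect are joined with `[OR]` (they appear to be the added lines; the +/- markers are lost on this page). Two negated patterns OR-ed together are true for every URI, so if the flag takes effect neither exemption ever applies. The flag is also written as a second bracket, `[NC] [OR]`, where mod_rewrite documents a single comma-separated list, so it may not be honoured at all. The exemptions need the default AND, so the first line should read `RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]` with no `[OR]`. Separately, the plain-HTTP `<Location /munin_opcache.php>` permits only `Require ip 127.0.0.1`; `Require local` would also cover a plugin that connects over `::1`.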