diff --git a/apache/templates/evolinux-default.conf.j2 b/apache/templates/evolinux-default.conf.j2
index 8a5259f5..2c8f3971 100644
--- a/apache/templates/evolinux-default.conf.j2
+++ b/apache/templates/evolinux-default.conf.j2
@@ -2,10 +2,19 @@
ServerName {{ ansible_fqdn }}
ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/
+
RewriteEngine on
- RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
- # RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
+ # Redirect to HTTPS, execpt for munin, because some plugins
+ # can't handle HTTPS! :(
+ RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
+ RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
+
+
+ Require ip 127.0.0.1
+
+
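Review bot: Joining the two negated `RewriteCond` lines with OR makes the pair true for every request, because any URI fails to match at least one of `/server-status` and `/munin_opcache.php`. If the OR is honoured, both paths are redirected to HTTPS, which is the opposite of what the comment above them says. Flags also belong in a single bracketed list, so `[NC] [OR]` is not the documented form, and how Apache treats the second token is worth checking with `apachectl configtest`. Dropping the OR gives the intended implicit AND: `RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]` followed by `RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]`. The container around `Require ip 127.0.0.1` is not visible in this hunk, so its scope cannot be confirmed from here.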
@@ -17,31 +26,39 @@
SSLEngine on
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
- # SSLProtocol all -SSLv2 -SSLv3
+ # We override these 2 Directory directives setted in apache2.conf.
+ # We want no access except from allowed IP address.
+
+ Options -Indexes
+ Require all denied
+ Include /etc/apache2/private_ipaddr_whitelist.conf
+
- Options +Indexes +FollowSymLinks +MultiViews
- AllowOverride None
-
+ Options -Indexes
+ Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf
+ # Munin. We need to set Directory directive as Alias take precedence.
Alias /munin /var/cache/munin/www
-
- Options +Indexes +FollowSymLinks +MultiViews
- AllowOverride None
-
+
+ Options -Indexes
+ Require all denied
+ Include /etc/apache2/private_ipaddr_whitelist.conf
+
+
+ Options -Indexes
+ Require all denied
Include /etc/apache2/private_ipaddr_whitelist.conf
-
- Include /etc/apache2/private_ipaddr_whitelist.conf
-
-
+ # For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
-
- AllowOverride None
+
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+ Require all denied
+ Include /etc/apache2/private_ipaddr_whitelist.conf
ErrorDocument 403 {{ apache_default_redirect_url }}
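Review bot: The explicit `AllowOverride None` lines are removed from the rewritten blocks, including the one that keeps `Options +ExecCGI`, so these blocks now depend on whatever AllowOverride setting they inherit. If a broader scope ever enables overrides, an `.htaccess` file inside one of these trees could relax the new `Require all denied` restriction; keeping `AllowOverride None` next to each `Require all denied` makes the restriction self-contained. The restriction also relies on `/etc/apache2/private_ipaddr_whitelist.conf` containing 2.4-style `Require ip` lines, which this hunk does not show; any remaining `Allow from` lines would be evaluated by mod_access_compat alongside `Require` and should be converted in the same change. The container opening and closing lines are not visible here, so the paths each block applies to cannot be confirmed from the hunk.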
@@ -54,7 +71,7 @@
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
- deny from all
+ Require all denied