From 39c0abf5dacf04b14469521dadc7c8e35f50deff Mon Sep 17 00:00:00 2001
From: Gregory Colpart <gcolpart+git@evolix.fr>
Date: Thu, 16 Nov 2023 14:46:53 +0100
Subject: [PATCH] =?UTF-8?q?sync=20default=20conf=20avec=20notre=20r=C3=B4l?=
 =?UTF-8?q?e=20Ansible?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 HowtoApache.md | 41 ++++++++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/HowtoApache.md b/HowtoApache.md
index 5ab7d884..b2459ee5 100644
--- a/HowtoApache.md
+++ b/HowtoApache.md
@@ -127,16 +127,47 @@ MaxRequestWorkers 250
 StartServers 50
 MinSpareServers 20
 MaxSpareServers 30
-MaxRequestsPerChild 100
+MaxConnectionsPerChild 100
 
+LimitUIDRange       0 6000
+LimitGIDRange       0 6000
+
+<IfModule mod_ssl.c>
+    SSLProtocol all -SSLv2 -SSLv3
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+</IfModule>
+
+<IfModule status_module>
+    ExtendedStatus On
+    <IfModule proxy_module>
+        ProxyStatus On
+    </IfModule>
+</IfModule>
+
+# Go away bad bots (define "bad bots" in zzz-evolinux-custom.conf)
 <If "reqenv('GoAway') -eq 1">
   Require all denied
 </If>
 
-<IfModule mod_ssl.c>
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
-</IfModule>
+<DirectoryMatch "/\.git">
+    # We don't want to let the client know a file exist on the server,
+    # so we return 404 "Not found" instead of 403 "Forbidden".
+    Redirect 404
+</DirectoryMatch>
+
+# File names starting with
+<FilesMatch "^\.(git|env)">
+    Redirect 404
+</FilesMatch>
+
+# File names ending with
+<FilesMatch "\.(inc|bak)$">
+    Redirect 404
+</FilesMatch>
+
+<LocationMatch "^/evolinux_fpm_status-.*">
+    Require all denied
+</LocationMatch>
 ~~~
 
 et nos optimisations spécifiques dans `/etc/apache2/conf-available/zzz-evolinux-custom.conf` :