A better default vhost for Apache.
This is my proposal for a better vhost. I added comments to explain the tricky behavior of the Directory directive when using Alias or ScriptAlias.
parent
2aff6b94c6
commit
92f699b84c
|
@ -2,10 +2,19 @@
|
||||||
ServerName {{ ansible_fqdn }}
|
ServerName {{ ansible_fqdn }}
|
||||||
ServerAdmin webmaster@localhost
|
ServerAdmin webmaster@localhost
|
||||||
|
|
||||||
|
DocumentRoot /var/www/
|
||||||
|
|
||||||
RewriteEngine on
|
RewriteEngine on
|
||||||
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]
|
# Redirect to HTTPS, execpt for munin, because some plugins
|
||||||
# RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
# can't handle HTTPS! :(
|
||||||
|
RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]
|
||||||
|
RewriteCond %{REQUEST_URI} !^/munin_opcache.php$ [NC]
|
||||||
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
RewriteRule ^/(.*) https://{{ ansible_fqdn }}/$1 [L,R=permanent]
|
||||||
|
|
||||||
|
<Location /munin_opcache.php>
|
||||||
|
Require ip 127.0.0.1
|
||||||
|
</Location>
|
||||||
|
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
|
@ -17,31 +26,39 @@
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
|
SSLCertificateFile {{ apache_evolinux_default_ssl_cert }}
|
||||||
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
|
SSLCertificateKeyFile {{ apache_evolinux_default_ssl_key }}
|
||||||
# SSLProtocol all -SSLv2 -SSLv3
|
|
||||||
|
|
||||||
|
# We override these 2 Directory directives setted in apache2.conf.
|
||||||
|
# We want no access except from allowed IP address.
|
||||||
|
<Directory />
|
||||||
|
Options -Indexes
|
||||||
|
Require all denied
|
||||||
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
|
</Directory>
|
||||||
<Directory /var/www/>
|
<Directory /var/www/>
|
||||||
Options +Indexes +FollowSymLinks +MultiViews
|
Options -Indexes
|
||||||
AllowOverride None
|
Require all denied
|
||||||
|
|
||||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
# Munin. We need to set Directory directive as Alias take precedence.
|
||||||
Alias /munin /var/cache/munin/www
|
Alias /munin /var/cache/munin/www
|
||||||
<Directory /var/cache/munin/www/>
|
<Directory /var/cache/munin/>
|
||||||
Options +Indexes +FollowSymLinks +MultiViews
|
Options -Indexes
|
||||||
AllowOverride None
|
Require all denied
|
||||||
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
|
</Directory>
|
||||||
|
<Directory /usr/lib/munin/cgi/>
|
||||||
|
Options -Indexes
|
||||||
|
Require all denied
|
||||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location /munin_opcache.php>
|
# For CGI Scripts. We need to set Directory directive as ScriptAlias take precedence.
|
||||||
Include /etc/apache2/private_ipaddr_whitelist.conf
|
|
||||||
</Location>
|
|
||||||
|
|
||||||
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
||||||
<Directory "/usr/lib/cgi-bin">
|
<Directory /usr/lib/cgi-bin>
|
||||||
AllowOverride None
|
|
||||||
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
||||||
|
Require all denied
|
||||||
|
Include /etc/apache2/private_ipaddr_whitelist.conf
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
ErrorDocument 403 {{ apache_default_redirect_url }}
|
ErrorDocument 403 {{ apache_default_redirect_url }}
|
||||||
|
@ -54,7 +71,7 @@
|
||||||
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
IncludeOptional /etc/apache2/conf-available/phpmyadmin*
|
||||||
|
|
||||||
<Files ~ "\.(inc|bak)$">
|
<Files ~ "\.(inc|bak)$">
|
||||||
deny from all
|
Require all denied
|
||||||
</Files>
|
</Files>
|
||||||
|
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
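Review bot: In the port-80 vhost the first new condition, `RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC] [OR]`, is wrong in two ways: RewriteCond flags belong in a single bracket (`[NC,OR]`), and an OR of two negated patterns is true for every URI, so it cannot produce the exemptions the comment describes. The two conditions should be ANDed, which is the default: `RewriteCond %{REQUEST_URI} !^/server-status.*$ [NC]` followed by `RewriteCond %{REQUEST_URI} !^/munin_opcache\.php$ [NC]`. With that fix both paths are served over plain HTTP, so it is worth confirming that /server-status is restricted elsewhere, since no rule for it is visible in this file. In the new `<Location /munin_opcache.php>` block, `Require local` would also admit `::1`, which `Require ip 127.0.0.1` does not.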