From 3763cc0783b1fb91055e82560c7dd3f480fcd270 Mon Sep 17 00:00:00 2001
From: Alex Cabal
Date: Wed, 2 Jul 2025 17:02:40 -0500
Subject: [PATCH] Update Apache configuration to modern SSL standards
---
 config/apache/standardebooks.org.conf | 21 ++++++++-------------
 config/apache/standardebooks.test.conf | 21 ++++++++-------------
 2 files changed, 16 insertions(+), 26 deletions(-)
diff --git a/config/apache/standardebooks.org.conf b/config/apache/standardebooks.org.conf
index 9b998107..34440d8c 100644
--- a/config/apache/standardebooks.org.conf
+++ b/config/apache/standardebooks.org.conf
@@ -36,17 +36,12 @@ FileETag All
 RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
 Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
-# SSL hardening; see .
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-SSLHonorCipherOrder on
-SSLCompression off
+# SSL hardening; see .
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+SSLHonorCipherOrder off
 SSLSessionTickets off
-SSLStaplingCache shmcb:/var/run/ocsp(128000)
-# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
-SSLUseStapling on
-SSLStaplingResponderTimeout 5
-SSLStaplingReturnResponderErrors off
 Define domain standardebooks.org
 Define web_root /standardebooks.org/web
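Review bot: The new SSLCipherSuite line adds DHE-RSA-* suites but the hunk sets no DH group, so those suites run on whatever mod_ssl supplies by default (its built-in groups sized to the certificate key on Apache 2.4.7+), whereas the Mozilla intermediate profile this list appears to follow pairs them with the RFC 7919 ffdhe2048 group. Either add `SSLOpenSSLConfCmd DHParameters "<path-to-ffdhe2048.pem>"` (placeholder path) next to the Curves line, or drop the DHE-* suites if an ECDHE-only policy is intended. Separately, removing SSLUseStapling and SSLStaplingCache outright stops stapled OCSP responses entirely; if the certificate carries the Must-Staple extension, clients that enforce it will refuse the handshake, so confirm that is not the case and record the reason in the comment, e.g. `# OCSP stapling intentionally disabled: <reason>`. The identical hunk in config/apache/standardebooks.test.conf has the same two points.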
@@ -129,7 +124,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
 RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
- # PHP-FPM configuration
+ # PHP-FPM configuration.
 # See .
 # Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@@ -158,7 +153,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 # In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
 # Rewrite POST `/some/url` -> POST `/some/url/post.php`.
- RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
+ RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
 RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
 RewriteRule ^([^\.]+)$ $1/%1.php [L]
@@ -178,7 +173,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
 RewriteRule ^(.+)$ $1.php [QSA]
- # End PHP-FPM configuration
+ # End PHP-FPM configuration.
 # Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
 RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f
diff --git a/config/apache/standardebooks.test.conf b/config/apache/standardebooks.test.conf
index 04c1bc0f..f3113730 100644
--- a/config/apache/standardebooks.test.conf
+++ b/config/apache/standardebooks.test.conf
@@ -36,17 +36,12 @@ FileETag All
 RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
 Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
-# SSL hardening; see https://mozilla.github.io/server-side-tls/ssl-config-generator/
-SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
-SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-SSLHonorCipherOrder on
-SSLCompression off
+# SSL hardening; see .
+SSLProtocol -all +TLSv1.2 +TLSv1.3
+SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
+SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
+SSLHonorCipherOrder off
 SSLSessionTickets off
-SSLStaplingCache shmcb:/var/run/ocsp(128000)
-# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
-SSLUseStapling on
-SSLStaplingResponderTimeout 5
-SSLStaplingReturnResponderErrors off
 Define domain standardebooks.test
 Define web_root /standardebooks.org/web
@@ -111,7 +106,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
 RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
- # PHP-FPM configuration
+ # PHP-FPM configuration.
 # See .
 # Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@@ -140,7 +135,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 # In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
 # Rewrite POST `/some/url` -> POST `/some/url/post.php`.
- RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
+ RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
 RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
 RewriteRule ^([^\.]+)$ $1/%1.php [L]
@@ -160,7 +155,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
 RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
 RewriteRule ^(.+)$ $1.php [QSA]
- # End PHP-FPM configuration
+ # End PHP-FPM configuration.
 # Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
 RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f