standardebooks/web
1
0
Fork 0
mirror of https://github.com/standardebooks/web.git synced 2025-07-05 06:10:36 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update Apache configuration to modern SSL standards

Browse source
This commit is contained in:
Alex Cabal 2025-07-02 17:02:40 -05:00
parent 41c3dc8449
commit 3763cc0783
2 changed files with 16 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

21
config/apache/standardebooks.org.conf
View file

@ -36,17 +36,12 @@ FileETag All
RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\"" RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\"" Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
# SSL hardening; see <https://mozilla.github.io/server-side-tls/ssl-config-generator/>. # SSL hardening; see <https://ssl-config.mozilla.org/>.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCompression off SSLHonorCipherOrder off
SSLSessionTickets off SSLSessionTickets off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Define domain standardebooks.org Define domain standardebooks.org
Define web_root /standardebooks.org/web Define web_root /standardebooks.org/web
@ -129,7 +124,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC] RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L] RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
# PHP-FPM configuration # PHP-FPM configuration.
# See <https://serverfault.com/questions/450628/apache-2-4-php-fpm-proxypassmatch/510784>. # See <https://serverfault.com/questions/450628/apache-2-4-php-fpm-proxypassmatch/510784>.
# Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`. # Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@ -158,7 +153,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
# In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`. # In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
# Rewrite POST `/some/url` -> POST `/some/url/post.php`. # Rewrite POST `/some/url` -> POST `/some/url/post.php`.
RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/" RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
RewriteRule ^([^\.]+)$ $1/%1.php [L] RewriteRule ^([^\.]+)$ $1/%1.php [L]
@ -178,7 +173,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
RewriteRule ^(.+)$ $1.php [QSA] RewriteRule ^(.+)$ $1.php [QSA]
# End PHP-FPM configuration # End PHP-FPM configuration.
# Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request. # Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f

21
config/apache/standardebooks.test.conf
View file

@ -36,17 +36,12 @@ FileETag All
RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\"" RequestHeader edit "If-None-Match" "^\"(.*)-gzip\"$" "\"$1\""
Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\"" Header edit "ETag" "^\"(.*[^g][^z][^i][^p])\"$" "\"$1-gzip\""
# SSL hardening; see https://mozilla.github.io/server-side-tls/ssl-config-generator/ # SSL hardening; see <https://ssl-config.mozilla.org/>.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 SSLOpenSSLConfCmd Curves X25519:prime256v1:secp384r1
SSLHonorCipherOrder on SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLCompression off SSLHonorCipherOrder off
SSLSessionTickets off SSLSessionTickets off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
# SSL Stapling should be off for testing to prevent errors in log files, and on for live.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Define domain standardebooks.test Define domain standardebooks.test
Define web_root /standardebooks.org/web Define web_root /standardebooks.org/web
@ -111,7 +106,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{HTTP_HOST} ^www\.(.+) [NC] RewriteCond %{HTTP_HOST} ^www\.(.+) [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L] RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
# PHP-FPM configuration # PHP-FPM configuration.
# See <https://serverfault.com/questions/450628/apache-2-4-php-fpm-proxypassmatch/510784>. # See <https://serverfault.com/questions/450628/apache-2-4-php-fpm-proxypassmatch/510784>.
# Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`. # Required for FPM to receive POST data sent with `Transfer-Encoding: chunked`.
@ -140,7 +135,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
# In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`. # In `RewriteCond`, `RewriteRule` gets evaluated *before `RewriteCond`, so `$1` refers to the first match in `RewriteRule`.
# Rewrite POST `/some/url` -> POST `/some/url/post.php`. # Rewrite POST `/some/url` -> POST `/some/url/post.php`.
RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/" RewriteCond expr "tolower(%{REQUEST_METHOD}) =~ /^(post|delete|put)$/"
RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f RewriteCond %{DOCUMENT_ROOT}/$1/%1.php -f
RewriteRule ^([^\.]+)$ $1/%1.php [L] RewriteRule ^([^\.]+)$ $1/%1.php [L]
@ -160,7 +155,7 @@ Define conf_rewrite_root ${web_root}/config/apache/rewrites
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI} !-d
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_URI}.php -f
RewriteRule ^(.+)$ $1.php [QSA] RewriteRule ^(.+)$ $1.php [QSA]
# End PHP-FPM configuration # End PHP-FPM configuration.
# Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request. # Received: `/filename` and `/filename.xml` exists in filesystem -> rewrite to `/filename.xml` and continue request.
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f RewriteCond %{DOCUMENT_ROOT}%{REQUEST_FILENAME}.xml -f