apache2.conf 3.75 KB
## Stock preamble:
# Process-level settings. The ${APACHE_*} variables are not defined in this
# file; presumably they come from the distribution's envvars file -- confirm.

DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
# Seconds the server waits on network I/O before failing a request.
Timeout 300
# Persistent connections: at most 100 requests per connection, and an idle
# connection is closed after 5 seconds.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
# Identity the request-handling processes run as (taken from the environment).
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
# No reverse DNS lookup per request; %h in the access log is the client address.
HostnameLookups Off
# "combined" is the nickname given by the LogFormat line in the postamble below.
CustomLog ${APACHE_LOG_DIR}/access.log combined
ErrorLog  ${APACHE_LOG_DIR}/error.log
LogLevel warn

## Modules:
# Modules are loaded explicitly here, so only what this file lists is available.

# Event MPM (multi-process, multi-threaded).
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
# Sizing: MaxRequestWorkers 150 / ThreadsPerChild 25 = at most 6 child processes.
# ThreadLimit 64 is the upper bound ThreadsPerChild may be raised to.
StartServers              2
MinSpareThreads          25
MaxSpareThreads          75
ThreadLimit              64
ThreadsPerChild          25
MaxRequestWorkers       150
# 0 = a child is never retired after a fixed number of connections.
MaxConnectionsPerChild    0

# For the Require directives:
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so

# SSL support:
# socache_shmcb provides the shared-memory backend named in SSLSessionCache below.
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
# PRNG seeding at server start and per connection: the built-in source plus
# 512 bytes read from /dev/urandom.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
# Server-side session cache: 512000-byte shmcb segment, entries expire after 300 s.
SSLSessionCache         shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout  300
# from https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html:
# Protocols: everything except SSLv3, TLS 1.0 and TLS 1.1, i.e. TLS 1.2 and
# whatever newer version the linked TLS library offers.
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
# Every suite is ECDHE (forward secrecy). The first six are AEAD (AES-GCM,
# ChaCha20-Poly1305); the last four are AES-CBC with HMAC-SHA256/384.
# NOTE(review): the CBC entries are only needed for clients without AEAD
# support -- confirm whether any such clients remain before keeping them.
# NOTE(review): this form of the directive selects suites for TLS 1.2 and below;
# TLS 1.3 suites, where available, are presumably left at library defaults -- confirm.
SSLCipherSuite      ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# The server's preference order above wins over the client's.
SSLHonorCipherOrder on
# TLS-level compression stays off (compression side channels such as CRIME).
SSLCompression      off
# No RFC 5077 session tickets; resumption relies on the server-side cache above.
SSLSessionTickets   off

# Mailman
# mod_alias supplies the RedirectMatch, ScriptAlias and Alias directives used
# in the site configuration at the end of this file.
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
# CGI support for the Mailman scripts. mod_cgid is the variant
# preferred under multithreaded MPMs (this file loads mpm_event):
LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
# Unix socket used to reach the CGI daemon; kept in the runtime directory.
ScriptSock ${APACHE_RUN_DIR}/cgisock
# mod_dir, which the public archive links rely on
# (presumably for trailing-slash redirects and index file lookup -- confirm):
LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so

# HSTS (for 2 years): max-age=63072000 s = 730 days.
# "always" attaches the header to error and redirect responses as well as
# successful ones. includeSubDomains extends the policy to every subdomain of
# the served host name, so each of them must be reachable over HTTPS.
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# Munin plugins
# mod_status exposes runtime statistics at /server-status (presumably polled
# by the Munin Apache plugins -- confirm). mod_authz_host provides the
# "local" provider used below.
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so
<Location /server-status>
    SetHandler server-status
    # Loopback clients only (or connections where client and server address match).
    # NOTE(review): if a reverse proxy on this host ever fronts the site, its
    # requests would count as local -- re-check this rule in that case.
    Require local
</Location>

## ports.conf:
# Only the HTTPS port is opened; the lines shown here define no plain-HTTP listener.
Listen 443

## Stripped-down postamble:

# Default-deny for the whole filesystem: every path served later must be
# re-opened by its own <Directory> section. AllowOverride None means per-directory
# override files are not consulted unless a later section says otherwise.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

# Files starting with ".ht" (.htaccess, .htpasswd, ...) are never served.
AccessFileName .htaccess
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Defines the "combined" format referenced by the CustomLog directive:
# client host, identity, user, time, request line, final status, bytes sent,
# Referer and User-Agent. Referer and User-Agent are client-controlled, so
# treat them as untrusted when the log is processed.
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

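## Select snippets from the stock conf-enabled/*.conf

# security.conf
# Tightened relative to the stock values (ServerTokens OS, ServerSignature On):
# the Server response header is reduced to the product name, without version
# or operating system, and server-generated pages (error documents, directory
# listings) carry no version footer. This limits what a remote party can learn
# about the installed software from ordinary responses.
ServerTokens Prod
ServerSignature Off
# Reject the HTTP TRACE method.
TraceEnable Off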

## Site configuration
# Set at server level (no <VirtualHost> in the lines shown), so TLS applies to
# the single listener on port 443. The {{ ... }} placeholders are template
# variables filled in at deployment time.

SSLEngine on
# Server certificate followed by its chain, in one file.
SSLCertificateFile    /etc/apache2/{{ apache_certificate_stem }}+chain.crt
# Private key. NOTE(review): ownership and mode are set outside this file --
# confirm the deployment leaves it readable by root only.
SSLCertificateKeyFile /etc/apache2/{{ apache_certificate_stem }}.key

# The https:// scheme makes self-referential URLs (e.g. the redirect issued
# for "/") use HTTPS. list_domain is a template variable.
ServerName https://{{ list_domain }}
# Contact address Apache includes in some server-generated error pages.
ServerAdmin wferi@niif.hu
# Access to this tree is limited to favicon.ico by the <Directory /var/www/html>
# section at the end of the file.
DocumentRoot /var/www/html

# The root URL is redirected to the list overview rather than script-aliased,
# because the page text asks users to modify the URL for hidden lists:
RedirectMatch permanent ^/$ /mailman/listinfo/
# Every file under /usr/lib/cgi-bin/mailman/ is executed as a CGI program when
# requested below /mailman/, so that directory must hold only trusted scripts.
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
# Static content: public list archives and Mailman's images.
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
# Referenced by hu/listinfo.html:
Alias /illik.html /usr/share/mailman/hu/illik.html

# Access grants. <Directory /> denies everything, so each section below opens
# exactly one tree (or one file) that the aliases above point at.

# CGI scripts. "Options ExecCGI" carries no +/- prefix, so it replaces the
# inherited option set: FollowSymLinks is not in effect in this directory.
<Directory /usr/lib/cgi-bin/mailman>
    Options ExecCGI
    Require all granted
</Directory>
<Directory /usr/share/images/mailman>
    Require all granted
</Directory>
# Only the public archive tree is opened; any other path under
# /var/lib/mailman stays covered by the root deny. No Options line here, so
# FollowSymLinks is inherited from <Directory /> (presumably required because
# the public archive entries are symlinks -- confirm).
<Directory /var/lib/mailman/archives/public/>
    Require all granted
</Directory>
# Single-file grants: nothing else in these directories is served.
<Directory /usr/share/mailman/hu>
    <Files illik.html>
        Require all granted
    </Files>
</Directory>
<Directory /var/www/html>
    <Files favicon.ico>
        Require all granted
    </Files>
</Directory>