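# Apache httpd main configuration template for a TLS-only Mailman host.
# {{ apache_certificate_stem }} and {{ list_domain }} are template variables.
#
# NOTE(review): this copy appears to have lost its <...> section tags
# (Directory/Location/Files-style containers). Directives that only make
# sense inside such a section are flagged below; restore the enclosing
# sections from the original template before deploying.

## Stock preamble:
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
CustomLog ${APACHE_LOG_DIR}/access.log combined
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn

## Modules:
LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so
StartServers 2
MinSpareThreads 25
MaxSpareThreads 75
ThreadLimit 64
ThreadsPerChild 25
MaxRequestWorkers 150
MaxConnectionsPerChild 0

# For the Require directives:
LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so

# SSL support:
LoadModule socache_shmcb_module /usr/lib/apache2/modules/mod_socache_shmcb.so
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# from https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html:
# Only TLS 1.2 and newer remain enabled after the exclusions below.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# The first six suites are AEAD (GCM / ChaCha20-Poly1305); the last four are
# CBC-mode fallbacks. Drop the CBC entries if no client still needs them.
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
# TLS-level compression stays off (CRIME-class attacks).
SSLCompression off
# No session tickets, so resumption relies on the shmcb session cache above.
SSLSessionTickets off

# Mailman
LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so
# preferred under multithreaded MPMs:
LoadModule cgid_module /usr/lib/apache2/modules/mod_cgid.so
ScriptSock ${APACHE_RUN_DIR}/cgisock
# the public archive links rely on:
LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so

# HSTS (for 2 years)
# includeSubDomains extends the policy to every subdomain of the served
# name, so each of them must be reachable over HTTPS as well.
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

# Munin plugins
LoadModule status_module /usr/lib/apache2/modules/mod_status.so
LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so
# NOTE(review): presumably enclosed in a <Location> section for the status
# URL; section tags missing in this copy. Outside such a section SetHandler
# would apply to every request, so confirm the scope.
SetHandler server-status
# Status output is restricted to requests from the local host.
Require local

## ports.conf:
# HTTPS only; no plain-HTTP listener is configured.
Listen 443

## Stripped-down postamble:
# NOTE(review): presumably the default-deny section for the filesystem root;
# section tags missing in this copy.
Options FollowSymLinks
AllowOverride None
Require all denied

AccessFileName .htaccess
# NOTE(review): presumably the section that blocks clients from fetching
# .ht* files; section tags missing in this copy.
Require all denied

LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

## Select snippets from the stock conf-enabled/*.conf
# security.conf
# Hardening: send only "Apache" in the Server header and omit the version
# footer on server-generated pages, so the httpd/OS build is not disclosed
# to anonymous clients (previously: ServerTokens OS, ServerSignature On).
ServerTokens Prod
ServerSignature Off
TraceEnable Off

## Site configuration
SSLEngine on
SSLCertificateFile /etc/apache2/{{ apache_certificate_stem }}+chain.crt
# The private key should be readable only by root.
SSLCertificateKeyFile /etc/apache2/{{ apache_certificate_stem }}.key
ServerName https://{{ list_domain }}
ServerAdmin wferi@niif.hu
DocumentRoot /var/www/html
# Not a ScriptAlias, because the page text asks to modify the URL for hidden lists:
RedirectMatch permanent ^/$ /mailman/listinfo/
ScriptAlias /mailman/ /usr/lib/cgi-bin/mailman/
Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/
# Referenced by hu/listinfo.html:
Alias /illik.html /usr/share/mailman/hu/illik.html

# NOTE(review): the five grants below presumably each sat in its own
# directory- or file-level section for the DocumentRoot/ScriptAlias/Alias
# targets above, the first one also enabling CGI execution. Section tags are
# missing in this copy; confirm each grant is scoped to exactly one target so
# the root default-deny is not widened.
Options ExecCGI
Require all granted
Require all granted
Require all granted
Require all granted
Require all granted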