@dusnm
Last active May 18, 2022 09:41
Example Apache configuration for wordpress
<IfModule mod_ssl.c>
<VirtualHost *:443>
# Basic config
ServerName example.org
ServerAdmin webmaster@example.org
DirectoryIndex index.php index.html /index.php
# This is the directory where WordPress is installed.
# Depending on the operating system, the web server user
# (either http or www-data) must own it and have read/write permissions.
# The directory configuration MUST NOT contain a trailing slash.
DocumentRoot /var/www/example.org
LogLevel info ssl:warn
ErrorLog ${APACHE_LOG_DIR}/example.org-error.log
CustomLog ${APACHE_LOG_DIR}/example.org-access.log combined
# Rewrite module rules for wordpress
<IfModule mod_rewrite.c>
Options +FollowSymlinks
RewriteEngine On
# The rewrite rules are specific for this directory.
# The directory configuration MUST NOT contain a trailing slash.
<Directory /var/www/example.org>
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</Directory>
</IfModule>
# Security headers
<IfModule mod_headers.c>
# Only transmit traffic over TLS.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Clickjacking (framing) and MIME-sniffing mitigation.
Header always set X-Frame-Options "DENY"
Header always set X-Content-Type-Options "nosniff"
# I choose to disable the Referer header completely, for privacy.
Header set Referrer-Policy "no-referrer"
# All of these JavaScript APIs are disabled for security.
Header set Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()"
</IfModule>
# Certificate and chain.
# You can use certbot to acquire these.
SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/privkey.pem
# This is included with certbot.
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
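
Browsers ignore a Referrer-Policy token they do not recognise, so a misspelled value in a `Header set` directive fails silently. The Python lint below is an added example, not part of the original gist: it checks the values of the security headers used in this configuration. The names `check_value` and `lint` and the sample directives are constructed for illustration.

```python
import re

# Valid Referrer-Policy tokens (W3C Referrer Policy specification).
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
# Matches: Header [always|onsuccess] set <Name> "<value>"
HEADER_RE = re.compile(
    r'^\s*Header\s+(?:(always|onsuccess)\s+)?set\s+(\S+)\s+"([^"]*)"', re.I)

def check_value(name, value):
    """Return a problem description for a header value, or None if it is valid."""
    name = name.lower()
    if name == "referrer-policy":
        # The header may carry a comma-separated fallback list of tokens.
        bad = [t.strip() for t in value.split(",")
               if t.strip().lower() not in REFERRER_POLICIES]
        return f"unknown token(s) {bad}" if bad else None
    if name == "x-frame-options":
        return None if value.upper() in ("DENY", "SAMEORIGIN") else "expected DENY or SAMEORIGIN"
    if name == "x-content-type-options":
        return None if value.lower() == "nosniff" else "expected nosniff"
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", value, re.I)
        return None if m and int(m.group(1)) > 0 else "missing or zero max-age"
    return None  # headers this lint does not know are not judged

def lint(config_text):
    """Return (line_number, header, problem) for each questionable Header directive."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = HEADER_RE.match(line)
        if not m:
            continue
        condition, name, value = m.groups()
        problem = check_value(name, value)
        if problem:
            findings.append((n, name, problem))
        elif (condition or "").lower() != "always":
            findings.append((n, name, "no 'always': not added to locally generated non-2xx responses"))
    return findings

# Constructed sample directives, not taken from a real server.
SAMPLE = '''Header always set X-Frame-Options "DENY"
Header set Referrer-Policy "no-refferer"
Header set Permissions-Policy "camera=()"
Header always set Strict-Transport-Security "max-age=0"
'''
```

Calling `lint()` on the text of a virtual host file returns one tuple per finding; an empty list means every recognised header has a valid value and uses `always`.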