Hardening configuration for apache2/httpd with webdav server
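#!/usr/bin/env bash
#
# Installs Apache on a Debian/Ubuntu host and writes a single hardened site
# that terminates TLS, serves a WebDAV share and reverse-proxies a set of
# services listening on 127.0.0.1.
#
# Run as a user with sudo rights. Every write under /etc goes through sudo so
# the script behaves the same whether or not it is started as root.
set -euo pipefail

# Hostname placed in the certificate CN.
# NOTE(review): ServerName in the site config below is hard-coded to
# gunther.tv while the certificate is issued for $address; confirm which
# hostname is intended, otherwise clients see a name mismatch.
address="vps.tv"

sudo apt-get install -y apache2
sudo mkdir -p /var/log/httpd

for mod in headers dav dav_fs rewrite ssl auth_digest proxy proxy_http; do
  sudo a2enmod "$mod"
done

# Self-signed certificate with an unencrypted key (-nodes) so Apache can start
# unattended. The key is therefore protected only by file permissions, which
# are tightened explicitly below. Validity is 7300 days (about 20 years);
# replace with a CA-issued certificate for anything beyond a private host.
sudo openssl req \
  -new \
  -newkey rsa:4096 \
  -days 7300 \
  -nodes \
  -x509 \
  -subj "/C=BE/ST=Vlaams-Brabant/L=Diegem/O=D00MED inc./OU=IT Services/CN=${address}" \
  -keyout /etc/apache2/server.key \
  -out /etc/apache2/server.crt \
  -sha256
sudo chown root:root /etc/apache2/server.key
sudo chmod 600 /etc/apache2/server.key

# Destructive: drops every existing site definition so only the one written
# below is served. -f keeps this from failing on an already-empty directory.
sudo rm -f /etc/apache2/sites-enabled/*
sudo rm -f /etc/apache2/sites-available/*

# The digest password files referenced below (/etc/apache2/dav.auth and
# /etc/apache2/pwatch.auth) are not created by this script. Create them with
# htdigest, using a realm that matches the AuthName of each location, and keep
# them readable only by root and the Apache group.
#
# The heredoc delimiter is quoted so the shell leaves "$1" and the regex "$"
# anchors in the Apache directives untouched.
sudo tee /etc/apache2/sites-available/default.conf > /dev/null <<'EOF'
User www-data
Group www-data
ServerSignature Off
ServerTokens Prod
ServerName gunther.tv

<VirtualHost *:80>
    # This VirtualHost redirects everything to HTTPS on port 443.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    Options -Includes -ExecCGI

    # Refuse any request line that does not end in HTTP/1.1.
    RewriteEngine On
    RewriteCond %{THE_REQUEST} !HTTP/1.1$
    RewriteRule .* - [F]

    # Caps request bodies at 512000 bytes; this also limits WebDAV uploads.
    LimitRequestBody 512000

    SSLEngine On
    SSLCertificateFile /etc/apache2/server.crt
    SSLCertificateKeyFile /etc/apache2/server.key
    # Start from an empty protocol set so only TLS 1.2 is ever offered.
    SSLProtocol -all +TLSv1.2

    # HSTS with "preload" next to a self-signed certificate: once a browser
    # has stored the policy it refuses certificate-warning click-through.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    Header always set X-Frame-Options DENY
    FileETag None
    TraceEnable off
    # Append the flags to each cookie; $1 keeps the cookie the backend set.
    Header edit Set-Cookie ^(.*)$ "$1; HttpOnly; Secure"
    Header set X-XSS-Protection "1; mode=block"
    Timeout 60

    ProxyRequests Off
    ProxyPreserveHost On

    # Apache 2.2-style access control; on Apache 2.4 these directives are
    # provided by mod_access_compat.
    <Directory />
        Order deny,allow
        deny from all
    </Directory>

    # The proxied locations below carry no Apache-level authentication, so
    # each backend's own login is the only gate. Confirm every backend has
    # authentication enabled before exposing this host.
    <Location /request>
        # PLEX REQUESTS
        ProxyPass http://127.0.0.1:3000/
        ProxyPassReverse http://127.0.0.1:3000/
    </Location>

    Alias /dav /mnt/storage/media
    Alias /pwatch /var/www/plexwatch

    <Location /dav>
        # WEBDAV
        Options Indexes
        DAV On
        AuthType Digest
        AuthName "Media"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/dav.auth
        Require valid-user
    </Location>

    <Location /sonarr>
        # SONARR
        ProxyPass http://127.0.0.1:8989/
        ProxyPassReverse http://127.0.0.1:8989/
    </Location>

    <Location /couch>
        # COUCHPOTATO
        ProxyPass http://127.0.0.1:5050/
        ProxyPassReverse http://127.0.0.1:5050/
    </Location>

    <Location /sab>
        # SABNZBD
        ProxyPass http://127.0.0.1:9090/
        ProxyPassReverse http://127.0.0.1:9090/
    </Location>

    <Location /pwatch>
        AuthType Digest
        AuthName "pwatch"
        AuthDigestProvider file
        AuthUserFile /etc/apache2/pwatch.auth
        Require valid-user
    </Location>

    # PLEX
    # NOTE(review): this catch-all ProxyPass may also claim /dav and /pwatch
    # before the Alias lines apply; verify those two paths are served locally.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/web
    RewriteCond %{HTTP:X-Plex-Device} ^$
    RewriteRule ^/$ /web/ [R,L]
    ProxyPass / http://127.0.0.1:32400/
    ProxyPassReverse / http://127.0.0.1:32400/

    ErrorLog /var/log/httpd/error.log
    CustomLog /var/log/httpd/access-log "%h %l %u %t \"%r\" %>s %b"
    ErrorDocument 404 "Page not found."
    ErrorDocument 500 "Sorry, our script crashed. Oh dear.. "
    ErrorDocument 401 "You do not have access."
</VirtualHost>
EOF

sudo a2ensite default
# Validate the generated config first so a syntax error does not take the
# running server down on restart.
sudo apache2ctl configtest
sudo service apache2 restart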