@jpylypiw
Last active October 4, 2017 13:24
Apache Configuration Examples

Generically Redirect HTTP to HTTPS

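<VirtualHost *:80>
        RewriteEngine On
        # %{HTTP_HOST} is taken from the client's Host header, so the redirect
        # target follows whatever host name was requested.
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>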

Redirect to FQDN

<VirtualHost *:443>
        ServerName myserver
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/cert.crt
        SSLCertificateKeyFile /etc/ssl/private/key.key
        SSLCACertificateFile /etc/ssl/certs/ca.pem
        RewriteEngine On
        RewriteRule ^/(.*)$ https://myserver.fqdn.com/$1 [R,L]
</VirtualHost>

Set Server-Admin Mail Address

ServerAdmin mymail@mydomain.com

Set Expires Header

<IfModule mod_expires.c>
 ExpiresActive On
 ExpiresByType text/css "access plus 1 month"
 ExpiresByType text/html "access plus 0 seconds"

 ExpiresByType text/x-javascript "access plus 1 month"
 ExpiresByType text/javascript "access plus 1 month"
 ExpiresByType application/javascript "access plus 1 month"

 ExpiresByType image/gif "access plus 1 month"
 ExpiresByType image/jpeg "access plus 1 month"
 ExpiresByType image/jpg "access plus 1 month"
 ExpiresByType image/png "access plus 1 month"
 ExpiresByType image/x-icon "access plus 1 month"

 ExpiresByType application/x-font-woff "access plus 1 month"
 ExpiresByType application/font-woff "access plus 1 month"

 ExpiresDefault "access plus 7 days"
</IfModule>

Header Security and Cache-Control

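<IfModule mod_headers.c>
  Header unset Cache-Control
  # mod_headers cannot remove the Server header that the core adds;
  # ServerTokens Prod and ServerSignature Off reduce what it reveals.
  Header unset Server
  Header unset X-Powered-By

  Header set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set X-Xss-Protection "1; mode=block"

  # Match on the file extension: "\." is a literal dot, "$" anchors the end.
  # (The doubled backslashes in the earlier form made "$" a literal character,
  # so the sections never matched.)
  <FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "max-age=2592000, public"
  </FilesMatch>
  <FilesMatch "\.(css)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
  <FilesMatch "\.(js)$">
    Header set Cache-Control "max-age=604800, public"
  </FilesMatch>
</IfModule>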

Gzip Compression

<IfModule mod_deflate.c>
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/xml
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/atom+xml
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/x-javascript
 AddOutputFilterByType DEFLATE application/x-shockwave-flash
 AddOutputFilterByType DEFLATE application/json
</IfModule>

SSL Super Strong Security Settings

Please consider activating HSTS. If you do, your complete domain will be listed for HSTS preloading. There is no chance to get it deleted from the HSTS preload list!

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Header always set X-Frame-Options DENY
# Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
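
As an added example (not part of the gist), the following Python script checks a response's headers against the header values that appear in the snippets above, including the commented-out ones, and flags an HSTS value that carries both includeSubDomains and preload. The sample response and the function names are constructed for illustration.

```python
# Added example, not from the gist: audit response headers against this page's settings.
import re

# Constructed sample, shaped like the output of `curl -sI https://myserver.fqdn.com/`.
SAMPLE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
X-Powered-By: PHP/7.0
"""

EXPECTED = {  # header name -> value used in the snippets on this page
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_headers(raw):
    """Return {lowercased name: value} from a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def hsts_info(value):
    """Split a Strict-Transport-Security value into max-age and its flags."""
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    ages = [re.fullmatch(r'max-age="?(\d+)"?', p) for p in parts]
    age = next((int(m.group(1)) for m in ages if m), None)
    return {"max_age": age,
            "include_subdomains": "includesubdomains" in parts,
            "preload": "preload" in parts}

def audit(raw):
    """Return a list of findings; an empty list means nothing to report."""
    h, findings = parse_headers(raw), []
    for name, want in EXPECTED.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    if "x-powered-by" in h:  # the page unsets this header
        findings.append("x-powered-by is still sent")
    info = hsts_info(h.get("strict-transport-security", ""))
    if info["max_age"] is None:
        findings.append("strict-transport-security missing or has no max-age")
    elif info["include_subdomains"] and info["preload"]:
        findings.append("HSTS sets includeSubDomains and preload (see the warning above)")
    return findings
```

Calling `audit()` on the saved output of `curl -sI` against a staging host shows which of these headers actually reach the client before the HSTS line is uncommented in production.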

HTTPS Website

<VirtualHost *:443>
        ServerName myserver.fqdn.com
        ServerAdmin mymail@mydomain.com

        DocumentRoot /var/www/html/
        <Directory /var/www/html/>
                AllowOverride All
                Require all granted
        </Directory>

        LogLevel warn
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/cert.crt
        SSLCertificateKeyFile /etc/ssl/private/key.key
        SSLCACertificateFile /etc/ssl/certs/ca.pem
</VirtualHost>