Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
# Redirection of port 80 to port 443
<virtualhost *:80>
ServerName redmine.domain.com
KeepAlive Off
RewriteEngine On
#RewriteCond %{HTTP_HOST} ^[^\./]+\.[^\./]+$
RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
<IfModule mod_header.c>
## Enable Strict Transport: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Header add Strict-Transport-Security "max-age=15768000"
</IfModule>
</virtualhost>
NameVirtualHost *:443
ServerName redmine.domain.com
<VirtualHost *:443>
ServerAdmin admin@domain.com
ServerName redmine.domain.com:443
# Enable SSL with Perfect Forward Secrecy
SSLEngine on
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
SSLCertificateFile /etc/apache2/ssl/redmine.crt
SSLCertificateKeyFile /etc/apache2/ssl/redmine.key
<IfModule mod_header.c>
## Enable Strict Transport: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Header add Strict-Transport-Security "max-age=15768000"
</IfModule>
## SSL Stapling, more at: https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/
# SSLUseStapling on
# SSLStaplingResponderTimeout 5
# SSLStaplingReturnResponderErrors off
# SSLStaplingCache shmcb:/var/run/ocsp(128000)
DocumentRoot /opt/redmine/current/public/
## Passenger Configuration
## Details at http://www.modrails.com/documentation/Users%20guide%20Apache.html
PassengerMinInstances 6
PassengerMaxPoolSize 20
RailsBaseURI /
PassengerAppRoot /opt/redmine/current
# Speeds up spawn time tremendously -- if your app is compatible.
# RMagick seems to be incompatible with smart spawning
RailsSpawnMethod smart
# Keep the application instances alive longer. Default is 300 (seconds)
PassengerPoolIdleTime 1000
# Keep the spawners alive, which speeds up spawning a new Application
# listener after a period of inactivity at the expense of memory.
RailsAppSpawnerIdleTime 3600
# Additionally keep a copy of the Rails framework in memory. If you're
# using multiple apps on the same version of Rails, this will speed up
# the creation of new RailsAppSpawners. This isn't necessary if you're
# only running one or 2 applications, or if your applications use
# different versions of Rails.
PassengerMaxPreloaderIdleTime 0
# Just in case you're leaking memory, restart a listener
# after processing 5000 requests
PassengerMaxRequests 5000
# only check for restart.txt et al up to once every 5 seconds,
# instead of once per processed request
PassengerStatThrottleRate 5
# If user switching support is enabled, then Phusion Passenger will by default run the web application as the owner if the file config/environment.rb (for Rails apps) or config.ru (for Rack apps). This option allows you to override that behavior and explicitly set a user to run the web application as, regardless of the ownership of environment.rb/config.ru.
PassengerUser www-data
PassengerGroup www-data
# By default, Phusion Passenger does not start any application instances until said web application is first accessed. The result is that the first visitor of said web application might experience a small delay as Phusion Passenger is starting the web application on demand. If that is undesirable, then this directive can be used to pre-started application instances during Apache startup.
PassengerPreStart https://localhost
<Directory /opt/redmine/current/public/>
Options Indexes FollowSymLinks -MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
#/svn location for users
PerlLoadModule Apache2::Redmine
<Location /svn>
DAV svn
SVNParentPath "/opt/redmine/repos/svn"
Order deny,allow
Deny from all
Satisfy any
PerlAccessHandler Apache2::Authn::Redmine::access_handler
PerlAuthenHandler Apache2::Authn::Redmine::authen_handler
AuthType Basic
AuthName "redmine SVN Repository"
#read-only access
<Limit GET PROPFIND OPTIONS REPORT>
Require valid-user
Allow from 127.0.1.1
Satisfy any
</Limit>
# write access
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require valid-user
</LimitExcept>
## for mysql
RedmineDSN "DBI:mysql:database=redmine;host=localhost"
RedmineDbUser "redmine"
RedmineDbPass "my_password"
#Possible security tweaks:
#Order deny,allow
#Allow from localhost
#Allow from my_domain.com
#Deny from all
</Location>
# /git location for users
# Git Smart HTTP configuration
#From the Remine.pm patch file for git-smart-http:
SetEnv GIT_PROJECT_ROOT /opt/redmine/repos/git/
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/
PerlLoadModule Apache2::Redmine
<Location /git>
Order allow,deny
## Sample configuration
# Allow from 192.168.15.0/24 #Retrict Git access to local network
Satisfy all
AuthType Basic
AuthName "git repositories"
Require valid-user
PerlAccessHandler Apache2::Authn::Redmine::access_handler
PerlAuthenHandler Apache2::Authn::Redmine::authen_handler
## for mysql
RedmineDSN "DBI:mysql:database=redmine;host=localhost"
RedmineDbUser "redmine"
RedmineDbPass "my_password"
RedmineGitSmartHttp yes
</Location>
<Location /sys>
Order deny,allow
Allow from 127.0.1.1
#Allow from localhost
Deny from all
</Location>
AddOutputFilter DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
ErrorLog ${APACHE_LOG_DIR}/redmine.error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/redmine.access.log combined
ServerSignature Off
</VirtualHost>
Owner

martin-denizet commented May 20, 2014

Adds support for HSTS and SSL stapling (commented)

Please see: https://bugzilla.redhat.com/show_bug.cgi?id=1034984

I can NOT use +TLSv1.2 +TLSv1.1 +TLSv1. I changed it to 'All', which is a shortcut. Probably adding only version 2 & 3.

jobhh commented Feb 2, 2017 edited

I suggest adding an IfVersion to the Directory sections of this Apache configuration, otherwise it won't load in newer versions of Apache.

For example:

<Directory /opt/redmine/current/public/>
    Options +Indexes +FollowSymLinks -MultiViews
    AllowOverride All
    <IfVersion < 2.3 >
       Order allow,deny
       Allow from all
    </IfVersion>
    <IfVersion >= 2.3>
       Require all granted
    </IfVersion>
</Directory>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment