Last active
January 29, 2018 14:20
-
-
Save martin-denizet/11080033 to your computer and use it in GitHub Desktop.
Apache configuration for http://martin-denizet.com/install-redmine-2-5-x-with-git-and-subversion-on-debian-with-apache2-rvm-and-passenger/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Redirection of port 80 to port 443 | |
| <virtualhost *:80> | |
| ServerName redmine.domain.com | |
| KeepAlive Off | |
| RewriteEngine On | |
| #RewriteCond %{HTTP_HOST} ^[^\./]+\.[^\./]+$ | |
| RewriteRule ^/(.*)$ https://%{HTTP_HOST}/$1 [R=301,L] | |
| <IfModule mod_header.c> | |
| ## Enable Strict Transport: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security | |
| Header add Strict-Transport-Security "max-age=15768000" | |
| </IfModule> | |
| </virtualhost> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| NameVirtualHost *:443 | |
| ServerName redmine.domain.com | |
| <VirtualHost *:443> | |
| ServerAdmin admin@domain.com | |
| ServerName redmine.domain.com:443 | |
| # Enable SSL with Perfect Forward Secrecy | |
| SSLEngine on | |
| SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1 | |
| SSLCompression off | |
| SSLHonorCipherOrder on | |
| SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" | |
| SSLCertificateFile /etc/apache2/ssl/redmine.crt | |
| SSLCertificateKeyFile /etc/apache2/ssl/redmine.key | |
| <IfModule mod_header.c> | |
| ## Enable Strict Transport: http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security | |
| Header add Strict-Transport-Security "max-age=15768000" | |
| </IfModule> | |
| ## SSL Stapling, more at: https://www.insecure.ws/2013/10/11/ssltls-configuration-for-apache-mod_ssl/ | |
| # SSLUseStapling on | |
| # SSLStaplingResponderTimeout 5 | |
| # SSLStaplingReturnResponderErrors off | |
| # SSLStaplingCache shmcb:/var/run/ocsp(128000) | |
| DocumentRoot /opt/redmine/current/public/ | |
| ## Passenger Configuration | |
| ## Details at http://www.modrails.com/documentation/Users%20guide%20Apache.html | |
| PassengerMinInstances 6 | |
| PassengerMaxPoolSize 20 | |
| RailsBaseURI / | |
| PassengerAppRoot /opt/redmine/current | |
| # Speeds up spawn time tremendously -- if your app is compatible. | |
| # RMagick seems to be incompatible with smart spawning | |
| RailsSpawnMethod smart | |
| # Keep the application instances alive longer. Default is 300 (seconds) | |
| PassengerPoolIdleTime 1000 | |
| # Keep the spawners alive, which speeds up spawning a new Application | |
| # listener after a period of inactivity at the expense of memory. | |
| RailsAppSpawnerIdleTime 3600 | |
| # Additionally keep a copy of the Rails framework in memory. If you're | |
| # using multiple apps on the same version of Rails, this will speed up | |
| # the creation of new RailsAppSpawners. This isn't necessary if you're | |
| # only running one or 2 applications, or if your applications use | |
| # different versions of Rails. | |
| PassengerMaxPreloaderIdleTime 0 | |
| # Just in case you're leaking memory, restart a listener | |
| # after processing 5000 requests | |
| PassengerMaxRequests 5000 | |
| # only check for restart.txt et al up to once every 5 seconds, | |
| # instead of once per processed request | |
| PassengerStatThrottleRate 5 | |
| # If user switching support is enabled, then Phusion Passenger will by default run the web application as the owner if the file config/environment.rb (for Rails apps) or config.ru (for Rack apps). This option allows you to override that behavior and explicitly set a user to run the web application as, regardless of the ownership of environment.rb/config.ru. | |
| PassengerUser www-data | |
| PassengerGroup www-data | |
| # By default, Phusion Passenger does not start any application instances until said web application is first accessed. The result is that the first visitor of said web application might experience a small delay as Phusion Passenger is starting the web application on demand. If that is undesirable, then this directive can be used to pre-started application instances during Apache startup. | |
| PassengerPreStart https://localhost | |
| <Directory /opt/redmine/current/public/> | |
| Options Indexes FollowSymLinks -MultiViews | |
| AllowOverride All | |
| Order allow,deny | |
| allow from all | |
| </Directory> | |
| #/svn location for users | |
| PerlLoadModule Apache2::Redmine | |
| <Location /svn> | |
| DAV svn | |
| SVNParentPath "/opt/redmine/repos/svn" | |
| Order deny,allow | |
| Deny from all | |
| Satisfy any | |
| PerlAccessHandler Apache2::Authn::Redmine::access_handler | |
| PerlAuthenHandler Apache2::Authn::Redmine::authen_handler | |
| AuthType Basic | |
| AuthName "redmine SVN Repository" | |
| #read-only access | |
| <Limit GET PROPFIND OPTIONS REPORT> | |
| Require valid-user | |
| Allow from 127.0.1.1 | |
| Satisfy any | |
| </Limit> | |
| # write access | |
| <LimitExcept GET PROPFIND OPTIONS REPORT> | |
| Require valid-user | |
| </LimitExcept> | |
| ## for mysql | |
| RedmineDSN "DBI:mysql:database=redmine;host=localhost" | |
| RedmineDbUser "redmine" | |
| RedmineDbPass "my_password" | |
| #Possible security tweaks: | |
| #Order deny,allow | |
| #Allow from localhost | |
| #Allow from my_domain.com | |
| #Deny from all | |
| </Location> | |
| # /git location for users | |
| # Git Smart HTTP configuration | |
| #From the Remine.pm patch file for git-smart-http: | |
| SetEnv GIT_PROJECT_ROOT /opt/redmine/repos/git/ | |
| SetEnv GIT_HTTP_EXPORT_ALL | |
| ScriptAlias /git/ /usr/lib/git-core/git-http-backend/ | |
| PerlLoadModule Apache2::Redmine | |
| <Location /git> | |
| Order allow,deny | |
| ## Sample configuration | |
| # Allow from 192.168.15.0/24 #Retrict Git access to local network | |
| Satisfy all | |
| AuthType Basic | |
| AuthName "git repositories" | |
| Require valid-user | |
| PerlAccessHandler Apache2::Authn::Redmine::access_handler | |
| PerlAuthenHandler Apache2::Authn::Redmine::authen_handler | |
| ## for mysql | |
| RedmineDSN "DBI:mysql:database=redmine;host=localhost" | |
| RedmineDbUser "redmine" | |
| RedmineDbPass "my_password" | |
| RedmineGitSmartHttp yes | |
| </Location> | |
| <Location /sys> | |
| Order deny,allow | |
| Allow from 127.0.1.1 | |
| #Allow from localhost | |
| Deny from all | |
| </Location> | |
| AddOutputFilter DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css | |
| BrowserMatch ^Mozilla/4 gzip-only-text/html | |
| BrowserMatch ^Mozilla/4.0[678] no-gzip | |
| BrowserMatch \bMSIE !no-gzip !gzip-only-text/html | |
| ErrorLog ${APACHE_LOG_DIR}/redmine.error.log | |
| LogLevel warn | |
| CustomLog ${APACHE_LOG_DIR}/redmine.access.log combined | |
| ServerSignature Off | |
| </VirtualHost> |
Please see: https://bugzilla.redhat.com/show_bug.cgi?id=1034984
I can NOT use +TLSv1.2 +TLSv1.1 +TLSv1. I changed it to 'All', which is a shortcut. Probably adding only version 2 & 3.
I suggest adding an IfVersion to the Directory sections of this Apache configuration, otherwise it won't load in newer versions of Apache.
For example:
<Directory /opt/redmine/current/public/>
Options +Indexes +FollowSymLinks -MultiViews
AllowOverride All
<IfVersion < 2.3 >
Order allow,deny
Allow from all
</IfVersion>
<IfVersion >= 2.3>
Require all granted
</IfVersion>
</Directory>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Adds support for HSTS and SSL stapling (commented)