Created
August 4, 2019 10:00
-
-
Save richpeck/3ea8bc0baac758299efe2ae26c0594c5 to your computer and use it in GitHub Desktop.
Apache Default
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/apache2/sites-available/000-default.conf | |
########################################## | |
########################################## | |
## ## | |
## General Server Setup ## | |
## ## | |
########################################## | |
########################################## | |
## General ## | |
## Originally from Nginx but ported to Apache2 ## | |
## Server Signatures ## | |
## Don't send the apache version number in error pages and Server header ## | |
## http://ask.xmodulo.com/turn-off-server-signature-apache-web-server.html ## | |
ServerSignature Off | |
## Server Tokens | |
## Determines what is dent back with the "Server" header to the HTTP request (prod = 'Apache') ## | |
## https://httpd.apache.org/docs/2.4/mod/core.html#servertokens ## | |
ServerTokens Prod | |
## Headers ## | |
## Allows us to manage the headers returned per HTTP request ## | |
<IfModule mod_headers.c> | |
# config to don't allow the browser to render the page inside an frame or iframe | |
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking | |
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri | |
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
Header set X-Frame-Options SAMEORIGIN | |
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, | |
# to disable content-type sniffing on some browsers. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx | |
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx | |
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 | |
Header set X-Content-Type-Options nosniff | |
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for | |
# this particular website if it was disabled by the user. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
Header set X-XSS-Protection "1; mode=block" | |
# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), | |
# you can tell the browser that it can only download content from the domains you explicitly allow | |
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/ | |
# https://www.owasp.org/index.php/Content_Security_Policy | |
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' | |
# directives for css and js(if you have inline css or js, you will need to keep it too). | |
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful | |
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analyt$ | |
# Hide X-Powered-By and Server headers, sent by downstream application servers: | |
# Note you need both below as the "always" one doesn't work with Jboss for some reason | |
# https://www.tunetheweb.com/security/http-security-headers/server-header/ | |
Header always unset "X-Powered-By" | |
Header unset "X-Powered-By" | |
</IfModule> | |
########################################## | |
########################################## | |
## ## | |
## GENERAL SETTINGS (ALL SERVERS) ## | |
## ## | |
########################################## | |
########################################## | |
## Passenger ## | |
## Allows us to set serverwide Passenger settings ## | |
<IfModule mod_passenger.c> | |
## PassengerRuby ## | |
## Since we're using rbenv, means we need to specify Ruby ## | |
PassengerRuby /home/deploy/.rbenv/shims/ruby | |
## PassegnerUser ## | |
## Allows us to determine which user should run passenger ## | |
PassengerUser deploy | |
## PassengerEnv ## | |
## Allows us to specify the environment for Passenger ## | |
PassengerAppEnv production | |
## PassengerFriendlyErrorPages ## | |
## Allows us to determine whether to show friendly error pages or not ## | |
PassengerFriendlyErrorPages off | |
</IfModule> | |
########################################## | |
########################################## | |
## Default ## | |
## Used for all non-encrypted HTTP traffic ## | |
<VirtualHost *:80 [::]:80> | |
## GLOBAL Apex to https://WWW ## | |
## Catch-All Using Regex (HTTP) ## | |
## https://www.digitalocean.com/community/tutorials/how-to-redirect-www-to-non-www-with-apache-on-ubuntu-14-04#enable-htaccess-files ## | |
<Directory /var/www> | |
Options Indexes FollowSymLinks MultiViews | |
AllowOverride All | |
Order allow,deny | |
allow from all | |
</Directory> | |
## Rewrite Engine ## | |
## RewriteMap allows us to lowercase ## | |
RewriteEngine On | |
RewriteMap lowercase "int:tolower" | |
## IP to PCFixes.com ## | |
RewriteCond %{HTTP_HOST} ^139\.59\.187\.188$ [OR] | |
RewriteCond %{HTTP_HOST} ^2a03:b0c0:1:d0::c6:1001 | |
RewriteRule ^(.*)$ https://www.pcfixes.com$1 [L,R=301] | |
## HTTP to HTTPS ## | |
RewriteRule ^(.*)$ https://${lowercase:%{SERVER_NAME}}$1 [R=301,L] | |
</VirtualHost> | |
########################################## | |
########################################## | |
## ## | |
## Individual sites in respective files ## | |
## ## | |
########################################## | |
########################################## |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/apache2/sites-available/pcfixes.conf | |
########################################## | |
########################################## | |
## ## | |
## Server Setup For PCFixes.com ## | |
## ## | |
########################################## | |
########################################## | |
## ## | |
## General server setup in default ## | |
## ## | |
########################################## | |
########################################## | |
## Apex Domain ## | |
## HTTPS ## | |
<IfModule mod_ssl.c> | |
<VirtualHost *:443 [::]:443> | |
## Details ## | |
ServerName pcfixes.com | |
## Include ## | |
Include /etc/letsencrypt/options-ssl-apache.conf | |
## SSL ## | |
SSLCertificateFile /etc/letsencrypt/live/www.pcfixes.com/fullchain.pem | |
SSLCertificateKeyFile /etc/letsencrypt/live/www.pcfixes.com/privkey.pem | |
## Action ## | |
RedirectMatch permanent ^/(.*) https://www.pcfixes.com/$1 | |
</VirtualHost> | |
</IfModule> | |
########################################## | |
########################################## | |
## HTTPS ## | |
## WWW ## | |
<IfModule mod_ssl.c> | |
<VirtualHost *:443 [::]:443> | |
## Details ## | |
## Only accept WWW ## | |
ServerName www.pcfixes.com | |
## Root ## | |
DocumentRoot /var/www/pcfixes/public | |
## Include ## | |
Include /etc/letsencrypt/options-ssl-apache.conf | |
## SSL ## | |
SSLCertificateFile /etc/letsencrypt/live/www.pcfixes.com/fullchain.pem | |
SSLCertificateKeyFile /etc/letsencrypt/live/www.pcfixes.com/privkey.pem | |
</VirtualHost> | |
</IfModule> | |
########################################## | |
########################################## |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment