samsulmaarif/apache2_myapp.conf

## apache2_myapp.conf
<VirtualHost *:80>
	DocumentRoot "/var/www/app/mylaravelapp/public"
	ServerName mywebapp.com
    ServerAlias www.mywebapp.com
	DirectoryIndex index.php index.html
    Redirect / https://mywebapp.com

	<Directory "/var/www/app/mylaravelapp/public">
	    Options Indexes FollowSymLinks
    	AllowOverride All
    	Require all granted
	</Directory>

    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>

    ErrorLog "${APACHE_LOG_DIR}/mywebapp.com-error.log"
    CustomLog "${APACHE_LOG_DIR}/mywebapp.com-access.log" vhost_combined
</VirtualHost>

<IfModule mod_ssl.c>
	<VirtualHost *:443>
		ServerAdmin samsul@dot-indonesia.com

		DocumentRoot "/var/www/app/mylaravelapp/public"
		ServerName mywebapp.com
	    ServerAlias www.mywebapp.com
		DirectoryIndex index.php index.html

		<Directory />
			Options FollowSymLinks
			AllowOverride None
		</Directory>

		<Directory "/var/www/app/mylaravelapp/public">
			Options -Indexes +FollowSymlinks +MultiViews
			AllowOverride All
		</Directory>

	    <FilesMatch "\.php$">
	        SetHandler "proxy:fcgi://127.0.0.1:9000/"
	    </FilesMatch>

		LogLevel info ssl:warn

		ErrorLog ${APACHE_LOG_DIR}/mywebapp.com-error.log
		CustomLog ${APACHE_LOG_DIR}/mywebapp.com-access.log vhost_combined
		SSLEngine on

		SSLCertificateFile /etc/letsencrypt/live/mywebapp.com/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/mywebapp.com/privkey.pem
		SSLProtocol TLSv1.2
		SSLCompression off
		SSLProtocol All -SSLv2 -SSLv3
		SSLHonorCipherOrder on
		SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
 		#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
		SSLOpenSSLConfCmd Curves secp384r1
		SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

		#SSLUseStapling          on
		#SSLStaplingResponderTimeout 5
		#SSLStaplingReturnResponderErrors off
		#SSLStaplingCache        shmcb:/var/run/ocsp(128000)

		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

		#SSLCACertificatePath /etc/ssl/certs/
		#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

		#SSLVerifyClient require
		#SSLVerifyDepth  10

		SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
		<FilesMatch "\.(cgi|shtml|phtml|php)$">
				SSLOptions +StdEnvVars
		</FilesMatch>

	</VirtualHost>
</IfModule>

## security.conf
# /etc/apache2/conf-enabled/security.conf
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#   AllowOverride None
#   Require all denied
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#ServerSignature Off
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
#TraceEnable On

#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#   Require all denied
#</DirectoryMatch>

#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"

#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"

Header set Strict-Transport-Security: "max-age=63072000; includeSubdomains; preload;"
Header set X-Frame-Options: "SAMEORIGIN"
Header set X-Content-Type-Options: "nosniff"
Header set X-XSS-Protection: "1; mode=block"
Header set Referrer-Policy: "origin"
	<VirtualHost *:80>
	DocumentRoot "/var/www/app/mylaravelapp/public"
	ServerName mywebapp.com
	ServerAlias www.mywebapp.com
	DirectoryIndex index.php index.html
	Redirect / https://mywebapp.com

	<Directory "/var/www/app/mylaravelapp/public">
	Options Indexes FollowSymLinks
	AllowOverride All
	Require all granted
	</Directory>

	<FilesMatch "\.php$">
	SetHandler "proxy:fcgi://127.0.0.1:9000/"
	</FilesMatch>

	ErrorLog "${APACHE_LOG_DIR}/mywebapp.com-error.log"
	CustomLog "${APACHE_LOG_DIR}/mywebapp.com-access.log" vhost_combined
	</VirtualHost>

	<IfModule mod_ssl.c>
	<VirtualHost *:443>
	ServerAdmin samsul@dot-indonesia.com

	DocumentRoot "/var/www/app/mylaravelapp/public"
	ServerName mywebapp.com
	ServerAlias www.mywebapp.com
	DirectoryIndex index.php index.html

	<Directory />
	Options FollowSymLinks
	AllowOverride None
	</Directory>

	<Directory "/var/www/app/mylaravelapp/public">
	Options -Indexes +FollowSymlinks +MultiViews
	AllowOverride All
	</Directory>

	<FilesMatch "\.php$">
	SetHandler "proxy:fcgi://127.0.0.1:9000/"
	</FilesMatch>

	LogLevel info ssl:warn

	ErrorLog ${APACHE_LOG_DIR}/mywebapp.com-error.log
	CustomLog ${APACHE_LOG_DIR}/mywebapp.com-access.log vhost_combined
	SSLEngine on

	SSLCertificateFile /etc/letsencrypt/live/mywebapp.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/mywebapp.com/privkey.pem
	SSLProtocol TLSv1.2
	SSLCompression off
	SSLProtocol All -SSLv2 -SSLv3
	SSLHonorCipherOrder on
	SSLCipherSUite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"
	#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
	SSLOpenSSLConfCmd Curves secp384r1
	SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

	#SSLUseStapling on
	#SSLStaplingResponderTimeout 5
	#SSLStaplingReturnResponderErrors off
	#SSLStaplingCache shmcb:/var/run/ocsp(128000)

	#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

	#SSLCACertificatePath /etc/ssl/certs/
	#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

	#SSLVerifyClient require
	#SSLVerifyDepth 10

	SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
	<FilesMatch "\.(cgi\|shtml\|phtml\|php)$">
	SSLOptions +StdEnvVars
	</FilesMatch>

	</VirtualHost>
	</IfModule>
	# /etc/apache2/conf-enabled/security.conf
	# Disable access to the entire file system except for the directories that
	# are explicitly allowed later.
	#
	# This currently breaks the configurations that come with some web application
	# Debian packages.
	#
	#<Directory />
	# AllowOverride None
	# Require all denied
	#</Directory>


	# Changing the following options will not really affect the security of the
	# server, but might make attacks slightly more difficult in some cases.

	#
	# ServerTokens
	# This directive configures what you return as the Server HTTP response
	# Header. The default is 'Full' which sends information about the OS-Type
	# and compiled in modules.
	# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod
	# where Full conveys the most information, and Prod the least.
	#ServerTokens Minimal
	ServerTokens Prod
	#ServerTokens Full

	#
	# Optionally add a line containing the server version and virtual host
	# name to server-generated pages (internal error documents, FTP directory
	# listings, mod_status and mod_info output etc., but not CGI generated
	# documents or custom error documents).
	# Set to "EMail" to also include a mailto: link to the ServerAdmin.
	# Set to one of: On \| Off \| EMail
	#ServerSignature Off
	ServerSignature Off

	#
	# Allow TRACE method
	#
	# Set to "extended" to also reflect the request body (only for testing and
	# diagnostic purposes).
	#
	# Set to one of: On \| Off \| extended
	TraceEnable Off
	#TraceEnable On

	#
	# Forbid access to version control directories
	#
	# If you use version control systems in your document root, you should
	# probably deny access to their directories. For example, for subversion:
	#
	#<DirectoryMatch "/\.svn">
	# Require all denied
	#</DirectoryMatch>

	#
	# Setting this header will prevent MSIE from interpreting files as something
	# else than declared by the content type in the HTTP headers.
	# Requires mod_headers to be enabled.
	#
	#Header set X-Content-Type-Options: "nosniff"

	#
	# Setting this header will prevent other sites from embedding pages from this
	# site as frames. This defends against clickjacking attacks.
	# Requires mod_headers to be enabled.
	#
	#Header set X-Frame-Options: "sameorigin"

	Header set Strict-Transport-Security: "max-age=63072000; includeSubdomains; preload;"
	Header set X-Frame-Options: "SAMEORIGIN"
	Header set X-Content-Type-Options: "nosniff"
	Header set X-XSS-Protection: "1; mode=block"
	Header set Referrer-Policy: "origin"