src/apache/.conf

# General config.

User www-data
Group www-data

UseCanonicalName off
ServerName ${CFG_HOST}
ServerAdmin ${CFG_ADMIN_PUBLIC_EMAIL}

# Charset and content types.

AddDefaultCharset utf-8

<IfModule mime_module>
  AddType text/plain txt md
  AddType text/html xhtml html htm

  AddType text/css css
  AddType application/x-javascript js

  AddType image/gif gif
  AddType image/png png
  AddType image/jpeg jpg jpeg jpe
  AddType image/x-icon ico
  AddType image/svg+xml svg

  AddType application/x-shockwave-flash swf

  AddType application/font-otf otf
  AddType application/font-ttf ttf
  AddType application/font-woff woff
  AddType application/vnd.ms-fontobject eot

  AddType application/x-gtar tgz
  AddType application/gzip gz

  AddType application/x-httpd-php php phar
  AddType application/x-httpd-php-source phps

  <IfModule fastcgi_module>
      Action fastcgi-php-fpm /fastcgi.php-fpm virtual
      Alias /fastcgi.php-fpm /var/bootstrap/cgi-bin/fastcgi-external-server.php-fpm
      FastCgiExternalServer /var/bootstrap/cgi-bin/fastcgi-external-server.php-fpm -socket /var/run/php-fpm.sock -idle-timeout 900 -pass-header authorization -pass-header range
      AddHandler fastcgi-php-fpm php phps phar
      <Directory /var/bootstrap/cgi-bin>
      AllowOverride none
      Options followsymlinks
      <IfModule authz_core_module>
        Require env REDIRECT_STATUS
        Options +execcgi
      </IfModule>
      </Directory>
  </IfModule>
</IfModule>

# Client-side cache.

FileETag mtime size

<IfModule expires_module>
  ExpiresActive on
  ExpiresDefault "access plus 5 days"
</IfModule>

# GZIP compression.

<IfModule deflate_module>
  <IfModule filter_module>
    AddOutputFilterByType DEFLATE text/plain text/html
    AddOutputFilterByType DEFLATE text/xml application/xml application/xhtml+xml application/xml-dtd
    AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml image/svg+xml
    AddOutputFilterByType DEFLATE text/css text/javascript application/javascript application/x-javascript
    AddOutputFilterByType DEFLATE font/opentype application/font-otf application/x-font-otf
    AddOutputFilterByType DEFLATE font/truetype application/font-ttf application/x-font-ttf
    <IfModule headers_module>
      <FilesMatch \.(?:js|css|xml|svg|xhtml|html|txt|ttf|otf|gz)$>
        Header append vary: accept-encoding
      </FilesMatch>
    </IfModule>
  </IfModule>
</IfModule>

# Directory indexing.

<IfModule dir_module>
  DirectoryIndex index.html index.php
</IfModule>

# Security hardening.

TraceEnable off
ServerSignature off
ServerTokens productonly
AccessFileName .htaccess

<IfModule headers_module>
  Header unset server
  Header unset x-powered-by
  Header always set x-content-type-options nosniff
</IfModule>

<IfModule authz_core_module>
  <Directory />
    AllowOverride none
    Require all denied
  </Directory>

  <DirectoryMatch ^\.|/\.>
    Require all denied
  </DirectoryMatch>

  <FilesMatch ^\.>
    Require all denied
  </FilesMatch>

  <DirectoryMatch ~/|~$>
    Require all denied
  </DirectoryMatch>

  <FilesMatch ~$>
    Require all denied
  </FilesMatch>

  <DirectoryMatch /[^/]*?\.(?:bak|copy|log|old|tmp)(?:/|$)>
    Require all denied
  </DirectoryMatch>

  <FilesMatch \.(?:bak|copy|log|old|tmp)$>
    Require all denied
  </FilesMatch>

  <FilesMatch ^phpinfo\.php$>
    Require all denied
  </FilesMatch>

  <FilesMatch ^(?:wp\-)?config(?:\.inc)?\.php$>
    Require all denied
  </FilesMatch>

  <DirectoryMatch /(?:uploads|files)(?:/|$)>
    <FilesMatch \.php$>
      Require all denied
    </FilesMatch>
  </DirectoryMatch>

  <DirectoryMatch /(?:includes|vendor)(?:/|$)>
    <FilesMatch \.php$>
      Require all denied
    </FilesMatch>
  </DirectoryMatch>

  <DirectoryMatch /(?:mu\-plugins)(?:/|$)>
    <FilesMatch \.php$>
      Require all denied
    </FilesMatch>
  </DirectoryMatch>
</IfModule>

# Performance tuning.

HostnameLookups off

<Directory />
  EnableMMAP on
  EnableSendfile on
</Directory>

<IfModule mpm_event_module>
  Timeout 300

  ThreadLimit 25
  ThreadsPerChild 25
  MinSpareThreads 25
  MaxSpareThreads 75

  StartServers 2
  ServerLimit 32
  MaxRequestWorkers 768
  # See: <http://jas.xyz/1JsnkjZ>
  # These are altered dynamically by the bootstrap/installer.
  # See: `/bootstrap/src/bin/set-resource-limits`.

  MaxConnectionsPerChild 10000

  KeepAlive on
  MaxKeepAliveRequests 1000
  KeepAliveTimeout 5
</IfModule>

# SSL configuration.

<IfModule ssl_module>
  SSLCompression off

  SSLUseStapling on
  SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stpcache(512000)

  SSLSessionCacheTimeout 86400
  SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)

  SSLCertificateKeyFile /etc/bootstrap/ssl/official-private-key.pem
  SSLCertificateFile /etc/bootstrap/ssl/official-crt.pem
  SSLCertificateChainFile /etc/bootstrap/ssl/official-chain.pem

  # Diffie Hellman; requires Apache v2.4.8 or higher.
  #SSLOpenSSLConfCmd DHParameters /etc/bootstrap/ssl/dhparam.pem

  SSLHonorCipherOrder on
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1
  Header always set strict-transport-security "max-age=31536000; includeSubdomains; preload"
  SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
</IfModule>

# Allow access.

<IfModule authz_core_module>
  <Directory /app/src>
    AllowOverride all
    Options followsymlinks
    Require all granted
  </Directory>

  <Directory /bootstrap/src/html>
    Options none
    AllowOverride none
    Require all granted
  </Directory>
</IfModule>

# Virtual hosts.

<IfModule ssl_module>
  <IfModule rewrite_module>
    <VirtualHost *:80>
      SSLEngine off
      RewriteEngine on
      RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    </VirtualHost>

    <VirtualHost *:443>
      SSLEngine on
      RewriteEngine on
      DocumentRoot /app/src

      RewriteCond /app/.maintenance -f [OR]
        RewriteCond /app/.~maintenance -f
      RewriteCond %{REQUEST_URI} !^/\-\-\-errors/503(?:/|$)
      RewriteCond %{HTTP_COOKIE} "!maintenance_bypass\=${CFG_MAINTENANCE_BYPASS_KEY}"
    	RewriteRule ^ - [R=503,L]

      RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
    	RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]

      ErrorDocument 404 /---errors/404/index.html
      ErrorDocument 503 /---errors/503/index.html

      Alias /---errors/404/ /bootstrap/src/html/errors/404/default/
      Alias /---errors/503/ /bootstrap/src/html/errors/503/default/
      Alias /---coming-soon/ /bootstrap/src/html/coming-soon/default/
    </VirtualHost>
  </IfModule>
</IfModule>

# Web-based server tools.

<IfModule auth_basic_module>
  <IfModule authn_file_module>
    <IfModule alias_module>
      Alias /---tools /bootstrap/src/tools
    </IfModule>

    <Directory /bootstrap/src/tools>
      AllowOverride all
      Options followsymlinks

      AuthType basic
      Require valid-user
      AuthBasicProvider file
      AuthName "Administrative Tools"
      AuthUserFile /etc/bootstrap/passwds/.tools

      <IfModule rewrite_module>
        RewriteRule ^/\-\-\-tools - [L]
      </IfModule>
    </Directory>

    <IfModule status_module>
      <Location /---tools/apache-status>
        SetHandler server-status
      </Location>
    </IfModule>

    <IfModule info_module>
      <Location /---tools/apache-info>
        SetHandler server-info
      </Location>
    </IfModule>

    <IfModule mime_module>
      <IfModule fastcgi_module>
        <Location /---tools/fpm-status.php>
          SetHandler fastcgi-php-fpm
        </Location>
      </IfModule>
    </IfModule>
  </IfModule>
</IfModule>