# General config.
# Public identity of this server; both values are injected from the
# environment by the bootstrap.
ServerName ${CFG_HOST}
ServerAdmin ${CFG_ADMIN_PUBLIC_EMAIL}
# Unprivileged identity the request-serving processes run as.
User www-data
Group www-data
# With UseCanonicalName off, self-referential URLs and SERVER_NAME are
# derived from the client-supplied Host header rather than ServerName; the
# redirect rules in the virtual-host section rely on that same header.
UseCanonicalName off
# Charset and content types.
AddDefaultCharset utf-8
<IfModule mime_module>
    AddType text/plain txt md
    AddType text/html xhtml html htm
    AddType text/css css
    AddType application/x-javascript js
    AddType image/gif gif
    AddType image/png png
    AddType image/jpeg jpg jpeg jpe
    AddType image/x-icon ico
    AddType image/svg+xml svg
    AddType application/x-shockwave-flash swf
    AddType application/font-otf otf
    AddType application/font-ttf ttf
    AddType application/font-woff woff
    AddType application/vnd.ms-fontobject eot
    AddType application/x-gtar tgz
    AddType application/gzip gz
    AddType application/x-httpd-php php phar
    AddType application/x-httpd-php-source phps
    <IfModule fastcgi_module>
        # PHP is executed by an external PHP-FPM listener: the Action handler
        # maps to a virtual URL ("virtual" skips the check that the file
        # exists), the URL is aliased onto the wrapper path, and that path is
        # registered as an external server on the FPM unix socket.
        Action fastcgi-php-fpm /fastcgi.php-fpm virtual
        Alias /fastcgi.php-fpm /var/bootstrap/cgi-bin/fastcgi-external-server.php-fpm
        FastCgiExternalServer /var/bootstrap/cgi-bin/fastcgi-external-server.php-fpm -socket /var/run/php-fpm.sock -idle-timeout 900 -pass-header authorization -pass-header range
        # .phps and .phar are handed to FPM as well; whether FPM executes or
        # refuses them depends on its own extension policy — confirm it is
        # restricted to what is intended.
        AddHandler fastcgi-php-fpm php phps phar
        <Directory /var/bootstrap/cgi-bin>
            AllowOverride none
            Options followsymlinks
            <IfModule authz_core_module>
                # REDIRECT_STATUS is only set on an internal redirect such as
                # the Action above, so a direct client request for
                # /fastcgi.php-fpm is refused.
                Require env REDIRECT_STATUS
                Options +execcgi
            </IfModule>
        </Directory>
    </IfModule>
</IfModule>
# Client-side cache.
# ETag from mtime and size only (no inode), so it is stable across hosts.
FileETag mtime size
<IfModule expires_module>
    # Default freshness lifetime for everything without its own Expires rule.
    ExpiresActive on
    ExpiresDefault "access plus 5 days"
</IfModule>
# GZIP compression.
<IfModule deflate_module>
    <IfModule filter_module>
        # Only text-like types are compressed; raster images and archives
        # are left alone. text/html from PHP-FPM is included, so dynamic
        # pages that reflect request data next to a secret are compressed
        # too (the BREACH precondition) — exempt such responses if the
        # application does not defend itself.
        AddOutputFilterByType DEFLATE text/plain text/html
        AddOutputFilterByType DEFLATE text/xml application/xml application/xhtml+xml application/xml-dtd
        AddOutputFilterByType DEFLATE application/rdf+xml application/rss+xml application/atom+xml image/svg+xml
        AddOutputFilterByType DEFLATE text/css text/javascript application/javascript application/x-javascript
        AddOutputFilterByType DEFLATE font/opentype application/font-otf application/x-font-otf
        AddOutputFilterByType DEFLATE font/truetype application/font-ttf application/x-font-ttf
        <IfModule headers_module>
            # Tell caches that the representation depends on Accept-Encoding,
            # so a compressed copy is not served to a client that cannot
            # decode it.
            <FilesMatch \.(?:js|css|xml|svg|xhtml|html|txt|ttf|otf|gz)$>
                Header append vary: accept-encoding
            </FilesMatch>
        </IfModule>
    </IfModule>
</IfModule>
# Directory indexing.
<IfModule dir_module>
    # A static index wins over index.php when both exist.
    DirectoryIndex index.html index.php
</IfModule>
# Security hardening.
# No TRACE method, and no version details in error pages or the banner.
TraceEnable off
ServerSignature off
ServerTokens productonly
AccessFileName .htaccess
<IfModule headers_module>
    # NOTE(review): for responses Apache generates itself the Server header
    # is written after mod_headers runs, so this unset is likely a no-op and
    # ServerTokens above is the effective control — verify on a live
    # response.
    Header unset server
    # Presumably aimed at PHP's X-Powered-By; expose_php=Off in php.ini is
    # the upstream fix.
    Header unset x-powered-by
    # Stop browsers from sniffing a type that differs from Content-Type.
    # No clickjacking or CSP headers are set here; if the application does
    # not emit them itself, consider adding them alongside.
    Header always set x-content-type-options nosniff
</IfModule>
<IfModule authz_core_module>
    # Default deny for the whole filesystem; explicit grants come later.
    <Directory />
        AllowOverride none
        Require all denied
    </Directory>
    # Dot-files and dot-directories (.git, .htaccess, ...) at any depth.
    <DirectoryMatch ^\.|/\.>
        Require all denied
    </DirectoryMatch>
    <FilesMatch ^\.>
        Require all denied
    </FilesMatch>
    # Editor backups ending in "~".
    <DirectoryMatch ~/|~$>
        Require all denied
    </DirectoryMatch>
    <FilesMatch ~$>
        Require all denied
    </FilesMatch>
    # Other backup/log/temp artefacts, as a path component or a file suffix.
    <DirectoryMatch /[^/]*?\.(?:bak|copy|log|old|tmp)(?:/|$)>
        Require all denied
    </DirectoryMatch>
    <FilesMatch \.(?:bak|copy|log|old|tmp)$>
        Require all denied
    </FilesMatch>
    # Files that disclose environment details or credentials.
    <FilesMatch ^phpinfo\.php$>
        Require all denied
    </FilesMatch>
    <FilesMatch ^(?:wp\-)?config(?:\.inc)?\.php$>
        Require all denied
    </FilesMatch>
    # No PHP served from upload, library or must-use-plugin directories,
    # which limits what a file-upload flaw can be turned into.
    <DirectoryMatch /(?:uploads|files)(?:/|$)>
        <FilesMatch \.php$>
            Require all denied
        </FilesMatch>
    </DirectoryMatch>
    <DirectoryMatch /(?:includes|vendor)(?:/|$)>
        <FilesMatch \.php$>
            Require all denied
        </FilesMatch>
    </DirectoryMatch>
    <DirectoryMatch /(?:mu\-plugins)(?:/|$)>
        <FilesMatch \.php$>
            Require all denied
        </FilesMatch>
    </DirectoryMatch>
</IfModule>
# Performance tuning.
# No reverse DNS per request.
HostnameLookups off
<Directory />
    EnableMMAP on
    EnableSendfile on
</Directory>
<IfModule mpm_event_module>
    # Per-connection I/O wait. 300s is generous and lets a slow client hold
    # a worker for that long; mod_reqtimeout is the usual complement.
    Timeout 300
    # MaxRequestWorkers must stay within ServerLimit * ThreadsPerChild
    # (32 * 25 = 800 here).
    ThreadLimit 25
    ThreadsPerChild 25
    MinSpareThreads 25
    MaxSpareThreads 75
    StartServers 2
    ServerLimit 32
    MaxRequestWorkers 768
    # See: <http://jas.xyz/1JsnkjZ>
    # These are altered dynamically by the bootstrap/installer.
    # See: `/bootstrap/src/bin/set-resource-limits`.
    MaxConnectionsPerChild 10000
    KeepAlive on
    MaxKeepAliveRequests 1000
    KeepAliveTimeout 5
</IfModule>
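# SSL configuration.
<IfModule ssl_module>
    # TLS-level compression stays off (CRIME).
    SSLCompression off
    # OCSP stapling; the stapling cache has to be declared in server context.
    SSLUseStapling on
    SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stpcache(512000)
    # Session resumption cache, 24h lifetime.
    SSLSessionCacheTimeout 86400
    SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
    # Key material lives under /etc, outside any document root.
    SSLCertificateKeyFile /etc/bootstrap/ssl/official-private-key.pem
    SSLCertificateFile /etc/bootstrap/ssl/official-crt.pem
    SSLCertificateChainFile /etc/bootstrap/ssl/official-chain.pem
    # Diffie Hellman; requires Apache v2.4.8 or higher.
    #SSLOpenSSLConfCmd DHParameters /etc/bootstrap/ssl/dhparam.pem
    SSLHonorCipherOrder on
    # TLS 1.0 and 1.1 are both deprecated (RFC 8996); previously only 1.0
    # was excluded. Clients that cannot negotiate TLS 1.2 are now refused.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # HSTS for the host and every subdomain ("preload" requires
    # includeSubdomains). Guarded like every other Header directive in this
    # file so the server still starts when mod_headers is absent.
    <IfModule headers_module>
        Header always set strict-transport-security "max-age=31536000; includeSubdomains; preload"
    </IfModule>
    # Forward-secret AEAD suites first. The tail still carries CBC (-SHA,
    # -SHA256, -SHA384) and DHE-DSS suites; drop them once the client base
    # allows.
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
</IfModule>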
# Allow access.
# The only two trees the default deny above is lifted for.
<IfModule authz_core_module>
    # Application tree: .htaccess is honoured here (the dot-file rules still
    # keep it from being served).
    <Directory /app/src>
        AllowOverride all
        Options followsymlinks
        Require all granted
    </Directory>
    # Static bootstrap pages (error and coming-soon pages), no overrides.
    <Directory /bootstrap/src/html>
        Options none
        AllowOverride none
        Require all granted
    </Directory>
</IfModule>
# Virtual hosts.
<IfModule ssl_module>
    <IfModule rewrite_module>
        # Plain HTTP does nothing but redirect to HTTPS. The target host is
        # taken from the client's Host header (UseCanonicalName is off), so
        # Host is trusted here; that is what the www-stripping below needs,
        # but keep it in mind if this ever sits behind a shared cache.
        <VirtualHost *:80>
            SSLEngine off
            RewriteEngine on
            RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        </VirtualHost>
        <VirtualHost *:443>
            SSLEngine on
            RewriteEngine on
            DocumentRoot /app/src
            # Maintenance mode: while either flag file exists, every request
            # except the 503 page itself and requests carrying the bypass
            # cookie is answered with 503.
            RewriteCond /app/.maintenance -f [OR]
            RewriteCond /app/.~maintenance -f
            RewriteCond %{REQUEST_URI} !^/\-\-\-errors/503(?:/|$)
            # The bypass key is substituted into a regular expression, so it
            # must not contain regex metacharacters or the check changes
            # meaning.
            RewriteCond %{HTTP_COOKIE} "!maintenance_bypass\=${CFG_MAINTENANCE_BYPASS_KEY}"
            RewriteRule ^ - [R=503,L]
            # Canonicalise www.<host> to <host>, keeping the rest of the URL.
            RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
            RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
            # Static error pages come from the bootstrap tree, which is
            # granted in the access section.
            ErrorDocument 404 /---errors/404/index.html
            ErrorDocument 503 /---errors/503/index.html
            Alias /---errors/404/ /bootstrap/src/html/errors/404/default/
            Alias /---errors/503/ /bootstrap/src/html/errors/503/default/
            Alias /---coming-soon/ /bootstrap/src/html/coming-soon/default/
        </VirtualHost>
    </IfModule>
</IfModule>
# Web-based server tools.
<IfModule auth_basic_module>
    <IfModule authn_file_module>
        <IfModule alias_module>
            Alias /---tools /bootstrap/src/tools
        </IfModule>
        # Everything under /---tools needs a valid user from the password
        # file, which lives under /etc outside the web tree. Basic auth sends
        # credentials in the clear, so this relies on the :80 -> https
        # redirect in the virtual-host section.
        <Directory /bootstrap/src/tools>
            AllowOverride all
            Options followsymlinks
            AuthType basic
            Require valid-user
            AuthBasicProvider file
            AuthName "Administrative Tools"
            AuthUserFile /etc/bootstrap/passwds/.tools
            <IfModule rewrite_module>
                # NOTE(review): in directory context the pattern is matched
                # against the path with the directory prefix stripped, so a
                # pattern anchored at "/---tools" appears never to match;
                # confirm what this passthrough is meant to short-circuit.
                RewriteRule ^/\-\-\-tools - [L]
            </IfModule>
        </Directory>
        # server-status and server-info disclose live request details and the
        # running configuration. The Alias maps these paths into the
        # protected directory, so the auth above should cover them — verify
        # with an unauthenticated request.
        <IfModule status_module>
            <Location /---tools/apache-status>
                SetHandler server-status
            </Location>
        </IfModule>
        <IfModule info_module>
            <Location /---tools/apache-info>
                SetHandler server-info
            </Location>
        </IfModule>
        # PHP-FPM status page, routed through the same Action handler.
        <IfModule mime_module>
            <IfModule fastcgi_module>
                <Location /---tools/fpm-status.php>
                    SetHandler fastcgi-php-fpm
                </Location>
            </IfModule>
        </IfModule>
    </IfModule>
</IfModule>