From 51e1dde2aa5c31b01f77479fe3fc86dffd2c8f29 Mon Sep 17 00:00:00 2001
From: Marius Burkard <m.burkard@pixcept.de>
Date: Fri, 12 Feb 2016 11:06:02 -0500
Subject: [PATCH] Merge branch 'master' into 'stable-3.1'
---
server/conf/vhost.conf.master | 70 +++++++++++++++++++++++++++++++----
1 files changed, 62 insertions(+), 8 deletions(-)
diff --git a/server/conf/vhost.conf.master b/server/conf/vhost.conf.master
index a65f1d2..23144aa 100644
--- a/server/conf/vhost.conf.master
+++ b/server/conf/vhost.conf.master
@@ -1,3 +1,4 @@
+<tmpl_hook name='apache2_vhost:header'>
<Directory {tmpl_var name='web_basedir'}/{tmpl_var name='domain'}>
AllowOverride None
@@ -9,8 +10,9 @@
</tmpl_if>
</Directory>
-<tmpl_loop name="vhosts">
+<tmpl_loop name='vhosts'>
<VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}>
+<tmpl_hook name='apache2_vhost:vhost_header'>
<tmpl_if name='php' op='==' value='suphp'>
DocumentRoot <tmpl_var name='web_document_root'>
</tmpl_else>
@@ -51,12 +53,23 @@
<IfModule mod_ssl.c>
<tmpl_if name='ssl_enabled'>
- SSLEngine on
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+ SSLHonorCipherOrder on
+ <IfModule mod_headers.c>
+ Header always add Strict-Transport-Security "max-age=15768000"
+ </IfModule>
SSLCertificateFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt
SSLCertificateKeyFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key
<tmpl_if name='has_bundle_cert'>
<tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
SSLCertificateChainFile <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.bundle
+ </tmpl_if>
+ <tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
+ SSLUseStapling on
+ SSLStaplingResponderTimeout 5
+ SSLStaplingReturnResponderErrors off
</tmpl_if>
</tmpl_if>
</tmpl_if>
@@ -203,6 +216,9 @@
<tmpl_if name='php' op='==' value='mod'>
# mod_php enabled
AddType application/x-httpd-php .php .php3 .php4 .php5
+ SetEnv TMP <tmpl_var name='document_root'>/tmp
+ SetEnv TMPDIR <tmpl_var name='document_root'>/tmp
+ SetEnv TEMP <tmpl_var name='document_root'>/tmp
php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -fwebmaster@<tmpl_var name='domain'>"
php_admin_value upload_tmp_dir <tmpl_var name='document_root'>/tmp
php_admin_value session.save_path <tmpl_var name='document_root'>/tmp
@@ -231,9 +247,16 @@
# php as cgi enabled
ScriptAlias /php5-cgi <tmpl_var name='cgi_starter_path'><tmpl_var name='cgi_starter_script'>
Action php5-cgi /php5-cgi
- <FilesMatch "\.php[345]?$">
- SetHandler php5-cgi
- </FilesMatch>
+ <Directory {tmpl_var name='web_document_root_www'}>
+ <FilesMatch "\.php[345]?$">
+ SetHandler php5-cgi
+ </FilesMatch>
+ </Directory>
+ <Directory {tmpl_var name='web_document_root'}>
+ <FilesMatch "\.php[345]?$">
+ SetHandler php5-cgi
+ </FilesMatch>
+ </Directory>
<Directory {tmpl_var name='cgi_starter_path'}>
<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
Require all granted
@@ -328,6 +351,9 @@
Alias /php5-fcgi {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'}
<tmpl_if name='use_tcp'>
FastCgiExternalServer {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'} -idle-timeout 300 -host 127.0.0.1:<tmpl_var name='fpm_port'> -pass-header Authorization
+ <IfModule mod_proxy_fcgi.c>
+ ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ fcgi://127.0.0.1:<tmpl_var name='fpm_port'><tmpl_var name='web_document_root'>/$1
+ </IfModule>
</tmpl_if>
<tmpl_if name='use_socket'>
FastCgiExternalServer {tmpl_var name='document_root'}/cgi-bin/php5-fcgi-{tmpl_var name='ip_address'}-{tmpl_var name='port'}-{tmpl_var name='domain'} -idle-timeout 300 -socket <tmpl_var name='fpm_socket'> -pass-header Authorization
@@ -369,25 +395,41 @@
<tmpl_if name="rewrite_enabled">
RewriteEngine on
+<tmpl_if name='apache_version' op='>' value='2.2' format='version'>
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
+ RewriteRule ^ - [END]
+</tmpl_if>
<tmpl_if name='seo_redirect_enabled'>
RewriteCond %{HTTP_HOST} <tmpl_var name='seo_redirect_operator'>^<tmpl_var name='seo_redirect_origin_domain'>$ [NC]
- RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='seo_redirect_target_domain'>$1 [R=301,L]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='seo_redirect_target_domain'>$1 [R=301,NE,L]
</tmpl_if>
<tmpl_loop name="alias_seo_redirects">
RewriteCond %{HTTP_HOST} <tmpl_var name='alias_seo_redirect_operator'>^<tmpl_var name='alias_seo_redirect_origin_domain'>$ [NC]
- RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='alias_seo_redirect_target_domain'>$1 [R=301,L]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule ^(.*)$ http<tmpl_if name='ssl_enabled'>s</tmpl_if>://<tmpl_var name='alias_seo_redirect_target_domain'>$1 [R=301,NE,L]
</tmpl_loop>
<tmpl_loop name="redirects">
RewriteCond %{HTTP_HOST} <tmpl_var name='rewrite_domain'>$ [NC]
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
<tmpl_if name="rewrite_is_url" op="==" value="n">
RewriteCond %{REQUEST_URI} !^/webdav/
RewriteCond %{REQUEST_URI} !^/php5-fcgi/
RewriteCond %{REQUEST_URI} !^<tmpl_var name='rewrite_target'>
</tmpl_if>
- RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_if name='rewrite_type' value=''><tmpl_if name="rewrite_is_url" op="==" value="n">[PT]</tmpl_if></tmpl_else><tmpl_var name='rewrite_type'></tmpl_if>
+ RewriteRule ^/(.*)$ <tmpl_var name='rewrite_target'><tmpl_if name="rewrite_add_path" op="==" value="y">$1</tmpl_if> <tmpl_var name='rewrite_type'>
</tmpl_loop>
+<tmpl_if name='ssl_enabled'>
+<tmpl_else>
+<tmpl_if name='rewrite_to_https' op='==' value='y'>
+ RewriteCond %{HTTPS} off
+ <tmpl_if name='apache_version' op='<' value='2.4' format='version'>RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/</tmpl_if>
+ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+</tmpl_if>
+</tmpl_if>
</tmpl_if>
# add support for apache mpm_itk
@@ -414,5 +456,17 @@
</IfModule>
<tmpl_var name='apache_directives'>
+<tmpl_hook name='apache2_vhost:vhost_footer'>
</VirtualHost>
+
+<tmpl_if name='apache_version' op='>=' value='2.4' format='version'>
+<tmpl_if name='ssl_enabled'>
+<IfModule mod_ssl.c>
+ SSLStaplingCache shmcb:/var/run/ocsp(128000)
+</IfModule>
+</tmpl_if>
+</tmpl_if>
+
</tmpl_loop>
+
+<tmpl_hook name='apache2_vhost:footer'>
--
Gitblit v1.9.1