ojullien / apache2.4 Goto Github PK

Apache2.4 configuration and site templates

License: Apache License 2.0

ssl vhost-configuration virtual-hosts apache24 reverse-proxy proxy remoteip evasive referrer-policy strict-transport-security

apache2.4's Introduction

Apache2.4 configuration and templates

Apache2.4 personnal configuration and website templates on Debian linux distribution.

Note: I use those templates for my own projects, they contain the features I need.

Requirements

Debian linux distribution: ~9.1
apache: ~2.4.25
- Modules: alias, deflate, dir, env, evasive, expires, filter, headers, http2, include, rewrite, unique_id, ssl_module, proxy_module, proxy_http_module / proxy_http2_module, remoteip_module
openssl: ~1.1.0f

Configuration

I do not modify any Apache2.4 configuration files. I just add new configuration files to override the default Apache2.4 configuration.

When it starts, Apache2.4 includes the module configuration files (/etc/apache2/mods-enabled/*) and, then, the particular configuration snippets (/etc/apache2/conf-enabled/*.conf) which manage global configuration fragments.

Files

zzz-apache2.conf: overrides the main Apache server configuration.
zzz-deflate.conf: overrides the DEFLATE configuration that allows output from your server to be compressed before being sent to the client over the network.
zzz-dir.conf: overrides the default serving directory index files configuration.
zzz-evasive.conf: overrides the default EVASIVE module configuration.
zzz-expires.conf: overrides and extends the default expirations time by type.
zzz-expires-cdn.conf: modern version for caching while using CDN.
zzz-expires-fingerprint.conf: modern version for caching while using fingerprinted URLs.
zzz-headers.conf: adds few HTTP request and response headers customizations.
zzz-log.conf: overrides log configuration.
zzz-mime.conf: adds more mime types.
zzz-mpm_event.conf: overrides the event worker MPM default configuration.
zzz-php7.x-fpm.conf: configure the local php-fpm using proxy.
zzz-proxy.conf: overrides the multi-protocol proxy/gateway server default configuration.
zzz-remoteip.conf: overides remoteip configuration.
zzz-security.conf: overrides and adds more security configuration snippets for the server.
zzz-ssl.conf: SSL configuration.
zzz-status.conf: overrides the status and info modules configurations.

How to setup the Apache2.4 personnal configuration

Copy the configuration files into /etc/apache2/conf-available
Edit the named like zzz-***.conf files and make changes as you need.
Enable the configuration you need using a2enconf zzz-***
Test the configuration using apache2ctl -t
When test is OK, activate the new configuration using systemctl reload apache2

Templates

I wrote theses templates to ease the process of creating named-based virtualhosts.

I do not use the module mod_macro, I only use the built-in Include and Define directives.

Each domain.tld directory contains configuration for HTTP and HTTPS. The domain.tld/include contains the common snippets for HTTP and HTTPS.

The Content Security Policy (CSP) snippets depends on your site and must be tested.

Module mod_http2 must be enable to provides HTTP/2 support in SSL.

Features

_common.conf: contains many files with common snippets.
- access_control directory contains Access control directives for application and static website.
- security directory contains security directives for HSTS and WordPress.
000-default: contains the default virtualhost configuration.
static.tld: contains the name-based vhost configuration for a static website.
app.tld: contains the name-based vhost configuration for a PHP application.
api.tld: contains the name-based vhost configuration for a mixed static website and PHP application.
redirect.tld: contains the configuration for a redirection.
reverseproxy.tld: configuration sample for a reverse proxy.
- remoteip_module, proxy_module and proxy_http_module or/and proxy_http2_module are required.
- conf-available/zzz-expires.conf and conf-available/zzz-headers.conf should not be enabled.
loader.conf: one file to rule them all.

How to setup the site templates

Copy the templates into /etc/apache2/sites-available
Edit the files and make changes as you need.
Edit and update the loader.conf file.
Enable the sites using a2ensite loader
restarts the Apache daemon using apache2ctl graceful

Documentation

I wrote and I use this package for my own projects. And, unfortunately, I do not provide exhaustive documentation. Please read the code and the comments ;)

For instructions on how to use, best practices, templates and other usage information, please visit the Apache2.4 documentation.

Contributing

Thanks you for taking the time to contribute. Please fork the repository and make changes as you'd like.

As I use these configuration and templates for my own projects, it contains only the features I need. But If you have any ideas, just open an issue and tell me what you think. Pull requests are also warmly welcome.

If you encounter any bugs in the configuration or templates, please open an issue.

Be sure to include a title and clear description,as much relevant information as possible, and a code sample or an executable test case demonstrating the expected behavior that is not occurring.

License

Apache2.4 configuration and templates are open-source and are licensed under the Apache-2.0 License.

apache2.4's People

Contributors

Stargazers

Watchers

apache2.4's Issues

Remove unneeded HTTP X-XSS-Protection Header

This protection is largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline').

Read this MDN's article

HSTS preloading should be Opt-In

do not include the preload directive by default.

The preload directive will have long-term consequences. If the HTTPS configuration is wrong, broken or we don't want to use HTTPS anymore, we will experience problems.

Update ssl configuration

Drop SSLv3

Serving pre-compressed content

Since mod_deflate/mod-brotli re-compresses content each time a request is made, some performance benefit can be derived by pre-compressing the content and telling mod_deflate/mod-brotli to serve them without re-compressing them.

Read the Apache's documentation about mod_deflate

Read the Apache's documentation about mod-brotli

The 'Expires' header should not be used, 'Cache-Control' should be preferred.

The expires header is legacy and is overruled by cache-control.
Check out:

Google Prevent unnecessary network requests with the HTTP Cache article
MDN's HTTP Expires header article
MDN's HTTP Cache-Control header article

Escape dot in security/wordpress.conf

wordpress.conf

Add HTTP Permissions-Policy header

The HTTP Permissions-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.

Read the MDN's article

mime type: application/x-httpd-php

In reverse proxy case, the result of a parsed php file is served as application/x-httpd-php (and so downloadable) instead of text/html.

in the zzz-mime.conf the line AddType application/x-httpd-php .php .phtml must be commented.
This line is useful for mod_php and not php-fpm (as we use mod_proxy_fcgi)

The 'X-Frame-Options' header should not be used

A similar effect, with more consistent support and stronger checks, can be achieved with the 'Content-Security-Policy' header and 'frame-ancestors' directive.

The HSTS directive is always set even in non ssl case

The HTTP Strict Transport Security directives should not be in the server conf but in the ssl vhost.

Configure Etag

Use ETag header to help you revalidate expired cache resources more efficiently.

mod_http2 doesn't support the mod_logio module (which provide the %O format),

mod_http2 doesn't support the mod_logio module (which provide the %O format).
May use the %B format instead.

Compress content via Brotli

Google have developed a newer algorithm called Brotli that can be used in place of gzip.

Read Apache's documentation

Add the Referrer-Policy HTTP header.

The Referrer-Policy HTTP header controls how much referrer information (sent via the Referer header) should be included with requests.

Read the MDN's article

HSTS preload directives are not valid.

Bugs

The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000.
HTTP redirects to www first http://app.tld (HTTP) should immediately redirect to https://app.tld (HTTPS) before adding the www subdomain. Right now, the first redirect is to https://www.app.tld/. The extra redirect is required to ensure that any browser which supports HSTS will record the HSTS entry for the top level domain, not just the subdomain.

Information

In order to be accepted to the HSTS preload list, the site must satisfy the following set of requirements:

Serve a valid certificate.
Redirect from HTTP to HTTPS on the same host, if you are listening on port 80.
Serve all subdomains over HTTPS.
- In particular, you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.
Serve an HSTS header on the base domain for HTTPS requests:
- The max-age must be at least 31536000 seconds (1 year).
- The includeSubDomains directive must be specified.
- The preload directive must be specified.
- If you are serving an additional redirect from your HTTPS site, that redirect must still have the HSTS header (rather than the page it redirects to).

%{X-PROXY-UNIQUE-ID}e is empty

Case: backend server behind a reverse proxy server

%{X-PROXY-UNIQUE-ID}e is empty because X-PROXY-UNIQUE-ID is not an environment variable. It is an header line. So use %{X-PROXY-UNIQUE-ID}i instead .

File conf-available/zzz-log.conf