Update domain.conf
Add in additional rewrite rules for Laravel and WordPress single site installations.

Signed-off-by: Max Barrett <[email protected]>
MaximillianGroup authored Nov 7, 2024
1 parent cbf1496 commit 816eb42
Showing 1 changed file with 157 additions and 82 deletions.
239 changes: 157 additions & 82 deletions domain.conf
@@ -1,106 +1,181 @@
# Apache Configuration File
# Apache Configuration File for WordPress (multisite) or PHP Application
# Author: MaximillianGroup (Max Barrett) <[email protected]>
# Version 1.0.0
# WordPress Friendly, Cloudflare Origin Certificates, Let's Encrypt, Strong SSL Security
ServerAdmin [email protected]
# WordPress and WordPress Multisite, Cloudflare Origin Certificates, Let's Encrypt, Strong SSL Security
# Contact: [email protected]

# hide the server details
ServerSignature Off
ServerTokens Prod
ServerAdmin [email protected]

# Load necessary modules
# These may already be included in a server .conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
# Load essential modules
# If already loaded comment these out
LoadModule ssl_module modules/mod_ssl.so # Enables SSL/TLS
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so # Shared memory cache for sessions and stapling
LoadModule rewrite_module modules/mod_rewrite.so # URL rewriting (required for WordPress Multisite)
LoadModule headers_module modules/mod_headers.so # For setting custom headers
LoadModule expires_module modules/mod_expires.so #For browser caching
LoadModule deflate_module modules/mod_deflate.so #For enabling Gzip

# Listen on HTTP and HTTPS ports
# These may already be included in a server .conf
# Tell Apache to Listen (if already set, comment out)
Listen 80
<IfModule mod.ssl>
Listen 443
Listen 443

# Minimize server information disclosure (security best practice)
ServerTokens Prod
ServerSignature Off

# Define your ServerRoot if it's non-standard (uncomment and adjust if needed)
# ServerRoot "/etc/apache2"

# SSL Stapling Configuration (improves SSL/TLS handshake performance)
<IfModule mod_ssl.c>
SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)" # Using shared memory cache
</IfModule>

# Added to mitigate CVE-2017-8295 vulnerability
UseCanonicalName On
<VirtualHost>
ServerName sparxstar.com
ServerAlias www.sparxstar.com

DocumentRoot /var/www/html # Your WordPress root directory – ADJUST IF NEEDED

# Logging
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

# ----------------------------------
# HTTP VirtualHost to redirect all traffic to HTTPS
# HTTP VirtualHost (Port 80): Redirects all HTTP traffic to HTTPS
# ----------------------------------
<VirtualHost *:80>
ServerName domain.com
ServerAlias www.domain.com

# Redirect all HTTP requests to HTTPS
# Rewrite to HTTPS ONLY
RewriteEngine On
RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] # Permanent redirect to HTTPS

</VirtualHost>

# ----------------------------------
# HTTPS VirtualHost with SSL configuration
# HTTPS VirtualHost (Port 443): Main configuration for your WordPress Multisite
# ----------------------------------
<VirtualHost *:443>
ServerName domain.com
ServerAlias www.domain.com

# Document root for the site
DocumentRoot /var/www/html

# Enable SSL engine
SSLEngine on

# SSL Certificates from Cloudflare
SSLCertificateFile /etc/ssl/certs/cloudflare_origin.pem
SSLCertificateKeyFile /etc/ssl/private/cloudflare_origin.key
SSLCertificateChainFile /etc/ssl/certs/cloudflare_root.pem
# and Let's Encrypt
SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem

# Strong Ciphers and Enforcing Cipher Order
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on

# Enable OCSP Stapling
SSLUseStapling On
SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)"

# Optional: Client Certificate Authentication
# Uncomment the lines below to require a client certificate
# SSLVerifyClient require
# SSLVerifyDepth 1
# SSLCACertificateFile /path/to/ca.crt

# Directory settings for WordPress root directory
<Directory /var/www/html>
# Allows .htaccess to handle Mod Rewrite and other rules
AllowOverride All
Require all granted
</Directory>

# Directory-level restrictions
<Directory /var/www/html/wp-content>
Require all denied
AllowOverride None
</Directory>
<IfModule mod_ssl.c>
SSLEngine on # Enables SSL/TLS for this virtual host

# and Let's Encrypt
SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem

# SSL Certificate Configuration (using Cloudflare origin certificates)
SSLCertificateFile /etc/ssl/certs/cloudflare-origin.pem #Path to your certificate file
SSLCertificateKeyFile /etc/ssl/certs/cloudflare-origin.key # Path to your private key file
SSLCertificateChainFile /etc/ssl/certs/cloudflare-ecc-chain.pem # Path to the chain file, if applicable
# Cloudflare Origin Chain File at
# https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate

# Strong Cipher Suite and Cipher Order (important for security)
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 # Disables weak ciphers
SSLHonorCipherOrder on # Enforces server's cipher preference

# Enable OCSP Stapling (for faster SSL handshakes)
SSLUseStapling on
</IfModule>

<IfModule mod_headers.c>
# Important Security Headers
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Enforces HTTPS
# Content Security Policy (CSP) – **CUSTOMIZE THIS VERY CAREFULLY** (see notes readme.md)
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.sparxstar.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.sparxstar.com; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none';"
Header always set X-Frame-Options "DENY" # Prevents clickjacking
Header always set X-Content-Type-Options "nosniff" # Prevents MIME-sniffing attacks
Header always set Referrer-Policy "strict-origin-when-cross-origin" # Controls referrer information
<IfModule>

# Or your root directory – ADJUST IF NEEDED
<Directory /var/www/html>

# Allows .htaccess overrides for these types ONLY – ADJUST IF NEEDED
AllowOverride FileInfo AuthConfig Limit

# Allows access to all. Change if you need more specific access controls.
Require all granted

#Browser caching of static assets
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
# ... other ExpiresByType directives ...
ExpiresDefault "access 2 days" # Default caching time
</IfModule>

#Gzip Compression
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css|html|xml|php)$">
SetOutputFilter DEFLATE
DeflateCompressionLevel 9
</FilesMatch>
</IfModule>

# Restrict php, js and other scripts execution in uploads directory
<Directory /var/www/html/wp-content/uploads>
<FilesMatch "\.(php|js|cgi|as|pl|py|rb|sh)$">
Require all denied
</FilesMatch>
</Directory>

# Protect WordPress Admin Directory (wp-admin) with Basic Authentication
#<Directory /var/www/html/wp-admin>
# AuthType Basic
# AuthName "Restricted Area"
# AuthUserFile /etc/apache2/htpasswd.users
# Require valid-user
#</Directory>
# -------------------------------------------
# WordPress Multisite and other Application Rewrites
# -------------------------------------------
<IfModules mod_rewrites.c>
RewriteEngine On
RewriteBase /

# WORDPRESS STANDARD INSTALLATION (adjust paths if necessary)

RewriteRule ^wp-admin/includes/ - [F,L] # Protect wp-admin includes
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [L]
RewriteRule ^wp-includes/theme-compat/ - [L]

# WORDPRESS SINGLE-SITE SPECIAL INSTALLATIONS (Adjust path and domain/subdomain)

# --- WordPress in a subdirectory ---
#RewriteCond %{REQUEST_URI} ^/blog #adjust path
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^ /blog/index.php [L]

# --- WordPress on a subdomain ---
#RewriteCond %{HTTP_HOST} ^blog\.sparxstar\.com$ [NC]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^ /path/to/wordpress/index.php [L]

# WORDPRESS MULTISITE (Choose ONE and uncomment as needed)

# --- SUBDOMAIN MULTISITE ---
# (If using subdomains, uncomment this section and adjust domain)
#RewriteCond %{HTTP_HOST} ^([^.]+)\.sparxstar\.com$ [NC]
#RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
#RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
#RewriteRule . index.php [L]

# --- SUBDIRECTORY MULTISITE ---
# (If using subdirectories, uncomment this section)
RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
RewriteRule . index.php [L]

# LARAVEL APPLICATION (Adjust path and domain/subdomain)

# --- SUBDOMAIN ---
#RewriteCond %{HTTP_HOST} ^laravel\.sparxstar\.com$ [NC]
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^ /path/to/laravel/public/index.php [L]

# --- SUBDIRECTORY ---
RewriteCond %{REQUEST_URI} ^/laravel
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ /path/to/laravel/public/index.php [L] #adjust path

</IfModules>

# Logging for SSL
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
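Review bot: The new rewrite section is wrapped in `<IfModules mod_rewrites.c>` … `</IfModules>` and the headers block is closed with `<IfModule>` instead of `</IfModule>`, none of which are valid Apache directives, so the file will fail `apachectl configtest` and none of the hardening it adds takes effect; the fix is `<IfModule mod_rewrite.c>` / `</IfModule>` for the rewrite block and `</IfModule>` after the `Referrer-Policy` header. Inside a `<VirtualHost>`, `RewriteBase` is ignored and rule patterns are matched against the full URL path including the leading slash, so the per-directory-style rules copied from the WordPress `.htaccess` (e.g. `RewriteRule ^wp-admin/includes/ - [F,L]` and the multisite rules ending in `RewriteRule . index.php [L]`) will not match as written, which means the intended `wp-admin/includes` forbid never fires; either prefix the patterns with `/` (`RewriteRule ^/wp-admin/includes/ - [F,L]`) or move them into the `<Directory /var/www/html>` section where per-directory semantics apply. The `<Directory /var/www/html>` block that starts at "Or your root directory" is never closed before the `<Directory /var/www/html/wp-content/uploads>` block opens, and Apache rejects nested `Directory` sections, so a `</Directory>` is needed after the `Require all granted` (or after the compression block). It is not certain from this rendering which side `<IfModule mod.ssl>` (never closed, wrong module name) and the address-less `<VirtualHost>` for sparxstar.com belong to; if they survive on the new side they are further parse errors to remove. Since the active rewrite set now includes both the single-site protection rules and the uncommented subdirectory-multisite rules, a one-line comment stating which combination is meant to be live on a single-site install would help the next editor.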
