diff --git a/domain.conf b/domain.conf
index 7224c86..2a79161 100644
--- a/domain.conf
+++ b/domain.conf
@@ -1,106 +1,181 @@ -# Apache Configuration File +# Apache Configuration File for WordPress (multisite) or PHP Application # Author: MaximillianGroup (Max Barrett) # Version 1.0.0 -# WordPress Friendly, Cloudflare Origin Certificates, Let's Encrypt, Strong SSL Security -ServerAdmin support@maximilliangroup.us +# WordPress and WordPress Multisite, Cloudflare Origin Certificates, Let's Encrypt, Strong SSL Security +# Contact: support@maximilliangroup.us -# hide the server details -ServerSignature Off -ServerTokens Prod +ServerAdmin webmaster@maximilliangroup.us -# Load necessary modules -# These may already be included in a server .conf -LoadModule ssl_module modules/mod_ssl.so -LoadModule rewrite_module modules/mod_rewrite.so +# Load essential modules +# If already loaded comment these out +LoadModule ssl_module modules/mod_ssl.so # Enables SSL/TLS +LoadModule socache_shmcb_module modules/mod_socache_shmcb.so # Shared memory cache for sessions and stapling +LoadModule rewrite_module modules/mod_rewrite.so # URL rewriting (required for WordPress Multisite) +LoadModule headers_module modules/mod_headers.so # For setting custom headers +LoadModule expires_module modules/mod_expires.so #For browser caching +LoadModule deflate_module modules/mod_deflate.so #For enabling Gzip -# Listen on HTTP and HTTPS ports -# These may already be included in a server .conf +# Tell Apache to Listen (if already set, comment out) Listen 80 - - Listen 443 +Listen 443 + +# Minimize server information disclosure (security best practice) +ServerTokens Prod +ServerSignature Off + +# Define your ServerRoot if it's non-standard (uncomment and adjust if needed) +# ServerRoot "/etc/apache2" + +# SSL Stapling Configuration (improves SSL/TLS handshake performance) + + SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)" # Using shared memory cache -# Added to mitigate CVE-2017-8295 vulnerability -UseCanonicalName On + + ServerName sparxstar.com + ServerAlias www.sparxstar.com + + 
DocumentRoot /var/www/html # Your WordPress root directory – ADJUST IF NEEDED + + # Logging + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # ---------------------------------- -# HTTP VirtualHost to redirect all traffic to HTTPS +# HTTP VirtualHost (Port 80): Redirects all HTTP traffic to HTTPS # ---------------------------------- - ServerName domain.com - ServerAlias www.domain.com - # Redirect all HTTP requests to HTTPS + # Rewrite to HTTPS ONLY RewriteEngine On - RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] - + RewriteRule ^/?(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] # Permanent redirect to HTTPS + # ---------------------------------- -# HTTPS VirtualHost with SSL configuration +# HTTPS VirtualHost (Port 443): Main configuration for your WordPress Multisite # ---------------------------------- - ServerName domain.com - ServerAlias www.domain.com - - # Document root for the site - DocumentRoot /var/www/html - - # Enable SSL engine - SSLEngine on - - # SSL Certificates from Cloudflare - SSLCertificateFile /etc/ssl/certs/cloudflare_origin.pem - SSLCertificateKeyFile /etc/ssl/private/cloudflare_origin.key - SSLCertificateChainFile /etc/ssl/certs/cloudflare_root.pem - # and Let's Encrypt - SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem - SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem - SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem - - # Strong Ciphers and Enforcing Cipher Order - SSLCipherSuite HIGH:!aNULL:!MD5 - SSLHonorCipherOrder on - - # Enable OCSP Stapling - SSLUseStapling On - SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)" - - # Optional: Client Certificate Authentication - # Uncomment the lines below to require a client certificate - # SSLVerifyClient require - # SSLVerifyDepth 1 - # SSLCACertificateFile /path/to/ca.crt - - # Directory settings for WordPress root directory - - # Allows .htaccess to 
handle Mod Rewrite and other rules - AllowOverride All - Require all granted - - - # Directory-level restrictions - - Require all denied - AllowOverride None - + + SSLEngine on # Enables SSL/TLS for this virtual host + + # and Let's Encrypt + SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem + + # SSL Certificate Configuration (using Cloudflare origin certificates) + SSLCertificateFile /etc/ssl/certs/cloudflare-origin.pem #Path to your certificate file + SSLCertificateKeyFile /etc/ssl/certs/cloudflare-origin.key # Path to your private key file + SSLCertificateChainFile /etc/ssl/certs/cloudflare-ecc-chain.pem # Path to the chain file, if applicable + # Cloudflare Origin Chain File at + # https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate + + # Strong Cipher Suite and Cipher Order (important for security) + SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 # Disables weak ciphers + SSLHonorCipherOrder on # Enforces server's cipher preference + + # Enable OCSP Stapling (for faster SSL handshakes) + SSLUseStapling on + + + + # Important Security Headers + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # Enforces HTTPS + # Content Security Policy (CSP) – **CUSTOMIZE THIS VERY CAREFULLY** (see notes readme.md) + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.sparxstar.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.sparxstar.com; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none';" + Header always set X-Frame-Options "DENY" # Prevents clickjacking + Header always set X-Content-Type-Options "nosniff" # Prevents MIME-sniffing attacks + Header always set Referrer-Policy "strict-origin-when-cross-origin" # Controls referrer 
information + + + # Or your root directory – ADJUST IF NEEDED + + + # Allows .htaccess overrides for these types ONLY – ADJUST IF NEEDED + AllowOverride FileInfo AuthConfig Limit + + # Allows access to all. Change if you need more specific access controls. + Require all granted + + #Browser caching of static assets + + ExpiresActive On + ExpiresByType image/jpg "access 1 year" + # ... other ExpiresByType directives ... + ExpiresDefault "access 2 days" # Default caching time + + + #Gzip Compression + + + SetOutputFilter DEFLATE + DeflateCompressionLevel 9 + + - # Restrict php, js and other scripts execution in uploads directory - - - Require all denied - - # Protect WordPress Admin Directory (wp-admin) with Basic Authentication - # - # AuthType Basic - # AuthName "Restricted Area" - # AuthUserFile /etc/apache2/htpasswd.users - # Require valid-user - # + # ------------------------------------------- + # WordPress Multisite and other Application Rewrites + # ------------------------------------------- + + RewriteEngine On + RewriteBase / + + # WORDPRESS STANDARD INSTALLATION (adjust paths if necessary) + + RewriteRule ^wp-admin/includes/ - [F,L] # Protect wp-admin includes + RewriteRule !^wp-includes/ - [S=3] + RewriteRule ^wp-includes/[^/]+\.php$ - [L] + RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [L] + RewriteRule ^wp-includes/theme-compat/ - [L] + + # WORDPRESS SINGLE-SITE SPECIAL INSTALLATIONS (Adjust path and domain/subdomain) + + # --- WordPress in a subdirectory --- + #RewriteCond %{REQUEST_URI} ^/blog #adjust path + #RewriteCond %{REQUEST_FILENAME} !-f + #RewriteCond %{REQUEST_FILENAME} !-d + #RewriteRule ^ /blog/index.php [L] + + # --- WordPress on a subdomain --- + #RewriteCond %{HTTP_HOST} ^blog\.sparxstar\.com$ [NC] + #RewriteCond %{REQUEST_FILENAME} !-f + #RewriteCond %{REQUEST_FILENAME} !-d + #RewriteRule ^ /path/to/wordpress/index.php [L] + + # WORDPRESS MULTISITE (Choose ONE and uncomment as needed) + + # --- SUBDOMAIN MULTISITE --- + # (If 
using subdomains, uncomment this section and adjust domain) + #RewriteCond %{HTTP_HOST} ^([^.]+)\.sparxstar\.com$ [NC] + #RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L] + #RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L] + #RewriteRule . index.php [L] + + # --- SUBDIRECTORY MULTISITE --- + # (If using subdirectories, uncomment this section) + RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L] + RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L] + RewriteRule . index.php [L] + + # LARAVEL APPLICATION (Adjust path and domain/subdomain) + + # --- SUBDOMAIN --- + #RewriteCond %{HTTP_HOST} ^laravel\.sparxstar\.com$ [NC] + #RewriteCond %{REQUEST_FILENAME} !-f + #RewriteCond %{REQUEST_FILENAME} !-d + #RewriteRule ^ /path/to/laravel/public/index.php [L] + + # --- SUBDIRECTORY --- + RewriteCond %{REQUEST_URI} ^/laravel + RewriteCond %{REQUEST_FILENAME} !-f + RewriteCond %{REQUEST_FILENAME} !-d + RewriteRule ^ /path/to/laravel/public/index.php [L] #adjust path + + - # Logging for SSL - ErrorLog ${APACHE_LOG_DIR}/error.log - CustomLog ${APACHE_LOG_DIR}/access.log combined
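Review bot: The Cloudflare origin private key is now read from `/etc/ssl/certs/cloudflare-origin.key`, whereas the removed lines kept it under `/etc/ssl/private/`; on Debian-derived systems `/etc/ssl/certs` is conventionally world-readable, so the key should stay in the private directory with restrictive permissions, i.e. `SSLCertificateKeyFile /etc/ssl/private/cloudflare-origin.key`. The HTTPS vhost also carries no `SSLProtocol` directive, so despite the "Strong SSL Security" header comment the enabled protocol versions fall back to the mod_ssl/OpenSSL build defaults, which may still include TLS 1.0/1.1; adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` next to `SSLCipherSuite` pins this. Both the Let's Encrypt and the Cloudflare certificate/key/chain triplets are active in the same vhost, but mod_ssl 2.4.8+ only accepts repeated `SSLCertificateFile` directives for different key types and deprecates `SSLCertificateChainFile` in favor of a fullchain file, so if both sets use the same key type startup will fail and one set should be commented out as the old version intended. The old side's uploads-directory block that denied script execution and the `UseCanonicalName On` line (annotated as a CVE-2017-8295 mitigation) were dropped without replacement; the container tags appear stripped from this rendering so their exact scope is unclear, but without `UseCanonicalName On` the port-80 redirect's `%{SERVER_NAME}` follows the client-supplied Host header, so restoring both seems warranted.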