Update domain.conf

Added additional server level configuration of SSL

Signed-off-by: Max Barrett <[email protected]>

domain.conf

@@ -23,9 +23,15 @@ Listen 443
 ServerTokens Prod
 ServerSignature Off
 
+SetEnv TZ "UTC"  # Or php_value date.timezone "UTC" if using mod_php
+LimitRequestBody 10240000
+
 # Define your ServerRoot if it's non-standard (uncomment and adjust if needed)
 # ServerRoot "/etc/apache2"
 
+
+
+
 # SSL Stapling Configuration (improves SSL/TLS handshake performance)
 <IfModule mod_ssl.c>
   SSLStaplingCache "shmcb:/var/log/apache2/ssl_stapling(32768)"  # Using shared memory cache
@@ -47,6 +53,8 @@ ServerSignature Off
 # HTTP VirtualHost (Port 80): Redirects all HTTP traffic to HTTPS
 # ----------------------------------
 <VirtualHost *:80>
+    ServerName sparxstar.com  # Repeat ServerName inside this virtualhost
+    ServerAlias www.sparxstar.com
 
     # Rewrite to HTTPS ONLY
     RewriteEngine On
@@ -61,7 +69,7 @@ ServerSignature Off
    <IfModule mod_ssl.c>
         SSLEngine on  # Enables SSL/TLS for this virtual host
 
-         # and Let's Encrypt
+        # and Let's Encrypt
         SSLCertificateFile /etc/letsencrypt/live/sparxstar.com/fullchain.pem
         SSLCertificateKeyFile /etc/letsencrypt/live/sparxstar.com/privkey.pem
         SSLCertificateChainFile /etc/letsencrypt/live/sparxstar.com/chain.pem
@@ -72,26 +80,53 @@ ServerSignature Off
         SSLCertificateChainFile /etc/ssl/certs/cloudflare-ecc-chain.pem  # Path to the chain file, if applicable
         # Cloudflare Origin Chain File at 
         # https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate
-
-        # Strong Cipher Suite and Cipher Order (important for security)
+
+        # CIPHER SUITES - comment out the one not used
+
+        # OPTION 1 - Strong Cipher Suite and Cipher Order (important for security)
         SSLCipherSuite HIGH:!aNULL:!MD5:!RC4  # Disables weak ciphers
-        SSLHonorCipherOrder on  # Enforces server's cipher preference
-
+
+        # OPTION 2 - Stronger Cipher Suite with Future Proofing
+        # Recommended Mozilla Modern Cipher Suite (adjust as needed for compatibility)
+        SSLCipherSuite TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1  # Disable older, insecure protocols
+
+        # BOTH OPTION REQUIRE
+        # Enforces server's cipher preference
+        SSLHonorCipherOrder on  
         # Enable OCSP Stapling (for faster SSL handshakes)
         SSLUseStapling on
     </IfModule>
 
     <IfModule mod_headers.c>
+        # Reinforce HTTPS ONLY - comment out if allowing HTTP connections (NOT RECOMMENDED)
+        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+
+        # Remove and mention of the server
+        Header unset Server
+
+        # Content Security Policy (CSP) – **CUSTOMIZE THIS VERY CAREFULLY** (see notes readme.md)
+        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.sparxstar.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.sparxstar.com; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none';"  # Customize!
+
+        # CORS related headers
+        Header set Referrer-Policy "no-referrer, strict-origin-when-cross-origin"  # Good to have this here
+        Header always set Expect-CT "enforce, max-age=0"  # Good to have this as well
+
         # Important Security Headers
         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"  # Enforces HTTPS
-        # Content Security Policy (CSP) – **CUSTOMIZE THIS VERY CAREFULLY** (see notes readme.md)
-        Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' *.sparxstar.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: *.sparxstar.com; font-src 'self' data:; connect-src 'self'; object-src 'none'; frame-ancestors 'none';" 
         Header always set X-Frame-Options "DENY"  # Prevents clickjacking
         Header always set X-Content-Type-Options "nosniff" # Prevents MIME-sniffing attacks
         Header always set Referrer-Policy "strict-origin-when-cross-origin"  # Controls referrer information
     <IfModule>
 
-    # Or your root directory – ADJUST IF NEEDED
+     <IfModule mod_mime.c>
+        AddDefaultCharset utf-8  
+
+    </IfModule>
+
+    # Root Directory – ADJUST IF NEEDED
+    # Directory configurations for your applications.
+    # Add separate <Directory> blocks for each application with its own AllowOverride settings)
     <Directory /var/www/html>  
 
          # Allows .htaccess overrides for these types ONLY – ADJUST IF NEEDED
@@ -100,82 +135,33 @@ ServerSignature Off
         # Allows access to all. Change if you need more specific access controls.
         Require all granted 
 
-      #Browser caching of static assets
-      <IfModule mod_expires.c> 
-          ExpiresActive On
-          ExpiresByType image/jpg "access 1 year"
-          # ... other ExpiresByType directives ...
-          ExpiresDefault "access 2 days" # Default caching time
-      </IfModule>
-
-       #Gzip Compression
-       <IfModule mod_deflate.c>
-            <FilesMatch "\.(js|css|html|xml|php)$">
-                SetOutputFilter DEFLATE
-                DeflateCompressionLevel 9
-            </FilesMatch>
+        #Browser caching of static assets
+        <IfModule mod_expires.c> 
+            ExpiresActive On
+            ExpiresByType image/jpg "access 1 year"
+            # ... other ExpiresByType directives ...
+            ExpiresDefault "access 2 days" # Default caching time
         </IfModule>
+
+         #Gzip Compression
+         <IfModule mod_deflate.c>
+              <FilesMatch "\.(js|css|html|xml|php)$">
+                  SetOutputFilter DEFLATE
+                  DeflateCompressionLevel 9
+              </FilesMatch>
+          </IfModule>
+
+          # File Access Restrictions (can  be in .htaccess here)
+          <FilesMatch "\.((md|exe|sh|bak|inc|pot|po|mo|log|sql|htaccess|htpasswd|ini|phps|fla|psd|log|sh|env|
+                          settings\.php|security\.php
+                          wp-config\.php|config\.php|db\.php|db-config\.php|debug\.log|install\.php|license\.txt|readme\.txt|
+                          wp-content/uploads/|\.git|upload\.php|options\.php|themes|plugins|backup|
+                          \.(php[3-7]?|phtml|sql|bak|sqlite|yml|conf|conf\.php|ini|tpl|tmp|log|
+                          |key|pem|p12|crt|)$">
+              Require all denied
+          </FilesMatch>
 
-    </Directory>
 
-    # -------------------------------------------
-    # WordPress Multisite and other Application Rewrites
-    # -------------------------------------------
-    <IfModules mod_rewrites.c>
-        RewriteEngine On
-        RewriteBase /
-
-        # WORDPRESS STANDARD INSTALLATION  (adjust paths if necessary)
-
-        RewriteRule ^wp-admin/includes/ - [F,L]  # Protect wp-admin includes
-        RewriteRule !^wp-includes/ - [S=3]
-        RewriteRule ^wp-includes/[^/]+\.php$ - [L]
-        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [L]
-        RewriteRule ^wp-includes/theme-compat/ - [L]
-
-        # WORDPRESS SINGLE-SITE SPECIAL INSTALLATIONS (Adjust path and domain/subdomain)
-
-            # --- WordPress in a subdirectory ---
-            #RewriteCond %{REQUEST_URI} ^/blog #adjust path
-            #RewriteCond %{REQUEST_FILENAME} !-f
-            #RewriteCond %{REQUEST_FILENAME} !-d
-            #RewriteRule ^ /blog/index.php [L]
-
-            # --- WordPress on a subdomain ---
-            #RewriteCond %{HTTP_HOST} ^blog\.sparxstar\.com$ [NC]
-            #RewriteCond %{REQUEST_FILENAME} !-f
-            #RewriteCond %{REQUEST_FILENAME} !-d
-            #RewriteRule ^ /path/to/wordpress/index.php [L]
-
-        # WORDPRESS MULTISITE (Choose ONE and uncomment as needed)
-
-            # --- SUBDOMAIN MULTISITE ---
-            #  (If using subdomains, uncomment this section and adjust domain)
-            #RewriteCond %{HTTP_HOST} ^([^.]+)\.sparxstar\.com$ [NC]
-            #RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
-            #RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
-            #RewriteRule . index.php [L]
-
-            # --- SUBDIRECTORY MULTISITE ---
-            # (If using subdirectories, uncomment this section)
-            RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]
-            RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]
-            RewriteRule . index.php [L]
-
-        # LARAVEL APPLICATION (Adjust path and domain/subdomain)
-
-            # --- SUBDOMAIN ---
-            #RewriteCond %{HTTP_HOST} ^laravel\.sparxstar\.com$ [NC]
-            #RewriteCond %{REQUEST_FILENAME} !-f
-            #RewriteCond %{REQUEST_FILENAME} !-d
-            #RewriteRule ^ /path/to/laravel/public/index.php [L]
-
-            # --- SUBDIRECTORY ---
-            RewriteCond %{REQUEST_URI} ^/laravel
-            RewriteCond %{REQUEST_FILENAME} !-f
-            RewriteCond %{REQUEST_FILENAME} !-d
-            RewriteRule ^ /path/to/laravel/public/index.php [L] #adjust path
-
-    </IfModules>
+    </Directory>
 
 </VirtualHost>