# Plain-HTTP (port 80) VirtualHost for $domain. The original note says this
# redirects HTTP to HTTPS permanently (301) so browsers stay on HTTPS from
# then on; the redirect itself is not in this macro but is expected to live
# in sites-includes/http-base.conf (not visible here - confirm it issues a
# 301 and keeps /.well-known/ reachable if certbot's HTTP-01 challenge is
# used on these hosts).
#
# Example:
#   Use AutoRedirect test.satzweiss.com
#
# NOTE(review): the SSLPlone* macros further down call "SWAutoRedirect",
# which is not defined in this file (only AutoRedirect is). Verify that it
# exists in an included file or was meant to be this macro.
<Macro AutoRedirect $domain>
<VirtualHost *:80>
ServerName $domain
Include sites-includes/http-base.conf
</VirtualHost>
</Macro>
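# Restricts access to the whole VirtualHost (<Location />) to internal IPs only.
# Add extra internal IPs to: sites-includes/internal-ips.conf (one
# "Require ip <address-or-CIDR>" per line; the file is included inside the
# <RequireAny> below, so any line in it grants access).
# Intended for development or testing hosts only.
#
# Caveats:
#  * "Require ip" tests the TCP peer address. If a reverse proxy sits in front
#    of Apache, only that proxy's address is seen. If mod_remoteip is used to
#    restore the client address (RemoteIPHeader), it MUST be limited with
#    RemoteIPInternalProxy / RemoteIPTrustedProxy, otherwise a client-supplied
#    X-Forwarded-For header bypasses this restriction.
#  * <Location> sections are merged in the order they appear in the
#    configuration. A later <Location> in the same vhost that carries its own
#    Require directives replaces this one for the paths it covers (default
#    AuthMerging Off), so keep "Use RestrictInternal" last.
#
# Example:
#   Use RestrictInternal
<Macro RestrictInternal>
    <Location />
        <RequireAny>
            # Apache may connect to itself over IPv4 or IPv6 loopback
            # (::1 was missing before; local checks over "localhost" resolving
            # to IPv6 were denied).
            Require ip 127.0.0.1
            Require ip ::1
            # extra internal ips
            Include sites-includes/internal-ips.conf
        </RequireAny>
    </Location>
</Macro>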
# Activate an existing Let's Encrypt certificate by its certbot lineage name
# ($cert is the directory name under /etc/letsencrypt/live/). Protocol, cipher
# and HSTS settings are expected in sites-includes/ssl-base.conf (not visible
# here - confirm).
#
# Example:
#   Use LECert test.satzweiss.com
#
# Notes:
#  * privkey.pem is read at startup while httpd still runs as root, so it does
#    not need to be (and should not be) readable by the worker user.
#  * SSLCertificateChainFile is obsolete since httpd 2.4.8; pointing
#    SSLCertificateFile at fullchain.pem is the equivalent modern form.
<Macro LECert $cert>
Include sites-includes/ssl-base.conf
SSLCertificateFile /etc/letsencrypt/live/$cert/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/$cert/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/$cert/chain.pem
</Macro>
# Give the log files a certain name: access_<name>.log and error_<name>.log
# under /var/log/apache2.
#
# Example:
#   Use Log www.satzweiss.com
#
# NOTE(review): LogFormat nicknames are case-sensitive. The stock Debian/Ubuntu
# configuration defines "combined" (lowercase); "Combined" only works if a
# LogFormat with exactly that nickname is defined elsewhere - otherwise
# mod_log_config treats the word as a literal format string. Verify.
<Macro Log $name>
CustomLog /var/log/apache2/access_$name.log Combined
ErrorLog /var/log/apache2/error_$name.log
</Macro>
# Redirects (301) every host name that starts with "www." to the non-www form,
# keeping scheme, path and query string.
#
# Example:
#   Use NoWWW
#
# Security note: the redirect target is built from the client-supplied Host
# header (%{HTTP_HOST}). Use this only inside a VirtualHost with an explicit
# ServerName/ServerAlias, where Apache has already matched the host; in a
# default (catch-all) vhost it becomes an open redirect to whatever host the
# client names.
<Macro NoWWW>
RewriteEngine On
# host starts with "www." (case-insensitive)
RewriteCond %{HTTP_HOST} ^www\. [NC]
# %1 = host with the leading "www." stripped
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# NE: do not re-escape the substituted URI; R=301: permanent redirect
RewriteRule ^ %{REQUEST_SCHEME}://%1%{REQUEST_URI} [L,NE,R=301]
</Macro>
# Redirects (301) every host name that does NOT start with "www." to the
# www-prefixed form, keeping scheme, path and query string.
#
# Example:
#   Use ForceWWW
#
# Security note: as with NoWWW, the target host is taken from the
# client-supplied Host header. Only use it inside a VirtualHost with an
# explicit ServerName/ServerAlias; in a default (catch-all) vhost it redirects
# to www.<any host the client names>.
<Macro ForceWWW>
RewriteEngine On
# host does not start with "www." (case-insensitive)
RewriteCond %{HTTP_HOST} !^www\. [NC]
# %1 = the full host (the optional www. group cannot match here)
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
# NE: do not re-escape the substituted URI; R=301: permanent redirect
RewriteRule ^ %{REQUEST_SCHEME}://www.%1%{REQUEST_URI} [L,NE,R=301]
</Macro>
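# Ask crawlers not to index this site via the X-Robots-Tag response header.
# This is advisory only (well-behaved bots honour it; it is not access
# control) and applies to every search engine, not just Google.
#
# Example:
#   Use NoGoogle
#
# Note: if mod_headers is not loaded the <IfModule> guard silently drops the
# directive and the site is NOT tagged.
<Macro NoGoogle>
    <IfModule mod_headers.c>
        # "always" also tags redirects and error responses, which the default
        # success-only header table would leave untagged.
        Header always set X-Robots-Tag noindex
    </IfModule>
</Macro>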
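# Exposes mod_proxy_balancer's management page at /balancer-manager.
#
# That page lets anyone who can reach it change balancer members, drain or
# disable backends and edit routing, so it must never be world-reachable.
# The previous "Require all granted" made it public on every vhost that did
# not also apply RestrictInternal; access is now limited to loopback plus the
# addresses in sites-includes/internal-ips.conf (the same list RestrictInternal
# uses). The Plone macro below exempts this path from its proxy rewrite so the
# handler can serve it.
#
# Example:
#   Use BalancerManager
<Macro BalancerManager>
    <Location /balancer-manager>
        SetHandler balancer-manager
        <RequireAny>
            # IPv4 and IPv6 loopback
            Require ip 127.0.0.1
            Require ip ::1
            # extra internal ips
            Include sites-includes/internal-ips.conf
        </RequireAny>
    </Location>
</Macro>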
# Always redirects the domain $domain to $target with a temporary (302)
# redirect. This macro only covers plain-HTTP requests; for HTTPS requests
# AlwaysRedirectSSL must be used.
# Paths are preserved, i.e. a.com/path is redirected to b.com/path (mod_rewrite
# appends the query string automatically).
# Requests under /.well-known are served from /var/www/certbot instead of
# being redirected, so certbot's HTTP-01 challenge keeps working for $domain.
#
# Example:
#   Use AlwaysRedirect 110ecode.com http://satzweiss.com
#
# Notes:
#  * $target is a fixed macro argument, not client input, so this is not an
#    open redirect. %{REQUEST_URI} starts with "/", so $target should not end
#    with a slash.
#  * For a permanent domain move a 301 would let clients and search engines
#    cache the new location; 302 is the original author's choice.
#  * "RewriteCond %{HTTPS} off" is always true on a *:80 vhost - harmless but
#    redundant.
#  * The ServerAdmin value "[email protected]" looks like an artefact of how
#    this file was published rather than a real address - verify.
<Macro AlwaysRedirect $domain $target>
<VirtualHost *:80>
Servername $domain
ServerAdmin [email protected]
# ACME challenge files stay reachable regardless of the redirect below
<Location "/.well-known">
Require all granted
</Location>
DocumentRoot /var/www/certbot
RewriteEngine On
RewriteCond %{HTTPS} off
# do not redirect the ACME challenge path
RewriteCond %{REQUEST_URI} !^/.well-known/(.*)
RewriteRule (.*) $target%{REQUEST_URI} [R=302,L]
</VirtualHost>
</Macro>
# Same as AlwaysRedirect, but HTTPS requests for $domain are caught as well.
# That requires a certificate for $domain, given as the Let's Encrypt lineage
# name $lecert (see LECert).
#
# Example:
#   Use AlwaysRedirectSSL 110ecode.com http://satzweiss.com 110ecode.com
#
# Notes:
#  * $target should itself be an https:// URL; redirecting an HTTPS request to
#    an http:// target (as in the example) downgrades the client to plain text.
#  * "RewriteCond %{HTTPS} on" is always true on the *:443 vhost; it is kept
#    for symmetry with AlwaysRedirect.
<Macro AlwaysRedirectSSL $domain $target $lecert>
    # the port-80 half is exactly AlwaysRedirect
    Use AlwaysRedirect $domain $target
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName $domain
        Use LECert $lecert
        RewriteEngine On
        RewriteCond %{HTTPS} on
        # temporary redirect, path preserved, query string appended by mod_rewrite
        RewriteRule (.*) $target%{REQUEST_URI} [R=302,L]
    </VirtualHost>
</Macro>
# Binds a Plone site with a certain name to a pre-defined load balancer (or a
# direct backend URL) through Zope's VirtualHostMonster: every request is
# proxied to
#   $balancer/VirtualHostBase/<scheme>/<host>:<port>/$sitename/VirtualHostRoot/<path>
#
# Arguments: $balancer first, $sitename second.
#
# Example:
#   <Proxy balancer://lb>
#       BalancerMember http://127.0.0.1:8080
#   </Proxy>
#   Use Plone balancer://lb myplonesite
#   (the previous example had the two arguments swapped, which contradicts
#   the macro signature and the other callers in this file.)
#
# Security notes:
#  * %{HTTP_HOST} is taken from the client. Inside a vhost with an explicit
#    ServerName/ServerAlias Apache has already matched it; in a default
#    (catch-all) vhost an arbitrary Host header ends up in the absolute URLs
#    Zope generates (host-header injection).
#  * The <LocationMatch "^[^/]"> deny is defence in depth against
#    forward-proxy style absolute-URI requests; the primary safeguard is
#    leaving ProxyRequests at its default Off.
#  * /balancer-manager is exempted from the proxy so the BalancerManager
#    macro can serve it - make sure that page is access-restricted.
<Macro Plone $balancer $sitename>
<IfModule mod_proxy.c>
# add a Via header for this host to proxied requests and responses
ProxyVia on
# 1800 s = 30 min backend timeout for slow Zope requests
ProxyTimeout 1800
# prevent the webserver from being used as a (forward) proxy
<LocationMatch "^[^/]">
Require all denied
</LocationMatch>
<IfModule mod_rewrite.c>
RewriteEngine on
# keep encoded slashes (%2F) intact in the path handed to Zope
AllowEncodedSlashes NoDecode
# anything under /balancer-manager is handled locally, not proxied
RewriteCond %{REQUEST_URI} !^/balancer-manager(.*)
# P: proxy the rewritten URL; L: stop rewrite processing
RewriteRule ^/(.*) $balancer/VirtualHostBase/%{REQUEST_SCHEME}/%{HTTP_HOST}:%{SERVER_PORT}/$sitename/VirtualHostRoot/$1 [P,L]
</IfModule>
</IfModule>
</Macro>
# Plone site living at the Zope root: same as Plone, with "/" substituted for
# the site segment of the VirtualHostBase path.
#
# Example:
#   Use PloneRoot balancer://lb
<Macro PloneRoot $balancer>
Use Plone $balancer /
</Macro>
# Shorthand for a development Plone site served over HTTPS.
# Only works if the Let's Encrypt certificate name is the same as the domain.
#
# Example:
#   Use SSLPloneDevShort db.dev.bfd.satzweiss.info http://10.100.20.145:8080 bfd-db
#
# NOTE(review):
#  * "SWAutoRedirect" is not defined in this file (only AutoRedirect is);
#    confirm it exists in another included file.
#  * RestrictInternal is commented out, so this vhost - including the
#    /balancer-manager page added by BalancerManager - is reachable from the
#    internet unless the BalancerManager macro restricts access by itself.
#    Re-enable RestrictInternal or make sure BalancerManager is locked down.
#  * BalancerManager and RestrictInternal both add <Location> sections, which
#    merge in order of appearance; keep RestrictInternal after
#    BalancerManager if it is re-enabled.
<Macro SSLPloneDevShort $domain $backend $sitename>
Use SWAutoRedirect $domain
<VirtualHost *:443>
ServerName $domain
Use Log $domain
Use NoGoogle
Use BalancerManager
#Use RestrictInternal
Use LECert $domain
Use Plone $backend $sitename
</VirtualHost>
</Macro>
# Shorthand for the admin client of a Plone site, served over HTTPS.
# Only works if the Let's Encrypt certificate name is the same as the domain.
# Only accessible from the Satzweiss intranet (via RestrictInternal).
#
# Example:
#   Use SSLPloneAdmin admin.prod.barf.satzweiss.info http://10.100.20.160:8183 /
#
# NOTE(review):
#  * "SWAutoRedirect" is not defined in this file - see SSLPloneDevShort.
#  * Keep "Use RestrictInternal" AFTER "Use BalancerManager": <Location>
#    sections merge in configuration order, so the later <Location /> Require
#    set is what applies to /balancer-manager. Swapping the two lines would
#    expose the balancer manager if BalancerManager grants access by itself.
#  * "Only accessible from intranet" relies on the TCP peer address; see the
#    reverse-proxy caveat on RestrictInternal.
<Macro SSLPloneAdmin $domain $backend $sitename>
Use SWAutoRedirect $domain
<VirtualHost *:443>
ServerName $domain
Use Log $domain
Use NoGoogle
Use BalancerManager
Use RestrictInternal
Use LECert $domain
Use Plone $backend $sitename
</VirtualHost>
</Macro>
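# Reverse-proxies the whole vhost ("/") to $url.
#
# Example:
#   Use RawProxy http://127.0.0.1:8080/
#
# What the directives do (the previous comments described two of them wrongly):
#  * ProxyAddHeaders On makes mod_proxy add X-Forwarded-For, X-Forwarded-Host
#    and X-Forwarded-Server to the request sent to the backend. That is how
#    the client's IP reaches the backend; it is the default, made explicit.
#  * The former "RemoteIPHeader X-Forwarded-For" did the opposite: it made
#    Apache REPLACE the connection's client address with whatever an incoming
#    X-Forwarded-For header said. Without a RemoteIPInternalProxy /
#    RemoteIPTrustedProxy list mod_remoteip trusts that header from any peer,
#    so any client could spoof its address in the logs and bypass "Require ip"
#    restrictions such as RestrictInternal. It has been dropped. If a trusted
#    reverse proxy really sits in front of this Apache, re-add it together
#    with a "RemoteIPInternalProxy <proxy address>" line.
#  * AllowEncodedSlashes NoDecode keeps %2F / %5C in the request PATH (not the
#    query string) encoded instead of rejecting the request with 404.
#  * ProxyPreserveHost On passes the client's Host header to the backend
#    unchanged; the backend then sees whatever host the client sent.
#  * "nocanon" hands the raw, un-normalised path to the backend, so the
#    backend must do its own path normalisation ("..", encoded slashes, ...).
#  * ProxyPassReverse rewrites Location/Content-Location/URI response headers
#    that point at $url back to this vhost.
<Macro RawProxy $url>
    ProxyAddHeaders On
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    ProxyPass / $url nocanon
    ProxyPassReverse / $url
</Macro>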
# Like RawProxy, but for an https:// backend.
#
# WARNING: backend certificate validation is switched off completely below
# (no CA check, no name/CN check, expired certificates accepted). TLS to the
# backend then only protects against passive observers; an active attacker on
# the path to the backend can impersonate it. Use only for backends reached
# over a network you fully control. For anything else set
# SSLProxyCACertificateFile and "SSLProxyVerify require" instead.
#
# Example:
#   Use RawProxySSL https://127.0.0.1:8443/
<Macro RawProxySSL $url>
    Use RawProxy $url
    SSLProxyEngine on
    # everything below disables peer validation - see warning above
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerExpire off
</Macro>
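# Serves PHP files from $directory through the PHP-FPM unix socket
# /run/php/$socket.
#
# Example:
#   Use PHPSock /home/matomo/www/matomo php-fpm-matomo.sock
#
# Notes:
#  * The Authorization request header is exported as HTTP_AUTHORIZATION so
#    HTTP Basic auth reaches the application behind FastCGI.
#  * Only files that actually exist on disk are handed to PHP-FPM (<If -f>);
#    requests for non-existent scripts never reach the backend.
#  * *.phps sources and extension-only names such as ".php" are denied.
#  * AllowOverride All lets .htaccess files inside $directory change handlers
#    and access rules (Matomo ships such files to protect config/ and tmp/).
#    It also means anyone able to write files into $directory can change the
#    server configuration - keep upload paths out of this tree.
#  * The obsolete mod_access_compat line "Allow from all" was removed: it
#    duplicated "Require all granted", mixing 2.2-style Allow/Deny with
#    2.4-style Require is discouraged, and the line fails outright when
#    mod_access_compat is not loaded.
<Macro PHPSock $directory $socket>
    <IfModule setenvif_module>
        # pass HTTP auth credentials through to PHP-FPM
        SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
    # .php/.php3/.php4/.php5/.php7/.pht/.phtml -> PHP-FPM, existing files only
    <FilesMatch ".+\.ph(p[3457]?|t|tml)$">
        <If "-f %{SCRIPT_FILENAME}">
            SetHandler "proxy:unix:/run/php/$socket|fcgi://localhost"
        </If>
    </FilesMatch>
    # never serve PHP source highlights
    <FilesMatch ".+\.phps$">
        Require all denied
    </FilesMatch>
    # Deny access to files without filename (e.g. '.php')
    <FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
        Require all denied
    </FilesMatch>
    <Directory "$directory">
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
        <IfModule mod_dav.c>
            # no WebDAV on the application tree
            Dav off
        </IfModule>
    </Directory>
</Macro>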
# Like PHPSock, but mounts $directory under the URL prefix $alias.
#
# Example:
#   Use PHPAliasSock /matomo /home/matomo/www/matomo php-fpm-matomo.sock
#
# NOTE(review):
#  * "PHPHandler" is not defined in this file, and its argument order
#    ($socket $directory) is the reverse of PHPSock's ($directory $socket).
#    Verify that PHPHandler exists elsewhere with that signature; if this was
#    meant to be PHPSock, the call should read "Use PHPSock $directory $socket".
#  * The RewriteRule below stops rewrite processing for $alias so a later
#    catch-all proxy rule (e.g. the one from the Plone macro) does not swallow
#    it. Since both rules carry [L], this only works if the macro is used
#    BEFORE that catch-all rule in the vhost.
#  * $alias is interpolated into the regex unescaped; aliases containing
#    regex metacharacters (".", "+", ...) need escaping.
<Macro PHPAliasSock $alias $directory $socket>
Alias $alias $directory
Use PHPHandler $socket $directory
# pass-through ("-") with [L]: end rewriting for everything under $alias
RewriteRule ^$alias(/.*)?$ "-" [L]
</Macro>