forked from h5bp/server-configs-apache
-
Notifications
You must be signed in to change notification settings - Fork 0
/
httpd.conf
173 lines (147 loc) · 6.55 KB
/
httpd.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# Configuration File - Apache Server Configs
# https://httpd.apache.org/docs/current/
# Sets the top of the directory tree under which the server's configuration,
# error, and log files are kept.
# Do not add a slash at the end of the directory path.
# If you point ServerRoot at a non-local disk, be sure to specify a local disk
# on the Mutex directive, if file-based mutexes are used.
# If you wish to share the same ServerRoot for multiple httpd daemons, you will
# need to change at least PidFile.
# https://httpd.apache.org/docs/current/mod/core.html#serverroot
ServerRoot "/usr/local/apache2"
# Loads Dynamic Shared Object (DSO), httpd modules.
# https://httpd.apache.org/docs/current/mod/mod_so.html#loadmodule
LoadModule mpm_event_module modules/mod_mpm_event.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule mime_module modules/mod_mime.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
# Enables Systemd module when available.
# Required on some operating systems.
# <IfFile modules/mod_systemd.so>
# LoadModule systemd_module modules/mod_systemd.so
# </IfFile>
<IfModule mod_unixd.c>
# Run as a unique, less privileged user for security reasons.
# User/Group: The name (or #number) of the user/group to run httpd as.
# Default: User #-1, Group #-1
# https://httpd.apache.org/docs/current/mod/mod_unixd.html
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
User www-data
Group www-data
</IfModule>
# Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default.
# https://httpd.apache.org/docs/current/mod/mpm_common.html#listen
# https://httpd.apache.org/docs/current/bind.html
Listen 80
Listen 443
# Sets The location of the error log file.
# If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
# Default: logs/error_log
# https://httpd.apache.org/docs/current/mod/core.html#errorlog
ErrorLog logs/error.log
# Minimum level of messages to be logged to the ErrorLog.
# Default: warn
# https://httpd.apache.org/docs/current/mod/core.html#loglevel
LogLevel warn
<IfModule mod_log_config.c>
# Defines NCSA Combined Log Format.
# https://httpd.apache.org/docs/current/mod/mod_log_config.html#logformat
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
# The location and format of the access logfile.
# If you *do* define per-<VirtualHost> access logfiles, transactions will
# be logged therein and *not* in this file.
# https://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog
CustomLog logs/access.log combined
</IfModule>
# Optimize TLS by caching session parameters.
# By enabling a cache, we tell the client to re-use the already negotiated
# state. This cuts down on the number of expensive TLS handshakes.
# https://httpd.apache.org/docs/current/mod/mod_socache_shmcb.html
<IfModule mod_socache_shmcb.c>
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLSessionCache
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_gcache_data(10485760)"
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessioncachetimeout
SSLSessionCacheTimeout 86400
</IfModule>
# Prevent Apache from sending its version number, the description of the
# generic OS-type or information about its compiled-in modules in the "Server"
# response header.
# https://httpd.apache.org/docs/current/mod/core.html#servertokens
ServerTokens Prod
Include h5bp/security/server_software_information.conf
# Prevent Apache from responding to `TRACE` HTTP request.
# The TRACE method, while seemingly harmless, can be successfully
# leveraged in some scenarios to steal legitimate users' credentials.
# https://httpd.apache.org/docs/current/mod/core.html#traceenable
TraceEnable Off
# Enable HTTP/2 protocol
# Default: http/1.1
# https://httpd.apache.org/docs/current/mod/core.html#protocols
<IfModule mod_http2.c>
Protocols h2 http/1.1
</IfModule>
# Blocks access to files that can expose sensitive information.
Include h5bp/security/file_access.conf
<IfModule mod_authz_core.c>
<LocationMatch "(^|/)\.(?!well-known/)">
Require all denied
</LocationMatch>
</IfModule>
# Prevent multiviews errors.
Include h5bp/errors/error_prevention.conf
# Prevent unexpected file accesses and external configuration execution.
# https://httpd.apache.org/docs/current/misc/security_tips.html#systemsettings
# https://httpd.apache.org/docs/current/mod/core.html#allowoverride
# https://httpd.apache.org/docs/current/mod/mod_authz_core.html#require
<Directory "/">
AllowOverride None
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
</Directory>
<IfModule mod_mime.c>
# TypesConfig points to the file containing the list of mappings from
# filename extension to MIME-type.
TypesConfig conf/mime.types
</IfModule>
# Specify MIME types for files.
Include h5bp/media_types/media_types.conf
# Set character encodings.
Include h5bp/media_types/character_encodings.conf
# On systems that support it, memory-mapping or the sendfile syscall may be
# used to deliver files.
# This usually improves server performance, but must be turned off when serving
# from networked-mounted filesystems or if support for these functions is
# otherwise broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
# https://httpd.apache.org/docs/current/mod/core.html#enablemmap
# https://httpd.apache.org/docs/current/mod/core.html#enablesendfile
EnableMMAP Off
EnableSendfile On
# Enable gzip compression.
Include h5bp/web_performance/compression.conf
# Enable ETags validation.
Include h5bp/web_performance/etags.conf
# Specify file cache expiration.
Include h5bp/web_performance/cache_expiration.conf
# Enable rewrite engine.
Include h5bp/rewrites/rewrite_engine.conf
# Include VirtualHost files in the vhosts folder.
# VirtualHost configuration files should be placed in the vhosts folder.
# The configurations should be disabled by prefixing files with a dot.
Include vhosts/*.conf