BI_Maintenance/superx-ansible/config-files/apache/ssl/default-ssl.conf

# generated 2023-08-21, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.7

# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    SSLEngine on

    # enable HTTP/2, if available
    Protocols h2 http/1.1

    # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
    Header always set Strict-Transport-Security "max-age=63072000"

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/kivitendo-erp

        AddHandler fcgid-script .fpl
                FcgidMaxRequestLen 10485760
                FcgidIOTimeout 32000
        AliasMatch ^/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl
        Alias [^/]       /var/www/kivitendo-erp/


        # disallow access to  .git or config for all cases
        <DirectoryMatch "(\.git|config)/">
                        Require all denied
        </DirectoryMatch>

        <Directory /var/www/kivitendo-erp>
                SSLRequireSSL
                Options ExecCGI Includes FollowSymlinks
                AllowOverride All
                Require all granted
        </Directory>

{% if use_basic_auth == true %}
		<Location "/*">
			AuthUserFile /etc/apache2/.htpasswd
			AuthName "Please authenticate"
			AuthType Basic
			Require valid-user
		</Location>

{% endif %}
        <DirectoryMatch /var/www/kivitendo-erp/users>
                Order Deny,Allow
                Deny from All
        </DirectoryMatch>

		SSLCertificateFile {{ ssl.CertFile }}
		SSLCertificateKeyFile {{ ssl.CertKey }}
		SSLCertificateChainFile {{ ssl.ChainFile }}
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

# intermediate configuration
SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder     off
SSLSessionTickets       off

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
Ansible Script Install supeerx on Ubuntu 2022.04 #1 3 weeks ago			`# generated 2023-08-21, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration`
			`# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.7`

			`# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers`
			`<VirtualHost *:80>`
			`RewriteEngine On`
			`RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/`
			`RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]`
			`</VirtualHost>`

			`<VirtualHost *:443>`
			`SSLEngine on`

			`# enable HTTP/2, if available`
			`Protocols h2 http/1.1`

			`# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)`
			`Header always set Strict-Transport-Security "max-age=63072000"`

			`ServerAdmin webmaster@localhost`
			`DocumentRoot /var/www/kivitendo-erp`

			`AddHandler fcgid-script .fpl`
			`FcgidMaxRequestLen 10485760`
			`FcgidIOTimeout 32000`
			`AliasMatch ^/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl`
			`Alias [^/] /var/www/kivitendo-erp/`


			`# disallow access to .git or config for all cases`
			`<DirectoryMatch "(\.git\|config)/">`
			`Require all denied`
			`</DirectoryMatch>`

			`<Directory /var/www/kivitendo-erp>`
			`SSLRequireSSL`
			`Options ExecCGI Includes FollowSymlinks`
			`AllowOverride All`
			`Require all granted`
			`</Directory>`

			`{% if use_basic_auth == true %}`
			`<Location "/*">`
			`AuthUserFile /etc/apache2/.htpasswd`
			`AuthName "Please authenticate"`
			`AuthType Basic`
			`Require valid-user`
			`</Location>`

			`{% endif %}`
			`<DirectoryMatch /var/www/kivitendo-erp/users>`
			`Order Deny,Allow`
			`Deny from All`
			`</DirectoryMatch>`

			`SSLCertificateFile {{ ssl.CertFile }}`
			`SSLCertificateKeyFile {{ ssl.CertKey }}`
			`SSLCertificateChainFile {{ ssl.ChainFile }}`
			`ErrorLog ${APACHE_LOG_DIR}/error.log`
			`CustomLog ${APACHE_LOG_DIR}/access.log combined`
			`</VirtualHost>`

			`# intermediate configuration`
			`SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`
			`SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305`
			`SSLHonorCipherOrder off`
			`SSLSessionTickets off`

			`SSLUseStapling On`
			`SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"`

			`# vim: syntax=apache ts=4 sw=4 sts=4 sr noet`