# generated 2023-08-21, Mozilla Guideline v5.7, Apache 2.4.41, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=intermediate&openssl=1.1.1k&guideline=5.7
# this configuration requires mod_ssl, mod_socache_shmcb, mod_rewrite, and mod_headers
# Site template for kivitendo-erp: redirects requests to https:// and serves the
# application over TLS through mod_fcgid.
# NOTE(review): no <VirtualHost>/<Directory> section lines are visible in this
# listing, so the section each directive belongs to cannot be confirmed from
# here. Notes below that depend on scoping are marked as such.

# Send every request to the https:// URL for the same host and path with a
# permanent (301) redirect. Paths under /.well-known/acme-challenge/ are left
# unredirected.
# NOTE(review): the redirect target is built from HTTP_HOST, i.e. the
# client-supplied Host header. No ServerName is visible here, so a request
# carrying a forged Host header would be redirected to that host; consider
# redirecting to a fixed, configured hostname instead.
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
SSLEngine on
# enable HTTP/2, if available
Protocols h2 http/1.1
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
# The policy as written covers this host name only (no includeSubDomains).
Header always set Strict-Transport-Security "max-age=63072000"
ServerAdmin webmaster@localhost
DocumentRoot /var/www/kivitendo-erp
# Files ending in .fpl are run through mod_fcgid.
AddHandler fcgid-script .fpl
# Largest accepted request body: 10485760 bytes (10 MiB).
FcgidMaxRequestLen 10485760
# I/O timeout towards the FastCGI application, in seconds (32000 s is close to
# nine hours).
# NOTE(review): a timeout this long lets a stalled request hold a worker for
# hours; confirm the application really needs it.
FcgidIOTimeout 32000
# Any top-level request whose path starts with a name ending in ".pl" is mapped
# to the FastCGI dispatcher script.
AliasMatch ^/[^/]+\.pl /var/www/kivitendo-erp/dispatcher.fpl
# NOTE(review): Alias takes a literal URL-path prefix, not a regular expression,
# so "[^/]" is compared literally. This looks like a pattern meant for AliasMatch
# or a mistyped "/"; verify against the intended URL layout.
Alias [^/] /var/www/kivitendo-erp/
# disallow access to .git or config for all cases
# NOTE(review): the section that scopes this denial is not visible here. Confirm
# that it matches the .git and config paths and is not overridden by the
# "Require all granted" further down.
Require all denied
# Refuse any request in this scope that did not arrive over TLS.
SSLRequireSSL
# ExecCGI allows script execution, Includes enables server-side includes
# (IncludesNOEXEC is the variant without the exec element), FollowSymlinks lets
# Apache follow symbolic links found in this tree.
# NOTE(review): confirm that the application needs server-side includes at all.
Options ExecCGI Includes FollowSymlinks
# .htaccess files may override every directive that is allowed in .htaccess,
# including authentication and authorization settings.
AllowOverride All
Require all granted
# Optional HTTP Basic authentication, switched on by the use_basic_auth template
# variable. Credentials are checked against /etc/apache2/.htpasswd.
# NOTE(review): in Apache 2.4, several Require lines in one section that are not
# wrapped in <RequireAll> are combined as "any of". If "Require all granted"
# above is in the same section as "Require valid-user", access is granted
# without credentials and the Basic auth prompt is never enforced. Emit
# "Require all granted" only when Basic auth is disabled, or wrap the two in
# <RequireAll>.
{% if use_basic_auth == true %}
AuthUserFile /etc/apache2/.htpasswd
AuthName "Please authenticate"
AuthType Basic
Require valid-user
{% endif %}
# Deny all access (Apache 2.2 syntax, provided by mod_access_compat on 2.4).
# NOTE(review): the path this applies to is not visible here. The rest of the
# file uses 2.4-style Require, and mixing both styles is discouraged by the
# Apache documentation; "Require all denied" is the 2.4 equivalent.
Order Deny,Allow
Deny from All
# Certificate, private key and chain paths come from the ssl template variable.
# NOTE(review): SSLCertificateChainFile is obsolete since Apache 2.4.8; the
# intermediate certificates can be appended to the SSLCertificateFile file.
# The key file should be readable by root only.
SSLCertificateFile {{ ssl.CertFile }}
SSLCertificateKeyFile {{ ssl.CertKey }}
SSLCertificateChainFile {{ ssl.ChainFile }}
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
# intermediate configuration
# Disables SSLv3, TLS 1.0 and TLS 1.1; the newer protocol versions supported by
# the linked OpenSSL stay enabled.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Cipher list for TLS 1.2 and below: ECDHE and DHE key exchange with AES-GCM or
# ChaCha20-Poly1305 only.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
# The client's cipher preference is used rather than the server's order.
SSLHonorCipherOrder off
# TLS session tickets are disabled.
SSLSessionTickets off
# OCSP stapling with a 32768-byte shared-memory cache (mod_socache_shmcb).
# NOTE(review): SSLStaplingCache is only valid at server-config level, outside
# any <VirtualHost>; confirm where this line ends up in the rendered file.
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet