SSL Labs graded A+, Apache 2.4
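<VirtualHost *:80>
    # Plain-HTTP listener. Its only job is to hand every request to the TLS
    # vhost; the Redirect below matches all paths, so the Directory and
    # FilesMatch sections are not reached for normal requests and are kept
    # only so the two vhosts stay structurally aligned.
    ServerName mywebapp.com
    ServerAlias www.mywebapp.com
    DocumentRoot "/var/www/app/mylaravelapp/public"
    DirectoryIndex index.php index.html

    # "permanent" (301) instead of the default 302, and a trailing slash on
    # the target: mod_alias appends the rest of the URL-path to the target
    # exactly as written, so without the slash the host and path run together.
    # NOTE(review): the HSTS preload list expects http://www.mywebapp.com to
    # redirect to https://www.mywebapp.com (same host) before any apex
    # redirect; this sends www straight to the apex - confirm before
    # submitting the domain for preloading.
    Redirect permanent "/" "https://mywebapp.com/"

    <Directory "/var/www/app/mylaravelapp/public">
        # No directory listings on the plain-HTTP side either; the TLS vhost
        # already uses -Indexes, the original :80 block enabled them.
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>

    ErrorLog "${APACHE_LOG_DIR}/mywebapp.com-error.log"
    CustomLog "${APACHE_LOG_DIR}/mywebapp.com-access.log" vhost_combined
</VirtualHost>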
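<IfModule mod_ssl.c>
<VirtualHost *:443>
    # TLS vhost for the Laravel application; PHP is handed to php-fpm over
    # FastCGI on the loopback interface.
    ServerAdmin [email protected]
    ServerName mywebapp.com
    ServerAlias www.mywebapp.com
    DocumentRoot "/var/www/app/mylaravelapp/public"
    DirectoryIndex index.php index.html

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        # No Require here on purpose: access to "/" stays whatever the
        # server-level config grants (presumably "Require all denied" from the
        # distribution's apache2.conf - verify on the host).
    </Directory>

    <Directory "/var/www/app/mylaravelapp/public">
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        # Stated explicitly instead of relying on a server-level grant for
        # /var/www, and to match the port-80 vhost.
        Require all granted
    </Directory>

    <FilesMatch "\.php$">
        SetHandler "proxy:fcgi://127.0.0.1:9000/"
    </FilesMatch>

    LogLevel info ssl:warn
    ErrorLog "${APACHE_LOG_DIR}/mywebapp.com-error.log"
    CustomLog "${APACHE_LOG_DIR}/mywebapp.com-access.log" vhost_combined

    SSLEngine on
    # fullchain.pem already carries the intermediate(s); no separate
    # SSLCertificateChainFile is needed (that directive is deprecated anyway).
    SSLCertificateFile /etc/letsencrypt/live/mywebapp.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mywebapp.com/privkey.pem

    # Exactly one SSLProtocol line. The original had two, and the later
    # "All -SSLv2 -SSLv3" overrode the earlier "TLSv1.2", silently re-enabling
    # TLS 1.0 and 1.1. "-all +TLSv1.2" pins 1.2 regardless of the build's
    # defaults; append "+TLSv1.3" once the httpd/OpenSSL pair supports it.
    SSLProtocol -all +TLSv1.2
    SSLCompression off
    SSLHonorCipherOrder on
    # Directive spelled correctly (the original "SSLCipherSUite" only worked
    # because directive names are case-insensitive). The old fallback list
    # that included 3DES and plain-RSA suites has been removed rather than
    # left commented out where it could be re-enabled by accident.
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !CAMELLIA !SEED !3DES !RC4 !aNULL !eNULL !LOW !MD5 !EXP !PSK !SRP !DSS"

    # A single curve works but excludes X25519 and P-256, which most clients
    # prefer. NOTE(review): "X25519:secp384r1:prime256v1" is the usual list on
    # OpenSSL >= 1.1.0 - confirm the library version before widening.
    SSLOpenSSLConfCmd Curves secp384r1
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

    # OCSP stapling is left off. If it is enabled, SSLStaplingCache must be
    # declared at server (global) scope - it is not allowed inside a
    # VirtualHost and httpd will refuse to start - while the other three
    # directives may stay here.
    #SSLUseStapling on
    #SSLStaplingResponderTimeout 5
    #SSLStaplingReturnResponderErrors off
    # (server scope) SSLStaplingCache shmcb:/var/run/ocsp(128000)

    # Client-certificate authentication is not configured; kept for reference.
    #SSLCACertificatePath /etc/ssl/certs/
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # +FakeBasicAuth only does anything when SSLVerifyClient is active
    # (it maps the client cert subject to a Basic-auth user); with client
    # verification disabled above it is inert. +StrictRequire makes an SSL
    # "deny" win over "Satisfy any".
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        # Expose SSL_* variables to the FastCGI backend.
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>
</IfModule>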
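# /etc/apache2/conf-enabled/security.conf
#
# Server-wide hardening. Everything in this file applies to every vhost,
# including the plain-HTTP redirector on port 80.

# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
#    AllowOverride None
#    Require all denied
#</Directory>

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

# ServerTokens: what the Server response header reveals. One of
# Full | OS | Minimal | Minor | Major | Prod, from most to least information
# (the default, Full, includes OS type and compiled-in modules).
ServerTokens Prod

# ServerSignature: server version / vhost line on server-generated pages
# (internal error documents, mod_status and mod_info output, etc., but not
# CGI output or custom error documents). One of On | Off | EMail, where
# EMail also adds a mailto: link to the ServerAdmin.
ServerSignature Off

# TraceEnable: One of On | Off | extended. "extended" also reflects the
# request body and is for testing and diagnostics only.
TraceEnable Off

# Forbid access to version control directories if any live under the
# document root. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
#    Require all denied
#</DirectoryMatch>

# Response headers. All of these require mod_headers to be enabled.
#
# "always" is used instead of a bare "set": the bare form only touches
# successful responses, so 4xx/5xx error pages went out without
# X-Frame-Options / X-Content-Type-Options. With "always" every response
# carries them.
#
# HSTS is only meaningful over TLS (RFC 6797: a server must not send it on a
# plain-HTTP connection), so it is conditioned on the request being HTTPS
# rather than relying on the port-80 vhost redirecting first. The expr=
# condition needs httpd 2.4.10 or later. The value uses the RFC spelling
# "includeSubDomains" and drops the stray trailing ";" (browsers tolerated it,
# but it is not part of the documented form). Two years (63072000 s)
# comfortably exceeds the preload list's minimum max-age.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" "expr=%{HTTPS} == 'on'"

# Prevents other sites from embedding pages from this site as frames
# (clickjacking defence).
Header always set X-Frame-Options "SAMEORIGIN"

# Stops browsers from interpreting files as something other than the
# declared Content-Type.
Header always set X-Content-Type-Options "nosniff"

# Legacy browser XSS filter; harmless to keep, but modern browsers ignore it
# and rely on Content-Security-Policy instead (not set in this file).
Header always set X-XSS-Protection "1; mode=block"

# NOTE(review): "origin" sends the scheme+host to every destination,
# including plain-HTTP ones; "strict-origin-when-cross-origin" is the more
# common choice for a TLS-only site - confirm the application does not
# depend on the current Referer behaviour before changing it.
Header always set Referrer-Policy "origin"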