X-Git-Url: https://iankelling.org/git/?p=basic-https-conf;a=blobdiff_plain;f=web-conf;fp=web-conf;h=074fddd45c6279b62a9919a1544441caaf38ac60;hp=274f1eb91191274651dd6acacaec6a43a53ef74f;hb=06cb6315863aab25ba94359e0fc397c2f44677c5;hpb=1789ce6a87ccf1d83edf335c3ae3a4ac5ad8c5f6

diff --git a/web-conf b/web-conf
index 274f1eb..074fddd 100755
--- a/web-conf
+++ b/web-conf
@@ -158,9 +158,12 @@ if [[ $t == apache2 ]]; then
 
     cat >$vhost_file <<EOF
 <VirtualHost *:$port>
-        ServerName $h
-        ServerAlias www.$h
-        DocumentRoot $root
+ServerName $h
+ServerAlias www.$h
+DocumentRoot $root
+<Directory $root>
+  Options -Indexes -FollowSymlinks
+</Directory>
 EOF
 
     if [[ $extra_settings ]]; then
@@ -172,7 +175,7 @@ EOF
         # https://httpd.apache.org/docs/2.4/mod/mod_http2.html
         a2enmod http2
         cat >>$vhost_file <<EOF
-        Protocols h2 http/1.1
+Protocols h2 http/1.1
 EOF
     fi
 
@@ -182,8 +185,8 @@ EOF
         # reference: https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
         # retry=0: https://stackoverflow.com/questions/683052/why-am-i-getting-an-apache-proxy-503-error
         cat >>$vhost_file <<EOF
-        ProxyPass "/"  "http://$proxy/" retry=0
-        ProxyPassReverse "/"  "http://$proxy/"
+ProxyPass "/"  "http://$proxy/" retry=0
+ProxyPassReverse "/"  "http://$proxy/"
 EOF
     fi
 
@@ -193,29 +196,29 @@ EOF
         https_arg=" https"
         common_ssl_conf=/etc/apache2/common-ssl.conf
         cat >>$vhost_file <<EOF
-        SSLCertificateFile $cert_dir/fullchain.pem
-        SSLCertificateKeyFile $cert_dir/privkey.pem
-        Include $common_ssl_conf
-        # From cerbot generated config example, taken 4/2017,
-        # should be rechecked once a year or so.
-        Header always set Strict-Transport-Security "max-age=31536000"
-        SSLUseStapling on
-        Header always set Content-Security-Policy upgrade-insecure-requests
+SSLCertificateFile $cert_dir/fullchain.pem
+SSLCertificateKeyFile $cert_dir/privkey.pem
+Include $common_ssl_conf
+# From cerbot generated config example, taken 4/2017,
+# should be rechecked once a year or so.
+Header always set Strict-Transport-Security "max-age=31536000"
+SSLUseStapling on
+Header always set Content-Security-Policy upgrade-insecure-requests
 EOF
 
         echo "$0: creating $redir_file"
         cat >$redir_file <<EOF
 <VirtualHost *:80>
-        ServerName $h
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
+ServerName $h
+ServerAdmin webmaster@localhost
+DocumentRoot /var/www/html
 
-        ErrorLog \${APACHE_LOG_DIR}/error.log
-        CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog \${APACHE_LOG_DIR}/error.log
+CustomLog \${APACHE_LOG_DIR}/access.log vhost_time_combined
 
-        RewriteEngine on
-        RewriteCond %{SERVER_NAME} =$h
-        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
+RewriteEngine on
+RewriteCond %{SERVER_NAME} =$h
+RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
 </VirtualHost>
 EOF
         if ! $listen_80; then
@@ -240,22 +243,16 @@ SSLProtocol             all -SSLv2 -SSLv3
 SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 SSLHonorCipherOrder     on
 SSLCompression          off
+SSLSessionTickets       off
 
 SSLOptions +StrictRequire
 
 # Add vhost name to log entries:
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
 LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
-
-#CustomLog /var/log/apache2/access.log vhost_combined
-#LogLevel warn
-#ErrorLog /var/log/apache2/error.log
-
-# Always ensure Cookies have "Secure" set (JAH 2012/1)
-#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
 EOF
 
-        upstream=https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+        upstream=https://raw.githubusercontent.com/certbot/certbot/master/certbot-apache/certbot_apache/options-ssl-apache.conf
         if ! diff -u <(wget -q -O - $upstream) $common_ssl_conf; then
             cat <<EOF
 WARNING!!!!!!!!!
@@ -273,8 +270,8 @@ EOF
     fi # end if $ssl
 
     cat >>$vhost_file <<'EOF'
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
+ErrorLog ${APACHE_LOG_DIR}/error.log
+CustomLog ${APACHE_LOG_DIR}/access.log vhost_time_combined
 </VirtualHost>
 EOF
 
@@ -342,25 +339,27 @@ ssl_stapling_verify on;
 EOF
     cat >$vhost_file <<EOF
 server {
-    server_name $h www.$h;
-    root $root;
-    listen $port $ssl_arg;
-    listen [::]:$port $ssl_arg;
-
+  server_name $h www.$h;
+  root $root;
+  listen $port $ssl_arg;
+  listen [::]:$port $ssl_arg;
+  location $root {
+    autoindex off;
+  }
 EOF
     if $ssl; then
         cat >>$vhost_file <<EOF
-    ssl_certificate $cert_dir/fullchain.pem;
-    ssl_certificate_key $cert_dir/privkey.pem;
-    include $common_ssl_conf;
+  ssl_certificate $cert_dir/fullchain.pem;
+  ssl_certificate_key $cert_dir/privkey.pem;
+  include $common_ssl_conf;
 EOF
 
         cat >$redir_file <<EOF
 server {
-    server_name $h www.$h;
-    listen 80 $http2_arg;
-    listen [::]:80 $http2_arg;
-    return 301 https://$server_name$request_uri;
+  server_name $h www.$h;
+  listen 80 $http2_arg;
+  listen [::]:80 $http2_arg;
+  return 301 https://$server_name$request_uri;
 }
 EOF
     fi # end if $ssl
@@ -371,14 +370,14 @@ EOF
 
     if [[ $proxy ]]; then
         cat >>$vhost_file <<EOF
-    location / {
-        proxy_set_header Host \$host;
-        proxy_set_header X-Real-IP \$remote_addr;
-        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Ssl on;
-        proxy_set_header X-Forwarded-Port $port;
-        proxy_pass http://$proxy;
-    }
+  location / {
+    proxy_set_header Host \$host;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-Port $port;
+    proxy_pass http://$proxy;
+  }
 EOF
     fi