Kallobombus hosts various sites. They all have their document root in my home directory, `/home/alex`.
These sites all have a file such as `alexschroeder` in `/etc/apache2/sites-available/` which is linked to `/etc/apache2/sites-enabled/000-alexschroeder.ch` and the like.
The following setup allows me to run Perl scripts in the document root. Note that I keep my certificates and key files in a local directory, `/home/alex/ssl`.
I stripped the commented stuff because I'm trying to just remember the important stuff.
```apache
# Define an access log for VirtualHosts that don't define their own logfile
CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined

LimitRequestLine 32000
LimitRequestFieldSize 32000
```
```apache
# Enable this for template generation
Alias /munin /var/cache/munin/www
<Directory /var/cache/munin/www>
        Order allow,deny
        # Allow from localhost 127.0.0.0/8 ::1
        Allow from all
        Options None
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
        <IfModule mod_expires.c>
            ExpiresActive On
            ExpiresDefault M310
        </IfModule>
</Directory>

# Enables fastcgi for munin-cgi-graph if present
ScriptAlias /munin-cgi/munin-cgi-graph /usr/lib/munin/cgi/munin-cgi-graph
<Location /munin-cgi/munin-cgi-graph>
        Order allow,deny
        # Allow from localhost 127.0.0.0/8 ::1
        Allow from all
        AuthUserFile /etc/munin/munin-htpasswd
        AuthName "Munin"
        AuthType Basic
        require valid-user
        <IfModule mod_fastcgi.c>
            SetHandler fastcgi-script
        </IfModule>
</Location>

ScriptAlias /munin-cgi/munin-cgi-html /usr/lib/munin/cgi/munin-cgi-html
<Location /munin-cgi/munin-cgi-html>
        Order allow,deny
        Allow from localhost 127.0.0.0/8 ::1
        # AuthUserFile /etc/munin/munin-htpasswd
        # AuthName "Munin"
        # AuthType Basic
        # require valid-user
        <IfModule mod_fastcgi.c>
            SetHandler fastcgi-script
        </IfModule>
</Location>
```
```apache
SetEnv PERL5LIB /home/alex/perl5/lib/perl5
```
```apache
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
ServerSignature Off

# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
TraceEnable Off
```
This one I wrote myself.
```apache
# Test
# https://www.ssllabs.com/ssltest/analyze.html

# SSL v3 goes to the dogs - POODLE kills off protocol
# https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/
SSLProtocol All -SSLv2 -SSLv3

# The Logjam Attack
# https://weakdh.org/
# Guide to Deploying Diffie-Hellman for TLS
# https://weakdh.org/sysadmin.html
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on

# Guide to Deploying Diffie-Hellman for TLS
# https://weakdh.org/sysadmin.html
# The following line is not suitable for my version of Apache 2.22
# (verified using sudo apachectl configtest)
# SSLOpenSSLConfCmd DHParameters "/home/alex/ssl/dhparams.pem"
```
This means I need to live with *"Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site."*
```apache
ServerName kallobombus
```
Resources: Redirecting HTTP to HTTPS. Configuring Apache to use your Gandi SSL Certificate.
```apache
<VirtualHost *:80>
    ServerName alexschroeder.ch
    ServerAlias www.alexschroeder.ch
    Redirect permanent / https://alexschroeder.ch/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin alex@alexschroeder.ch
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName alexschroeder.ch
    ServerAlias www.alexschroeder.ch
    ServerAlias rpg.alexschroeder.ch
    DocumentRoot /home/alex/alexschroeder.ch
    <Directory /home/alex/alexschroeder.ch>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /home/alex/ssl/alexschroeder.crt
    SSLCertificateKeyFile /home/alex/ssl/alexschroeder.key
    SSLCertificateChainFile /home/alex/ssl/GandiStandardSSLCA2.pem
    SSLVerifyClient None
</VirtualHost>
```
```apache
<VirtualHost *:80>
    ServerAdmin alex@arabisch-lernen.org
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName www.arabisch-lernen.org
    ServerAlias arabisch-lernen.org
    DocumentRoot /home/alex/arabisch-lernen.org
    <Directory /home/alex/arabisch-lernen.org>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```
```apache
<VirtualHost *:80>
    ServerName campaignwiki.org
    ServerAlias www.campaignwiki.org
    Redirect permanent / https://campaignwiki.org/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin alex@campaignwiki.org
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName campaignwiki.org
    ServerAlias www.campaignwiki.org
    DocumentRoot /home/alex/campaignwiki.org
    <Directory /home/alex/campaignwiki.org>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /home/alex/ssl/campaignwiki.crt
    SSLCertificateKeyFile /home/alex/ssl/campaignwiki.key
    SSLCertificateChainFile /home/alex/ssl/GandiStandardSSLCA2.pem
    SSLVerifyClient None
</VirtualHost>
```
```apache
<VirtualHost *:80>
    ServerAdmin alex@communitywiki.org
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName www.communitywiki.org
    ServerAlias communitywiki.org
    DocumentRoot /home/alex/communitywiki.org
    <Directory /home/alex/communitywiki.org>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```
```apache
<VirtualHost *:80>
    ServerName oddmuse.org
    ServerAlias www.oddmuse.org
    Redirect permanent / https://oddmuse.org/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin alex@oddmuse.org
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName oddmuse.org
    ServerAlias www.oddmuse.org
    DocumentRoot /home/alex/oddmuse.org
    <Directory /home/alex/oddmuse.org>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
    SSLEngine on
    SSLCertificateFile /home/alex/ssl/oddmuse.crt
    SSLCertificateKeyFile /home/alex/ssl/oddmuse.key
    SSLCertificateChainFile /home/alex/ssl/GandiStandardSSLCA2.pem
    SSLVerifyClient None
</VirtualHost>
```
```apache
<VirtualHost *:80>
    ServerAdmin alex@orientalisch.info
    <Directory />
        Options None
        AllowOverride None
        Order Deny,Allow
        Deny from all
    </Directory>
    ServerName www.orientalisch.info
    ServerAlias orientalisch.info
    DocumentRoot /home/alex/orientalisch.info
    <Directory /home/alex/orientalisch.info>
        Options ExecCGI Includes Indexes MultiViews SymLinksIfOwnerMatch
        AddHandler cgi-script .pl
        AllowOverride All
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>
```
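The VirtualHost blocks above and the `SSLCipherSuite` line further up are the two places where a small mistake is easy to overlook: a site that never got its `:80` to `:443` redirect, a `:443` host without its chain file, a `<Directory />` that does not actually deny everything, `ExecCGI` enabled somewhere other than the document root, or a cipher string that expands differently on the installed OpenSSL than the comments suggest. The script below is an added example, not part of this page or of the Kallobombus setup: it parses the subset of Apache syntax used here and runs those checks over a constructed sample condensed from the blocks above (one site with the redirect, one site served on port 80 only). The `weak_ciphers` check expands a shortened copy of the page's cipher string with the local OpenSSL via Python's `ssl` module; the full string works the same way.

```python
"""Audit of the VirtualHost blocks and the SSLCipherSuite string on this page.
Added example, not Alex's tooling: parses the subset of Apache syntax used above
(nested <Section> blocks, "Directive args" lines, # comments) and runs reviewer checks."""
import re
import ssl

# Constructed sample, condensed from the page's blocks: one site redirecting :80
# to :443, one site served on :80 only with no <Directory /> lock-down.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerName alexschroeder.ch
    Redirect permanent / https://alexschroeder.ch/
</VirtualHost>
<VirtualHost *:443>
    ServerName alexschroeder.ch
    DocumentRoot /home/alex/alexschroeder.ch
    <Directory />
        Order Deny,Allow
        Deny from all
    </Directory>
    <Directory /home/alex/alexschroeder.ch>
        Options ExecCGI Includes Indexes
    </Directory>
    SSLEngine on
    SSLCertificateFile /home/alex/ssl/alexschroeder.crt
    SSLCertificateKeyFile /home/alex/ssl/alexschroeder.key
    SSLCertificateChainFile /home/alex/ssl/GandiStandardSSLCA2.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName www.arabisch-lernen.org
    DocumentRoot /home/alex/arabisch-lernen.org
    <Directory /home/alex/arabisch-lernen.org>
        Options ExecCGI Includes Indexes
    </Directory>
</VirtualHost>
"""
# Head and exclusions of the page's SSLCipherSuite value (the full string works the same).
PAGE_SUITE = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
              "DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA:AES:CAMELLIA:"
              "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH")


def parse(text):
    """Return a tree of {'name', 'args', 'directives', 'children'} dicts."""
    root = {"name": "ROOT", "args": "", "directives": [], "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.fullmatch(r"<(\w+)\s*([^>]*)>", line):   # section open
            node = {"name": m[1], "args": m[2].strip(), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif m := re.fullmatch(r"</(\w+)>", line):         # section close
            if stack[-1]["name"] != m[1]:
                raise ValueError("mismatched " + line)
            stack.pop()
        else:                                              # plain directive
            name, _, args = line.partition(" ")
            stack[-1]["directives"].append((name, args.strip()))
    if len(stack) != 1:
        raise ValueError("unclosed <%s>" % stack[-1]["name"])
    return root


def get(node, name):
    """Argument strings of every `name` directive directly inside this section."""
    return [a for n, a in node["directives"] if n.lower() == name.lower()]


def audit_vhosts(tree):
    """Findings per <VirtualHost>: plaintext content, TLS material, root lock-down, CGI scope."""
    findings = []
    for vh in (c for c in tree["children"] if c["name"] == "VirtualHost"):
        port = vh["args"].rsplit(":", 1)[-1]
        label = "%s:%s" % ((get(vh, "ServerName") or ["?"])[0], port)
        docroot = (get(vh, "DocumentRoot") or [None])[0]
        if port == "80" and docroot:
            findings.append(label + ": content served over plaintext HTTP")
        if port == "443":
            if [a.lower() for a in get(vh, "SSLEngine")] != ["on"]:
                findings.append(label + ": SSLEngine is not on")
            findings += [label + ": missing " + d for d in
                         ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")
                         if not get(vh, d)]
        if docroot:
            dirs = [d for d in vh["children"] if d["name"] == "Directory"]
            root = next((d for d in dirs if d["args"] == "/"), None)
            if root is None or get(root, "Order") != ["Deny,Allow"] or get(root, "Deny") != ["from all"]:
                findings.append(label + ": <Directory /> does not deny everything")
            findings += [label + ": ExecCGI outside DocumentRoot in " + d["args"] for d in dirs
                         if d["args"] != docroot and any("ExecCGI" in o.split() for o in get(d, "Options"))]
    return findings


# Cipher names a reviewer rejects; DES-CBC-SHA is single DES (the page's 3DES entry is DES-CBC3-SHA).
WEAK_NAME = re.compile(r"(^|-)(RC4|MD5|NULL|EXPORT|DES-CBC-SHA)|^A(EC)?DH", re.I)


def weak_ciphers(suite):
    """Expand an SSLCipherSuite string with the local OpenSSL; return the names matching WEAK_NAME."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(suite)
    return [c["name"] for c in ctx.get_ciphers() if WEAK_NAME.search(c["name"])]


if __name__ == "__main__":
    print("\n".join(audit_vhosts(parse(SAMPLE_CONF))) or "no vhost findings")
    print("weak ciphers selected:", ", ".join(weak_ciphers(PAGE_SUITE)) or "none")
```

Run against the sample, the port-80-only site produces two findings (plaintext content, no `<Directory />` lock-down) and the redirecting site none; the cipher expansion selects nothing matching the weak-name pattern. To audit the real files, read `/etc/apache2/sites-enabled/*` into `parse` instead of `SAMPLE_CONF`. The parser deliberately ignores `Include`, `IfModule` conditions and `.htaccess` overrides (`AllowOverride All` is in force on every document root above), so it reports what the main config says, not the effective merged configuration.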