Baikal
Provide a vhost file template for HTTPS site configuration
Hi,
It would be very nice if Baïkal were provided with a vhost configuration file template for HTTPS site configuration (the same way it is currently provided with a vhost configuration file template for HTTP). It would save a lot of time for LAMP newcomers (and lazy people! ;) ). Thanks in advance.
Regards, iGoX
I'd second this. I tried to configure a secure connection using Apache with SSL proxying, only later finding out that there are problems with this setup and SabreDAV. Do you have any hints on where to find a suitable template?
EDIT: would the Symfony documentation be a reasonable start?
I had success with the following configuration (Ubuntu 14.04 Server, Apache 2.4, mod_ssl, mod_rewrite, mod_php5):

    <VirtualHost *:443>
        # ServerName YOURSERVERNAME
        ServerAlias YOUR.SERVER.IP.ADDRESS

        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/apache.crt
        SSLCertificateKeyFile /etc/ssl/private/apache.key

        DocumentRoot /var/www/baikal/web
        <Directory /var/www/baikal/web>
            AllowOverride None
            # Apache 2.4 access control. The 2.2-style line below is redundant
            # with "Require all granted" and only parses with mod_access_compat loaded.
            Require all granted
            # Allow from All
            <IfModule mod_rewrite.c>
                Options -MultiViews
                RewriteEngine On
                # Symfony-style front-controller rewrite, taken from the source linked below
                RewriteCond %{REQUEST_FILENAME} !-f
                RewriteRule ^(.*)$ app.php [QSA,L]
            </IfModule>
        </Directory>

        ErrorLog /var/log/apache2/baikal_error.log
        CustomLog /var/log/apache2/baikal_access.log combined
    </VirtualHost>

Source: http://symfony.com/doc/current/cookbook/configuration/web_server_configuration.html
I'm sharing an nginx vhost I use for version 0.2.7.
In my configuration I use HTTP Strict Transport Security (HSTS).
Replace the default server block with this:

    server {
        listen 80;
        server_name baikal.domain.tld;
        # send every plain-HTTP request to the HTTPS vhost below
        return 301 https://$server_name$request_uri;
    }

and create your vhost file in /etc/nginx/sites-available/baikal.domain.tld
and create a symlink in /etc/nginx/sites-enabled

    server {
        listen 443 ssl;
        server_name baikal.domain.tld;
        # "ssl on;" is redundant with "listen 443 ssl;" and deprecated in current nginx
        # ssl on;

        # TLSv1 and TLSv1.1 are kept for old clients; drop them if all your clients speak TLSv1.2
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        # change the following two according to your configuration
        ssl_certificate /etc/letsencrypt/live/baikal.domain.tld/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/baikal.domain.tld/privkey.pem;
        ssl_session_tickets off;
        server_tokens off;

        ## extra secure settings, enable if you know what you're doing
        ## use 'openssl dhparam -out /etc/nginx/ssl/dhparams.pem 4096' for the next line
        #ssl_dhparam /etc/nginx/ssl/dhparams.pem;
        #ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        #ssl_ecdh_curve secp384r1;
        #ssl_stapling on;
        #ssl_stapling_verify on;
        #ssl_trusted_certificate /etc/letsencrypt/live/baikal.domain.tld/chain.pem;
        #resolver 8.8.8.8 8.8.4.4 valid=300s;
        #resolver_timeout 5s;
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;

        # change the following two according to your configuration
        access_log /var/log/nginx/baikal.domain.tld_access.log;
        error_log /var/log/nginx/baikal.domain.tld_error.log;

        # change the following according to your configuration
        root /var/www/baikal.domain.tld;
        index index.php;
        proxy_set_header X-Forwarded-For $remote_addr;
        charset utf-8;

        location / {
            try_files $uri $uri/ =404;
        }

        location ~ ^(.+\.php)(.*) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # refuse requests for scripts that do not exist instead of handing them to PHP
            try_files $fastcgi_script_name =404;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # tell PHP the request arrived over TLS
            fastcgi_param HTTPS on;
            fastcgi_index index.php;
            include fastcgi_params;
        }

        # never serve .ht* files or the Baïkal Core/Specific directories
        location ~ /(\.ht|Core|Specific) {
            deny all;
            return 404;
        }

        # well-known discovery URLs for CalDAV/CardDAV clients
        rewrite ^/.well-known/caldav /cal.php redirect;
        rewrite ^/.well-known/carddav /card.php redirect;
    }
That looks like a very complete configuration. I'll definitely add this to the site.
I'm sharing a working Apache 2.2 config with the following features:
- HSTS activated
- Strong cipher config
- SNI
- PHP-FPM
- TLS 1.1 / TLS 1.2 only

    <VirtualHost *:443>
        ServerName baikal.foo.bar
        ServerAdmin [email protected]

        SSLEngine on
        # TLS 1.1 and 1.2 only
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1
        SSLHonorCipherOrder on
        # TLS compression off (CRIME)
        SSLCompression off
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        # reject clients whose SNI name matches no configured vhost
        SSLStrictSNIVHostCheck on
        SSLCertificateFile /path/to/cert.crt
        SSLCertificateKeyFile /path/to/key.key
        SSLCertificateChainFile /path/to/chain-cert.crt
        SSLCACertificateFile /path/to/ca-cert.crt

        # HSTS (needs mod_headers)
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

        DirectoryIndex index.php index.php5 index.php4 index.html index.xhtml index.htm
        # AccessFileName .htaccess

        # PHP-FPM via mod_fastcgi; "-pass-header Authorization" is needed so the
        # HTTP auth header sent by DAV clients reaches PHP
        AddHandler php5-fcgi .php
        AddHandler php5-fcgi .php5
        Action php5-fcgi /php5-fcgi
        Alias /php5-fcgi /path/to/document-root/php5-fcgi
        FastCgiExternalServer /path/to/document-root/php5-fcgi -socket /path/to/php-fpm-socket.sock -pass-header Authorization

        # Baikal: well-known discovery URLs for CalDAV/CardDAV clients
        RewriteEngine On
        RewriteRule "^/.well-known/caldav" "baikal/html/dav.php" [R,L]
        RewriteRule "^/.well-known/carddav" "baikal/html/dav.php" [R,L]

        DocumentRoot /path/to/document-root/
        <Directory /path/to/document-root/>
            Options -ExecCGI +FollowSymlinks -Includes -Indexes -MultiViews -SymlinksIfOwnerMatch
            AllowOverride None
            Order allow,deny
            Allow from all
        </Directory>
        # block the Baikal admin interface and the Specific directory entirely
        <Directory ~ "/admin">
            Order allow,deny
            Deny from all
        </Directory>
        <Directory ~ "/Specific">
            Order allow,deny
            Deny from all
        </Directory>

        LogLevel warn
        RewriteLogLevel 0
        ErrorLog /path/to/error.log
        CustomLog /path/to/access.log combined
        RewriteLog /path/to/rewrite-log.log
    </VirtualHost>
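A static check for the TLS settings in the vhosts posted above (the Apache 2.4, nginx and Apache 2.2 configs), added here as an example; it is not code from Baïkal or from any of the posters. It reads a vhost file as text, expands Apache's `SSLProtocol all -X` form into the versions that stay enabled, and reports protocols below TLSv1.2, the deprecated nginx `ssl on;` directive, and the absence of an active (uncommented) Strict-Transport-Security header. The two sample configs inside are constructed, cut down from the posts above; treating `all` as every version the script knows is a deliberate, conservative assumption, since what `all` really covers depends on the httpd and OpenSSL build.

```python
"""Lint the TLS-relevant directives of an nginx or Apache vhost file.

Added example for this thread, not Baïkal code.  It flags protocol
versions below TLSv1.2, the deprecated nginx "ssl on;" directive, and a
missing or commented-out Strict-Transport-Security header.
"""

# Versions the linter knows about, oldest first.  An Apache "all" is
# expanded to every one of them (assumption: the real meaning of "all"
# depends on the httpd/OpenSSL build, so the lint errs toward reporting).
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _directive(raw):
    """Split one config line into (lowercased key, value), dropping '#'
    comments and a trailing ';'.  Returns (None, None) for blank lines."""
    line = raw.split("#", 1)[0].strip().rstrip(";").strip()
    if not line:
        return None, None
    parts = line.split(None, 1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def apache_protocols(spec):
    """Expand an Apache SSLProtocol value such as 'all -SSLv2 -SSLv3 -TLSv1'
    or '-all +TLSv1.2' into the set of versions left enabled."""
    enabled = set()
    for tok in spec.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = KNOWN if name.lower() == "all" else [name]
        if sign == "-":
            enabled.difference_update(names)
        else:
            enabled.update(names)
    return enabled


def lint_vhost(text):
    """Return [(message, line_number)] for every finding; line 0 marks a
    finding about the file as a whole."""
    findings = []
    hsts_active = False
    for no, raw in enumerate(text.splitlines(), 1):
        key, value = _directive(raw)
        if key is None:
            continue
        if key == "ssl_protocols":          # nginx lists versions explicitly
            weak = sorted(set(value.split()) & WEAK)
            if weak:
                findings.append(("weak protocols enabled: " + " ".join(weak), no))
        elif key == "sslprotocol":          # Apache uses the all/+/- syntax
            weak = sorted(apache_protocols(value) & WEAK)
            if weak:
                findings.append(("weak protocols enabled: " + " ".join(weak), no))
        elif key == "ssl" and value.lower() == "on":
            findings.append(("'ssl on;' is deprecated; use 'listen 443 ssl;'", no))
        elif key in ("add_header", "header") and \
                "strict-transport-security" in value.lower():
            hsts_active = True              # a commented-out header never reaches here
    if not hsts_active:
        findings.append(("no active Strict-Transport-Security header", 0))
    return findings


# Constructed samples: the two vhosts posted above reduced to the lines
# the linter cares about.
NGINX_SAMPLE = "\n".join([
    "server {",
    "    listen 443 ssl;",
    "    ssl on;",
    "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",
    '    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";',
    "    add_header X-Frame-Options SAMEORIGIN;",
    "}",
])

APACHE_SAMPLE = "\n".join([
    "<VirtualHost *:443>",
    "    SSLEngine on",
    "    SSLProtocol all -SSLv2 -SSLv3 -TLSv1",
    '    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"',
    "</VirtualHost>",
])

if __name__ == "__main__":
    for name, sample in (("nginx", NGINX_SAMPLE), ("apache", APACHE_SAMPLE)):
        for msg, no in lint_vhost(sample):
            print("%s:%d: %s" % (name, no, msg))
```

Run it as-is to see the findings for the two samples, or call `lint_vhost(open(path).read())` on a real vhost file. It is a static check only: it tells you what the file asks for, not what the running server negotiates, so after reloading confirm with a client (for example `openssl s_client -connect host:443`) that the versions you removed are actually refused.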
You forgot to close the ticket.
Apache HTTPS/SSL vhost configuration is now provided (see PR #113). Closing this issue.