I have a DigitalOcean droplet running Ubuntu.
On it, I host three sites using Apache. I am trying to add a fourth, "newsite.com", swapping from another host. This fourth site is live on another environment with SSL enabled.
The existing three sites run fine. They have SSL enabled using LetsEncrypt and I use virtual hosts to set up multiple domains with the same IP. However, for the fourth one, the new site, if I try to view the site (by editing my Win10 hosts file to point at the server IP) I see one of the other three sites, "oldsite1.com", which is the highest in the list sorted alphabetically. I understand Apache works its way down the list of enabled sites to select one. The new site does not have SSL enabled as I cannot run LetsEncrypt until the DNS has been changed.
The .conf file for the new site looks like this:
<VirtualHost *:80>
ServerAdmin webmaster#newsite.com
ServerName newsite.com
ServerAlias www.newsite.com
DocumentRoot /var/www/newsite.com/public_html
<Directory /var/www/newsite.com/public_html>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
<IfModule mod_dir.c>
DirectoryIndex index.php index.pl index.cgi index.html index.xhtml index.htm
</IfModule>
RewriteEngine on
RewriteCond %{SERVER_NAME} =newsite.com [OR]
RewriteCond %{SERVER_NAME} =www.newsite.com
RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
This matches the .conf files of the other sites.
My newsite .htaccess file:
#Force SSL
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://newsite.com/$1 [R=301,L]
# Prevent Directory listing
Options -Indexes
#Whitelist IP
#RewriteEngine On
#RewriteCond %{REMOTE_ADDR} [removed]
#RewriteCond %{DOCUMENT_ROOT}/error.html -f
#RewriteCond %{DOCUMENT_ROOT}/error.enable -f
#RewriteCond %{SCRIPT_FILENAME} !error.html
#RewriteRule ^.*$ /error.html [R=503,L]
#ErrorDocument 503 /error.html
#Header Set Cache-Control "max-age=0, no-store"
# Prevent Direct Access to files
<FilesMatch "(?i)((\.tpl|\.ini|\.log|(?<!robots)\.txt))">
Require all denied
## For apache 2.2 and older, replace "Require all denied" with these two lines :
# Order deny,allow
# Deny from all
</FilesMatch>
# SEO URL Settings
RewriteEngine On
RewriteBase /
RewriteRule ^sitemap.xml$ index.php?route=extension/feed/google_sitemap [L]
RewriteRule ^googlebase.xml$ index.php?route=extension/feed/google_base [L]
RewriteRule ^system/download/(.*) index.php?route=error/not_found [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !.*\.(ico|gif|jpg|jpeg|png|js|css)
RewriteRule ^([^?]*) index.php?_route_=$1 [L,QSA]
### Additional Settings that may need to be enabled for some servers
### Uncomment the commands by removing the # sign in front of it.
### If you get an "Internal Server Error 500" after enabling any of the following settings, restore the # as this means your host doesn't allow that.
# 1. If your cart only allows you to add one item at a time, it is possible register_globals is on. This may work to disable it:
# php_flag register_globals off
# 2. If your cart has magic quotes enabled, This may work to disable it:
# php_flag magic_quotes_gpc Off
# 3. Set max upload file size. Most hosts will limit this and not allow it to be overridden but you can try
# php_value upload_max_filesize 999M
# 4. set max post size. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value post_max_size 999M
# 5. set max time script can take. uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_execution_time 200
# 6. set max time for input to be recieved. Uncomment this line if you have a lot of product options or are getting errors where forms are not saving all fields
# php_value max_input_time 200
# 7. disable open_basedir limitations
# php_admin_value open_basedir none
###Compression stuff###
# Enable Gzip Compression
AddOutputFilterByType DEFLATE text/text
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
# Leverage Browser Caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access plus 1 year"
ExpiresByType image/jpeg "access plus 1 year"
ExpiresByType image/gif "access plus 1 year"
ExpiresByType image/png "access plus 1 year"
ExpiresByType text/css "access plus 1 month"
ExpiresByType application/pdf "access plus 1 month"
ExpiresByType text/x-javascript "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresDefault "access plus 1 month"
</IfModule>
# Remove Browser Bugs
#BrowserMatch ^Mozilla/4 gzip-only-text/html
#BrowserMatch ^Mozilla/4\.0[678] no-gzip
#BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
#Header append Vary User-Agent
Running sudo apache2ctl -S returns:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server oldsite1.com (/etc/apache2/sites-enabled/oldsite1.com-le-ssl.conf:2)
port 443 namevhost oldsite1.com (/etc/apache2/sites-enabled/oldsite1.com-le-ssl.conf:2)
alias www.oldsite1.com
port 443 namevhost oldsite2.com (/etc/apache2/sites-enabled/oldsite2.com-le-ssl.conf:2)
alias www.oldsite2.com
port 443 namevhost oldsite3.com (/etc/apache2/sites-enabled/oldsite3.com-le-ssl.conf:2)
alias www.oldsite3.com
*:80 is a NameVirtualHost
default server 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 127.0.0.1 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost oldsite1.com (/etc/apache2/sites-enabled/oldsite1.com.conf:1)
alias www.oldsite1.com
port 80 namevhost oldsite2.com (/etc/apache2/sites-enabled/oldsite2.com.conf:1)
alias www.oldsite2.com
port 80 namevhost oldsite3.com (/etc/apache2/sites-enabled/oldsite3.com.conf:1)
alias www.oldsite3.com
port 80 namevhost newsite.com (/etc/apache2/sites-enabled/newsite.com.conf:1)
alias www.newsite.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
I have tried emptying the newsite .htaccess and restarted apache multiple times but I am always shown oldsite1.com when I try to view newsite.com.
Assuming there is nothing wrong with my .conf or .htaccess, why is Apache preferring the vhost of the first site in the list?
You are forcing ssl. The moment you load http://newsite.com you are being redirected to https://newsite.com.
You only have a vhost for newsite.com on port 80 and not on port 443.
Since there is no vhost for the requested domain on port 443 you will be served the default site.
You will get your site as expected if you comment out this part:
#Force SSL
RewriteEngine On
#RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ https://newsite.com/$1 [R=301,L]
Related
Implement a redirect to HTTPS to website
Earlier we have a website with HTTP, and recently we have purchased in to HTTPS. Now I am tried to implement the redirect to HTTPS.
For this I tried below code in
<IfModule mod_rewrite.c>
## enable rewrites
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ www.example.com/$1 [R,L]
</IfModule>
When I uploaded the .htaccess file with above code. The website is not able to display.
And my entire .htaccess file as below.
#DirectoryIndex index.html
#AddType application/x-httpd-php5 .html .htm
#AddType application/x-httpd-php .html .htm
#RemoveHandler .html .htm
#AddType application/x-httpd-php .html .htm
#RewriteRule ^/?inscription/map\.html$ - [F,L]
<FilesMatch "\.html$" >
#ForceType application/x-httpd-php
</FilesMatch>
#Canonicalization issue
RewriteCond %{HTTP_HOST} !^www.example.com$ [NC]
RewriteRule ^(.*)$ www.example.com/$1 [L,R=301]
#Google Caching Issue
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ www.example.com/$1 [R,L]
<IfModule mod_rewrite.c>
## enable rewrites
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
#RewriteRule ^(.*)$ www.example.com/$1 [R,L]
#Redirect from http to https
#RewriteCond %{HTTP:X-Forwarded-Proto} !https
#RewriteCond %{HTTPS} off
#RewriteRule ^ www.example.com/ [L,R=301]
ErrorDocument 404 www.example.com
</IfModule>
<IfModule mod_expires.c>
ExpiresActive on
ExpiresDefault "access plus 1 month"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType image/x-icon "access plus 1 year"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/jpeg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
ExpiresByType text/css "access plus 1 month"
</IfModule>
<IfModule mod_deflate.c>
# Compress HTML, CSS, JavaScript, Text, XML and fonts
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
# Remove browser bugs (only needed for really old browsers)
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
</IfModule>
<Files "phpinfo.php">
Order Allow,Deny
Deny from all
</Files>
#<Files >
#AddType application/x-httpd-php .html .htm
#</Files>
Options -Indexes
Can you please help on this. to implement the redirection from http to https.
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ www.example.com/$1 [R,L]
You need to include the scheme, ie. https in the substitution string. For example:
RewriteRule ^(.*)$ https://www.example.com/$1 [R,L]
The same applies to all the other redirects in your .htaccess file.
If you don't explicitly include the HTTPS scheme in a HTTP to HTTPS redirect then it's never going to redirect to HTTPS. However, a relative path substitution (ie. one that does not start with a scheme or slash) is seen as relative to the current directory (unless RewriteBase is defined). So, a substitution string like www.example.com will effectively be treated as a subdirectory from the current directory (document root) and attempting to convert this into an external redirect will result in a malformed redirect like http://www.example.com/path/to/public_html/www.example.com/<foo>.
ErrorDocument 404 www.example.com
You have a similar issue with your ErrorDocument directive. However, you should not be "redirecting" to the custom error document (which is what will happen if you specify an absolute URL here). You should define a custom error document. eg. /errors/my404.html and state this in the ErrorDocument directive:
ErrorDocument 404 /errors/my404.html
The custom error document is then served using an internal subrequest. There is no "external redirect" here.
UPDATE#1:
Can you please edit above .htaccess file and post here?
I've removed all the commented-out code sections - so add those back as appropriate. Although several of the mod_rewrite sections that were commented out I assume are just earlier/incorrect attempts. I've also reordered some bits (eg. it is more logical to define Options and ErrorDocument directives early in the file - you certainly shouldn't split these up). I've omitted the mod_expires and mod_deflate sections for brevity.
I've also updated the deprecated mod_access_compat (Order, Deny, etc.) directives for Apache 2.4 Require all denied.
I'm also assuming the www subdomain is canonical and you have no other subdomains.
# Allow FollowSymlinks (required for mod_rewrite)
# and prevent directory listings (mod_autoindex)
Options +FollowSymlinks -Indexes
# Define custom error documents
ErrorDocument 404 /errors/my404.html
# Block access to specific files
<Files "phpinfo.php">
Require all denied
</Files>
# Enable mod_rewrite rewrite engine
RewriteEngine On
# Canonical redirect: non-www to www (and HTTPS)
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule (.*) https://www.%{HTTP_HOST}/$1 [R=301,L]
# Canonical redirect: HTTP to HTTPS
RewriteCond %{SERVER_PORT} 80
RewriteRule (.*) https://www.example.com/$1 [R=301,L]
# mod_expires directives go here...
# mod_deflate directives go here...
Clear your browser cache before testing and test first with 302 (temporary) redirects to avoid potential caching issues.
Note I assume you have already tested the SERVER_PORT 80 check and this works as intended on your server*1. I notice in your commented-out code you are also checking the X-Forwarded-Proto HTTP request header - this is only required if your application server is behind a front-end proxy that manages the HTTPS connection. If this is the case then checking SERVER_PORT (or HTTPS) may fail.
*1 UPDATE#2: It seems this is not the case and you are having to implement a non-standard check for %{ENV:HTTPS} instead of checking the SERVER_PORT, which is resulting in a redirect loop. This implies that your webhost (a shared hosting platform I assume) is using some kind of front-end proxy to manage the SSL connection and your application server is actually communicating over plain HTTP to the front-end proxy.
# Force from http to https
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
Solved with below code.
#Force from http to https
RewriteCond %{ENV:HTTPS} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
I have an LAMP server for my Drupal 8 site.
I do not know what I can optimize to improve the performance of my site.
This is a dynamic site.
Should I use the htaccess files or disable them and put everything in vhost ?
Is the file below correct ?
What can I add ?
.htaccess :
#
# Apache/PHP/Drupal settings:
#
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order allow,deny
</IfModule>
</FilesMatch>
# Don't show directory listings for URLs which map to a directory.
Options -Indexes
# Set the default handler.
DirectoryIndex index.php index.html index.htm
# Add correct encoding for SVGZ.
AddType image/svg+xml svg svgz
AddEncoding gzip svgz
# Most of the following PHP settings cannot be changed at runtime. See
# sites/default/default.settings.php and
# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
# changed at runtime.
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_value assert.active 0
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
# PHP 5.6 has deprecated $HTTP_RAW_POST_DATA and produces warnings if this is
# not set.
php_value always_populate_raw_post_data -1
</IfModule>
# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive on
ExpiresDefault "access plus 30 seconds"
ExpiresByType text/html "access plus 15 days"
ExpiresByType image/gif "access plus 1 months"
ExpiresByType image/jpg "access plus 1 months"
ExpiresByType image/jpeg "access plus 1 months"
ExpiresByType image/png "access plus 1 months"
ExpiresByType text/js "access plus 1 months"
ExpiresByType text/javascript "access plus 1 months"
<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>
# Set a fallback resource if mod_rewrite is not enabled. This allows Drupal to
# work without clean URLs. This requires Apache version >= 2.2.16. If Drupal is
# not accessed by the top level URL (i.e.: http://example.com/drupal/ instead of
# http://example.com/), the path to index.php will need to be adjusted.
<IfModule !mod_rewrite.c>
FallbackResource /index.php
</IfModule>
# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on
# Set "protossl" to "s" if we were accessed via https://. This is used later
# if you enable "www." stripping or enforcement, in order to ensure that
# you don't bounce between http and https.
RewriteRule ^ - [E=protossl]
RewriteCond %{HTTPS} on
RewriteRule ^ - [E=protossl:s]
# Make sure Authorization HTTP header is available to PHP
# even when running as CGI or FastCGI.
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "/\.|^\.(?!well-known/)" - [F]
# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/foo will be redirected to http://www.example.com/foo)
# uncomment the following:
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http%{ENV:protossl}://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/foo will be redirected to http://example.com/foo)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http%{ENV:protossl}://%1%{REQUEST_URI} [L,R=301]
# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /
# Redirect common PHP files to their new locations.
RewriteCond %{REQUEST_URI} ^(.*)?/(install.php) [OR]
RewriteCond %{REQUEST_URI} ^(.*)?/(rebuild.php)
RewriteCond %{REQUEST_URI} !core
RewriteRule ^ %1/core/%2 [L,QSA,R=301]
# Rewrite install.php during installation to see if mod_rewrite is working
RewriteRule ^core/install.php core/install.php?rewrite=ok [QSA,L]
# Pass all requests not referring directly to files in the filesystem to
# index.php.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]
# For security reasons, deny access to other PHP files on public sites.
# Note: The following URI conditions are not anchored at the start (^),
# because Drupal may be located in a subdirectory. To further improve
# security, you can replace '!/' with '!^/'.
# Allow access to PHP files in /core (like authorize.php or install.php):
RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
# Allow access shariff-backend-php.
RewriteCond %{REQUEST_URI} !/shariff-backend-php/
# Allow access to test-specific PHP files:
RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
# Allow access to Statistics module's custom front controller.
# Copy and adapt this rule to directly execute PHP files in contributed or
# custom modules or to run another PHP application in the same directory.
RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
# Deny access to any other PHP files that do not match the rules above.
# Specifically, disallow autoload.php from being served directly.
RewriteRule "^(.+/.*|autoload)\.php($|/)" - [F]
# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]
# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]
# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]
<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header set Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
# Various header fixes.
<IfModule mod_headers.c>
# Disable content sniffing, since it's an attack vector.
Header always set X-Content-Type-Options nosniff
# Disable Proxy header, since it's an attack vector.
RequestHeader unset Proxy
</IfModule>
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
AddOutputFilterByType DEFLATE application/x-font
AddOutputFilterByType DEFLATE application/x-font-opentype
AddOutputFilterByType DEFLATE application/x-font-otf
AddOutputFilterByType DEFLATE application/x-font-truetype
AddOutputFilterByType DEFLATE application/x-font-ttf
AddOutputFilterByType DEFLATE application/x-javascript
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE font/opentype
AddOutputFilterByType DEFLATE font/otf
AddOutputFilterByType DEFLATE font/ttf
AddOutputFilterByType DEFLATE image/svg+xml
AddOutputFilterByType DEFLATE image/x-icon
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/javascript
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml
</IfModule>
/etc/apache2/sites-available/www-domaine-com-le-ssl.conf :
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin contact#domaine.com
ServerName domaine.com
ServerAlias www.domaine.com
Protocols h2 http/1.1
DocumentRoot /var/www/www-domaine-com/web/
<Directory /var/www/www-domaine-com/web>
Options FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
<FilesMatch \.php$>
SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>
<Proxy "fcgi://localhost/" enablereuse=on flushpackets=on max=10>
</Proxy>
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/domaine.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domaine.com/privkey.pem
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
Header always set Content-Security-Policy "default-src https: data: wss: 'unsafe-inline' 'unsafe-eval'; base-uri 'self';"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
</VirtualHost>
</IfModule>
Using dynamic configuration files (".htaccess") will definitely slow down your server. That is documented and actually easy to understand:
The static configuration is read exactly once at startup time. When dynamic configuration files are enabled, then the server has to check each physical folder from the root up to the requested object (if mapped to the file system) whether there are such configuration files (which can occur on every level of the file system). And if some are found then each has to be read and interpreted for every single request. All that is additional load.
These files are only supported for two typical situations:
when you have no access to the actual host configuration of the server (read: really cheap hosting providers)
for applications that insist on writing their own rewriting rules (which is an obvious security nightmare once you start thinking about it)
If none of the two situations apply to you, then the clear recommendation is to not use dynamic configuration files but use the static configuration instead. And possibly even to disable those files completely.
Take care however for the details. You cannot simply move the directives in all cases, sometimes you need to adapt them:
there are directives you cannot use in all locations (consult the http server documentation for details on that, it is of excellent quality and comes with great examples and details)
you may have to adjust a few details, for examples the matching pattern in RewriteRules which is applied to absolute paths in the static configuration but to relative paths in dynamic configuration files. Again this is clearly documented.
Okay so I am having a little difficulty with my site, I created a sub-domain and it points to the correct folder /var/www/html/pathfinder/ but it does not create the trailing slash www.example.com
that causes an issue because then it attempts to load css files at www.example.comcss/file.css
I am using SSL and can't figure out what I have done wrong.
<IfModule mod_ssl.c>
<VirtualHost *:443>
DocumentRoot /var/www/html/pathfinder
ServerName www.subdomain.example.com
ServerAlias subdomain.example.com
<Directory /var/www/html/pathfinder/>
Options Indexes FollowSymLinks
AllowOverride All
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error_1.log
CustomLog ${APACHE_LOG_DIR}/access_1.log combined
SSLCertificateFile /etc/letsencrypt/live/www.subdomain.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.subdomain.example.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>
# HTTPS over SSL version
# Information: https://github.com/exodus4d/pathfinder/wiki/Apache
# Enable rewrite engine and route requests to framework ===========================================
RewriteEngine On
# HTTP to HTTPS ===================================================================================
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
RewriteCond %{HTTP_HOST} !=localhost
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Rewrite NONE www. to force www. =================================================================
RewriteCond %{HTTP_HOST} !^www\.
# skip "localhost" (dev environment)...
RewriteCond %{HTTP_HOST} !=localhost
# skip IP calls (dev environment)
RewriteCond %{HTTP_HOST} !^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$
# rewrite everything else to "https://" and "www."
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Some servers require you to specify the `RewriteBase` directive
# In such cases, it should be the path (relative to the document root)
# containing this .htaccess file:
# RewriteBase /app/
# Protect system files ============================================================================
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(lib|tmp)\/|\.(ini|php)$ - [R=404]
# Rewrite "everything" to index.php (dispatcher) ==================================================
RewriteCond %{REQUEST_FILENAME} !-l
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* index.php [L,QSA]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
# PHP global Vars (can be set in php.ini as well,...) =============================================
php_value max_input_vars 5000
php_value suhosin.get.max_vars 5000
php_value suhosin.post.max_vars 5000
php_value suhosin.request.max_vars 5000
# Activate PHP error log ==========================================================================
php_flag log_errors on
# php_value error_log "/www/htdocs/www.pathfinder-w.space/logs/php_errors.log"
# Cache Header ====================================================================================
# You should not change anything in here!
# New versioned files come with a unique path (e.g. ../js/v1.0.0/..) to force client cache busting.
<ifmodule mod_expires.c>
# fonts
<Filesmatch "\.(eot|woff2|woff|ttf|ttf|svg)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
Header append Cache-Control "public"
</Filesmatch>
# images/vector graphics
<Filesmatch "\.(jpg|jpeg|png|gif|swf|ico|svg)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
Header append Cache-Control "public"
FileETag None
Header unset ETag
</Filesmatch>
# css
<Filesmatch "\.(css)$">
ExpiresActive on
ExpiresDefault "access plus 1 month"
</Filesmatch>
## js/source maps
<Filesmatch "\.(js|map)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
Header append Cache-Control "public"
FileETag None
Header unset ETag
</Filesmatch>
# html templates
<Filesmatch "\.(htm|html)$">
ExpiresActive on
ExpiresDefault "access plus 1 week"
</Filesmatch>
</ifmodule>
I'm having trouble getting ProcessMaker running on CentOS 7. I've got through the CentOS 7 installation and have all of the prerequisites. I've modified my virtual hosts file to look like this:
NameVirtualHost my.host.com
<VirtualHost my.host.com:80>
ServerName my.host.com
DocumentRoot /opt/processmaker/workflow/public_html
DirectoryIndex index.html index.php
<Directory /opt/processmaker/workflow/public_html>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Require all granted
Allow from all
ExpiresActive On
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*/(.*)$ app.php [QSA,L,NC]
</Directory>
</VirtualHost>
I receive the following error message:
Sistem Configuration Error:
Please review your apache virtual host configuration file, and be sure you have the following rules:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /app.php [QSA,L]
</IfModule>
I've verified that mod_rewrite is installed and loaded:
# ls /etc/httpd/modules | grep mod_rewrite
mod_rewrite.so
# grep rewrite /etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module modules/mod_rewrite.so
What am I missing here?
<VirtualHost *:9999>
ServerName 127.0.0.1
DocumentRoot /opt/processmaker/workflow/public_html
DirectoryIndex index.html index.php
<Directory /opt/processmaker/workflow>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /app.php [QSA,L]
ExpiresActive On
ExpiresDefault "access plus 1 day"
ExpiresByType image/gif "access plus 1 day"
ExpiresByType image/png "access plus 1 day"
ExpiresByType image/jpg "access plus 1 day"
ExpiresByType text/css "access plus 1 day"
ExpiresByType text/javascript "access plus 1 day"
</Directory>
</VirtualHost>
I still don't understand why this was happening, but reinstalling everything slightly differently fixed it. The major change was using the default PHP installation, but adding the current EPEL repository to get php_mcrypt, but otherwise following the stock installation instructions. I don't see any good reason why this would have changed anything, but it now works.
I want to host two different services on a Apache web server, reachable via the same domain: Some special URLs should go into the filesystem, all others should be handle by a Rails application.
Example:
http://mydomain.com/foo/123.txt
=> should deliver /var/www/special/foo/123.txt
http://mydomain.com/users
=> should go to Rails/Passenger
Here is my virtual host setup for the Rails app:
<VirtualHost *:80>
ServerName mydomain.com
ServerAlias *.mydomain.com
DocumentRoot /var/www/mydomain/current/public
<Directory /var/www/mydomain/current/public>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
ExpiresActive on
ExpiresDefault "access plus 1 year"
FileETag MTime Size
</Directory>
RewriteEngine On
# Check for maintenance file and redirect all requests
ErrorDocument 503 /system/maintenance.html
RewriteCond %{REQUEST_URI} !\.(css|gif|jpg|png)$
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ - [redirect=503,last]
# Rewrite index to check for static
RewriteRule ^/$ /index.html [QSA]
# Rewrite to check for Rails cached page
RewriteRule ^([^.]+)$ $1.html [QSA]
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/xml application/xhtml+xml text/javascript application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
ErrorLog /var/log/apache2/mydomain.com-error_log
CustomLog /var/log/apache2/mydomain.com-access_log combined
</VirtualHost>
Somewhere in the middle a RewriteCond/RewiteRule should be added, so accessing http://mydomain.com/foo/123.txt does not go to the Rails app, but the filesystem instead.
For this I need help. It would by great if someone can can give me a hint.
Found the solution by myself:
RewriteCond %{REQUEST_URI} ^/foo/.*$
RewriteRule ^.*$ /var/www/special/foo%{REQUEST_URI}