###
### svelte-apache-ssl.conf
### http://czep.net/16/svelte-apache.html
###

###
### httpd.conf for apache 2.4.x (RedHat systems)
###

### Main server configuration
ServerRoot "/etc/httpd"
Listen 80
ServerAdmin webmaster@example.net
ServerName example.net:80

### Base set of modules
LoadModule mime_module modules/mod_mime.so
LoadModule dir_module modules/mod_dir.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule systemd_module modules/mod_systemd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule wsgi_module modules/mod_wsgi.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule headers_module modules/mod_headers.so
LoadModule alias_module modules/mod_alias.so

# Pick one MPM module
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
#LoadModule mpm_event_module modules/mod_mpm_event.so

User apache
Group apache
DocumentRoot "/var/www/html"
DirectoryIndex index.html

# Default deny access to root filesystem
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Configure access to document root
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Prevent viewing of .htaccess and .htpasswd files
<Files ".ht*">
    Require all denied
</Files>

# Logging
ErrorLog "logs/error_log"
LogLevel info 
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "logs/access_log" combined

# Mime types
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# Misc
AddDefaultCharset UTF-8
EnableSendfile on

# mod_status and mod_info config
ExtendedStatus On
<Location "/apache-status">
    SetHandler server-status
    Require ip 192.168
</Location>

<Location "/apache-info">
    SetHandler server-info
    Require ip 192.168
</Location>

# WSGI config
WSGIDaemonProcess dev processes=2 threads=15 display-name=%{GROUP}
WSGIProcessGroup dev

WSGIScriptAlias /wsgi-info /var/www/wsgi-scripts/wsgi-info.wsgi

<Directory /var/www/wsgi-scripts>
    Require all granted
</Directory>

<Location "/wsgi-info">
    Require ip 192.168
</Location>

# Redirect port 80 to 443
<VirtualHost *:80>
   ServerName example.net
   Redirect permanent / https://example.net/
</VirtualHost>

###
### SSL config
###

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLProtocol -all +TLSv1.2
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off

<VirtualHost _default_:443>
   DocumentRoot "/var/www/html"
   ServerName example.net:443
   ErrorLog logs/ssl_error_log
   TransferLog logs/ssl_access_log
   LogLevel warn
   SSLEngine on

   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

   CustomLog logs/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"

    # add SSL environment variables to WSGI requests
    <Directory "/var/www/wsgi-scripts">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>

### EOF ###