Apache Fine Tunes on Ubuntu 20.04
Copyright (C) 2020 Exforge exforge@x386.xyz
# This document is free text: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# any later version.
# This document is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
# Based on Alexey Abel's ISP Mail Tutorial Caramel Edition
https://123qwe.com/
1. DNS Records
# Add these records to the zone of x11.xyz (replace with your domain).
# 1.1. Certificate Authorities (CAA)
# CAA records tell certificate authorities who is allowed to issue
# certificates for the domain; a CAA-honouring CA refuses everyone else.
# 1.1.1. Only Let's Encrypt may issue ordinary (non-wildcard) certificates
@ CAA 0 issue "letsencrypt.org"
# 1.1.2. No CA may issue wildcard certificates (issuewild ";" denies all)
@ CAA 0 issuewild ";"
# 1.1.3. A CA that receives a request violating this policy may report it
# to postmaster@x11.xyz
@ CAA 0 iodef "mailto:postmaster@x11.xyz"
#
# 1.2. SPF Policy for Email Server
# 1.2.1. All my emails come from the servers listed in my domain's MX
# records; everything else fails (-all). Any third party that sends mail
# for the domain must be added here, or its mail will be rejected.
# A domain must have exactly one SPF record.
# Add as a TXT record for x11.xyz (replace with your domain)
@ TXT "v=spf1 mx -all"
#
# 1.3. DMARC Policy for Email Server
# DMARC version 1; reject mail that fails the check; send aggregate reports
# (rua) to postmaster; strict DKIM and SPF alignment; apply the policy to
# 100% of messages (pct=100 is the default).
# Add as a TXT record for _dmarc.x11.xyz (replace with your domain)
_dmarc TXT "v=DMARC1; p=reject; rua=mailto:postmaster@x11.xyz; adkim=s; aspf=s; pct=100;"
# p=reject with strict alignment only works once outgoing mail is DKIM-signed
# with d=x11.xyz and sent from the MX hosts. If in doubt, start with p=none,
# read the aggregate reports, and tighten to p=reject afterwards.
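# The following script checks a published zone against the three policies above.
# It is an added example, not part of the original tutorial or of Alexey Abel's
# guide. It assumes dig (package bind9-dnsutils) is installed and defaults to
# x11.xyz with Let's Encrypt as the only allowed CA; the check functions work on
# text captured from dig, so they can be tried without network access.

```bash
#!/bin/bash
# Check that a domain's CAA, SPF and DMARC records match the policy in section 1.
# Added example, not part of the original tutorial. Assumes dig is installed;
# the domain defaults to x11.xyz (replace with your own).

DOMAIN="${1:-x11.xyz}"

# Live lookups. dig prints TXT data quoted and may split a long record into
# several quoted strings; for the short records used here stripping quotes is enough.
txt_records() { dig +short TXT "$1" | tr -d '"'; }
caa_records() { dig +short CAA "$1"; }

# check_caa "<CAA records, one per line>" ALLOWED_CA
# Every "issue" tag must name ALLOWED_CA and wildcards must be denied to everyone.
check_caa() {
  local recs="$1" allowed="$2" issuers ca
  issuers=$(printf '%s\n' "$recs" | awk '$2 == "issue" { print $3 }' | tr -d '"')
  [ -n "$issuers" ] || { echo "CAA: no issue record" >&2; return 1; }
  for ca in $issuers; do
    [ "$ca" = "$allowed" ] || { echo "CAA: unexpected issuer $ca" >&2; return 1; }
  done
  printf '%s\n' "$recs" | grep -qE '^[0-9]+ issuewild ";"$' ||
    { echo 'CAA: wildcard issuance is not denied (need issuewild ";")' >&2; return 1; }
}

# check_spf "<TXT records of DOMAIN, one per line>"
# Exactly one v=spf1 record is allowed, and it must end with a hard fail (-all).
check_spf() {
  local spf count
  spf=$(printf '%s\n' "$1" | grep -i '^v=spf1' || true)
  count=$(printf '%s\n' "$spf" | grep -c . || true)
  [ "$count" -eq 1 ] || { echo "SPF: expected exactly one v=spf1 record, found $count" >&2; return 1; }
  case "$spf" in
    *" -all") ;;
    *) echo "SPF: record does not end with -all: $spf" >&2; return 1 ;;
  esac
}

# check_dmarc "<TXT records of _dmarc.DOMAIN, one per line>"
# Requires v=DMARC1 with p=reject and strict DKIM/SPF alignment.
check_dmarc() {
  local rec tag
  rec=$(printf '%s\n' "$1" | grep -i '^v=DMARC1' || true)
  [ -n "$rec" ] || { echo "DMARC: no v=DMARC1 record" >&2; return 1; }
  for tag in 'p=reject' 'adkim=s' 'aspf=s'; do
    printf '%s\n' "$rec" | grep -qiE "(^|;)[[:space:]]*$tag[[:space:]]*(;|$)" ||
      { echo "DMARC: missing $tag in: $rec" >&2; return 1; }
  done
}

main() {
  local rc=0
  check_caa "$(caa_records "$DOMAIN")" letsencrypt.org || rc=1
  check_spf "$(txt_records "$DOMAIN")" || rc=1
  check_dmarc "$(txt_records "_dmarc.$DOMAIN")" || rc=1
  [ "$rc" -eq 0 ] && echo "$DOMAIN: CAA, SPF and DMARC match the policy"
  return "$rc"
}

# Only query DNS when a domain is given on the command line.
if [ $# -gt 0 ]; then main; fi
```

# Run it as "./check_dns.sh x11.xyz" after the zone has propagated; a non-zero
# exit with a message on stderr names the record that deviates from the policy.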
2. Apache More Secure Configuration
# https://ssl-config.mozilla.org/ is a good place to start
# 2.1. More Secure HTTPS redirect
# Contents of the conf file
# mod_rewrite must be enabled (see 2.4)
<VirtualHost *:80>
ServerName www.x11.xyz
# Force redirect to HTTPS. [L] ends rule processing after the redirect.
# %{HTTP_HOST} echoes whatever Host header the client sent; to pin the
# target, write https://www.x11.xyz%{REQUEST_URI} instead.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
ErrorLog ${APACHE_LOG_DIR}/www.x11.xyz-error.log
</VirtualHost>
#
# 2.2. More Secure HTTPS conf
# Contents of the conf file
# headers and ssl mods must be enabled (and http2 for the Protocols line)
<VirtualHost *:443>
ServerName www.x11.xyz
DocumentRoot /var/www/www.x11.xyz
SSLEngine on
# fullchain.pem holds the server certificate followed by the intermediate(s)
SSLCertificateFile /etc/letsencrypt/live/www.x11.xyz/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.x11.xyz/privkey.pem
# enable HTTP/2, if available (needs mod_http2 and a threaded MPM such as
# event; the prefork MPM does not support it)
Protocols h2 http/1.1
# HSTS (mod_headers is required) (63072000 seconds = 2 years)
# Browsers remember this for the full max-age, so only send it once everything
# under www.x11.xyz works over HTTPS; add "; includeSubDomains" only if every
# subdomain does too.
Header always set Strict-Transport-Security "max-age=63072000"
ErrorLog ${APACHE_LOG_DIR}/www.x11.xyz.port443-error.log
</VirtualHost>
#
# 2.3. More Secure TLS Configuration
# A stricter TLS conf may be created to apply the same settings
# to all hosted sites. conf-enabled is read after mods-enabled/ssl.conf,
# so these directives override Ubuntu's defaults.
sudo nano /etc/apache2/conf-available/ssl-stricter-options.conf
#_________________________________________________________________
# Generated by: https://ssl-config.mozilla.org/
# modern configuration, tweak to your needs
# TLS 1.3 only (needs Apache 2.4.36+ and OpenSSL 1.1.1; Ubuntu 20.04 ships
# 2.4.41 and 1.1.1f). Clients without TLS 1.3 are locked out; use the
# generator's "intermediate" profile if you must still serve them.
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
# Only the TLS 1.3 suites remain, all of them strong, so the client may choose
SSLHonorCipherOrder off
# Apache rotates the ticket key only when it is (re)started, so tickets
# weaken forward secrecy; keep them off
SSLSessionTickets off
# OCSP stapling: Apache fetches the OCSP response and sends it along with
# the certificate, so clients need not contact the CA themselves
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#_________________________________________________________________
#
# Enable new conf (it takes effect after Apache is reloaded)
sudo a2enconf ssl-stricter-options
#
# 2.4. Enable all mentioned mods, then restart Apache so they load
# (add http2 to the list if you keep the Protocols h2 line from 2.2)
sudo a2enmod rewrite ssl headers
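# The following script probes a running server for the properties section 2
# configures: TLS 1.2 refused and TLS 1.3 accepted (2.3), a stapled OCSP
# response (2.3), the HSTS header (2.2) and the 301 redirect from plain HTTP
# (2.1). It is an added example, not part of the original tutorial or of the
# Mozilla generator. It assumes openssl 1.1.1 (for -tls1_3) and curl are
# installed and defaults to www.x11.xyz; the parsing helpers work on captured
# tool output, so they can be exercised without network access.

```bash
#!/bin/bash
# Verify the section 2 Apache configuration against a live host.
# Added example, not part of the original tutorial. Assumes openssl and curl;
# the host defaults to www.x11.xyz (replace with your own).

HOST="${1:-www.x11.xyz}"

# handshake_summary "<openssl s_client output>": prints "<version> <cipher>"
# from the "New, TLSv1.3, Cipher is ..." line, or "none" when no session was set up.
handshake_summary() {
  printf '%s\n' "$1" | awk '/^New, / { sub(/,$/, "", $2)
    if ($2 == "(NONE)") print "none"; else print $2, $5
    exit }'
}

# stapling_present "<openssl s_client -status output>": true when the server
# stapled an OCSP response to its certificate.
stapling_present() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# hsts_max_age "<HTTP response headers>": prints the max-age of the
# Strict-Transport-Security header (header names are lower-case over HTTP/2).
hsts_max_age() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    tolower($1) == "strict-transport-security:" && match($0, /max-age=[0-9]+/) {
      print substr($0, RSTART + 8, RLENGTH - 8); exit }'
}

# redirect_target "<HTTP response headers>": prints the Location of a 301, else nothing.
redirect_target() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1 && $2 != "301" { exit }
    tolower($1) == "location:" { print $2; exit }'
}

# Live probe: one TLS handshake with the given version flag (-tls1_2 or -tls1_3),
# asking for a stapled OCSP response.
probe_tls() {
  openssl s_client -connect "$HOST:443" -servername "$HOST" -status "$1" </dev/null 2>&1
}

main() {
  local rc=0 out age loc
  # 2.3: TLS 1.2 must be refused, TLS 1.3 accepted, with a stapled OCSP response
  out=$(probe_tls -tls1_2)
  case "$(handshake_summary "$out")" in
    none|"") echo "TLS 1.2 refused: ok" ;;
    *) echo "TLS 1.2 still accepted: $(handshake_summary "$out")"; rc=1 ;;
  esac
  out=$(probe_tls -tls1_3)
  case "$(handshake_summary "$out")" in
    TLSv1.3*) echo "TLS 1.3 accepted: $(handshake_summary "$out")" ;;
    *) echo "TLS 1.3 handshake failed"; rc=1 ;;
  esac
  if stapling_present "$out"; then echo "OCSP stapling: ok"; else echo "no stapled OCSP response"; rc=1; fi
  # 2.2: HSTS with a two-year max-age
  age=$(hsts_max_age "$(curl -sI "https://$HOST/")")
  if [ "$age" = 63072000 ]; then echo "HSTS: ok"; else echo "HSTS max-age is '${age:-missing}'"; rc=1; fi
  # 2.1: plain HTTP must answer with a 301 to the HTTPS site
  loc=$(redirect_target "$(curl -sI "http://$HOST/")")
  case "$loc" in
    "https://$HOST/"*) echo "HTTP redirect: ok ($loc)" ;;
    *) echo "HTTP does not redirect to https://$HOST/ (got '${loc:-no 301}')"; rc=1 ;;
  esac
  return "$rc"
}

# Only contact the network when a host is given on the command line.
if [ $# -gt 0 ]; then main; fi
```

# Run "sudo apache2ctl configtest" and "sudo systemctl reload apache2" first,
# then "./verify_tls.sh www.x11.xyz". A freshly started Apache may report no
# stapled response on the very first connection, before its stapling cache is
# filled; run the probe a second time before treating that as a failure.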
3. Disabling All Apache Access Logs
# You may consider respecting your users' privacy by not keeping any
# access logs on Apache servers. I'd like to follow Alexey Abel's
# approach.
# We start by not configuring any access or custom logs in the Apache confs,
# but Apache still writes an access log for every vhost that has none of
# its own, through other-vhosts-access-log.conf. So we have to disable it
# (and reload Apache afterwards).
sudo a2disconf other-vhosts-access-log
# Ubuntu's default site, 000-default.conf, carries a CustomLog line of its
# own; disable that site or drop the line if it is still enabled. Bear in
# mind that without access logs there is no request trail to consult during
# an incident.
4. Reloading Services After Certificate Renewal
# For HTTPS we use Let's Encrypt certificates, and Certbot automates their
# renewal. That is necessary, because Let's Encrypt certificates are valid
# for only 90 days (Certbot renews them once fewer than 30 days remain).
# I use the certificates mostly for Apache, Postfix and Dovecot. When Certbot
# renews a certificate, Apache, Postfix and Dovecot don't know about it: each
# keeps using the certificate it loaded at start-up until it is reloaded or
# restarted. Therefore the services must be reloaded (or restarted) whenever
# a certificate is renewed.
# Christoph Haas and Alexey Abel use two different methods for that purpose.
# Both are documented here; choose whichever you want.
#
# 4.1. Christoph's Method:
# Add a line to Certbot's configuration file. A post-hook runs once at the
# end of a certbot renew run, not once per certificate, and "restart" (unlike
# "reload") drops the connections the services are serving at that moment.
sudo nano /etc/letsencrypt/cli.ini
#___________________________________________________________________________
post-hook = systemctl restart postfix ; systemctl restart dovecot ; systemctl restart apache2
#___________________________________________________________________________
#
# 4.2. Alexey's Method:
# Certbot runs every executable file in /etc/letsencrypt/renewal-hooks/deploy
# once per successfully renewed certificate, with RENEWED_LINEAGE (the
# certificate's directory under /etc/letsencrypt/live) and RENEWED_DOMAINS
# set in the environment. We'll put a script there.
sudo nano /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh
#__________________________________________
#!/bin/bash
systemctl reload apache2
systemctl reload postfix
systemctl reload dovecot
#__________________________________________
# Make the script executable. Certbot runs it as root, so keep it owned by
# root and not writable by anyone else.
sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh
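# The following deploy hook builds on Alexey's method: it reloads only the
# services that actually use the renewed certificate, and checks each service's
# configuration first so that a broken config does not take a daemon down during
# the reload. It is an added example, not part of the original tutorial, of
# Certbot, or of Christoph Haas's or Alexey Abel's guides. The RENEWED_LINEAGE
# and RENEWED_DOMAINS variables are the ones Certbot sets for deploy hooks; the
# mapping from lineage to services is an assumption for x11.xyz, and DRY_RUN is a
# switch added here for testing the hook by hand.

```bash
#!/bin/bash
# /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh, extended version.
# Added example, not part of the original tutorial or of Certbot. Certbot sets
# RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and
# RENEWED_DOMAINS when it runs a deploy hook after a successful renewal.

# Services that load the given certificate lineage (assumed mapping for x11.xyz;
# adapt it to your own certificates).
services_for_lineage() {
  case "$1" in
    */live/www.x11.xyz) echo "apache2 postfix dovecot" ;;
    # */live/mail.x11.xyz) echo "postfix dovecot" ;;   # hypothetical second lineage
    *) echo "" ;;
  esac
}

# Syntax-check one service before touching it.
check_service() {
  case "$1" in
    apache2) apache2ctl configtest ;;
    postfix) postfix check ;;
    dovecot) doveconf -n >/dev/null ;;
    *) echo "unknown service $1" >&2; return 1 ;;
  esac
}

# Reload each named service; with DRY_RUN=1 only print the plan.
reload_services() {
  local svc failed=0
  for svc in "$@"; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "would reload $svc"
      continue
    fi
    if check_service "$svc"; then
      systemctl reload "$svc" || failed=1
    else
      echo "$svc: configuration check failed, not reloading" >&2
      failed=1
    fi
  done
  return "$failed"
}

main() {
  if [ -z "${RENEWED_LINEAGE:-}" ]; then
    echo "RENEWED_LINEAGE is not set; run this from Certbot (or set it by hand)" >&2
    return 0
  fi
  local services
  services=$(services_for_lineage "$RENEWED_LINEAGE")
  if [ -z "$services" ]; then
    echo "no service uses $RENEWED_LINEAGE (${RENEWED_DOMAINS:-?}); nothing to reload"
    return 0
  fi
  echo "renewed $RENEWED_LINEAGE for ${RENEWED_DOMAINS:-?}: reloading $services"
  # word-splitting the service list is intended
  reload_services $services
}

main "$@"
```

# To try the hook without waiting for a renewal, run it the way Certbot would,
# for example: sudo env RENEWED_LINEAGE=/etc/letsencrypt/live/www.x11.xyz
# RENEWED_DOMAINS=www.x11.xyz DRY_RUN=1 /etc/letsencrypt/renewal-hooks/deploy/reloadall.sh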