I have a working site on a single server with multiple virtual hosts and a commercial SSL certificate that serves them all okay. When setting up my site originally I was following examples from several places and now I wonder if I might simplify my configuration without compromising current security. Note that I am not interested in serving non-ssl pages at all.

Here is my current config for one of the virtual hosts:

#==== BEGIN CURRENT ====
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName tb.com
    ServerAlias *.tb.com
    DocumentRoot /home/tom/public_html/tb.com/public

    # for SSI
    <Directory /home/tom/public_html/tb.com/public/>
        Options +Includes
    </Directory>

    # try ssl
    Redirect / https://tb.com/

    # special restrictions are now in a separate file
    Include /etc/apache2/sites-available/tb.com.conf

    # site boiler plate
    Include /etc/apache2/sites-available/vhost-boilerplate.conf
</VirtualHost>

# SSL OPERATIONS # <IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /home/tom/ssl-cert-data/fortuna-ssl-cert-no-36283-2011-02-23-tb.com.crt
    SSLCertificateKeyFile /home/tom/ssl-cert-data/server-2011-02-23-36283.key.unsecure
    SSLCertificateChainFile /home/tom/ssl-cert-data/sub.class2.server.ca.pem
    SSLCACertificateFile /home/tom/ssl-cert-data/ca.pem

    ServerName tb.com
    ServerAlias *.tb.com
    DocumentRoot /home/tom/public_html/tb.com/public

    # for SSL
    Include /etc/apache2/sites-available/tb.com.conf

    # site boiler plate
    Include /etc/apache2/sites-available/vhost-boilerplate.conf
</VirtualHost>
#==== END CURRENT ====

Here are the boiler plate file contents:

#==== BEGIN BOILER PLATE ====
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
</Directory>

<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog /var/log/apache2/access.log vhost_combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
#==== END BOILER PLATE ====

And here is what I would like to have (and simpler, if possible):

#==== BEGIN PROPOSED ====
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName tb.com
    ServerAlias *.tb.com

    # try ssl
    Redirect / https://tb.com/
</VirtualHost>

# SSL OPERATIONS # <IfModule mod_ssl.c>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /home/tom/ssl-cert-data/fortuna-ssl-cert-no-36283-2011-02-23-tb.com.crt
    SSLCertificateKeyFile /home/tom/ssl-cert-data/server-2011-02-23-36283.key.unsecure
    SSLCertificateChainFile /home/tom/ssl-cert-data/sub.class2.server.ca.pem
    SSLCACertificateFile /home/tom/ssl-cert-data/ca.pem

    ServerName tb.com
    ServerAlias *.tb.com
    DocumentRoot /home/tom/public_html/tb.com/public

    # for SSL
    Include /etc/apache2/sites-available/tb.com.conf

    # site boiler plate
    Include /etc/apache2/sites-available/vhost-boilerplate.conf
</VirtualHost>
#==== END PROPOSED ====

Any suggestions or comments are appreciated (particularly with regard to security).

Best regards,

-Tom