wordpress: Restrict access to a few version discovery vectors

[chef.git] / cookbooks / wordpress / templates / default / apache.erb

diff --git a/cookbooks/wordpress/templates/default/apache.erb b/cookbooks/wordpress/templates/default/apache.erb
index 997b44322cb6a3b9874dd8c8576dbad957b1eba0..200c500894c285c1a0743e4fe7c306c07d432990 100644 (file)
--- a/cookbooks/wordpress/templates/default/apache.erb
+++ b/cookbooks/wordpress/templates/default/apache.erb
@@ -27,6 +27,13 @@
   # Enable SSL
   #
   SSLEngine on
+<% if @ssl_certificate -%>
+  SSLCertificateFile /etc/ssl/certs/<%= @ssl_certificate %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @ssl_certificate %>.key
+<% end -%>
+<% if @ssl_certificate -%>
+  SSLCertificateChainFile /etc/ssl/certs/<%= @ssl_certificate_chain %>.pem
+<% end -%>
 
   CustomLog /var/log/apache2/<%= @name %>-access.log combined
   ErrorLog /var/log/apache2/<%= @name %>-error.log
@@ -50,15 +57,19 @@
     RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
     RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
     RewriteRule ^wp-includes/theme-compat/ - [F,L]
+    RewriteRule ^readme\.html$ [F,L]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule . /index.php [L]
+
     Options -Indexes
+    AllowOverride AuthConfig
+
+    Require all granted
   </Directory>
 
   <Files <%= @directory %>/wp-config.php>
-    Order allow,deny
-    Deny from all
+    Require all denied
   </Files>
 
   <Directory <%= @directory %>/uploads>
@@ -68,17 +79,18 @@
   </Directory>
 
   <Directory ~ "\.svn">
-    Order allow,deny
-    Deny from all
+    Require all denied
   </Directory>
 
   <Directory ~ "\.git">
-    Order allow,deny
-    Deny from all
+    Require all denied
   </Directory>
 
+  <Files ~ "\.(txt|md)$">
+    Require all denied
+  </Files>
+
   <Files ~ "~$">
-    Order allow,deny
-    Deny from all
+    Require all denied
   </Files>
 </VirtualHost>