Switch remaining PHP sites to use FPM

[chef.git] / cookbooks / wordpress / templates / default / apache.erb
diff --git a/cookbooks/wordpress/templates/default/apache.erb b/cookbooks/wordpress/templates/default/apache.erb

index 90adc23a29c6ae908af45fdb3a9b36d3ed3aed28..ea2e20c0c2a2bbf641a2fe74b5e62de3e4248ba9 100644 (file)
--- a/cookbooks/wordpress/templates/default/apache.erb
+++ b/cookbooks/wordpress/templates/default/apache.erb
@@ -11,36 +11,39 @@
    CustomLog /var/log/apache2/<%= @name %>-access.log combined
    ErrorLog /var/log/apache2/<%= @name %>-error.log
  
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
  
-<% if @ssl_enabled -%>
-    RedirectPermanent / https://<%= @name %>/
-  </VirtualHost>
-  <VirtualHost *:443>
-    ServerName <%= @name %>
-  <% @aliases.each do |alias_name| -%>
-    ServerAlias <%= alias_name %>
-  <% end -%>
+<VirtualHost *:443>
+  ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+  ServerAlias <%= alias_name %>
  
-    ServerAdmin webmaster@openstreetmap.org
+  ServerAdmin webmaster@openstreetmap.org
  
-    #
-    # Enable SSL
-    #
-    SSLEngine on
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
  
-    CustomLog /var/log/apache2/<%= @name %>-access.log combined
-    ErrorLog /var/log/apache2/<%= @name %>-error.log
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
  <% end -%>
  
    DocumentRoot <%= @directory %>
  <% @urls.each do |url,directory| -%>
    Alias <%= url %> <%= directory %>
+  <Directory <%= directory %>>
+    AllowOverride None
+    Require all granted
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+      SetHandler None
+    </FilesMatch>
+  </Directory>
  <% end -%>
  
-  php_admin_value open_basedir <%= @directory %>/:/usr/share/php/:/tmp/
-  php_admin_value disable_functions "exec,shell_exec,system,passthru,popen,proc_open"
-  php_value upload_max_filesize 70M
-  php_value post_max_size 100M
+  ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=<%= @directory %>/:/usr/share/php/:/tmp/\ndisable_functions=exec,shell_exec,system,passthru,popen,proc_open"
+  ProxyFCGISetEnvIf "true" PHP_VALUE "upload_max_filesize=70M\npost_max_size=100M"
  
    <Directory <%= @directory %>>
      RewriteEngine on
@@ -50,35 +53,42 @@
      RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
+    RewriteRule ^readme\.html$ [F,L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
+
      Options -Indexes
+    AllowOverride AuthConfig
+
+    Require all granted
    </Directory>
  
    <Files <%= @directory %>/wp-config.php>
-    Order allow,deny
-    Deny from all
+    Require all denied
    </Files>
  
    <Directory <%= @directory %>/uploads>
      AllowOverride None
      AddType text/plain .html .htm .shtml
-    php_admin_flag engine off
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+      SetHandler None
+    </FilesMatch>
    </Directory>
  
    <Directory ~ "\.svn">
-    Order allow,deny
-    Deny from all
+    Require all denied
    </Directory>
  
    <Directory ~ "\.git">
-    Order allow,deny
-    Deny from all
+    Require all denied
    </Directory>
  
+  <Files ~ "\.(txt|md)$">
+    Require all denied
+  </Files>
+
    <Files ~ "~$">
-    Order allow,deny
-    Deny from all
+    Require all denied
    </Files>
  </VirtualHost>