Prevent use of buggy parser gem

[chef.git] / cookbooks / wordpress / templates / default / apache.erb
diff --git a/cookbooks/wordpress/templates/default/apache.erb b/cookbooks/wordpress/templates/default/apache.erb

index ea2e20c0c2a2bbf641a2fe74b5e62de3e4248ba9..b15ec55d91c3e9edf684d7b968ba80ff4afc435d 100644 (file)
--- a/cookbooks/wordpress/templates/default/apache.erb
+++ b/cookbooks/wordpress/templates/default/apache.erb
@@ -8,17 +8,19 @@
  
    ServerAdmin webmaster@openstreetmap.org
  
-  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
    ErrorLog /var/log/apache2/<%= @name %>-error.log
  
    RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
    RedirectPermanent / https://<%= @name %>/
  </VirtualHost>
+<% unless @aliases.empty? -%>
  
  <VirtualHost *:443>
-  ServerName <%= @name %>
-<% @aliases.each do |alias_name| -%>
+  ServerName <%= @aliases.first %>
+<% @aliases.drop(1).each do |alias_name| -%>
    ServerAlias <%= alias_name %>
+<% end -%>
  
    ServerAdmin webmaster@openstreetmap.org
  
@@ -26,10 +28,25 @@
    SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
    SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
  
-  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
    ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
  <% end -%>
  
+<VirtualHost *:443>
+  ServerName <%= @name %>
+
+  ServerAdmin webmaster@openstreetmap.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined_extended
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
    DocumentRoot <%= @directory %>
  <% @urls.each do |url,directory| -%>
    Alias <%= url %> <%= directory %>
@@ -42,9 +59,6 @@
    </Directory>
  <% end -%>
  
-  ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=<%= @directory %>/:/usr/share/php/:/tmp/\ndisable_functions=exec,shell_exec,system,passthru,popen,proc_open"
-  ProxyFCGISetEnvIf "true" PHP_VALUE "upload_max_filesize=70M\npost_max_size=100M"
-
    <Directory <%= @directory %>>
      RewriteEngine on
  
@@ -54,6 +68,7 @@
      RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
      RewriteRule ^wp-includes/theme-compat/ - [F,L]
      RewriteRule ^readme\.html$ [F,L]
+    RewriteRule ^index\.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
@@ -62,6 +77,13 @@
      AllowOverride AuthConfig
  
      Require all granted
+
+    # https://www.wp-pay.org/http-authorization-header-missing/
+    CGIPassAuth on
+
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+      SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
+    </FilesMatch>
    </Directory>
  
    <Files <%= @directory %>/wp-config.php>
@@ -84,11 +106,15 @@
      Require all denied
    </Directory>
  
-  <Files ~ "\.(txt|md)$">
+  <Files ~ "(?<!robots|ads|security|humans)\.(txt|md)$">
      Require all denied
    </Files>
  
    <Files ~ "~$">
      Require all denied
    </Files>
+
+  <Files "xmlrpc.php">
+    Require all denied
+  </Files>
  </VirtualHost>