# ************************************ # Managed by Puppet # ************************************ # Unconditionally redirect all HTTP traffic for this vhost to HTTPS ServerName <%= @vhost_name %> ServerAdmin <%= scope['mediawiki::serveradmin'] %> RewriteEngine On RewriteRule ^/(.*) https://<%= @vhost_name %>/$1 [last,redirect=permanent] LogLevel warn ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined ServerSignature Off ServerName <%= @vhost_name %> ServerAdmin <%= scope['mediawiki::serveradmin'] %> SSLEngine on SSLProtocol All -SSLv2 -SSLv3 # Once the machine is using something to terminate TLS that supports ECDHE # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS # only is guaranteed. SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP SSLHonorCipherOrder on SSLCertificateFile <%= scope['mediawiki::cert_file'] %> SSLCertificateKeyFile <%= scope['mediawiki::key_file'] %> <% unless [nil, :undef].include?(scope['mediawiki::chain_file']) %> SSLCertificateChainFile <%= scope['mediawiki::chain_file'] %> <% end %> RedirectMatch ^/$ https://<%= @vhost_name %>/wiki/ DocumentRoot <%= @docroot %> Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None Order allow,deny allow from all "> # Ignore .htaccess files AllowOverride None # Serve HTML as plaintext, don't execute SHTML AddType text/plain .html .htm .shtml .php # Don't run arbitrary PHP code. php_admin_flag engine off # Allow access to serve images Require all granted "> Require all granted ExpiresActive On "> ExpiresByType image/gif A2592000 ExpiresByType image/png A2592000 ExpiresByType image/jpeg A2592000 ExpiresByType text/css A2592000 ExpiresByType text/javascript A2592000 ExpiresByType application/x-javascript A2592000 ExpiresByType application/x-font-woff A2592000 ExpiresByType image/svg+xml A2592000 ExpiresByType application/vnd.ms-fontobject A2592000 ExpiresByType application/x-font-ttf A2592000 ## I think it's likely dangerous to enable this for the entire domain. ## I'm nearly positive we only need to do so for the WebFonts. ## For now I'm going to keep this disabled. #Header add Access-Control-Allow-Origin "*" AddType application/x-font-woff .woff AddType application/vnd.ms-fontobject .eot # TTF doesn't have an official MIME type, but I really don't want to use application/octet-stream for it AddType application/x-font-ttf .ttf Alias /w/images <%= scope['mediawiki::mediawiki_images_location'] %> Alias /w <%= scope['mediawiki::mediawiki_location'] %> Alias /wiki <%= scope['mediawiki::mediawiki_location'] %>/index.php <% if scope['mediawiki::favicon_path'] != nil %> Alias /favicon.ico <%= scope['mediawiki::favicon_path'] %> "> Require all granted <% end %> <% if scope['mediawiki::disallow_robots'] == true %> # Request that search engines not index this site Alias /robots.txt /srv/mediawiki/robots.txt Require all granted <% end %> # Redirect old /Article_Name urls RewriteEngine on <% if scope['mediawiki::disallow_robots'] == true %> RewriteCond %{REQUEST_URI} !^/robots.txt$ <% end %> RewriteCond %{REQUEST_URI} !^/w/ RewriteCond %{REQUEST_URI} !^/wiki/ RewriteRule ^/(.*)$ https://<%= @vhost_name %>/wiki/$1 [L,R] # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined ServerSignature Off