Environment

 Host OS: Debian GNU/Linux 10.7
Guest OS: FreeBSD 12.2-RELEASE r366954 GENERIC amd64

 

▼Install Apache

# pkg install -y apache24

▼Edit the Apache configuration file

# vi /usr/local/etc/apache24/httpd.conf

 

▼Uncomment these lines

ServerAdmin <your admin e-mail address>   (the address on the original page is hidden by its e-mail cloaking script)
ServerName www.server-bff.net:80


◎Adjust as needed

<Directory />
    AllowOverride All
    Require all denied
</Directory>

Caveat: with AllowOverride All on "/", httpd looks for a .htaccess file in every directory from / down to the requested file on every request. The package default here is AllowOverride none; keep that and enable overrides only in the DocumentRoot block below, where Joomla actually needs them.

DocumentRoot "/usr/local/www/apache24/data/joomla"
<Directory "/usr/local/www/apache24/data/joomla">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.php index.html index.cgi
</IfModule>

 

◎Disable version display

ServerSignature Off
ServerTokens Prod

 

◎Disable the HTTP TRACE method

TraceEnable off

 

◎Add or adjust the Include lines as needed

# Secure (SSL/TLS) connections
Include /usr/local/etc/apache24/extra/httpd-ssl.conf

Include /usr/local/etc/apache24/Includes/phpmyadmin.conf
Include /usr/local/etc/apache24/Includes/grav.conf
Include /usr/local/etc/apache24/Includes/joomla.conf

Check first whether httpd.conf already ends with "Include etc/apache24/Includes/*.conf" (the FreeBSD package adds this line). If it does, the three Includes/ files are already loaded by that glob, and listing them again loads each one twice: a doubled Alias or Directory block is merely wasteful, but a doubled Listen is a startup error.

 

◎Disable the icons folder

Edit /usr/local/etc/apache24/extra/httpd-autoindex.conf and disable the following by prefixing each line with #:

#Alias /icons/ "/usr/local/www/apache24/icons/"
#<Directory "/usr/local/www/apache24/icons">
#    Options Indexes MultiViews
#    AllowOverride None
#    Require all granted
#</Directory>

This file only takes effect if "Include etc/apache24/extra/httpd-autoindex.conf" is uncommented in httpd.conf (it is commented out in the stock httpd.conf); if that Include is still commented out, /icons/ is not served in the first place. Either way, a request for /icons/ should return 404 afterwards.

 

◎Change the log format to combined

CustomLog "/var/log/httpd-access.log" combined

 

 

▼SSL settings

# vi /usr/local/etc/apache24/extra/httpd-ssl.conf

 

◎Lines to uncomment or modify

Listen 0.0.0.0:443

Binding to 0.0.0.0 accepts IPv4 only. Use plain "Listen 443" if the host should also answer on IPv6.

SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3

Note: "all -SSLv3" still permits TLS 1.0 and 1.1, and the MEDIUM group adds older 128-bit ciphers that no modern client needs. Unless old clients must be supported, use "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" (and the same for SSLProxyProtocol), drop MEDIUM from both cipher lists, and add "SSLHonorCipherOrder on". FreeBSD 12.2 ships OpenSSL 1.1.1, so this mod_ssl negotiates TLS 1.2 and 1.3 and nothing is lost.

SSLUseStapling On

SSLStaplingCache "shmcb:/var/run/ssl_stapling(32768)"

SSLStaplingStandardCacheTimeout 3600

SSLStaplingErrorCacheTimeout 600

<VirtualHost _default_:443>
#   General setup for the virtual host
DocumentRoot "/usr/local/www/apache24/data/joomla"
ServerName www.server-bff.net:443
ServerAdmin <your admin e-mail address>   (the address on the original page is hidden by its e-mail cloaking script)
ErrorLog "/var/log/httpd-error.log"
#TransferLog "/var/log/httpd-access.log"
CustomLog "/var/log/httpd-access.log" combined

SSLEngine on

 

◎Specify the certificate and key locations (paths as created by the certbot port; live/ holds symlinks into archive/, so a renewed certificate is picked up on the next reload)

SSLCertificateFile "/usr/local/etc/letsencrypt/live/www.server-bff.net/fullchain.pem"

SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/www.server-bff.net/privkey.pem"

 

◎HSTS settings
Header set Strict-Transport-Security "max-age=31536000"

Keep this directive inside the :443 VirtualHost only: the header is meaningless over plain HTTP and browsers ignore it there (RFC 6797, section 8.1). Writing "Header always set" makes httpd send it on error responses (4xx/5xx) as well, not only on 2xx. It needs mod_headers, which is enabled further down.

[Specification] https://tools.ietf.org/html/rfc6797

 

◎To use SSL, uncomment the following in httpd.conf.

LoadModule log_config_module libexec/apache24/mod_log_config.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so

 

◎Include httpd-ssl.conf.

# Secure (SSL/TLS) connections
Include /usr/local/etc/apache24/extra/httpd-ssl.conf
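Once httpd has been restarted with these settings (see the restart step below), confirm that the protocol restriction and OCSP stapling actually took effect. The function below is an added example, not code from the original page: it reads the output of "openssl s_client -connect www.server-bff.net:443 -servername www.server-bff.net -status </dev/null" from stdin, reports the negotiated protocol and cipher, and fails if no stapled OCSP response was delivered or the protocol is older than TLS 1.2. The two transcripts embedded at the bottom are constructed, abridged samples, not real captures.

```shell
#!/bin/sh
# tls_report: summarise `openssl s_client -status` output read from stdin.
# Exit 0 only if a stapled OCSP response was delivered and the negotiated
# protocol is TLSv1.2 or TLSv1.3. Added example, not part of the original page.
tls_report() {
    out=$(cat)
    rc=0
    # The SSL-Session block contains lines such as "    Protocol  : TLSv1.3".
    proto=$(printf '%s\n' "$out" | grep '^ *Protocol *:' | head -n1 | awk '{print $NF}')
    cipher=$(printf '%s\n' "$out" | grep '^ *Cipher *:' | head -n1 | awk '{print $NF}')
    echo "protocol=$proto cipher=$cipher"
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        '') echo "no session established (handshake failed?)"; rc=1 ;;
        *)  echo "negotiated $proto: add -TLSv1 -TLSv1.1 to SSLProtocol"; rc=1 ;;
    esac
    # With SSLUseStapling On the server attaches an OCSP response to the
    # handshake; s_client prints "OCSP Response Status: successful (0x0)" for it
    # and "OCSP response: no response sent" when stapling is off or not cached yet.
    if printf '%s\n' "$out" | grep -q 'OCSP Response Status: successful'; then
        status=$(printf '%s\n' "$out" | grep '^ *Cert Status:' | head -n1 | awk '{print $NF}')
        echo "ocsp stapling=yes cert_status=$status"
        [ "$status" = "good" ] || rc=1
    else
        echo "ocsp stapling=no (check SSLUseStapling/SSLStaplingCache and that fullchain.pem contains the issuer)"
        rc=1
    fi
    return $rc
}

# Constructed, abridged sample transcripts (not real captures).
STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
======================================
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
---'

UNSTAPLED_OLD='CONNECTED(00000003)
OCSP response: no response sent
---
New, TLSv1.1, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
---'

printf '%s\n' "$STAPLED" | tls_report && echo "sample 1: OK"
printf '%s\n' "$UNSTAPLED_OLD" | tls_report || echo "sample 2: findings above"
```

Against the live server, pipe the s_client output into the function: "openssl s_client -connect www.server-bff.net:443 -servername www.server-bff.net -status </dev/null 2>/dev/null | tls_report". Stapling is only reported once httpd has fetched and cached a response, so run it a second time a few seconds after the restart if the first attempt shows "no response sent". To confirm that TLS 1.0 and 1.1 are refused, add "-tls1" or "-tls1_1" to the s_client command and expect the handshake itself to fail.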

 

◎Prevent clickjacking

Add the following:
Header always append X-Frame-Options DENY

Note: "append" merges with any X-Frame-Options header the application already sent, producing e.g. "SAMEORIGIN, DENY", which browsers treat as invalid and ignore. "Header always set X-Frame-Options DENY" replaces it instead. DENY also forbids the site from framing its own pages; use SAMEORIGIN if it does.

 

◎Enable the Expect-CT header

Uncomment:
LoadModule headers_module libexec/apache24/mod_headers.so

Add the following:
<IfModule mod_headers.c>
  <Directory />
    Header always set Expect-CT 'enforce, max-age=300, report-uri="https://www.server-bff.net/"'
  </Directory>
</IfModule>

The report-uri value has to be a double-quoted string, so the whole header value is wrapped in single quotes here (the original used single quotes around the URI, which clients do not accept). report-uri should point at an endpoint that accepts POSTed JSON reports; the site's front page will simply discard them. Note that Chrome dropped Expect-CT in 2022 and Firefox and Safari never implemented it, so on current systems the header can be omitted.

 

▼Check the configuration file syntax

# apachectl configtest
Performing sanity check on apache24 configuration:
Syntax OK

 

▼Startup settings

# vi /etc/rc.conf
apache24_enable="YES"
apache24_http_accept_enable="YES"

The second line makes the rc script load the accf_http(9) accept filter before starting httpd, so the kernel hands a connection to httpd only once a complete request has arrived.

 

▼Restart Apache

# service apache24 restart
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 829.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
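With httpd back up, confirm that the hardening made it into the responses rather than trusting "Syntax OK". The script below is an added example, not code from the original page: audit_headers reads a response header block, as printed by "curl -sI https://www.server-bff.net/", and checks the Server token (ServerTokens Prod), the Strict-Transport-Security max-age and the X-Frame-Options value; trace_refused checks the status line of "curl -sI -X TRACE https://www.server-bff.net/", which TraceEnable off answers with 405. The two header blocks at the bottom are constructed samples, not real captures.

```shell
#!/bin/sh
# audit_headers: read an HTTP response header block (curl -sI output) on stdin
# and print one line per finding. Exit 0 = all checks pass, 1 = findings.
# Added example, not part of the original page.
audit_headers() {
    hdrs=$(cat | tr -d '\r')           # curl prints CRLF line endings
    rc=0

    # ServerTokens Prod reduces the Server header to the bare product name.
    server=$(printf '%s\n' "$hdrs" | grep -i '^Server:' | head -n1 | cut -d' ' -f2-)
    case "$server" in
        Apache|'') ;;
        *) echo "Server header leaks details: '$server' (set ServerTokens Prod)"; rc=1 ;;
    esac

    # HSTS: present, with a max-age of at least one year (31536000 s).
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^Strict-Transport-Security:' | head -n1)
    maxage=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$hsts" ]; then
        echo "Strict-Transport-Security header missing"; rc=1
    elif [ -z "$maxage" ] || [ "$maxage" -lt 31536000 ]; then
        echo "HSTS max-age is '$maxage', expected at least 31536000"; rc=1
    fi

    # X-Frame-Options must be exactly DENY or SAMEORIGIN; a merged value such as
    # "SAMEORIGIN, DENY" (what 'Header append' produces when the application
    # already sent the header) is ignored by browsers.
    xfo=$(printf '%s\n' "$hdrs" | grep -i '^X-Frame-Options:' | head -n1 \
          | cut -d' ' -f2- | tr '[:lower:]' '[:upper:]')
    case "$xfo" in
        DENY|SAMEORIGIN) ;;
        '') echo "X-Frame-Options header missing"; rc=1 ;;
        *)  echo "X-Frame-Options value '$xfo' is invalid (use 'Header always set', not 'append')"; rc=1 ;;
    esac
    return $rc
}

# trace_refused: read the response to a TRACE probe on stdin. TraceEnable off
# makes httpd answer 405 Method Not Allowed.
trace_refused() {
    status=$(tr -d '\r' | head -n1 | awk '{print $2}')
    [ "$status" = "405" ]
}

# Constructed samples of curl -sI output (not real captures).
GOOD='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
Content-Type: text/html; charset=utf-8'

BAD='HTTP/1.1 200 OK
Server: Apache/2.4 (FreeBSD)
X-Frame-Options: SAMEORIGIN, DENY
Content-Type: text/html; charset=utf-8'

printf '%s\n' "$GOOD" | audit_headers && echo "good sample: all checks pass"
printf '%s\n' "$BAD"  | audit_headers || echo "bad sample: findings above"
printf 'HTTP/1.1 405 Method Not Allowed\r\n' | trace_refused && echo "TRACE refused"
```

Against the live server: "curl -sI https://www.server-bff.net/ | audit_headers" and "curl -sI -X TRACE https://www.server-bff.net/ | trace_refused && echo TRACE refused". Run the first one against an error page too (for example a non-existent path), since without "Header always" the HSTS header is only sent on successful responses.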

 

End.