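# TLS virtual host for mysite.me: front-controller rewrite to index.php, PHP
# served through PHP-FPM over a unix socket, response-header hardening, and a
# Let's Encrypt certificate.
#
# NOTE(review): the page shows this file collapsed onto one line with no
# section tags (<VirtualHost>, <Directory>, <FilesMatch>, <IfModule>,
# <LimitExcept>); they were most likely stripped as markup. In that form
# everything after the first "#" is a comment, and AllowOverride, RewriteBase,
# Require, Order and Deny are not valid outside a directory-type section.
# The sections below are restored from what each directive requires. Every
# restored argument is marked and must be checked against the real file.

# Port inferred from the "-ssl-" log names and the SSLCertificate* lines - confirm.
<VirtualHost *:443>
    ServerName mysite.me
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/mysite.me/web

    ErrorLog ${APACHE_LOG_DIR}/mysite.me-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/mysite.me-ssl-access.log combined

    # Path assumed to be the DocumentRoot - confirm.
    <Directory /var/www/mysite.me/web>
        # No directory listings, no server-side includes, no content negotiation.
        Options -Indexes -Includes +FollowSymLinks -MultiViews
        # .htaccess files are ignored, so the rules in this file are the only
        # per-directory policy in effect.
        AllowOverride None

        # Set the default handler.
        DirectoryIndex index.php index.html index.htm

        # Front controller: any request that is not an existing file or
        # directory is passed to index.php as path info.
        RewriteEngine On
        RewriteBase /
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule ^(.*)$ index.php/$1 [L]

        # From the Apache version 2.4.10 and above, use the SetHandler to run PHP as a fastCGI process server
        # NOTE(review): the enclosing tag is not on the page. "\.php$" is a
        # constructed value (the common form); without a wrapper every
        # request, static files included, would be handed to PHP-FPM.
        <FilesMatch "\.php$">
            SetHandler "proxy:unix:/run/php/php8.2-fpm.sock|fcgi://localhost"
        </FilesMatch>

        # Protect files and directories from prying eyes.
        # NOTE(review): the file-name pattern is not on the page. The value
        # below is a placeholder and protects nothing until it is replaced
        # with the project's real pattern.
        <FilesMatch "REPLACE_WITH_PROTECTED_FILES_PATTERN">
            # 2.4 syntax where mod_authz_core is loaded, 2.2 syntax otherwise;
            # the two forms should not both apply to the same section.
            <IfModule mod_authz_core.c>
                Require all denied
            </IfModule>
            <IfModule !mod_authz_core.c>
                Order allow,deny
            </IfModule>
        </FilesMatch>

        # Only allow POST and GET requests.
        # Method list taken from the comment above; in <LimitExcept>, GET also
        # covers HEAD.
        # NOTE(review): "Deny from all" needs mod_access_compat on Apache 2.4;
        # "Require all denied" is the native 2.4 form.
        <LimitExcept GET POST>
            Deny from all
        </LimitExcept>
    </Directory>

    # Various header fixes.
    # Disable content sniffing for all responses, since it's an attack vector.
    # This header is also set in FinishResponseSubscriber, which depending on
    # Apache configuration might get placed in the 'onsuccess' table. To prevent
    # header duplication, unset that one prior to setting in the 'always' table.
    # See "To circumvent this limitation..." in
    # https://httpd.apache.org/docs/current/mod/mod_headers.html.
    Header onsuccess unset X-Content-Type-Options
    Header always set X-Content-Type-Options nosniff
    # One-year HSTS that also covers subdomains: every subdomain of mysite.me
    # has to serve valid HTTPS before this is deployed.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # The page may not be framed by any origin.
    Header always set X-Frame-Options DENY
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; a Content-Security-Policy is the maintained control for this.
    Header always set X-XSS-Protection "1; mode=block"
    # Disable Proxy header, since it's an attack vector.
    # (Under CGI/FastCGI a client-sent "Proxy:" header reaches the application
    # as HTTP_PROXY, which some HTTP client libraries honour as a proxy setting.)
    RequestHeader unset Proxy

    SSLCertificateFile /etc/letsencrypt/live/mysite.me/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mysite.me/privkey.pem
    # Protocol and cipher settings come from the certbot-managed include.
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>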