Add DDOS protection

2022-01-30 01:03:07 +01:00
parent a182cee8b0
commit 5942bc57e6
3 changed files with 100 additions and 58 deletions
--- a/dev/setup/apache/virtualhost
+++ b/dev/setup/apache/virtualhost
@@ -1,62 +1,93 @@
 <VirtualHost *:80>
-#php_admin_value sendmail_path "/usr/sbin/sendmail -t -i"
-#php_admin_value mail.force_extra_parameters "-f postmaster@mydomain.com"
-php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f postmaster@mydomain.com"
-php_admin_value open_basedir /tmp/:/home/../htdocs
+	#php_admin_value sendmail_path "/usr/sbin/sendmail -t -i"
+	#php_admin_value mail.force_extra_parameters "-f postmaster@mydomain.com"
+	php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f postmaster@mydomain.com"
+	php_admin_value open_basedir /tmp/:/home/.../htdocs:/home/.../dolibarr_documents:
+	
+	ServerName myvirtualalias
+	ServerAlias myvirtualalias
+	
+	UseCanonicalName On
+	
+	KeepAlive On
+	KeepAliveTimeout 5
+	MaxKeepAliveRequests 20
+	
+	AddDefaultCharset UTF-8
+	
+	DocumentRoot "/home/.../htdocs"
+	
+	<Directory /home/.../htdocs/>
+	   	AllowOverride None
+	   	Options       -Indexes -MultiViews +FollowSymLinks -ExecCGI
+	   	Require all granted

-ServerName myvirtualalias
-ServerAlias myvirtualalias
+		# To restrict access by a HTTP basic auth	   
+	   	#AuthType Basic
+       	#AuthName "Authenticate to backoffice"
+       	#AuthUserFile /etc/apache2/.htpasswd
+       	#require valid-user
+	</Directory>
+	
+	# Leaving /public and /api, /dav, .well_known but also wrappers for document and viewimage accessible to everyone
+    <Directory /home/admin/wwwroot/dolibarr/htdocs/public/>
+        AuthType None
+        Require all granted
+        Satisfy any
+    </Directory>
+    <Directory /home/admin/wwwroot/dolibarr/htdocs/api/>
+        AuthType None
+        Require all granted
+        Satisfy any
+    </Directory>
+    <Directory /home/admin/wwwroot/dolibarr/htdocs/dav/>
+        AuthType None
+        Require all granted
+        Satisfy any
+    </Directory>
+    <Directory /home/admin/wwwroot/dolibarr/htdocs/.well-known/>
+        AuthType None
+        Require all granted
+        Satisfy any
+    </Directory>
+    <Files ~ "(document\.php|viewimage\.php|\.js\.php|\.json\.php|\.js|\.css\.php|\.css|\.gif|\.png|\.svg|\.woff2|favicon\.ico)$">
+        AuthType None
+        Require all granted
+        Satisfy any
+    </Files>

-UseCanonicalName On
-
-AddDefaultCharset UTF-8
-
-DocumentRoot "/home/.../htdocs"
-
-<Directory /home/.../htdocs/>
-   AllowOverride None
-   Options       -Indexes -MultiViews +FollowSymLinks -ExecCGI
-   Require all granted
-</Directory>
-
-<Directory "/home/../htdocs/cache">
-   Deny from all
-   RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
-   AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
-</Directory>
-
-
-ErrorLog /var/log/apache2/myvirtualalias_error_log
-TransferLog /var/log/apache2/myvirtualalias_access_log
-
-# Compress returned resources of type php pages, text file export, css and javascript
-AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
-
-AddType text/javascript .jgz
-AddEncoding gzip .jgz
-ExpiresActive On
-ExpiresByType image/x-icon A2592000
-ExpiresByType image/gif A2592000
-ExpiresByType image/png A2592000
-ExpiresByType image/jpeg A2592000
-ExpiresByType text/css A2592000
-ExpiresByType text/javascript A2592000
-ExpiresByType application/x-javascript A2592000
-ExpiresByType application/javascript A2592000
-
-SSLEngine On
-
-#   A self-signed (snakeoil) certificate can be created by installing
-#   the ssl-cert package. See
-#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
-#   If both key and certificate are stored in the same file, only the
-#   SSLCertificateFile directive is needed.
-SSLCertificateFile    /etc/letsencrypt/live/www.mydomain.com/cert.pem
-SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
-SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
-
-#RewriteEngine   on
-#RewriteCond     %{SERVER_PORT} ^80$
-#RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
+        
+	ErrorLog /var/log/apache2/myvirtualalias_error_log
+	TransferLog /var/log/apache2/myvirtualalias_access_log
+	
+	# Compress returned resources of type php pages, text file export, css and javascript
+	AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript
+	
+	AddType text/javascript .jgz
+	AddEncoding gzip .jgz
+	ExpiresActive On
+	ExpiresByType image/x-icon A2592000
+	ExpiresByType image/gif A2592000
+	ExpiresByType image/png A2592000
+	ExpiresByType image/jpeg A2592000
+	ExpiresByType text/css A2592000
+	ExpiresByType text/javascript A2592000
+	ExpiresByType application/x-javascript A2592000
+	ExpiresByType application/javascript A2592000
+	
+	SSLEngine On
+	
+	#   A self-signed (snakeoil) certificate can be created by installing
+	#   the ssl-cert package. See
+	#   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
+	#   If both key and certificate are stored in the same file, only the
+	#   SSLCertificateFile directive is needed.
+	SSLCertificateFile    /etc/letsencrypt/live/www.mydomain.com/cert.pem
+	SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem
+	SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.com/chain.pem
+	
+	#RewriteEngine   on
+	#RewriteCond     %{SERVER_PORT} ^80$
+	#RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]

 </VirtualHost>