# begin vhost for <%= @title %>
:<%= @port %>>
ServerName <%= @title %>.<%= @hosting_domain %>
<% if @server_alias != false %> ServerAlias <%= @server_alias %><% end %>
DocumentRoot <%= @docroot %>
<% if @https_redirect != false or @canonical != false %>
RewriteEngine On
<% end -%>
<% if @https_redirect != false %>
# Redirect all HTTP to HTTPS
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [redirect=301]<% end %>
<% if @redirect_match != false %> RedirectMatch ^/$ <%= @protocol %>://<%= @title %>.<%= @hosting_domain %>/<%= @redirect_match %><% end %>
<% if @redirect != false %> Redirect <%= @redirect %><% end %>
<% if @aliases != false %><% @aliases.each do |map| -%>
Alias <%= map %>
<% end -%><% end -%>
<% if @use != false %><% @use.each do |instance| -%>
Use <%= instance %>
<% end -%><% end -%>
<% if @mpm == true %>
AssignUserId <%= @user %> <%= @gid %>
<% end %>
<% if @canonical != false %>
<%- for canonical_exception in @canonical_exceptions -%>
RewriteCond %{HTTP_HOST} !=<%= canonical_exception %> [NC]
<%- end -%>
RewriteCond %{HTTP_HOST} !=<%= @canonical %> [NC]
RewriteCond %{HTTP_HOST} !=""
RewriteRule ^/(.*) <%= @protocol %>://<%= @canonical %>/$1 [L,R=301]
<% end %>
<% if @custom_directives != false -%>
<%= @custom_directives %>
<% end -%>
<% if @custom_log != false -%>
CustomLog "/var/log/apache2/<%= @name %>-access.log" <%= @custom_log_format %>
<% end -%>
<% if @error_log != false -%>
ErrorLog /var/log/apache2/<%= @name %>-error.log
<% end -%>
<% if @allow_override != false %>
>
AllowOverride <%= @allow_override %>
<% end -%>
<% if @certbot != false -%>
# Add Alias For Lets Encrypt WebRoot Authentication Using ACME
# See https://ubuntu101.co.za/ssl/postfix-and-dovecot-on-ubuntu-with-a-lets-encrypt-ssl-certificate/
AliasMatch ^/.well-known/acme-challenge/(.*)$ /var/spool/certbot/<%= @name %>/.well-known/acme-challenge/$1
Alias /.well-known/acme-challenge/ /var/spool/certbot/<%= @name %>/.well-known/acme-challenge/
/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
<% end -%>
# end vhost for <%= @title %>
<% if @ssl == true %>
# begin ssl vhost for <%= @title %>
:<%= scope.lookupvar('apache::https_port') %>>
# Use HTTP Strict Transport Security to force client to use secure connections only
Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"
ServerName <%= @title %>.<%= @hosting_domain %>
<% if @server_alias != false %> ServerAlias <%= @server_alias %><% end %>
DocumentRoot <%= @docroot %>
<% if @redirect_match != false %> RedirectMatch ^/$ <%= @protocol %>://<%= @title %>.<%= @hosting_domain %>/<%= @redirect_match %><% end %>
<% if @redirect != false %> Redirect <%= @redirect %><% end %>
<% if @aliases != false %><% aliases.each do |map| -%>
Alias <%= @map %>
<% end -%><% end -%>
<% if @use != false %><% @use.each do |instance| -%>
Use <%= instance %>
<% end -%><% end -%>
<% if @custom_directives != false -%>
<%= @custom_directives %>
<% end -%>
<% if @custom_log != false -%>
CustomLog "/var/log/apache2/<%= @name %>-access.log" <%= @custom_log_format %>
<% end -%>
<% if @error_log != false -%>
ErrorLog /var/log/apache2/<%= @name %>-error.log
<% end -%>
<% if @allow_override != false %>
>
AllowOverride <%= @allow_override %>
<% end -%>
<% if @mpm == true %>
AssignUserId <%= @user %> <%= @gid %>
<% end %>
# SSL Configuration
SSLEngine on
SSLProtocol -ALL -SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH
SSLHonorCipherOrder on
SSLCompression off
SSLCertificateFile /etc/ssl/certs/<%= @title %>.crt
SSLCertificateKeyFile /etc/ssl/private/<%= @title %>.pem
# end ssl vhost for <%= @title %>
<% end %>