etc/apache2

etc/apache2/conf-available/charset.conf

@@ -0,0 +1,6 @@
+# Read the documentation before enabling AddDefaultCharset.
+# In general, it is only a good idea if you know that all your files
+# have this encoding. It will override any encoding given in the files
+# in meta http-equiv or xml encoding tags.
+
+#AddDefaultCharset UTF-8

etc/apache2/conf-available/localized-error-pages.conf

@@ -0,0 +1,79 @@
+# Customizable error responses come in three flavors:
+# 1) plain text
+# 2) local redirects
+# 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# Putting this all together, we can internationalize error responses.
+#
+# We use Alias to redirect any /error/HTTP_<error>.html.var response to
+# our collection of by-error message multi-language collections.  We use
+# includes to substitute the appropriate text.
+#
+# You can modify the messages' appearance without changing any of the
+# default HTTP_<error>.html.var files by adding the line:
+#
+#Alias /error/include/ "/your/include/path/"
+#
+# which allows you to create your own set of files by starting with the
+# /usr/share/apache2/error/include/ files and copying them to /your/include/path/,
+# even on a per-VirtualHost basis.  If you include the Alias in the global server
+# context, is has to come _before_ the 'Alias /error/ ...' line.
+#
+# The default include files will display your Apache version number and your
+# ServerAdmin email address regardless of the setting of ServerSignature.
+#
+# WARNING: The configuration below will NOT work out of the box if you have a
+#		  SetHandler directive in a <Location /> context somewhere. Adding
+#		  the following three lines AFTER the <Location /> context should
+#		  make it work in most cases:
+#		  <Location /error/>
+#			 SetHandler none
+#		  </Location>
+#
+# The internationalized error documents require mod_alias, mod_include
+# and mod_negotiation.  To activate them, uncomment the following 37 lines.
+
+#<IfModule mod_negotiation.c>
+#	<IfModule mod_include.c>
+#		<IfModule mod_alias.c>
+#
+#			Alias /error/ "/usr/share/apache2/error/"
+#
+#			<Directory "/usr/share/apache2/error">
+#				Options IncludesNoExec
+#				AddOutputFilter Includes html
+#				AddHandler type-map var
+#				Order allow,deny
+#				Allow from all
+#				LanguagePriority en cs de es fr it nl sv pt-br ro
+#				ForceLanguagePriority Prefer Fallback
+#			</Directory>
+#
+#			ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
+#			ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
+#			ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
+#			ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
+#			ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
+#			ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
+#			ErrorDocument 410 /error/HTTP_GONE.html.var
+#			ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
+#			ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
+#			ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
+#			ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
+#			ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
+#			ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
+#			ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
+#			ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
+#			ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
+#			ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
+#		</IfModule>
+#	</IfModule>
+#</IfModule>

etc/apache2/conf-available/other-vhosts-access-log.conf

@@ -0,0 +1,2 @@
+# Define an access log for VirtualHosts that don't define their own logfile
+CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined

etc/apache2/conf-available/php8.4-fpm.conf

@@ -0,0 +1,34 @@
+# Redirect to local php-fpm if mod_php is not available
+<IfModule !mod_php8.c>
+<IfModule proxy_fcgi_module>
+    # Enable http authorization headers
+    <IfModule setenvif_module>
+    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
+    </IfModule>
+
+    # Using (?:pattern) instead of (pattern) is a small optimization that
+    # avoid capturing the matching pattern (as $1) which isn't used here
+    <FilesMatch ".+\.ph(?:ar|p|tml)$">
+        SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost"
+    </FilesMatch>
+# The default configuration works for most of the installation, however it could
+# be improved in various ways. One simple improvement is to not pass files that
+# doesn't exist to the handler as shown below, for more configuration examples
+# see https://wiki.apache.org/httpd/PHP-FPM
+#    <FilesMatch ".+\.ph(?:ar|p|tml)$">
+#        <If "-f %{REQUEST_FILENAME}">
+#            SetHandler "proxy:unix:/run/php/php8.4-fpm.sock|fcgi://localhost"
+#        </If>
+#    </FilesMatch>
+    <FilesMatch ".+\.phps$">
+        # Deny access to raw php sources by default
+        # To re-enable it's recommended to enable access to the files
+        # only in specific virtual host or directory
+        Require all denied
+    </FilesMatch>
+    # Deny access to files without filename (e.g. '.php')
+    <FilesMatch "^\.ph(?:ar|p|ps|tml)$">
+        Require all denied
+    </FilesMatch>
+</IfModule>
+</IfModule>

etc/apache2/conf-available/security.conf

@@ -0,0 +1,56 @@
+# Changing the following options will not really affect the security of the
+# server, but might make attacks slightly more difficult in some cases.
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+# where Full conveys the most information, and Prod the least.
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of:  On | Off | EMail
+#ServerSignature Off
+ServerSignature Off
+
+#
+# Allow TRACE method
+#
+# Set to "extended" to also reflect the request body (only for testing and
+# diagnostic purposes).
+#
+# Set to one of:  On | Off | extended
+TraceEnable Off
+#TraceEnable On
+
+#
+# Forbid access to version control directories
+#
+# If you use version control systems in your document root, you should
+# probably deny access to their directories.
+#
+# Examples:
+#
+#RedirectMatch 404 /\.git
+#RedirectMatch 404 /\.svn
+
+#
+# Setting this header will prevent MSIE from interpreting files as something
+# else than declared by the content type in the HTTP headers.
+# Requires mod_headers to be enabled.
+#
+#Header set X-Content-Type-Options: "nosniff"
+
+#
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+#Header set Content-Security-Policy "frame-ancestors 'self';"

etc/apache2/conf-available/serve-cgi-bin.conf

@@ -0,0 +1,18 @@
+<IfModule mod_alias.c>
+	<IfModule mod_cgi.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfModule mod_cgid.c>
+		Define ENABLE_USR_LIB_CGI_BIN
+	</IfModule>
+
+	<IfDefine ENABLE_USR_LIB_CGI_BIN>
+		ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
+		<Directory "/usr/lib/cgi-bin">
+			AllowOverride None
+			Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
+			Require all granted
+		</Directory>
+	</IfDefine>
+</IfModule>