apache.md

General

• Always set AllowOverride to None on debugging unexpected configuration behaviour, chances are that an .htaccess-file is causing the trouble.
• Set AllowOverride to None permanently and put everything into the vhost/main configuration files. Makes your setup a bit more secure and because not every directory has to be traversed recursively to search for an .htaccess-file, also more performant.

How-Tos

Allow Hosts with Certain IP-Addresses to Bypass HTTP Basic Authentication on a Webserver behind a Proxy (Requires X-Forwarded-For to be Set)

<Directory /var/www/>
  SetEnvIf X-Forwarded-For 172.16.37.1 allow
  SetEnvIf X-Forwarded-For 172.16.37.4 allow
  Order deny,allow
  deny from all
  Allow from env=allow
  AuthType Basic
  AuthName login
  AuthUserFile /etc/httpd/passwd
  Require valid-user
  Satisfy any
  Options Indexes FollowSymLinks MultiViews
</Directory>

Serve an Maintenance Page Except for Some Hosts

RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^(144\.257\.357\.328|127\.0\.0|172\.16\.30|728\.420\.650\.210) # internal or external networks you don't want to serve the maintenance page for.
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteCond %{REQUEST_URI} !^/maintenance\.jpg$
RewriteRule ^(.*)$ http://www.example.com/maintenance.html [L]

Set PHP Errors for Debugging

php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_flag  log_errors on
php_value error_log  /var/www/html/phperrors.log

Improve Security

Header always append X-Frame-Options SAMEORIGIN
TraceEnable Off
ServerSignature Off
ServerTokens Prod

Permissions

HTTPDUSER=www-data; HTTPUSER=foo HTTPDOCS=/var/www;
usermod -a -G $HTTPDUSER $HTTPUSER;
chown root:$HTTPDUSER $HTTPDOCS
chmod 2775 $HTTPDOCS
echo 'umask 002' >> /etc/apache2/envvars
echo 'umask 002' >> /home/$HTTPUSER/.zshrc.local
echo 'umask 002' >> /home/$HTTPUSER/.bashrc
find $HTTPDOCS -type d -exec chmod 2775 {} \;
find $HTTPDOCS -type f -exec chmod 0664 {} \;