Add new Amsterdam addresses to whitelists

[chef.git] / cookbooks / wordpress / templates / default / apache.erb

diff --git a/cookbooks/wordpress/templates/default/apache.erb b/cookbooks/wordpress/templates/default/apache.erb
index 9b691798203ed299d64bb6c7b4d2932864a6b015..67476b6f82160f46537b46722f42623810c27265 100644 (file)
--- a/cookbooks/wordpress/templates/default/apache.erb
+++ b/cookbooks/wordpress/templates/default/apache.erb
@@ -42,9 +42,6 @@
   </Directory>
 <% end -%>
 
-  ProxyFCGISetEnvIf "true" PHP_ADMIN_VALUE "open_basedir=<%= @directory %>/:/usr/share/php/:/tmp/\ndisable_functions=exec,shell_exec,system,passthru,popen"
-  ProxyFCGISetEnvIf "true" PHP_VALUE "upload_max_filesize=70M\npost_max_size=100M"
-
   <Directory <%= @directory %>>
     RewriteEngine on
 
@@ -54,6 +51,7 @@
     RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
     RewriteRule ^wp-includes/theme-compat/ - [F,L]
     RewriteRule ^readme\.html$ [F,L]
+    RewriteRule ^index\.php$ - [L]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule . /index.php [L]
@@ -62,6 +60,13 @@
     AllowOverride AuthConfig
 
     Require all granted
+
+    # https://www.wp-pay.org/http-authorization-header-missing/
+    CGIPassAuth on
+
+    <FilesMatch ".+\.ph(ar|p|tml)$">
+      SetHandler "proxy:unix:/run/php/php-<%= @name %>-fpm.sock|fcgi://127.0.0.1"
+    </FilesMatch>
   </Directory>
 
   <Files <%= @directory %>/wp-config.php>
@@ -84,11 +89,16 @@
     Require all denied
   </Directory>
 
-  <Files ~ "\.(txt|md)$">
+  <Files ~ "(?<!robots|ads|security|humans)\.(txt|md)$">
     Require all denied
   </Files>
 
   <Files ~ "~$">
     Require all denied
   </Files>
+
+  <Files "xmlrpc.php">
+    Require all denied
+  </Files>
+
 </VirtualHost>