2021-01-07
Most readers in geminispace will already be familiar with the term "tilde" as synonymous with a shared/multi-user unix environment. I've recently reconfigured my personal server to be more like these traditional systems, because it's a configuration that works well for me. In doing so I went from using nginx to using apache, because it seemed the better choice for the job. Nginx is better optimized for high load and easier to configure as a proxy for application servers, but apache has a lot of advantages for a shared environment:
You'll need to enable the suexec and userdir mods for apache, but after that the configuration is quite straightforward. Here's what mine looks like for the vhost in question:
```
<VirtualHost *:80>
    ServerName warmedal.se
    ServerAlias www.warmedal.se
    Redirect permanent / https://warmedal.se/
</VirtualHost>

<VirtualHost *:443>
    ServerName warmedal.se
    ServerAlias www.warmedal.se
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/warmedal.se/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/warmedal.se/privkey.pem

    # I have several vhosts all using the same folder for letsencrypt acme challenges
    Alias /.well-known/acme-challenge /home/www-data/acme-challenge/.well-known/acme-challenge

    DocumentRoot /home/www-data/warmedal.se

    # I disallow access to all hidden files and directories
    # (any path component that starts with a dot)
    <Location ~ "/\..*">
        Deny from All
    </Location>
    # ...except .well-known, which the acme challenges need
    # (the dot is escaped so the regex matches a literal ".well-known")
    <Location ~ "^/\.well-known/.*">
        Allow from All
    </Location>

    # This part is all it takes to serve files from ~/public_html of any user
    UserDir public_html

    # And this executes all files ending in .cgi instead of serving their contents
    # (the cgi-script handler needs mod_cgi or mod_cgid loaded as well;
    # with suexec enabled the script runs as the owner of the home directory)
    <Directory "/home/*/public_html">
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>
```
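The part that makes this safe for a multi-user box is suexec: it refuses to run a .cgi file unless the script and the directory it sits in are owned by the user the request maps to and are not writable by group or others, and a refusal shows up as a bare 500 in the browser with the real reason only in suexec.log. The script below is an added example (not from this post, and not part of apache or suexec) that pre-checks a ~user/public_html tree against those rules and drops in a small diagnostic CGI that prints which account it runs as, so you can confirm that requests really execute as the user and not as www-data. It assumes the standard suexec checks described above and a POSIX find/sh; the function names are my own.

```sh
#!/bin/sh
# Added example: verify a ~user/public_html tree against the permission rules
# suexec enforces, and install a whoami.cgi to check the effective user.
# Assumption: default suexec policy (owner must match, no group/other write).

# check_cgi_perms DIR OWNER
#   Prints one line per problem and returns 1 if any were found, 0 otherwise.
#   DIR is the user's public_html, OWNER the account suexec will switch to.
check_cgi_perms() {
    dir="$1"
    owner="$2"
    status=0
    # The directory itself and every .cgi file under it get the same checks.
    # (word-splitting on the find output; paths with spaces are not expected here)
    for path in "$dir" $(find "$dir" -type f -name '*.cgi'); do
        # -prune stops find from descending, so each check looks at one entry
        if [ -n "$(find "$path" -prune ! -user "$owner")" ]; then
            echo "NOT OWNED BY $owner: $path"
            status=1
        fi
        if [ -n "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \))" ]; then
            echo "WRITABLE BY GROUP/OTHERS: $path"
            status=1
        fi
    done
    return "$status"
}

# make_whoami_cgi DIR
#   Writes DIR/whoami.cgi, a CGI that answers with the account it runs as.
#   Under suexec the answer is the ~user; under plain mod_cgi it is www-data.
make_whoami_cgi() {
    cat > "$1/whoami.cgi" <<'EOF'
#!/bin/sh
# CGI output: header block, blank line, then the body
printf 'Content-Type: text/plain\r\n\r\n'
id -un
EOF
    # owner-writable only, executable for everyone (suexec rejects g+w / o+w)
    chmod 755 "$1/whoami.cgi"
}

# Usage when run directly: check the calling user's own public_html.
if [ "${1:-}" = "--check-mine" ]; then
    check_cgi_perms "$HOME/public_html" "$(id -un)" && echo "OK"
fi
```

After `a2enmod suexec userdir cgi` and a reload, https://warmedal.se/~user/whoami.cgi should print the user's name; if it prints www-data, suexec is not active for that request, and if it returns 500, run the checker and read /var/log/apache2/suexec.log.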
Please tell me if you see any obvious mistakes here. I'm specifically uncertain about the difference between "Deny from All" and "Require all denied".
-- CC0 Björn Wärmedal