Most readers in geminispace will already be familiar with the term "tilde" as synonymous with a shared/multi-user unix environment. I've recently reconfigured my personal server to be more like these traditional systems, because it's a configuration that works well for me. In doing so I went from using nginx to using apache, because it seemed the better choice for the job. Nginx is better optimized for high load and easier to configure as a proxy for application servers, but apache has a lot of advantages for a shared environment:
You'll need to enable the suexec and userdir mods for apache, but after that the configuration is quite straightforward. Here's what mine looks like for the vhost in question:
```
<VirtualHost *:80>
    ServerName warmedal.se
    ServerAlias www.warmedal.se
    Redirect permanent / https://warmedal.se/
</VirtualHost>

<VirtualHost *:443>
    ServerName warmedal.se
    ServerAlias www.warmedal.se

    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/warmedal.se/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/warmedal.se/privkey.pem

    # I have several vhosts all using the same folder for letsencrypt acme challenges
    Alias /.well-known/acme-challenge /home/www-data/acme-challenge/.well-known/acme-challenge

    DocumentRoot /home/www-data/warmedal.se

    # I disallow access to all hidden files and directories
    <Location ~ "\/\..*">
        Deny from All
    </Location>
    <Location ~ "^\/.well-known\/.*">
        Allow from All
    </Location>

    # This part is all it takes to serve files from ~/public_html of any user
    UserDir public_html

    # And this executes all files ending in .cgi instead of serving their contents
    <Directory "/home/*/public_html">
        Options +ExecCGI
        AddHandler cgi-script .cgi
    </Directory>
</VirtualHost>
```
Please tell me if you see any obvious mistakes here. I'm specifically uncertain about the difference between "Deny from All" and "Require all denied".
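The two forms that question refers to, side by side, as an added example that is not part of the original post: `Deny`/`Allow` are the Apache 2.2 access directives, which 2.4 only accepts through mod_access_compat, while `Require` is the 2.4 syntax from mod_authz_core. The rewrite assumes Apache 2.4 with the default `AuthMerging Off` and reuses the two URL patterns from the vhost above.

```apache
# Added example; assumes Apache 2.4 with the default "AuthMerging Off".
#
# Form used in the vhost above: Apache 2.2 syntax, which 2.4 only
# understands while mod_access_compat is loaded. With no Order directive
# the default "Order Deny,Allow" applies.
#
#   <Location ~ "\/\..*">
#       Deny from All
#   </Location>
#   <Location ~ "^\/.well-known\/.*">
#       Allow from All
#   </Location>

# The same policy in 2.4 syntax (mod_authz_core).
# <LocationMatch "re"> is the same thing as <Location ~ "re">.
# The pattern is unanchored, so it matches any URL path segment that
# starts with a dot, including ones below /~user/.
<LocationMatch "/\.">
    Require all denied
</LocationMatch>

# Listed second on purpose: Location sections are applied in the order
# they appear, and with AuthMerging Off the Require rules of a later
# matching section replace those of an earlier one. The dot in
# ".well-known" is escaped here so it only matches a literal dot.
<LocationMatch "^/\.well-known/">
    Require all granted
</LocationMatch>
```

The Apache documentation discourages mixing `Order`/`Allow`/`Deny` with `Require`, so converting means switching every access rule in the configuration, not only these two sections.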
-- CC0 Björn Wärmedal