httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank <thu...@apache.org>
Subject Re: [users@httpd] New 2.4 configuration, need sanity and security check
Date Sun, 18 Jun 2017 04:11:13 GMT
On 16/06/17 10:53 PM, David Mehler wrote:
> Hello,
>
> I'm doing a config rewrite. I'm using apache 2.4. If someone who does
> security could give my setup a check from a security perspective i'd
> appreciate it.
>
> I'm also wondering in particular about my cache setup and virtual
> hosts. There's a lot of repeated lines.
>
> Config at the end of this message, rather long.
>
> Much appreciation.
>
> Thanks.
> Dave.
>
> # httpd.conf
>
> #
> # Httpd minimalistic configuration
> #
>
> ServerRoot "/usr/local"
> Listen xxx.xxx.xxx.xxx:80
> # Loadable modules
> LoadModule authn_file_module libexec/apache24/mod_authn_file.so
> #LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
> #LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
> LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
> LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
> LoadModule authn_core_module libexec/apache24/mod_authn_core.so
> LoadModule authz_host_module libexec/apache24/mod_authz_host.so
> LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
> LoadModule authz_user_module libexec/apache24/mod_authz_user.so
> #LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
> #LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
> LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
> LoadModule authz_core_module libexec/apache24/mod_authz_core.so
> #LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
> #LoadModule access_compat_module libexec/apache24/mod_access_compat.so
> LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
> #LoadModule auth_form_module libexec/apache24/mod_auth_form.so
> #LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
> #LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
> LoadModule file_cache_module libexec/apache24/mod_file_cache.so
> LoadModule cache_module libexec/apache24/mod_cache.so
> LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
> LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
> LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
> #LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
> #LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
> #LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so
> #LoadModule watchdog_module libexec/apache24/mod_watchdog.so
> #LoadModule macro_module libexec/apache24/mod_macro.so
> LoadModule dbd_module libexec/apache24/mod_dbd.so
> #LoadModule dumpio_module libexec/apache24/mod_dumpio.so
> #LoadModule buffer_module libexec/apache24/mod_buffer.so
> #LoadModule data_module libexec/apache24/mod_data.so
> #LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
> #LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
> #LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
> #LoadModule request_module libexec/apache24/mod_request.so
> LoadModule include_module libexec/apache24/mod_include.so
> LoadModule filter_module libexec/apache24/mod_filter.so
> #LoadModule reflector_module libexec/apache24/mod_reflector.so
> #LoadModule substitute_module libexec/apache24/mod_substitute.so
> #LoadModule sed_module libexec/apache24/mod_sed.so
> #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
> LoadModule deflate_module libexec/apache24/mod_deflate.so
> #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
> #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
> LoadModule mime_module libexec/apache24/mod_mime.so
> LoadModule log_config_module libexec/apache24/mod_log_config.so
> #LoadModule log_debug_module libexec/apache24/mod_log_debug.so
> #LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
> #LoadModule logio_module libexec/apache24/mod_logio.so
> #LoadModule lua_module libexec/apache24/mod_lua.so
> LoadModule env_module libexec/apache24/mod_env.so
> LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
> #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
> LoadModule expires_module libexec/apache24/mod_expires.so
> LoadModule headers_module libexec/apache24/mod_headers.so
> #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
> LoadModule unique_id_module libexec/apache24/mod_unique_id.so
> LoadModule setenvif_module libexec/apache24/mod_setenvif.so
> LoadModule version_module libexec/apache24/mod_version.so
> #LoadModule remoteip_module libexec/apache24/mod_remoteip.so
> #LoadModule proxy_module libexec/apache24/mod_proxy.so
> #LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
> #LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
> #LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
> #LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
> #LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
> #LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
> #LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
> #LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
> #LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
> #LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
> #LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
> #LoadModule session_module libexec/apache24/mod_session.so
> #LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
> #LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
> #LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
> LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
> #LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
> LoadModule ssl_module libexec/apache24/mod_ssl.so
> #LoadModule dialup_module libexec/apache24/mod_dialup.so
> #LoadModule lbmethod_byrequests_module
> libexec/apache24/mod_lbmethod_byrequests.so
> #LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
> #LoadModule lbmethod_bybusyness_module
> libexec/apache24/mod_lbmethod_bybusyness.so
> #LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
> #LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
> LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
> #LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
> LoadModule unixd_module libexec/apache24/mod_unixd.so
> #LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
> #LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
> #LoadModule dav_module libexec/apache24/mod_dav.so
> #LoadModule status_module libexec/apache24/mod_status.so
> #LoadModule autoindex_module libexec/apache24/mod_autoindex.so
> #LoadModule asis_module libexec/apache24/mod_asis.so
> #LoadModule info_module libexec/apache24/mod_info.so
> #LoadModule suexec_module libexec/apache24/mod_suexec.so
> #LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
> #LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
> #LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
> LoadModule negotiation_module libexec/apache24/mod_negotiation.so
> LoadModule dir_module libexec/apache24/mod_dir.so
> #LoadModule imagemap_module libexec/apache24/mod_imagemap.so
> #LoadModule actions_module libexec/apache24/mod_actions.so
> #LoadModule speling_module libexec/apache24/mod_speling.so
> #LoadModule userdir_module libexec/apache24/mod_userdir.so
> LoadModule alias_module libexec/apache24/mod_alias.so
> LoadModule rewrite_module libexec/apache24/mod_rewrite.so
> #LoadModule security2_module libexec/apache24/mod_security2.so
> #LoadModule perl_module        libexec/apache24/mod_perl.so
> #LoadModule evasive20_module   libexec/apache24/mod_evasive20.so
> LoadModule geoip_module       libexec/apache24/mod_geoip.so
> LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so
> LoadModule php5_module        libexec/apache24/libphp5.so
>
> User www
> Group www
> ServerAdmin xxx@example.com
> ServerName www.example.com:80
> <Directory />
>     AllowOverride none
>     Require all denied
> </Directory>
> DocumentRoot "/usr/local/www/apache24/xxxxxxxxx"
> <Directory "/usr/local/www/apache24/xxx">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Require all granted
> </Directory>
>     DirectoryIndex index.html index.htm index.pl
> <Files ".ht*">
>     Require all denied
> </Files>
> ErrorLog "/var/log/httpd-error.log"
> LogLevel warn
>     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
>     LogFormat "%h %l %u %t \"%r\" %>s %b" common
>     CustomLog "/var/log/httpd-access.log" common
> <IfModule headers_module>
>     # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
>     # backend servers which have lingering "httpoxy" defects.
>     # 'Proxy' request header is undefined by the IETF, not listed by IANA
>     RequestHeader unset Proxy early
> </IfModule>
>     TypesConfig etc/apache24/mime.types
>     AddType application/x-compress .Z
>     AddType application/x-gzip .gz .tgz
> #   MIME-types for downloading Certificates and CRLs
> AddType application/x-x509-cacert .crt
> AddType application/x-pkcs7-crl    .crl
> # Mime types for HTML 5 audio and videos
> AddType audio/aac .aac
> AddType audio/mp4 .mp4 .m4a
> AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg
> AddType audio/ogg .oga .ogg
> AddType audio/wav .wav
> AddType audio/webm .webm
> AddType video/mp4 .mp4 .m4v
> AddType video/ogg .ogv
> AddType video/webm .webm
> MIMEMagicFile etc/apache24/magic
>
> # Include server default values
> Include etc/apache24/extra/httpd-default.conf
>
> # Include mpm values
> Include etc/apache24/extra/httpd-mpm.conf
>
> # Secure (SSL/TLS) connections
> Include etc/apache24/extra/httpd-ssl.conf
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> # Some security settings
> Include etc/apache24/extra/httpd-security.conf
> Include etc/apache24/Includes/*.conf
> # For mod security
> #Include /usr/local/etc/modsecurity/*.conf
> # Load the base Owasp rules
>   #Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
>
> #
> # Mod deflate settings
> #
>      SetOutputFilter DEFLATE
> AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
> text/javascript application/javascript
>      SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v
>           Header append Vary User-Agent
>
> AcceptFilter http none
> AcceptFilter https none
>
> # GeoIP
> GeoIPEnable On
> SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
> SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
> GeoIPScanProxyHeaders On
>
> # Cache setup
> CacheRoot /usr/local/www/proxy
> CacheDirLevels 2
> CacheDirLength 1
>
> # for acme challenges
> <Directory "/usr/local/www/.well-known/">
>    Options None
>    AllowOverride None
>    Require all granted
>    Header add Content-Type text/plain
> </Directory>
>
> # httpd-default.conf
>
> #
> # This configuration file reflects default settings for Apache HTTP Server.
> #
> # You may change these, but chances are that you may not need to.
> #
>
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 60
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive Off
>
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We recommend you leave this number high, for maximum performance.
> #
> MaxKeepAliveRequests 100
>
> #
> # KeepAliveTimeout: Number of seconds to wait for the next request from the
> # same client on the same connection.
> #
> KeepAliveTimeout 5
>
> #
> # UseCanonicalName: Determines how Apache constructs self-referencing
> # URLs and the SERVER_NAME and SERVER_PORT variables.
> # When set "Off", Apache will use the Hostname and Port supplied
> # by the client.  When set "On", Apache will use the value of the
> # ServerName directive.
> #
> UseCanonicalName On
>
> #
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives.  See also the AllowOverride
> # directive.
> #
> AccessFileName .htaccess
>
> #
> # ServerTokens
> # This directive configures what you return as the Server HTTP response
> # Header. The default is 'Full' which sends information about the OS-Type
> # and compiled in modules.
> # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> # where Full conveys the most information, and Prod the least.
> #
> ServerTokens Prod
>
> #
> # Optionally add a line containing the server version and virtual host
> # name to server-generated pages (internal error documents, FTP directory
> # listings, mod_status and mod_info output etc., but not CGI generated
> # documents or custom error documents).
> # Set to "EMail" to also include a mailto: link to the ServerAdmin.
> # Set to one of:  On | Off | EMail
> #
> ServerSignature Off
>
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
>
> #
> # Set a timeout for how long the client may take to send the request header
> # and body.
> # The default for the headers is header=20-40,MinRate=500, which means wait
> # for the first byte of headers for 20 seconds. If some data arrives,
> # increase the timeout corresponding to a data rate of 500 bytes/s, but not
> # above 40 seconds.
> # The default for the request body is body=20,MinRate=500, which is the same
> # but has no upper limit for the timeout.
> # To disable, set to header=0 body=0
> #
> <IfModule reqtimeout_module>
>   RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
> </IfModule>
>
> # httpd-mpm.conf
> #
> # Server-Pool Management (MPM specific)
> #
>
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> #
> # Note that this is the default PidFile for most MPMs.
> #
> <IfModule !mpm_netware_module>
>     PidFile "/var/run/httpd.pid"
> </IfModule>
>
> #
> # Only one of the below sections will be relevant on your
> # installed httpd.  Use "apachectl -l" to find out the
> # active mpm.
> #
>
> # prefork MPM
> # StartServers: number of server processes to start
> # MinSpareServers: minimum number of server processes which are kept spare
> # MaxSpareServers: maximum number of server processes which are kept spare
> # MaxRequestWorkers: maximum number of server processes allowed to start
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_prefork_module>
>     StartServers             8
>     MinSpareServers          40
>     MaxSpareServers         80
>     MaxClients 200
>     MaxRequestsPerChild 9000
>     #MaxRequestWorkers      250
>     #MaxConnectionsPerChild   12000
> </IfModule>
>
> # worker MPM
> # StartServers: initial number of server processes to start
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestWorkers: maximum number of worker threads
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_worker_module>
>     StartServers             3
>     MinSpareThreads         75
>     MaxSpareThreads        250
>     ThreadsPerChild         25
>     MaxRequestWorkers      400
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # event MPM
> # StartServers: initial number of server processes to start
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestWorkers: maximum number of worker threads
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_event_module>
>     StartServers             4
>     MinSpareThreads         30
>     MaxSpareThreads        100
>     ThreadsPerChild         50
>     MaxRequestWorkers      200
>     MaxConnectionsPerChild   6000
> </IfModule>
>
> # NetWare MPM
> # ThreadStackSize: Stack size allocated for each worker thread
> # StartThreads: Number of worker threads launched at server startup
> # MinSpareThreads: Minimum number of idle threads, to handle request spikes
> # MaxSpareThreads: Maximum number of idle threads
> # MaxThreads: Maximum number of worker threads alive at the same time
> # MaxConnectionsPerChild: Maximum  number of connections a thread serves. It
> #                         is recommended that the default value of 0 be set
> #                         for this directive on NetWare.  This will allow the
> #                         thread to continue to service requests indefinitely.
> <IfModule mpm_netware_module>
>     ThreadStackSize      65536
>     StartThreads           250
>     MinSpareThreads         25
>     MaxSpareThreads        250
>     MaxThreads            1000
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # OS/2 MPM
> # StartServers: Number of server processes to maintain
> # MinSpareThreads: Minimum number of idle threads per process,
> #                  to handle request spikes
> # MaxSpareThreads: Maximum number of idle threads per process
> # MaxConnectionsPerChild: Maximum number of connections per server process
> <IfModule mpm_mpmt_os2_module>
>     StartServers             2
>     MinSpareThreads          5
>     MaxSpareThreads         10
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # WinNT MPM
> # ThreadsPerChild: constant number of worker threads in the server process
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> <IfModule mpm_winnt_module>
>     ThreadsPerChild        150
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # The maximum number of free Kbytes that every allocator is allowed
> # to hold without calling free(). In threaded MPMs, every thread has its own
> # allocator. When not set, or when set to zero, the threshold will be set to
> # unlimited.
> <IfModule !mpm_netware_module>
>     MaxMemFree            2048
> </IfModule>
> <IfModule mpm_netware_module>
>     MaxMemFree             100
> </IfModule>
>
> # httpd-ssl.conf
> SSLRandomSeed startup file:/dev/urandom 512
> SSLRandomSeed connect file:/dev/urandom 512
> listen 66.228.47.34:443
> #Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443
>
> # OCSP Stapling settings
> SSLUseStapling On
> SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
> SSLStaplingResponderTimeout 15
> SSLStaplingReturnResponderErrors off
> SSLStaplingStandardCacheTimeout 3600
>
> # For modern configuration
> # https://mozilla.github.io/server-side-tls/ssl-config-generator/
> # 04/14/17:
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
> SSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH
> SSLHonorCipherOrder On
> #SSLProtocol all -SSLv2 -SSLv3
>         # Enable PFS
> #SSLHonorCipherOrder On
> #SSLCipherSuite
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH
>  #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
> #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
> #SSSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> #
> # https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
> SSLCompression Off
> SSLSessionTickets Off
> # Strong dh parameters file
> SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
>
> # For temporary legacy intermediate clients
> #SSLProtocol             all -SSLv2 -SSLv3
> #SSLCipherSuite
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> #SSLHonorCipherOrder     on
> #SSLCompression          off
> SSLPassPhraseDialog  builtin
> SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
> SSLSessionCacheTimeout  300
>
> <VirtualHost _default_:443>
> DocumentRoot "/usr/local/www/apache24/sslvhost"
> ServerName www.davemehler.com:443
> ServerAdmin webmaster@davemehler.com
> ErrorLog "/var/log/http-ssl-error.log"
> TransferLog "/var/log/httpd-ssl-access.log"
> SSLEngine on
> SSLCertificateFile "/etc/ssl/certs/server.crt"
> SSLCertificateKeyFile "/etc/ssl/private/server.key"
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>     SSLOptions +StdEnvVars
> </FilesMatch>
> 	<Directory /usr/local/www/apache24/sslvhost>
> Require all granted
> Options FollowSymLinks
> AllowOverRide none
> 	</Directory>
> <Directory "/usr/local/www/apache24/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> #BrowserMatch "MSIE [2-5]" \
>          #nokeepalive ssl-unclean-shutdown \
>          #downgrade-1.0 force-response-1.0
> CustomLog "/var/log/httpd-ssl_request.log" \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> #Alias /mail "/usr/local/www/roundcube/"
> #Alias /awstats/icon "/usr/local/www/awstats/icon/"
> #Alias /awstatsicon "/usr/local/www/awstats/icon/"
> #ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/"
> </VirtualHost>
>
> # httpd-security.conf
> <IfModule mod_headers.c>
> Header unset ETag
> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
> Header set X-XSS-Protection "1; mode=block"
> Header append Referrer-Policy: no-referrer-when-downgrade
> Header always unset "X-Powered-By"
> Header set X-Permitted-Cross-Domain-Policies "none"
> </IfModule>
> # Remove server identification header
> <ifModule ModSecurity.c>
>   SecServerSignature ''
> </ifModule>
>
> FileETag None
> TraceEnable off
>
> # Deploy Content Security Policy CSP
> <IfModule mod_headers.c>
> Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
>     Header set X-Content-Type-Options nosniff
> # Originally set to deny
>     #Header set X-Frame-Options DENY
>     Header set X-Frame-Options SAMEORIGIN
> </IfModule>
>
> # mod_evasive module
> <IfModule mod_evasive20.c>
>     DOSHashTableSize    3097
>     DOSPageCount        2
>     DOSSiteCount        50
>     DOSPageInterval     1
>     DOSSiteInterval     1
>     DOSBlockingPeriod   10
> DOSEmailNotify root@davemehler.com
> DOSWhitelist	127.0.0.1
> DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
> </IfModule>
>
> vhosts.conf
> #
> # Virtual host file
> #
>
> # The example.com http virtual host
> <VirtualHost *:80>
>     ServerName example.com
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin xxx@example.com
>     DocumentRoot "/usr/vhosts/example.com/htdocs/"
>     ServerName www.example.com
>     ServerAlias www.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.com/.well-known gets
> forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.com/logs/error.log"
>     <Directory "/usr/vhosts/example.com/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The test.example.com http virtual host
> <VirtualHost *:80>
>     ServerAdmin webmaster@example.com
>     DocumentRoot "/usr/vhosts/test.example.com/htdocs/"
>     ServerName test.example.com
>     ServerAlias test.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to test.example.com/.well-known gets
> forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://test.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/test.example.com/logs/error.log"
>     <Directory "/usr/vhosts/test.example.com/htdocs/">
>  # mod_authn_core and mod_auth_basic configuration
>  # for mod_authn_dbd
>  #AuthType Basic
>  #AuthName "Restricted Access"
>
>  # To cache credentials, put socache ahead of dbd here
>  #AuthBasicProvider socache dbd
>
>  # Also required for caching: tell the cache to cache dbd lookups!
>  #AuthnCacheProvideFor dbd
>  #AuthnCacheContext my-server
>
>  # mod_authn_dbd SQL query to authenticate a user
>  #AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s"
>
>  # mod_authz_core configuration
>             #<RequireAll>
>                 #Require group alpha beta testgroup
> #Require dbd-group team
>                 #Require not group reject
>                 #<RequireAny>
>                     #Require valid-user
>                 #</RequireAny>
>         #<RequireNone>
>             #Require group temps
>         #</RequireNone>
>             #</RequireAll>
>                     #Require group testgroup
> #Require dbd-group testgroup
>                     #Require valid-user
>
>   # mod_authz_dbd configuration
>   #AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'"
> #AuthzSendForbiddenOnFailure On
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The example.net http virtual host
> <VirtualHost *:80>
>     ServerName example.net
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.net/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin xxx@example.net
>     DocumentRoot "/usr/vhosts/example.net/htdocs/"
>     ServerName www.example.net
>     ServerAlias www.example.net
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.net/.well-known gets
> forwarded to the https site
> #    RewriteEngine on
> #    RewriteCond %{REQUEST_URI} !^/.well-known
> #    RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.net/logs/error.log"
>     <Directory "/usr/vhosts/example.net/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The example.org http virtual host
> <VirtualHost *:80>
>     ServerName example.org
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.org/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin xxx@example.org
>     DocumentRoot "/usr/vhosts/example.org/htdocs/"
>     ServerName www.example.org
>     ServerAlias www.example.org
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.org/.well-known gets
> forwarded to the https site
> #    RewriteEngine on
> #    RewriteCond %{REQUEST_URI} !^/.well-known
> #    RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.org/logs/error.log"
>     <Directory "/usr/vhosts/example.org/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The webmail.example.com http virtual host
> <VirtualHost *:80>
>     ServerAdmin xxx@example.com
>     DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
>     ServerName webmail.example.com
>     ServerAlias webmail.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to webmail.example.com/.well-known
> gets forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
>     <Directory "/usr/vhosts/webmail.example.com/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The webmail.example.org http virtual host
> <VirtualHost *:80>
>     ServerAdmin xxx@example.org
>     DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/"
>     ServerName webmail.example.org
>     ServerAlias webmail.example.org
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to webmail.example.org/.well-known
> gets forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://webmail.example.org/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log"
>     <Directory "/usr/vhosts/webmail.example.org/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

No one will parse your entire httpd.conf out of their free time.

Instead, I recommend starting with 
http://httpd.apache.org/docs/current/upgrading.html

Then you can focus on specific problems.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message