On 16/06/17 10:53 PM, David Mehler wrote:
Hello, I'm doing a config rewrite. I'm using apache 2.4. If someone who does security could give my setup a check from a security perspective i'd appreciate it. I'm also wondering in particular about my cache setup and virtual hosts. There's a lot of repeated lines. Config at the end of this message, rather long. Much appreciation. Thanks. Dave. # httpd.conf # # Httpd minimalistic configuration # ServerRoot "/usr/local" Listen xxx.xxx.xxx.xxx:80 # Loadable modules LoadModule authn_file_module libexec/apache24/mod_authn_file.so #LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so #LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so LoadModule authn_core_module libexec/apache24/mod_authn_core.so LoadModule authz_host_module libexec/apache24/mod_authz_host.so LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so LoadModule authz_user_module libexec/apache24/mod_authz_user.so #LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so #LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so LoadModule authz_core_module libexec/apache24/mod_authz_core.so #LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so #LoadModule access_compat_module libexec/apache24/mod_access_compat.so LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so #LoadModule auth_form_module libexec/apache24/mod_auth_form.so #LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so #LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so LoadModule file_cache_module libexec/apache24/mod_file_cache.so LoadModule cache_module libexec/apache24/mod_cache.so LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so #LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so #LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so #LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so #LoadModule watchdog_module libexec/apache24/mod_watchdog.so #LoadModule macro_module libexec/apache24/mod_macro.so LoadModule dbd_module libexec/apache24/mod_dbd.so #LoadModule dumpio_module libexec/apache24/mod_dumpio.so #LoadModule buffer_module libexec/apache24/mod_buffer.so #LoadModule data_module libexec/apache24/mod_data.so #LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so #LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so #LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so #LoadModule request_module libexec/apache24/mod_request.so LoadModule include_module libexec/apache24/mod_include.so LoadModule filter_module libexec/apache24/mod_filter.so #LoadModule reflector_module libexec/apache24/mod_reflector.so #LoadModule substitute_module libexec/apache24/mod_substitute.so #LoadModule sed_module libexec/apache24/mod_sed.so #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so LoadModule deflate_module libexec/apache24/mod_deflate.so #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so LoadModule mime_module libexec/apache24/mod_mime.so LoadModule log_config_module libexec/apache24/mod_log_config.so #LoadModule log_debug_module libexec/apache24/mod_log_debug.so #LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so #LoadModule logio_module libexec/apache24/mod_logio.so #LoadModule lua_module libexec/apache24/mod_lua.so LoadModule env_module libexec/apache24/mod_env.so LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so LoadModule expires_module libexec/apache24/mod_expires.so LoadModule headers_module libexec/apache24/mod_headers.so #LoadModule usertrack_module libexec/apache24/mod_usertrack.so LoadModule unique_id_module libexec/apache24/mod_unique_id.so LoadModule setenvif_module libexec/apache24/mod_setenvif.so LoadModule version_module libexec/apache24/mod_version.so #LoadModule remoteip_module libexec/apache24/mod_remoteip.so #LoadModule proxy_module libexec/apache24/mod_proxy.so #LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so #LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so #LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so #LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so #LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so #LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so #LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so #LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so #LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so #LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so #LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so #LoadModule session_module libexec/apache24/mod_session.so #LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so #LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so #LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so #LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so LoadModule ssl_module libexec/apache24/mod_ssl.so #LoadModule dialup_module libexec/apache24/mod_dialup.so #LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so #LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so #LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so #LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so #LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so #LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so LoadModule unixd_module libexec/apache24/mod_unixd.so #LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so #LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so #LoadModule dav_module libexec/apache24/mod_dav.so #LoadModule status_module libexec/apache24/mod_status.so #LoadModule autoindex_module libexec/apache24/mod_autoindex.so #LoadModule asis_module libexec/apache24/mod_asis.so #LoadModule info_module libexec/apache24/mod_info.so #LoadModule suexec_module libexec/apache24/mod_suexec.so #LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so #LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so #LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so LoadModule negotiation_module libexec/apache24/mod_negotiation.so LoadModule dir_module libexec/apache24/mod_dir.so #LoadModule imagemap_module libexec/apache24/mod_imagemap.so #LoadModule actions_module libexec/apache24/mod_actions.so #LoadModule speling_module libexec/apache24/mod_speling.so #LoadModule userdir_module libexec/apache24/mod_userdir.so LoadModule alias_module libexec/apache24/mod_alias.so LoadModule rewrite_module libexec/apache24/mod_rewrite.so #LoadModule security2_module libexec/apache24/mod_security2.so #LoadModule perl_module libexec/apache24/mod_perl.so #LoadModule evasive20_module libexec/apache24/mod_evasive20.so LoadModule geoip_module libexec/apache24/mod_geoip.so LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so LoadModule php5_module libexec/apache24/libphp5.so User www Group www ServerAdmin xxx@xxxxxxxxxxx ServerName www.example.com:80 <Directory /> AllowOverride none Require all denied </Directory> DocumentRoot "/usr/local/www/apache24/xxxxxxxxx" <Directory "/usr/local/www/apache24/xxx"> Options Indexes FollowSymLinks AllowOverride None Require all granted </Directory> DirectoryIndex index.html index.htm index.pl <Files ".ht*"> Require all denied </Files> ErrorLog "/var/log/httpd-error.log" LogLevel warn LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog "/var/log/httpd-access.log" common <IfModule headers_module> # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied # backend servers which have lingering "httpoxy" defects. # 'Proxy' request header is undefined by the IETF, not listed by IANA RequestHeader unset Proxy early </IfModule> TypesConfig etc/apache24/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz # MIME-types for downloading Certificates and CRLs AddType application/x-x509-cacert .crt AddType application/x-pkcs7-crl .crl # Mime types for HTML 5 audio and videos AddType audio/aac .aac AddType audio/mp4 .mp4 .m4a AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg AddType audio/ogg .oga .ogg AddType audio/wav .wav AddType audio/webm .webm AddType video/mp4 .mp4 .m4v AddType video/ogg .ogv AddType video/webm .webm MIMEMagicFile etc/apache24/magic # Include server default values Include etc/apache24/extra/httpd-default.conf # Include mpm values Include etc/apache24/extra/httpd-mpm.conf # Secure (SSL/TLS) connections Include etc/apache24/extra/httpd-ssl.conf <IfModule ssl_module> SSLRandomSeed startup builtin SSLRandomSeed connect builtin </IfModule> # Some security settings Include etc/apache24/extra/httpd-security.conf Include etc/apache24/Includes/*.conf # For mod security #Include /usr/local/etc/modsecurity/*.conf # Load the base Owasp rules #Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf # # Mod deflate settings # SetOutputFilter DEFLATE AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v Header append Vary User-Agent AcceptFilter http none AcceptFilter https none # GeoIP GeoIPEnable On SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry GeoIPScanProxyHeaders On # Cache setup CacheRoot /usr/local/www/proxy CacheDirLevels 2 CacheDirLength 1 # for acme challenges <Directory "/usr/local/www/.well-known/"> Options None AllowOverride None Require all granted Header add Content-Type text/plain </Directory> # httpd-default.conf # # This configuration file reflects default settings for Apache HTTP Server. # # You may change these, but chances are that you may not need to. # # # Timeout: The number of seconds before receives and sends time out. # Timeout 60 # # KeepAlive: Whether or not to allow persistent connections (more than # one request per connection). Set to "Off" to deactivate. # KeepAlive Off # # MaxKeepAliveRequests: The maximum number of requests to allow # during a persistent connection. Set to 0 to allow an unlimited amount. # We recommend you leave this number high, for maximum performance. # MaxKeepAliveRequests 100 # # KeepAliveTimeout: Number of seconds to wait for the next request from the # same client on the same connection. # KeepAliveTimeout 5 # # UseCanonicalName: Determines how Apache constructs self-referencing # URLs and the SERVER_NAME and SERVER_PORT variables. # When set "Off", Apache will use the Hostname and Port supplied # by the client. When set "On", Apache will use the value of the # ServerName directive. # UseCanonicalName On # # AccessFileName: The name of the file to look for in each directory # for additional configuration directives. See also the AllowOverride # directive. # AccessFileName .htaccess # # ServerTokens # This directive configures what you return as the Server HTTP response # Header. The default is 'Full' which sends information about the OS-Type # and compiled in modules. # Set to one of: Full | OS | Minor | Minimal | Major | Prod # where Full conveys the most information, and Prod the least. # ServerTokens Prod # # Optionally add a line containing the server version and virtual host # name to server-generated pages (internal error documents, FTP directory # listings, mod_status and mod_info output etc., but not CGI generated # documents or custom error documents). # Set to "EMail" to also include a mailto: link to the ServerAdmin. # Set to one of: On | Off | EMail # ServerSignature Off # # HostnameLookups: Log the names of clients or just their IP addresses # e.g., www.apache.org (on) or 204.62.129.132 (off). # The default is off because it'd be overall better for the net if people # had to knowingly turn this feature on, since enabling it means that # each client request will result in AT LEAST one lookup request to the # nameserver. # HostnameLookups Off # # Set a timeout for how long the client may take to send the request header # and body. # The default for the headers is header=20-40,MinRate=500, which means wait # for the first byte of headers for 20 seconds. If some data arrives, # increase the timeout corresponding to a data rate of 500 bytes/s, but not # above 40 seconds. # The default for the request body is body=20,MinRate=500, which is the same # but has no upper limit for the timeout. # To disable, set to header=0 body=0 # <IfModule reqtimeout_module> RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500 </IfModule> # httpd-mpm.conf # # Server-Pool Management (MPM specific) # # # PidFile: The file in which the server should record its process # identification number when it starts. # # Note that this is the default PidFile for most MPMs. # <IfModule !mpm_netware_module> PidFile "/var/run/httpd.pid" </IfModule> # # Only one of the below sections will be relevant on your # installed httpd. Use "apachectl -l" to find out the # active mpm. # # prefork MPM # StartServers: number of server processes to start # MinSpareServers: minimum number of server processes which are kept spare # MaxSpareServers: maximum number of server processes which are kept spare # MaxRequestWorkers: maximum number of server processes allowed to start # MaxConnectionsPerChild: maximum number of connections a server process serves # before terminating <IfModule mpm_prefork_module> StartServers 8 MinSpareServers 40 MaxSpareServers 80 MaxClients 200 MaxRequestsPerChild 9000 #MaxRequestWorkers 250 #MaxConnectionsPerChild 12000 </IfModule> # worker MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestWorkers: maximum number of worker threads # MaxConnectionsPerChild: maximum number of connections a server process serves # before terminating <IfModule mpm_worker_module> StartServers 3 MinSpareThreads 75 MaxSpareThreads 250 ThreadsPerChild 25 MaxRequestWorkers 400 MaxConnectionsPerChild 0 </IfModule> # event MPM # StartServers: initial number of server processes to start # MinSpareThreads: minimum number of worker threads which are kept spare # MaxSpareThreads: maximum number of worker threads which are kept spare # ThreadsPerChild: constant number of worker threads in each server process # MaxRequestWorkers: maximum number of worker threads # MaxConnectionsPerChild: maximum number of connections a server process serves # before terminating <IfModule mpm_event_module> StartServers 4 MinSpareThreads 30 MaxSpareThreads 100 ThreadsPerChild 50 MaxRequestWorkers 200 MaxConnectionsPerChild 6000 </IfModule> # NetWare MPM # ThreadStackSize: Stack size allocated for each worker thread # StartThreads: Number of worker threads launched at server startup # MinSpareThreads: Minimum number of idle threads, to handle request spikes # MaxSpareThreads: Maximum number of idle threads # MaxThreads: Maximum number of worker threads alive at the same time # MaxConnectionsPerChild: Maximum number of connections a thread serves. It # is recommended that the default value of 0 be set # for this directive on NetWare. This will allow the # thread to continue to service requests indefinitely. <IfModule mpm_netware_module> ThreadStackSize 65536 StartThreads 250 MinSpareThreads 25 MaxSpareThreads 250 MaxThreads 1000 MaxConnectionsPerChild 0 </IfModule> # OS/2 MPM # StartServers: Number of server processes to maintain # MinSpareThreads: Minimum number of idle threads per process, # to handle request spikes # MaxSpareThreads: Maximum number of idle threads per process # MaxConnectionsPerChild: Maximum number of connections per server process <IfModule mpm_mpmt_os2_module> StartServers 2 MinSpareThreads 5 MaxSpareThreads 10 MaxConnectionsPerChild 0 </IfModule> # WinNT MPM # ThreadsPerChild: constant number of worker threads in the server process # MaxConnectionsPerChild: maximum number of connections a server process serves <IfModule mpm_winnt_module> ThreadsPerChild 150 MaxConnectionsPerChild 0 </IfModule> # The maximum number of free Kbytes that every allocator is allowed # to hold without calling free(). In threaded MPMs, every thread has its own # allocator. When not set, or when set to zero, the threshold will be set to # unlimited. <IfModule !mpm_netware_module> MaxMemFree 2048 </IfModule> <IfModule mpm_netware_module> MaxMemFree 100 </IfModule> # httpd-ssl.conf SSLRandomSeed startup file:/dev/urandom 512 SSLRandomSeed connect file:/dev/urandom 512 listen 66.228.47.34:443 #Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443 # OCSP Stapling settings SSLUseStapling On SSLStaplingCache "shmcb:logs/stapling-cache(150000)" SSLStaplingResponderTimeout 15 SSLStaplingReturnResponderErrors off SSLStaplingStandardCacheTimeout 3600 # For modern configuration # https://mozilla.github.io/server-side-tls/ssl-config-generator/ # 04/14/17: SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH SSLHonorCipherOrder On #SSLProtocol all -SSLv2 -SSLv3 # Enable PFS #SSLHonorCipherOrder On #SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH #SSSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 # # https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html SSLCompression Off SSLSessionTickets Off # Strong dh parameters file SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem" # For temporary legacy intermediate clients #SSLProtocol all -SSLv2 -SSLv3 #SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA #SSLHonorCipherOrder on #SSLCompression off SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/var/run/ssl_scache(512000)" SSLSessionCacheTimeout 300 <VirtualHost _default_:443> DocumentRoot "/usr/local/www/apache24/sslvhost" ServerName www.davemehler.com:443 ServerAdmin webmaster@xxxxxxxxxxxxxx ErrorLog "/var/log/http-ssl-error.log" TransferLog "/var/log/httpd-ssl-access.log" SSLEngine on SSLCertificateFile "/etc/ssl/certs/server.crt" SSLCertificateKeyFile "/etc/ssl/private/server.key" <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory /usr/local/www/apache24/sslvhost> Require all granted Options FollowSymLinks AllowOverRide none </Directory> <Directory "/usr/local/www/apache24/cgi-bin"> SSLOptions +StdEnvVars </Directory> #BrowserMatch "MSIE [2-5]" \ #nokeepalive ssl-unclean-shutdown \ #downgrade-1.0 force-response-1.0 CustomLog "/var/log/httpd-ssl_request.log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" #Alias /mail "/usr/local/www/roundcube/" #Alias /awstats/icon "/usr/local/www/awstats/icon/" #Alias /awstatsicon "/usr/local/www/awstats/icon/" #ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/" </VirtualHost> # httpd-security.conf <IfModule mod_headers.c> Header unset ETag Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure Header set X-XSS-Protection "1; mode=block" Header append Referrer-Policy: no-referrer-when-downgrade Header always unset "X-Powered-By" Header set X-Permitted-Cross-Domain-Policies "none" </IfModule> # Remove server identification header <ifModule ModSecurity.c> SecServerSignature '' </ifModule> FileETag None TraceEnable off # Deploy Content Security Policy CSP <IfModule mod_headers.c> Header set Content-Security-Policy "default-src 'self'; script-src 'self';" Header set X-Content-Type-Options nosniff # Originally set to deny #Header set X-Frame-Options DENY Header set X-Frame-Options SAMEORIGIN </IfModule> # mod_evasive module <IfModule mod_evasive20.c> DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify root@xxxxxxxxxxxxxx DOSWhitelist 127.0.0.1 DOSSystemCommand '/sbin/pfctl -t evasive -T add %s' </IfModule> vhosts.conf # # Virtual host file # # The example.com http virtual host <VirtualHost *:80> ServerName example.com RewriteEngine On RewriteRule ^/?(.*) http://www.example.com/$1 [R,L] </VirtualHost> <VirtualHost *:80> ServerAdmin xxx@xxxxxxxxxxx DocumentRoot "/usr/vhosts/example.com/htdocs/" ServerName www.example.com ServerAlias www.example.com ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to example.com/.well-known gets forwarded to the https site RewriteEngine on RewriteCond %{REQUEST_URI} !^/.well-known RewriteRule (.*) https://www.example.com/$1 [R=301,L] ErrorLog "/usr/vhosts/example.com/logs/error.log" <Directory "/usr/vhosts/example.com/htdocs/"> Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> # The test.example.com http virtual host <VirtualHost *:80> ServerAdmin webmaster@xxxxxxxxxxx DocumentRoot "/usr/vhosts/test.example.com/htdocs/" ServerName test.example.com ServerAlias test.example.com ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to test.example.com/.well-known gets forwarded to the https site RewriteEngine on RewriteCond %{REQUEST_URI} !^/.well-known RewriteRule (.*) https://test.example.com/$1 [R=301,L] ErrorLog "/usr/vhosts/test.example.com/logs/error.log" <Directory "/usr/vhosts/test.example.com/htdocs/"> # mod_authn_core and mod_auth_basic configuration # for mod_authn_dbd #AuthType Basic #AuthName "Restricted Access" # To cache credentials, put socache ahead of dbd here #AuthBasicProvider socache dbd # Also required for caching: tell the cache to cache dbd lookups! #AuthnCacheProvideFor dbd #AuthnCacheContext my-server # mod_authn_dbd SQL query to authenticate a user #AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s" # mod_authz_core configuration #<RequireAll> #Require group alpha beta testgroup #Require dbd-group team #Require not group reject #<RequireAny> #Require valid-user #</RequireAny> #<RequireNone> #Require group temps #</RequireNone> #</RequireAll> #Require group testgroup #Require dbd-group testgroup #Require valid-user # mod_authz_dbd configuration #AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'" #AuthzSendForbiddenOnFailure On Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> # The example.net http virtual host <VirtualHost *:80> ServerName example.net RewriteEngine On RewriteRule ^/?(.*) http://www.example.net/$1 [R,L] </VirtualHost> <VirtualHost *:80> ServerAdmin xxx@xxxxxxxxxxx DocumentRoot "/usr/vhosts/example.net/htdocs/" ServerName www.example.net ServerAlias www.example.net ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to example.net/.well-known gets forwarded to the https site # RewriteEngine on # RewriteCond %{REQUEST_URI} !^/.well-known # RewriteRule (.*) https://www.example.com/$1 [R=301,L] ErrorLog "/usr/vhosts/example.net/logs/error.log" <Directory "/usr/vhosts/example.net/htdocs/"> Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> # The example.org http virtual host <VirtualHost *:80> ServerName example.org RewriteEngine On RewriteRule ^/?(.*) http://www.example.org/$1 [R,L] </VirtualHost> <VirtualHost *:80> ServerAdmin xxx@xxxxxxxxxxx DocumentRoot "/usr/vhosts/example.org/htdocs/" ServerName www.example.org ServerAlias www.example.org ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to example.org/.well-known gets forwarded to the https site # RewriteEngine on # RewriteCond %{REQUEST_URI} !^/.well-known # RewriteRule (.*) https://www.example.com/$1 [R=301,L] ErrorLog "/usr/vhosts/example.org/logs/error.log" <Directory "/usr/vhosts/example.org/htdocs/"> Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> # The webmail.example.com http virtual host <VirtualHost *:80> ServerAdmin xxx@xxxxxxxxxxx DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/" ServerName webmail.example.com ServerAlias webmail.example.com ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to webmail.example.com/.well-known gets forwarded to the https site RewriteEngine on RewriteCond %{REQUEST_URI} !^/.well-known RewriteRule (.*) https://webmail.example.com/$1 [R=301,L] ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log" <Directory "/usr/vhosts/webmail.example.com/htdocs/"> Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> # The webmail.example.org http virtual host <VirtualHost *:80> ServerAdmin xxx@xxxxxxxxxxx DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/" ServerName webmail.example.org ServerAlias webmail.example.org ErrorDocument 404 /errordocs/error404.htm # share well-known for renewal via Let's Encrypt! Alias /.well-known/ /usr/local/www/.well-known/ # Anything that isn't going to webmail.example.org/.well-known gets forwarded to the https site RewriteEngine on RewriteCond %{REQUEST_URI} !^/.well-known RewriteRule (.*) https://webmail.example.org/$1 [R=301,L] ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log" <Directory "/usr/vhosts/webmail.example.org/htdocs/"> Options FollowSymLinks AllowOverRide None Require all granted </Directory> <IfModule mod_log_config.c> CustomLog "|/usr/local/sbin/rotatelogs -l /usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400" combined </IfModule> # Disc cache setup CacheQuickHandler off CacheLock on CacheLockPath /tmp/mod_cache-lock CacheLockMaxAge 5 CacheIgnoreHeaders Set-Cookie <Location /> CacheEnable disk CacheHeader on CacheDefaultExpire 600 CacheMaxExpire 86400 CacheLastModifiedFactor 0.5 ExpiresActive on ExpiresDefault "access plus 5 minutes" Header merge Cache-Control public FileETag All </Location> </VirtualHost> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
No one will parse your entire httpd.conf out of their free time.Instead, I recommend starting with http://httpd.apache.org/docs/current/upgrading.html
Then you can focus on specific problems. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx