Re: New 2.4 configuration, need sanity and security check

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 16/06/17 10:53 PM, David Mehler wrote:
Hello,

I'm doing a config rewrite. I'm using apache 2.4. If someone who does
security could give my setup a check from a security perspective i'd
appreciate it.

I'm also wondering in particular about my cache setup and virtual
hosts. There's a lot of repeated lines.

Config at the end of this message, rather long.

Much appreciation.

Thanks.
Dave.

# httpd.conf

#
# Httpd minimalistic configuration
#

ServerRoot "/usr/local"
Listen xxx.xxx.xxx.xxx:80
# Loadable modules
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
#LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
LoadModule file_cache_module libexec/apache24/mod_file_cache.so
LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
#LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
#LoadModule lua_module libexec/apache24/mod_lua.so
LoadModule env_module libexec/apache24/mod_env.so
LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule lbmethod_byrequests_module
libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module
libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
#LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
#LoadModule suexec_module libexec/apache24/mod_suexec.so
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule security2_module libexec/apache24/mod_security2.so
#LoadModule perl_module        libexec/apache24/mod_perl.so
#LoadModule evasive20_module   libexec/apache24/mod_evasive20.so
LoadModule geoip_module       libexec/apache24/mod_geoip.so
LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so
LoadModule php5_module        libexec/apache24/libphp5.so

User www
Group www
ServerAdmin xxx@xxxxxxxxxxx
ServerName www.example.com:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/www/apache24/xxxxxxxxx"
<Directory "/usr/local/www/apache24/xxx">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
    DirectoryIndex index.html index.htm index.pl
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "/var/log/httpd-error.log"
LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "/var/log/httpd-access.log" common
<IfModule headers_module>
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    RequestHeader unset Proxy early
</IfModule>
    TypesConfig etc/apache24/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
#   MIME-types for downloading Certificates and CRLs
AddType application/x-x509-cacert .crt
AddType application/x-pkcs7-crl    .crl
# Mime types for HTML 5 audio and videos
AddType audio/aac .aac
AddType audio/mp4 .mp4 .m4a
AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg
AddType audio/ogg .oga .ogg
AddType audio/wav .wav
AddType audio/webm .webm
AddType video/mp4 .mp4 .m4v
AddType video/ogg .ogv
AddType video/webm .webm
MIMEMagicFile etc/apache24/magic

# Include server default values
Include etc/apache24/extra/httpd-default.conf

# Include mpm values
Include etc/apache24/extra/httpd-mpm.conf

# Secure (SSL/TLS) connections
Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Some security settings
Include etc/apache24/extra/httpd-security.conf
Include etc/apache24/Includes/*.conf
# For mod security
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
  #Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf

#
# Mod deflate settings
#
     SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
text/javascript application/javascript
     SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v
          Header append Vary User-Agent

AcceptFilter http none
AcceptFilter https none

# GeoIP
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
GeoIPScanProxyHeaders On

# Cache setup
CacheRoot /usr/local/www/proxy
CacheDirLevels 2
CacheDirLength 1

# for acme challenges
<Directory "/usr/local/www/.well-known/">
   Options None
   AllowOverride None
   Require all granted
   Header add Content-Type text/plain
</Directory>

# httpd-default.conf

#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
#

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName On

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# Set a timeout for how long the client may take to send the request header
# and body.
# The default for the headers is header=20-40,MinRate=500, which means wait
# for the first byte of headers for 20 seconds. If some data arrives,
# increase the timeout corresponding to a data rate of 500 bytes/s, but not
# above 40 seconds.
# The default for the request body is body=20,MinRate=500, which is the same
# but has no upper limit for the timeout.
# To disable, set to header=0 body=0
#
<IfModule reqtimeout_module>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# httpd-mpm.conf
#
# Server-Pool Management (MPM specific)
#

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#
<IfModule !mpm_netware_module>
    PidFile "/var/run/httpd.pid"
</IfModule>

#
# Only one of the below sections will be relevant on your
# installed httpd.  Use "apachectl -l" to find out the
# active mpm.
#

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_prefork_module>
    StartServers             8
    MinSpareServers          40
    MaxSpareServers         80
    MaxClients 200
    MaxRequestsPerChild 9000
    #MaxRequestWorkers      250
    #MaxConnectionsPerChild   12000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_worker_module>
    StartServers             3
    MinSpareThreads         75
    MaxSpareThreads        250
    ThreadsPerChild         25
    MaxRequestWorkers      400
    MaxConnectionsPerChild   0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_event_module>
    StartServers             4
    MinSpareThreads         30
    MaxSpareThreads        100
    ThreadsPerChild         50
    MaxRequestWorkers      200
    MaxConnectionsPerChild   6000
</IfModule>

# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
# MaxConnectionsPerChild: Maximum  number of connections a thread serves. It
#                         is recommended that the default value of 0 be set
#                         for this directive on NetWare.  This will allow the
#                         thread to continue to service requests indefinitely.
<IfModule mpm_netware_module>
    ThreadStackSize      65536
    StartThreads           250
    MinSpareThreads         25
    MaxSpareThreads        250
    MaxThreads            1000
    MaxConnectionsPerChild   0
</IfModule>

# OS/2 MPM
# StartServers: Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
#                  to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
# MaxConnectionsPerChild: Maximum number of connections per server process
<IfModule mpm_mpmt_os2_module>
    StartServers             2
    MinSpareThreads          5
    MaxSpareThreads         10
    MaxConnectionsPerChild   0
</IfModule>

# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
# MaxConnectionsPerChild: maximum number of connections a server process serves
<IfModule mpm_winnt_module>
    ThreadsPerChild        150
    MaxConnectionsPerChild   0
</IfModule>

# The maximum number of free Kbytes that every allocator is allowed
# to hold without calling free(). In threaded MPMs, every thread has its own
# allocator. When not set, or when set to zero, the threshold will be set to
# unlimited.
<IfModule !mpm_netware_module>
    MaxMemFree            2048
</IfModule>
<IfModule mpm_netware_module>
    MaxMemFree             100
</IfModule>

# httpd-ssl.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
listen 66.228.47.34:443
#Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# 04/14/17:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH
SSLHonorCipherOrder On
#SSLProtocol all -SSLv2 -SSLv3
        # Enable PFS
#SSLHonorCipherOrder On
#SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH
 #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients
#SSLProtocol             all -SSLv2 -SSLv3
#SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder     on
#SSLCompression          off
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache24/sslvhost"
ServerName www.davemehler.com:443
ServerAdmin webmaster@xxxxxxxxxxxxxx
ErrorLog "/var/log/http-ssl-error.log"
TransferLog "/var/log/httpd-ssl-access.log"
SSLEngine on
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
	<Directory /usr/local/www/apache24/sslvhost>
Require all granted
Options FollowSymLinks
AllowOverRide none
	</Directory>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#BrowserMatch "MSIE [2-5]" \
         #nokeepalive ssl-unclean-shutdown \
         #downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Alias /mail "/usr/local/www/roundcube/"
#Alias /awstats/icon "/usr/local/www/awstats/icon/"
#Alias /awstatsicon "/usr/local/www/awstats/icon/"
#ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/"
</VirtualHost>

# httpd-security.conf
<IfModule mod_headers.c>
Header unset ETag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set X-XSS-Protection "1; mode=block"
Header append Referrer-Policy: no-referrer-when-downgrade
Header always unset "X-Powered-By"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
# Remove server identification header
<ifModule ModSecurity.c>
  SecServerSignature ''
</ifModule>

FileETag None
TraceEnable off

# Deploy Content Security Policy CSP
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
    Header set X-Content-Type-Options nosniff
# Originally set to deny
    #Header set X-Frame-Options DENY
    Header set X-Frame-Options SAMEORIGIN
</IfModule>

# mod_evasive module
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
DOSEmailNotify root@xxxxxxxxxxxxxx
DOSWhitelist	127.0.0.1
DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
</IfModule>

vhosts.conf
#
# Virtual host file
#

# The example.com http virtual host
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin xxx@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias www.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.com/.well-known gets
forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.com/logs/error.log"
    <Directory "/usr/vhosts/example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The test.example.com http virtual host
<VirtualHost *:80>
    ServerAdmin webmaster@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/test.example.com/htdocs/"
    ServerName test.example.com
    ServerAlias test.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to test.example.com/.well-known gets
forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://test.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/test.example.com/logs/error.log"
    <Directory "/usr/vhosts/test.example.com/htdocs/">
 # mod_authn_core and mod_auth_basic configuration
 # for mod_authn_dbd
 #AuthType Basic
 #AuthName "Restricted Access"

 # To cache credentials, put socache ahead of dbd here
 #AuthBasicProvider socache dbd

 # Also required for caching: tell the cache to cache dbd lookups!
 #AuthnCacheProvideFor dbd
 #AuthnCacheContext my-server

 # mod_authn_dbd SQL query to authenticate a user
 #AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s"

 # mod_authz_core configuration
            #<RequireAll>
                #Require group alpha beta testgroup
#Require dbd-group team
                #Require not group reject
                #<RequireAny>
                    #Require valid-user
                #</RequireAny>
        #<RequireNone>
            #Require group temps
        #</RequireNone>
            #</RequireAll>
                    #Require group testgroup
#Require dbd-group testgroup
                    #Require valid-user

  # mod_authz_dbd configuration
  #AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'"
#AuthzSendForbiddenOnFailure On
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The example.net http virtual host
<VirtualHost *:80>
    ServerName example.net
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.net/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin xxx@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/example.net/htdocs/"
    ServerName www.example.net
    ServerAlias www.example.net

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.net/.well-known gets
forwarded to the https site
#    RewriteEngine on
#    RewriteCond %{REQUEST_URI} !^/.well-known
#    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.net/logs/error.log"
    <Directory "/usr/vhosts/example.net/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The example.org http virtual host
<VirtualHost *:80>
    ServerName example.org
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.org/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin xxx@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/example.org/htdocs/"
    ServerName www.example.org
    ServerAlias www.example.org

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.org/.well-known gets
forwarded to the https site
#    RewriteEngine on
#    RewriteCond %{REQUEST_URI} !^/.well-known
#    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.org/logs/error.log"
    <Directory "/usr/vhosts/example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The webmail.example.com http virtual host
<VirtualHost *:80>
    ServerAdmin xxx@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
    ServerName webmail.example.com
    ServerAlias webmail.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to webmail.example.com/.well-known
gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
    <Directory "/usr/vhosts/webmail.example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The webmail.example.org http virtual host
<VirtualHost *:80>
    ServerAdmin xxx@xxxxxxxxxxx
    DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/"
    ServerName webmail.example.org
    ServerAlias webmail.example.org

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to webmail.example.org/.well-known
gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.org/$1 [R=301,L]

    ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log"
    <Directory "/usr/vhosts/webmail.example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


No one will parse your entire httpd.conf out of their free time.

Instead, I recommend starting with http://httpd.apache.org/docs/current/upgrading.html

Then you can focus on specific problems.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux