Commit 53e14f29 authored by Benjamin Sonntag's avatar Benjamin Sonntag

[enh] entire (and strict) Apache configuration now published

parent 9873d998
ServerTokens ProductOnly
ServerSignature Off
......
......@@ -4,7 +4,8 @@
DocumentRoot /var/www/htdocs
RewriteRule ^/http-bind(.*) http://localhost:5280/http-bind$1 [P,L]
RewriteEngine On
RewriteRule ^/http-bind(.*) http://jabber.lqdn.fr:5280/http-bind$1 [P,L]
<Directory />
Options FollowSymLinks
......@@ -12,7 +13,7 @@
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride None
AllowOverride All
Order allow,deny
allow from all
</Directory>
......@@ -30,9 +31,9 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/private/star.lqdn.fr.crt
SSLCertificateKeyFile /etc/ssl/private/star.lqdn.fr.key
SSLCertificateChainFile /etc/ssl/private/star.lqdn.fr.chain
SSLCertificateFile /etc/ssl/private/lqdn.fr.crt
SSLCertificateKeyFile /etc/ssl/private/lqdn.fr.key
SSLCertificateChainFile /etc/ssl/private/lqdn.fr.chain
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
......@@ -42,9 +43,12 @@
Header set Strict-Transport-Security "max-age=31622400"
SSLHonorCipherOrder on
SSLCipherSuite -ALL:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:DHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:TLS_RSA_WITH_3DES_EDE_CBC_SHA:ECDHE-RSA-RC4-SHA:RC4-SHA
SSLProtocol all -SSLv2 -SSLv3
<Location /wp-admin>
AuthUserFile /etc/htpasswd
AuthName "go away"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
</IfModule>
<VirtualHost *:80>
ServerAdmin contact@laquadrature.net
ServerName jabber63t4r2qi57.onion
DocumentRoot /var/www/htdocs
RewriteEngine On
RewriteRule ^/http-bind(.*) http://jabber.lqdn.fr:5280/http-bind$1 [P,L]
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
<Location /wp-admin>
AuthUserFile /etc/htpasswd
AuthName "go away"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin contact@laquadrature.net
ServerName jabber63t4r2qi57.onion
DocumentRoot /var/www/htdocs
RewriteEngine On
RewriteRule ^/http-bind(.*) http://jabber.lqdn.fr:5280/http-bind$1 [P,L]
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options -Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile /etc/ssl/private/lqdn.fr.crt
SSLCertificateKeyFile /etc/ssl/private/lqdn.fr.key
SSLCertificateChainFile /etc/ssl/private/lqdn.fr.chain
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
Header set Strict-Transport-Security "max-age=31622400"
<Location /wp-admin>
AuthUserFile /etc/htpasswd
AuthName "go away"
AuthType Basic
require valid-user
</Location>
</VirtualHost>
<IfModule mod_ssl.c>
#
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the SSL library.
# The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
#
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# (The mechanism dbm has known memory leaks and should not be used).
#SSLSessionCache dbm:${APACHE_RUN_DIR}/ssl_scache
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:${APACHE_RUN_DIR}/ssl_mutex
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. See the
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!RC4:!3DES:+HIGH:+MEDIUM
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH !EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
SSLHonorCipherOrder on
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2 -SSLv3
# Allow insecure renegotiation with clients which do not yet support the
# secure renegotiation protocol. Default: Off
#SSLInsecureRenegotiation on
# Whether to forbid non-SNI clients to access name based virtual hosts.
# Default: Off
#SSLStrictSNIVHostCheck On
</IfModule>
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment