# This file is rendered by CFEngine
# manual edits will be reverted.
#
# Apache httpd configuration for the CFEngine Enterprise hub (Mission Portal).
# Values in triple braces are substituted by the Mustache template renderer.
#
# NOTE(review): this rendering shows no <Directory>, <FilesMatch>, <IfModule>
# or <VirtualHost> container directives, yet several runs below (e.g. the
# repeated "Order deny,allow / AllowOverride None" groups, the two
# "SSLOptions +StdEnvVars" lines, "UserDir disabled" with no userdir module
# loaded) only make sense inside such containers. Confirm against the source
# template that the containers are present; the scope of every access-control
# and rewrite directive below depends on them.

# Do not advertise version/OS in error pages or the Server header.
# ProductOnly still sends "Server: Apache"; that is the most that can be
# hidden without patching or mod_security-style header rewriting.
ServerSignature Off
ServerTokens ProductOnly
ServerName {{{vars.sys.fqhost}}}
ServerRoot "{{{vars.sys.workdir}}}/httpd"
Listen 80
PidFile "{{{vars.sys.workdir}}}/httpd/httpd.pid"

# Modules
# NOTE(review): every loaded module is attack surface. Several of the modules
# below (dav, dav_fs, info, status, autoindex, asis, speling, usertrack,
# dumpio, ext_filter, include, vhost_alias, log_forensic, negotiation) have no
# directive in this rendering that uses them. mod_info and mod_status in
# particular expose server internals if a handler Location is ever added.
# Confirm which are actually required by the hub and drop the rest.
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so
# Required to drop privileges (see the User/Group directives below)
LoadModule unixd_module modules/mod_unixd.so
# Required for use of the 2.2-style Order/Deny/Allow/Satisfy directives used
# below. NOTE(review): do not mix these with 2.4 "Require" directives in the
# same scope; the two authorization models interact in surprising ways.
LoadModule access_compat_module modules/mod_access_compat.so
# Required for SSL Session Caching
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# Required to log into mission portal
LoadModule authz_core_module modules/mod_authz_core.so

# TRACE can be useful for debugging, but can be abused to perform Cross-Site
# Tracing (XST) attacks in order to obtain access to user cookies via
# malicious scripting on the client side.
TraceEnable off

# The 'HttpOnly' flag makes the cookie inaccessible to client-side scripts,
# preventing it from being stolen using malicious client side scripts. The
# absence of this flag increases the likelihood of an attacker being able to
# compromise the user's cookie via a malicious script. When the 'secure' flag is
# used, the cookie is only sent over an encrypted HTTPS channel, and not over
# unencrypted HTTP.
# The pattern ^(.*)$ matches every Set-Cookie value, so the attributes are
# appended even when the application already set them (a duplicated attribute
# is harmless to browsers). Without "always" this edit applies to the normal
# headers_out table only, which is where mod_php places its headers.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

# This module should not be loaded, this is just an extra measure.
# NOTE(review): mod_userdir is not in the LoadModule list above; this directive
# will only parse if it is wrapped in an <IfModule userdir_module> container.
UserDir disabled

# Unprivileged identity the worker processes run as after binding ports 80/443.
User cfapache
Group cfapache

# Server configuration
# ServerAdmin root@localhost
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"

# Default-deny for the filesystem root; access is opened per directory below.
# NOTE(review): FollowSymLinks lets a symlink created under any served
# directory point outside the document root; prefer
# SymLinksIfOwnerMatch unless the hub relies on root-owned symlinks.
Order deny,allow
Deny from all
Options FollowSymLinks
AllowOverride None

DirectoryIndex index.html index.php

# Never serve .htaccess/.htpasswd style files (presumably a <FilesMatch "^\.ht">
# container in the source template).
Order allow,deny
Deny from all
Satisfy All

# Logging. Paths without a leading slash are relative to ServerRoot.
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
# %{username}n logs the authenticated portal user recorded in the request notes
# table, which is what incident response needs to attribute actions.
LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_apache_notes_username
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "logs/access_log" common_with_apache_notes_username

TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# Include conf/extra/httpd-ssl.conf
# This content used to be included from an external file
# /var/cfengine/httpd/conf/extra/httpd-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

# "builtin" prompts on the console if the key is encrypted; an unencrypted key
# (file permissions are then the only protection) is the usual choice here.
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:{{{vars.sys.workdir}}}/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
# Session tickets are off so that forward secrecy is not undermined by a
# long-lived ticket encryption key that httpd does not rotate.
SSLSessionTickets Off

# OCSP stapling is an extension that aims to improve SSL negotiation
# performance while maintaining visitor privacy. Disabled because of
# issues with self signed certs.
SSLUseStapling off
# SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

# TLS Compression should be disabled to avoid CRIME
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
SSLCompression off

# This is not explicitly enabled to allow the requesting client the first
# choice of support ciphers
# NOTE(review): with the server not enforcing its order, a client (or an
# active attacker able to tamper with the ClientHello on a pre-1.3 handshake)
# can steer negotiation to the weakest cipher the HIGH list still allows.
# SSLHonorCipherOrder On

# We expect that openssl is upgraded with each release and that the most
# recent openssl version possible will be used and that it defines ciphers
# considered HIGH appropriately. We use HIGH to get a good balance between
# browser compatibility and security.
# Use "{{vars.sys.workdir}}/openssl ciphers -v HIGH" to see what ciphers are
# considered HIGH security.
# NOTE(review): HIGH is a key-size filter, not a policy: it still admits
# RSA key exchange (no forward secrecy) and CBC-mode suites. The list in
# the next comment requires ephemeral (EC)DH and AES-GCM; adopt it together
# with SSLHonorCipherOrder On once client compatibility has been confirmed.
SSLCipherSuite HIGH
# A more secure setting might be:
# SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

# Some versions of SSL and TLS are known to be insecure, so we disable them by default
# NOTE(review): TLSv1.1 remains enabled by this line; it is deprecated
# (RFC 8996) and has no clients that cannot also speak TLSv1.2. Add -TLSv1.1
# when the supported-client list allows it.
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

# HTTPS virtual host for the Mission Portal and its APIs.
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
Alias "/api" "{{{vars.cfe_internal_hub_vars.docroot}}}/api"
Alias "/api/static" "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static"
Alias "/ldap" "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap"
ServerName {{{vars.sys.fqhost}}}:443
# ServerAdmin root@localhost
ErrorLog "{{{vars.cfe_internal_hub_vars.error_log}}}"
LogFormat "%h %l %{username}n %t \"%r\" %>s %b"
TransferLog "{{{vars.cfe_internal_hub_vars.access_log}}}"
SSLEngine on
SSLCertificateFile "{{{vars.cfe_internal_hub_vars.SSLCertificateFile}}}"
SSLCertificateKeyFile "{{{vars.cfe_internal_hub_vars.SSLCertificateKeyFile}}}"

# Enable Strict Transport Security to prevent HTTPS users from
# accessing http content.
# NOTE(review): "includeSubdomains" pins every subdomain of the hub's host name
# to HTTPS for two years after the first visit, and "preload" declares the
# host eligible for browser preload lists, which is effectively irreversible
# and assumes a publicly trusted certificate (the stapling comment above
# says self-signed certs are common here). Confirm both are intended.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Clickjacking and MIME-sniffing defences; "always" also covers error responses.
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

# Expose SSL_* variables to scripts (presumably a <FilesMatch> for script
# extensions and a <Directory> for cgi-bin in the source template).
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
AllowOverride None

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

# Per-connection TLS parameters; useful when investigating downgrade attempts.
CustomLog "{{{vars.cfe_internal_hub_vars.ssl_request_log}}}" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# PHP handler for the portal.
LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so
AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script .php
# NOTE(review): the second argument of AddType is a file extension, so this
# maps files ending in ".php<version>" to the source-display type, which
# serves PHP code as highlighted text rather than executing it. Confirm this
# is intended; no such files are referenced elsewhere in this config.
AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}}

# Document root: no directory listings; .htaccess ignored.
# NOTE(review): +MultiViews lets mod_negotiation pick "page.bak" or similar
# siblings for a request to "page"; drop it unless content negotiation is used.
Options -Indexes +FollowSymLinks +MultiViews
Order deny,allow
AllowOverride None
RewriteEngine On
{{^classes.cfe_enterprise_enable_plain_http}}
# Force https with redirection
# NOTE(review): %{HTTP_HOST} is taken from the client's Host header; the
# redirect target is therefore attacker-controlled for that request and can be
# cached by intermediaries. Using %{SERVER_NAME} with UseCanonicalName On
# pins the redirect to the configured host name.
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
{{/classes.cfe_enterprise_enable_plain_http}}
{{#classes.mission_portal_index_php_redirect_enabled}}
# redirect from `index.php/path` to `/path`
RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC]
#do not apply redirect to internal APIs for backward compatibility
# %1 is the raw path captured from the request line and is emitted unescaped
# (NE). NOTE(review): verify that a captured value beginning with "/" cannot
# produce a protocol-relative "//host" Location before this is relied upon.
RewriteCond %{THE_REQUEST} /index\.php/(.+)\sHTTP [NC]
RewriteRule ^ /%1 [NE,L,R]
{{/classes.mission_portal_index_php_redirect_enabled}}
# Serve real files, symlinks and directories directly; route everything else
# through the front controller.
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(.*)$ /index.php/$1 [NC,L]

# API directory: static assets served as-is, all other non-file requests go to
# dispatch.php with the query string preserved.
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteRule ^static/(.+)$ static/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]

# API static directory.
Order deny,allow
AllowOverride None
# What do we use mod_mime for?
# Explicit types for files the API serves for download; "nosniff" above means
# browsers will honour these rather than guessing.
AddType text/csv .csv
AddType application/pdf .pdf
AddType application/json .json

# LDAP API directory: front controller is index.php.
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]

# What's in here that got a specific deny?
# NOTE(review): the container this applies to is not visible in this
# rendering; confirm which path is default-denied here.
Deny from all
AllowOverride None