# This file is rendered by CFEngine
# manual edits will be reverted.
ServerSignature Off
ServerTokens ProductOnly
ServerName {{{vars.sys.fqhost}}}
ServerRoot "{{{vars.sys.workdir}}}/httpd"
Listen 80
PidFile "{{{vars.sys.workdir}}}/httpd/httpd.pid"
# Modules
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so
# Required to drop privledges
LoadModule unixd_module modules/mod_unixd.so
# Required for use of Order and Require commands
LoadModule access_compat_module modules/mod_access_compat.so
# Required for SSL Session Caching
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
# Required to log into mission portal
LoadModule authz_core_module modules/mod_authz_core.so
# TRACE can be useful for debugging, but can be abused to perform Cross-Site
# Tracing (XST) attacheks in order to obtain access to user cooking via
# malicious scripting on the client side.
TraceEnable off
# The 'HttpOnly' flag makes the cookie inaccessible to client-side scripts,
# preventing it from being stolen using malicious client side scripts. The
# absence of this flag increases the likelihood of an attacker being able to
# compromise the user's cookie via a malicious script. When the 'secure' flag is
# used, the cookie is only sent over an encrypted HTTPS channel, and not over
# unencrypted HTTP.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# This module should not be loaded, this is just an extra measure.
UserDir disabled
User cfapache
Group cfapache
# Server configuration
# ServerAdmin root@localhost
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
Order deny,allow
Deny from all
Options FollowSymLinks
AllowOverride None
DirectoryIndex index.html index.php
Order allow,deny
Deny from all
Satisfy All
ErrorLog "logs/error_log"
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_apache_notes_username
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "logs/access_log" common_with_apache_notes_username
TypesConfig conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# Include conf/extra/httpd-ssl.conf
# This content used to be included from an external file
# /var/cfengine/httpd/conf/extra/httpd-ssl.conf
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:{{{vars.sys.workdir}}}/httpd/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLSessionTickets Off
# OCSP stapling is an extension that aims to improve SSL negotiation
# performance while mainting visitor privacy. Disabled because of
# issues with self signed certs.
SSLUseStapling off
# SSLStaplingCache "shmcb:logs/stabling-cache(150000)"
# TLS Compression should be disabled to avoid CRIME
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
SSLCompression off
# This is not explicitly enabled to allow the requesting client the first
# choice of support ciphers
# SSLHonorCipherOrder On
# We expect that openssl is upgraded with each release and that the most
# recent openssl version possible will be used and that it defines ciphers
# considered HIGH appropriately. We use HIGH to get a good balance between
# browser compatibility and security. Use ~{{vars.sys.workdir}}/openssl ciphers
# -v HIGH~ to see what ciphers are considered HIGH security.
SSLCipherSuite HIGH
# A more secure setting might be:
# SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
# Some versions of SSL and TLS are known to be insecure, so we disable them by default
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
Alias "/api" "{{{vars.cfe_internal_hub_vars.docroot}}}/api"
Alias "/api/static" "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static"
Alias "/ldap" "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap"
ServerName {{{vars.sys.fqhost}}}:443
# ServerAdmin root@localhost
ErrorLog "{{{vars.cfe_internal_hub_vars.error_log}}}"
LogFormat "%h %l %{username}n %t \"%r\" %>s %b"
TransferLog "{{{vars.cfe_internal_hub_vars.access_log}}}"
SSLEngine on
SSLCertificateFile "{{{vars.cfe_internal_hub_vars.SSLCertificateFile}}}"
SSLCertificateKeyFile "{{{vars.cfe_internal_hub_vars.SSLCertificateKeyFile}}}"
# Enable Strict Transport Security to prevent HTTPS users from
# accessing http content.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
AllowOverride None
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog "{{{vars.cfe_internal_hub_vars.ssl_request_log}}}" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so
AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script .php
AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}}
Options -Indexes +FollowSymLinks +MultiViews
Order deny,allow
AllowOverride None
RewriteEngine On
{{^classes.cfe_enterprise_enable_plain_http}}
# Force https with redirection
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
{{/classes.cfe_enterprise_enable_plain_http}}
{{#classes.mission_portal_index_php_redirect_enabled}}
# redirect from `index.php/path` to `/path`
RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC] #do not apply redirect to internal APIs for backward compatibility
RewriteCond %{THE_REQUEST} /index\.php/(.+)\sHTTP [NC]
RewriteRule ^ /%1 [NE,L,R]
{{/classes.mission_portal_index_php_redirect_enabled}}
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^(.*)$ /index.php/$1 [NC,L]
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteRule ^static/(.+)$ static/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ dispatch.php [QSA,L]
Order deny,allow
AllowOverride None
# What do we use mod_mime for?
AddType text/csv .csv
AddType application/pdf .pdf
AddType application/json .json
Order deny,allow
AllowOverride None
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
# Whats in here that got a specific deny?
Deny from all
AllowOverride None