1# This file is rendered by CFEngine
2# manual edits will be reverted.
3
# Global server identity and listeners.
# ServerSignature Off keeps the version/host footer out of server-generated
# pages; ServerTokens ProductOnly reduces the Server header to "Apache".
ServerSignature Off
ServerTokens ProductOnly
ServerName {{{vars.sys.fqhost}}}
ServerRoot "{{{vars.sys.workdir}}}/httpd"
# Plain-HTTP listener. The public docroot block further down 301-redirects
# every HTTP request to https unless the cfe_enterprise_enable_plain_http
# class is set, so this listener normally only serves redirects.
Listen 80
PidFile "{{{vars.sys.workdir}}}/httpd/httpd.pid"
10
# Modules
#
# NOTE(review): a number of modules loaded below have no matching directives
# anywhere in this file (mod_dav/mod_dav_fs without 'Dav On', mod_status and
# mod_info without a handler location, mod_dumpio, mod_usertrack, mod_speling,
# mod_asis, mod_autoindex with Indexes disabled). They are inert unless enabled
# in another file, but every loaded module is attack surface and code that
# runs in the worker; confirm which ones the portal actually needs and drop
# the rest.

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dbd_module modules/mod_dbd.so
# Debug-only module (request/response body dumping); harmless while no
# DumpIOInput/DumpIOOutput directive exists, but not something to ship enabled.
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule mime_module modules/mod_mime.so
# WebDAV: no 'Dav On' in this file. If it is not enabled elsewhere, consider
# not loading it (write methods against the docroot are not wanted here).
LoadModule dav_module modules/mod_dav.so
# mod_status / mod_info expose configuration and runtime details when mapped
# to a handler; nothing in this file maps them, keep it that way or restrict
# them to localhost.
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so

# Required to drop privileges (User/Group directives below)
LoadModule unixd_module modules/mod_unixd.so

# Required for use of Order and Require commands
# (2.2-style Order/Deny/Allow access control used throughout this file)
LoadModule access_compat_module modules/mod_access_compat.so

# Required for SSL Session Caching
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Required to log into mission portal
LoadModule authz_core_module modules/mod_authz_core.so
72
73
# TRACE can be useful for debugging, but can be abused to perform Cross-Site
# Tracing (XST) attacks in order to obtain access to user cookies via
# malicious scripting on the client side. Disabled globally (applies to both
# the :80 and :443 listeners).

TraceEnable off
79
# The 'HttpOnly' flag makes the cookie inaccessible to client-side scripts,
# preventing it from being stolen using malicious client side scripts. The
# absence of this flag increases the likelihood of an attacker being able to
# compromise the user's cookie via a malicious script. When the 'Secure' flag is
# used, the cookie is only sent over an encrypted HTTPS channel, and not over
# unencrypted HTTP.
#
# NOTE(review): 'Header edit' without 'always' rewrites only the on-success
# header table, so Set-Cookie headers emitted on error or redirect responses
# may pass through without these flags; confirm whether 'Header always edit'
# is the intended behaviour. The flags are appended unconditionally, so a
# cookie that already carries them ends up with duplicate attributes, and
# cookies set on the plain-HTTP listener also get 'Secure' (browsers will not
# return them over HTTP if cfe_enterprise_enable_plain_http is set).

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
88
<IfModule userdir_module>
# This module should not be loaded (it is absent from the LoadModule list
# above); this is just an extra measure in case it is pulled in elsewhere,
# so that ~user URLs never map to home directories.
  UserDir disabled
</IfModule>
93
# Run the worker processes as the unprivileged cfapache account (requires
# mod_unixd, loaded above). Skipped on MPMs that have no per-process
# user identity.
<IfModule !mpm_netware_module>
  <IfModule !mpm_winnt_module>
    User cfapache
    Group cfapache
  </IfModule>
</IfModule>
100
# Server configuration
# ServerAdmin root@localhost
# Global DocumentRoot; this is what the :80 listener serves, since the only
# <VirtualHost> in this file is the _default_:443 one.
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
104
# Default-deny for the whole filesystem; every directory that is served has
# to opt back in with its own <Directory> block below.
<Directory />
    Order deny,allow
    Deny from all
    # FollowSymLinks is granted from the root down, so a symlink under any
    # served directory can point anywhere on the filesystem. If content
    # directories are writable by accounts other than the one deploying them,
    # SymLinksIfOwnerMatch is the safer choice.
    Options FollowSymLinks

    AllowOverride None
</Directory>
112
# Directory index candidates, in order of preference.
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
116
# Never serve .htaccess / .htpasswd style files, wherever they sit.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    # Satisfy All: the host ACL and any authentication requirement must both
    # pass; combined with 'Deny from all' this is an unconditional deny.
    Satisfy All
</FilesMatch>
122
# Global error log (path is relative to ServerRoot) and minimum severity.
ErrorLog "logs/error_log"
LogLevel warn
125
# Access logging. The format actually used for logs/access_log records
# %{username}n, i.e. the Apache request note "username", instead of %u
# (the HTTP-auth user). Nothing in this file sets that note — presumably the
# portal's PHP code does; verify, otherwise the field is always "-".
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_apache_notes_username

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" common_with_apache_notes_username
</IfModule>
137
# MIME type table plus a couple of archive types not in the default table.
<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>
143
<IfModule ssl_module>
  # Include conf/extra/httpd-ssl.conf
  # This content used to be included from an external file
  # /var/cfengine/httpd/conf/extra/httpd-ssl.conf

  Listen 443

  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl

  # 'builtin' prompts on the console if the private key is passphrase
  # protected, so an unattended hub needs an unencrypted key file.
  SSLPassPhraseDialog  builtin
  SSLSessionCache        "shmcb:{{{vars.sys.workdir}}}/httpd/logs/ssl_scache(512000)"
  SSLSessionCacheTimeout  300
  # Session tickets stay off: the ticket key is only refreshed on restart, so
  # leaving them on would weaken forward secrecy across the process lifetime.
  SSLSessionTickets Off

  # OCSP stapling is an extension that aims to improve SSL negotiation
  # performance while maintaining visitor privacy. Disabled because of
  # issues with self-signed certs.

  SSLUseStapling off
  # SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

  # TLS Compression should be disabled to avoid CRIME
  # https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
  SSLCompression off

  # This is not explicitly enabled to allow the requesting client the first
  # choice of supported ciphers.
  # NOTE(review): with the server not enforcing its own preference, a client
  # that prefers the weakest suite in the list below gets it.
  #  SSLHonorCipherOrder On

  # We expect that openssl is upgraded with each release and that the most
  # recent openssl version possible will be used and that it defines ciphers
  # considered HIGH appropriately. We use HIGH to get a good balance between
  # browser compatibility and security. Use ~{{vars.sys.workdir}}/openssl ciphers
  # -v HIGH~ to see what ciphers are considered HIGH security.
  # NOTE(review): in typical OpenSSL builds HIGH still admits suites without
  # forward secrecy (static RSA key exchange) and CBC-mode suites; the
  # alternative below limits the list to ECDHE/DHE AES-GCM.

  SSLCipherSuite HIGH

  # A more secure setting might be:
  # SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  # Some versions of SSL and TLS are known to be insecure, so we disable them by default.
  # NOTE(review): TLS 1.1 is still permitted here; it is deprecated (RFC 8996),
  # so consider adding -TLSv1.1 once all clients are confirmed to speak TLS 1.2.
  SSLProtocol all -SSLv2 -SSLv3 -TLSv1

  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin

  <VirtualHost _default_:443>
    DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
    # /api and /ldap live outside the public docroot; the matching <Directory>
    # blocks at the end of this file grant access and add their rewrites.
    Alias "/api" "{{{vars.cfe_internal_hub_vars.docroot}}}/api"
    Alias "/api/static" "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static"
    Alias "/ldap" "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap"
    ServerName {{{vars.sys.fqhost}}}:443
    # ServerAdmin root@localhost
    ErrorLog "{{{vars.cfe_internal_hub_vars.error_log}}}"
    # An unnamed LogFormat sets the format used by TransferLog below
    # (same %{username}n note as the global access log).
    LogFormat "%h %l %{username}n %t \"%r\" %>s %b"
    TransferLog "{{{vars.cfe_internal_hub_vars.access_log}}}"

    SSLEngine on
    SSLCertificateFile "{{{vars.cfe_internal_hub_vars.SSLCertificateFile}}}"
    SSLCertificateKeyFile "{{{vars.cfe_internal_hub_vars.SSLCertificateKeyFile}}}"

    # Enable Strict Transport Security so that browsers which have seen this
    # host over HTTPS refuse to talk to it over plain HTTP afterwards. Set only
    # in the :443 vhost — browsers ignore HSTS received over HTTP.
    # NOTE(review): 'preload' together with 'includeSubdomains' signals
    # eligibility for the browser preload lists, which is effectively
    # irreversible once submitted; drop 'preload' unless submission is intended.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    # Disallow framing entirely (clickjacking) and disable MIME sniffing.
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff

    # Export the SSL_* variables to scripts that may need them.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    <Directory "{{{vars.sys.workdir}}}/httpd/cgi-bin">
        SSLOptions +StdEnvVars
        AllowOverride None
    </Directory>

    # Legacy workaround for MSIE 2-5 SSL bugs; harmless for modern clients.
    BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

    # Per-request TLS protocol/cipher log, useful when tightening
    # SSLProtocol/SSLCipherSuite to see what clients actually negotiate.
    CustomLog "{{{vars.cfe_internal_hub_vars.ssl_request_log}}}" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  </VirtualHost>

</IfModule>
230
231
# PHP handler (mod_php). Every .php file under a served directory executes
# in the worker, as the cfapache user.
LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module       modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so
AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script       .php
# NOTE(review): the extension argument here is "php<version>" without a
# leading dot (AddType accepts both forms), so files ending in ".php<version>"
# would be served with the type mod_php uses to display PHP source. The
# conventional value is ".phps"; confirm this is intended, since exposing
# source is rarely wanted on a production hub.
AddType    application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}}
235
236
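# Public document root (Mission Portal front controller). 'Order deny,allow'
# with no Deny directive re-allows access that <Directory /> denies.
# Indexes are off; MultiViews (mod_negotiation) lets extension-less requests
# negotiate to a matching file.
<Directory "{{{vars.cfe_internal_hub_vars.public_docroot}}}">

    Options -Indexes +FollowSymLinks +MultiViews
    Order deny,allow

    AllowOverride None

  <IfModule rewrite_module>
    RewriteEngine On

    {{^classes.cfe_enterprise_enable_plain_http}}
    # Force https with redirection.
    # NOTE(review): %{HTTP_HOST} comes from the client's Host header, so a
    # forged Host turns this 301 into a redirect to an arbitrary host;
    # %{SERVER_NAME} would pin it to the configured ServerName if that is
    # acceptable for this deployment.
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    {{/classes.cfe_enterprise_enable_plain_http}}

    {{#classes.mission_portal_index_php_redirect_enabled}}
    # redirect from `index.php/path` to `/path`
    # Do not apply the redirect to internal APIs (backward compatibility).
    # Apache does not allow comments on the same line as a directive, so the
    # explanation stays on its own line rather than after the flag field.
    RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC]
    RewriteCond %{THE_REQUEST} /index\.php/(.+)\sHTTP [NC]
    RewriteRule ^ /%1 [NE,L,R]
    {{/classes.mission_portal_index_php_redirect_enabled}}

    # Serve existing non-empty files, symlinks and directories as-is; route
    # everything else to /index.php/<path> (front controller).
    RewriteCond %{REQUEST_FILENAME} -s [OR]
    RewriteCond %{REQUEST_FILENAME} -l [OR]
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteRule ^.*$ - [NC,L]
    RewriteRule ^(.*)$ /index.php/$1 [NC,L]
  </IfModule>
</Directory>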
267
# REST API, reachable via the "/api" Alias in the :443 vhost. 'Order deny,allow'
# with no Deny re-allows access that <Directory /> denies.
<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/api">

    Order deny,allow
    AllowOverride None

  <IfModule mod_rewrite.c>
    RewriteEngine On
    # Static assets are matched and stopped here ([L]) so they never reach
    # the dispatcher rule below.
    RewriteRule ^static/(.+)$ static/$1 [L]
    # Front controller: anything that is not an existing file goes to
    # dispatch.php, query string preserved.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ dispatch.php [QSA,L]
  </IfModule>
</Directory>
280
# Static files exported by the API (aliased at /api/static).
<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static">

    Order deny,allow
    AllowOverride None

  # Explicit Content-Types for the file kinds served from here, so clients
  # receive the declared type; this matters because the :443 vhost sends
  # X-Content-Type-Options: nosniff, which stops browsers guessing.
  <IfModule mod_mime.c>
    AddType text/csv .csv
    AddType application/pdf .pdf
    AddType application/json .json
  </IfModule>
</Directory>
293
# LDAP helper application, reachable via the "/ldap" Alias in the :443 vhost.
<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap">

    Order deny,allow
    AllowOverride None

  <IfModule mod_rewrite.c>
    RewriteEngine On
    # Front controller: non-file requests are routed to index.php, query
    # string preserved.
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [QSA,L]
  </IfModule>
</Directory>
305
# Block direct HTTP access to everything under docroot/system. The Order
# directive is inherited from <Directory />, so 'Deny from all' denies
# unconditionally. What lives in there is not visible from this file —
# presumably application internals that must only be reached through the
# front controllers; confirm before relaxing this.
<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/system">
  Deny from all
  AllowOverride None
</Directory>
311