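# This file is rendered by CFEngine
# manual edits will be reverted.

ServerSignature Off
ServerTokens ProductOnly
ServerName {{{vars.sys.fqhost}}}
ServerRoot "{{{vars.sys.workdir}}}/httpd"
Listen 80
PidFile "{{{vars.sys.workdir}}}/httpd/httpd.pid"

# Modules
#
# NOTE(review): several modules below (mod_info, mod_status, mod_dav,
# mod_dav_fs, mod_autoindex, mod_asis, mod_dumpio, mod_usertrack) are loaded
# but nothing in this file enables or configures them. Every loaded module is
# additional attack surface; confirm that nothing else in the rendered
# configuration relies on them before trimming this list.

LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule ssl_module modules/mod_ssl.so

# Required to drop privileges (see the User/Group directives below)
LoadModule unixd_module modules/mod_unixd.so

# Required for use of Order and Require commands
LoadModule access_compat_module modules/mod_access_compat.so

# Required for SSL Session Caching
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

# Required to log into mission portal
LoadModule authz_core_module modules/mod_authz_core.so


# TRACE can be useful for debugging, but can be abused to perform Cross-Site
# Tracing (XST) attacks in order to obtain access to user cookies via
# malicious scripting on the client side.

TraceEnable off

# The 'HttpOnly' flag makes the cookie inaccessible to client-side scripts,
# preventing it from being stolen using malicious client side scripts. The
# absence of this flag increases the likelihood of an attacker being able to
# compromise the user's cookie via a malicious script. When the 'secure' flag is
# used, the cookie is only sent over an encrypted HTTPS channel, and not over
# unencrypted HTTP.
#
# This directive sits at server scope, so it also applies to any cookie set by
# a response on port 80. 'Header edit' appends the attributes unconditionally;
# a cookie that already carries them will list them twice.

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

<IfModule userdir_module>
    # This module should not be loaded, this is just an extra measure.
    UserDir disabled
</IfModule>

# Run worker processes as an unprivileged account (requires mod_unixd above).
<IfModule !mpm_netware_module>
    <IfModule !mpm_winnt_module>
        User cfapache
        Group cfapache
    </IfModule>
</IfModule>

# Server configuration
# ServerAdmin root@localhost
DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"

# Default-deny for the whole filesystem; the <Directory> sections below open
# up only the paths that are meant to be served. Sections for paths that do
# not override this (e.g. cgi-bin) inherit the deny.
<Directory />
    Order deny,allow
    Deny from all
    Options FollowSymLinks

    AllowOverride None
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>

# Never serve .htaccess / .htpasswd style files, regardless of authn.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    # %{username}n records the username the application stored in the Apache
    # notes table, so access logs carry the authenticated user.
    LogFormat "%h %l %{username}n %t \"%r\" %>s %b" common_with_apache_notes_username

    <IfModule logio_module>
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" common_with_apache_notes_username
</IfModule>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule ssl_module>
    # Include conf/extra/httpd-ssl.conf
    # This content used to be included from an external file
    # /var/cfengine/httpd/conf/extra/httpd-ssl.conf

    Listen 443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog builtin
    SSLSessionCache "shmcb:{{{vars.sys.workdir}}}/httpd/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300
    # Session tickets are disabled so that a long-lived ticket key cannot
    # undermine forward secrecy of resumed sessions.
    SSLSessionTickets Off

    # OCSP stapling is an extension that aims to improve SSL negotiation
    # performance while maintaining visitor privacy. Disabled because of
    # issues with self signed certs.

    SSLUseStapling off
    # SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

    # TLS Compression should be disabled to avoid CRIME
    # https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
    SSLCompression off

    # This is not explicitly enabled to allow the requesting client the first
    # choice of supported ciphers
    # SSLHonorCipherOrder On

    # We expect that openssl is upgraded with each release and that the most
    # recent openssl version possible will be used and that it defines ciphers
    # considered HIGH appropriately. We use HIGH to get a good balance between
    # browser compatibility and security. Use ~{{vars.sys.workdir}}/openssl ciphers
    # -v HIGH~ to see what ciphers are considered HIGH security.

    SSLCipherSuite HIGH

    # A more secure setting might be:
    # SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    # Some versions of SSL and TLS are known to be insecure, so we disable them by default.
    # TLSv1.1 is still permitted here; add -TLSv1.1 once no supported client needs it.
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    <VirtualHost _default_:443>
        DocumentRoot "{{{vars.cfe_internal_hub_vars.public_docroot}}}"
        Alias "/api" "{{{vars.cfe_internal_hub_vars.docroot}}}/api"
        Alias "/api/static" "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static"
        Alias "/ldap" "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap"
        ServerName {{{vars.sys.fqhost}}}:443
        # ServerAdmin root@localhost
        ErrorLog "{{{vars.cfe_internal_hub_vars.error_log}}}"
        # No nickname: this becomes the default format used by TransferLog below.
        LogFormat "%h %l %{username}n %t \"%r\" %>s %b"
        TransferLog "{{{vars.cfe_internal_hub_vars.access_log}}}"

        SSLEngine on
        SSLCertificateFile "{{{vars.cfe_internal_hub_vars.SSLCertificateFile}}}"
        SSLCertificateKeyFile "{{{vars.cfe_internal_hub_vars.SSLCertificateKeyFile}}}"

        # Enable Strict Transport Security to prevent HTTPS users from
        # accessing http content. The 'preload' token marks the host as a
        # candidate for browser preload lists; actual submission is a separate
        # step that is hard to reverse, so keep it only if that is intended.
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
        # NOTE(review): these two headers are only set in this TLS vhost. When
        # the cfe_enterprise_enable_plain_http class is defined, responses on
        # port 80 are served without them.
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>

        # Inherits 'Deny from all' from <Directory />; nothing here is
        # reachable unless another section explicitly allows it.
        <Directory "{{{vars.sys.workdir}}}/httpd/cgi-bin">
            SSLOptions +StdEnvVars
            AllowOverride None
        </Directory>

        # Legacy SSL work-arounds for very old Internet Explorer versions.
        BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        CustomLog "{{{vars.cfe_internal_hub_vars.ssl_request_log}}}" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

</IfModule>


LoadModule php{{{vars.cfe_internal_hub_vars.php_version}}}_module modules/libphp{{{vars.cfe_internal_hub_vars.php_version}}}.so
AddHandler php{{{vars.cfe_internal_hub_vars.php_version}}}-script .php
# NOTE(review): this maps the extension "php<version>" (mod_mime accepts
# extensions with or without a leading dot) to the PHP *source* type, i.e. a
# file named foo.php<version> would be served as highlighted source rather than
# executed. Confirm this is intended rather than the conventional .phps.
AddType application/x-httpd-php-source php{{{vars.cfe_internal_hub_vars.php_version}}}


<Directory "{{{vars.cfe_internal_hub_vars.public_docroot}}}">

    Options -Indexes +FollowSymLinks +MultiViews
    # With 'Order deny,allow' and no Deny directive in this section, the
    # mod_access_compat default is to allow access, which overrides the
    # filesystem-wide deny for this path only.
    Order deny,allow

    AllowOverride None

    <IfModule rewrite_module>
        RewriteEngine On

        # Mustache inverted section: rendered only when the
        # cfe_enterprise_enable_plain_http class is NOT defined.
        {{^classes.cfe_enterprise_enable_plain_http}}
        # Force https with redirection
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
        {{/classes.cfe_enterprise_enable_plain_http}}

        {{#classes.mission_portal_index_php_redirect_enabled}}
        # redirect from `index.php/path` to `/path`
        # Do not apply the redirect to internal APIs, for backward compatibility.
        # (httpd does not allow comments on the same line as a directive, so
        # this note must stay on its own line.)
        RewriteCond %{REQUEST_URI} !(.*)/api/(.*) [NC]
        RewriteCond %{THE_REQUEST} /index\.php/(.+)\sHTTP [NC]
        RewriteRule ^ /%1 [NE,L,R]
        {{/classes.mission_portal_index_php_redirect_enabled}}

        # Serve existing non-empty files, symlinks and directories as-is ...
        RewriteCond %{REQUEST_FILENAME} -s [OR]
        RewriteCond %{REQUEST_FILENAME} -l [OR]
        RewriteCond %{REQUEST_FILENAME} -d
        RewriteRule ^.*$ - [NC,L]

        # ... and route everything else through the front controller.
        RewriteRule ^(.*)$ /index.php/$1 [NC,L]
    </IfModule>
</Directory>

<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/api">

    Order deny,allow
    AllowOverride None

    <IfModule mod_rewrite.c>
        RewriteEngine On
        # Static assets are passed through; anything that is not an existing
        # file goes to the API dispatcher with the query string preserved.
        RewriteRule ^static/(.+)$ static/$1 [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^(.*)$ dispatch.php [QSA,L]
    </IfModule>
</Directory>

<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/api/static">

    Order deny,allow
    AllowOverride None

    # What do we use mod_mime for?
    <IfModule mod_mime.c>
        AddType text/csv .csv
        AddType application/pdf .pdf
        AddType application/json .json
    </IfModule>
</Directory>

<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/ldap">

    Order deny,allow
    AllowOverride None

    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteRule ^ index.php [QSA,L]
    </IfModule>
</Directory>

<Directory "{{{vars.cfe_internal_hub_vars.docroot}}}/system">
    # What's in here that got a specific deny?
    Deny from all
    AllowOverride None
</Directory>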