- {% if ansible_prolog -%}
- {% from 'templates/ansible/prolog.j2' import prolog with context %}
- {{ prolog() }}
- {% endif -%}
- #
- # Disable access to the entire file system except for the directories that
- # are explicitly allowed later.
- #
- # This currently breaks the configurations that come with some web application
- # Debian packages.
- #
- #<Directory />
- # AllowOverride None
- # Order Deny,Allow
- # Deny from all
- #</Directory>
- # Changing the following options will not really affect the security of the
- # server, but might make attacks slightly more difficult in some cases.
- #
- # ServerTokens
- # This directive configures what you return as the Server HTTP response
- # Header. The default is 'Full' which sends information about the OS-Type
- # and compiled in modules.
- # Set to one of: Full | OS | Minimal | Minor | Major | Prod
- # where Full conveys the most information, and Prod the least.
- #
- #ServerTokens Minimal
- ServerTokens Prod
- #ServerTokens Full
- #
- # Optionally add a line containing the server version and virtual host
- # name to server-generated pages (internal error documents, FTP directory
- # listings, mod_status and mod_info output etc., but not CGI generated
- # documents or custom error documents).
- # Set to "EMail" to also include a mailto: link to the ServerAdmin.
- # Set to one of: On | Off | EMail
- #
- #ServerSignature Off
- ServerSignature Off
- #
- # Allow TRACE method
- #
- # Set to "extended" to also reflect the request body (only for testing and
- # diagnostic purposes).
- #
- # Set to one of: On | Off | extended
- #
- TraceEnable Off
- #TraceEnable On
- #
- # SSL enforcement
- #
- <IfModule mod_ssl.c>
- {% if apache2_ssl_strengthened %}
- SSLProtocol all -SSLv3 -SSLv2 -TLSv1
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
- {% else %}
- SSLProtocol all -SSLv3 -SSLv2
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
- {% endif %}
- SSLHonorCipherOrder on
- <IfVersion >= 2.4>
- SSLCompression off
- SSLUseStapling on
- SSLStaplingResponderTimeout 5
- SSLStaplingReturnResponderErrors off
- SSLStaplingCache shmcb:/var/run/ocsp(128000)
- </IfVersion>
- </IfModule>
- #
- # Forbid access to version control directories
- #
- # If you use version control systems in your document root, you should
- # probably deny access to their directories. For example, for subversion:
- #
- <DirectoryMatch "/\.(svn|git)">
- Deny from all
- Satisfy all
- </DirectoryMatch>
- #
- # Setting this header will prevent MSIE from interpreting files as something
- # else than declared by the content type in the HTTP headers.
- # Requires mod_headers to be enabled.
- #
- <IfModule mod_headers.c>
- Header set X-Content-Type-Options: "nosniff"
- </IfModule>
- #
- # Some browsers have a built-in XSS filter that will detect some cross site
- # scripting attacks. By default, these browsers modify the suspicious part of
- # the page and display the result. This behavior can create various problems
- # including new security issues. This header will tell the XSS filter to
- # completely block access to the page instead.
- # Requires mod_headers to be enabled.
- #
- <IfModule mod_headers.c>
- Header set X-XSS-Protection: "1; mode=block"
- </IfModule>
- #
- # Setting this header will prevent other sites from embedding pages from this
- # site as frames. This defends against clickjacking attacks.
- # Requires mod_headers to be enabled.
- #
- <IfModule mod_headers.c>
- Header set X-Frame-Options: "sameorigin"
- </IfModule>
- #
- # Prevent at least directory listing from everywhere
- #
- <Directory />
- Options -Indexes +FollowSymLinks
- AllowOverride None
- Require all granted
- </Directory>
- <Directory /var/www>
- Options -Indexes +FollowSymLinks
- AllowOverride None
- Require all granted
- </Directory>
- #
- # Various protections
- # - stuff that should not be accessible publicly
- # - PHP files that should be invoked
- #
- <DirectoryMatch "/atos/param/">
- Deny from all
- Satisfy all
- </DirectoryMatch>
- <LocationMatch "/wp-content/uploads/.*\.php.*">
- Deny from all
- Satisfy all
- </LocationMatch>
- <Location "/xmlrpc.php">
- Deny from all
- Satisfy all
- </Location>