
{% if ansible_controlled is defined and ansible_controlled != "" %}
#
# {{ ansible_controlled }}
#
{% endif %}
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Order Deny,Allow
# Deny from all
#</Directory>
# NOTE(review): while this block stays commented out, the live "<Directory />"
# block further down in this file does the opposite ("Require all granted");
# see the note there.
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
#ServerSignature Off
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
#TraceEnable On
#
# SSL enforcement
#
# The "apache2_ssl_strengthened" variable selects between two profiles:
# - strengthened: no SSLv2/SSLv3/TLSv1, forward-secret (ECDHE/DHE) suites only,
#   3DES and MD5 excluded.
# - default: SSLv2/SSLv3 disabled only, so TLSv1.0 and TLSv1.1 remain
#   negotiable, and non-forward-secret AES/CAMELLIA suites plus 3DES
#   (DES-CBC3-SHA) stay in the list as a compatibility fallback.
# NOTE(review): no Strict-Transport-Security header is set in this section;
# if HTTPS is the only intended transport, that belongs with the mod_headers
# blocks below.
#
<IfModule mod_ssl.c>
{% if apache2_ssl_strengthened %}
SSLProtocol all -SSLv3 -SSLv2 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
{% else %}
SSLProtocol all -SSLv3 -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
{% endif %}
# The server's preference order above wins over the client's.
SSLHonorCipherOrder on
# Compression and OCSP stapling directives only exist from 2.4 on, hence the
# version guard. Stapling errors are not passed on to clients
# (SSLStaplingReturnResponderErrors off), so a flaky OCSP responder does not
# turn into handshake failures; the 5 s timeout bounds the responder wait.
<IfVersion >= 2.4>
SSLCompression off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfVersion>
</IfModule>
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
# The pattern is unanchored at the end, so it also covers nested paths such
# as /.github; other VCS directories (.hg, .bzr, ...) are not matched.
# NOTE(review): "Deny from all" / "Satisfy all" is 2.2-style access control;
# on 2.4 it depends on mod_access_compat being loaded (enabled by default in
# Debian's packaging). The 2.4 form is "Require all denied". The same applies
# to the three blocks at the end of this file.
<DirectoryMatch "/\.(svn|git)">
Deny from all
Satisfy all
</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
<IfModule mod_headers.c>
Header set X-Content-Type-Options: "nosniff"
</IfModule>
#
# Some browsers have a built-in XSS filter that will detect some cross site
# scripting attacks. By default, these browsers modify the suspicious part of
# the page and display the result. This behavior can create various problems
# including new security issues. This header will tell the XSS filter to
# completely block access to the page instead.
# Requires mod_headers to be enabled.
#
# NOTE(review): current OWASP guidance is to send "0" (filter disabled) because
# the filter itself has been a source of issues; a Content-Security-Policy is
# the replacement. Worth revisiting when this template is next touched.
<IfModule mod_headers.c>
Header set X-XSS-Protection: "1; mode=block"
</IfModule>
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
# "sameorigin" still allows framing by pages of the same origin; a CSP
# "frame-ancestors" directive is the modern equivalent and can coexist.
<IfModule mod_headers.c>
Header set X-Frame-Options: "sameorigin"
</IfModule>
#
# Prevent at least directory listing from everywhere
#
# NOTE(review): "Require all granted" on "/" opens the whole file system to
# any Alias or DocumentRoot that points outside /var/www and defeats the intent
# stated at the top of this file. The 2.4 equivalent of the commented-out
# block there is "Require all denied" here, with "Require all granted" kept
# only on /var/www and other explicitly served paths; that change needs
# testing against the Debian package configurations mentioned above.
# "+FollowSymLinks" follows links regardless of their owner; on hosts where
# untrusted users can create links under served paths,
# "SymLinksIfOwnerMatch" is the safer option.
<Directory />
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Directory /var/www>
Options -Indexes +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
#
# Various protections
# - stuff that should not be accessible publicly
# - PHP files that should be invoked
#
<DirectoryMatch "/atos/param/">
Deny from all
Satisfy all
</DirectoryMatch>
# Block direct requests for PHP scripts under the WordPress uploads directory.
# NOTE(review): the regex is case-sensitive and only covers names containing
# ".php"; check that every extension the PHP handler is mapped to on this host
# is covered, and consider a "(?i)" prefix if the file system is
# case-insensitive.
<LocationMatch "/wp-content/uploads/.*\.php.*">
Deny from all
Satisfy all
</LocationMatch>
# WordPress XML-RPC endpoint; some integrations (mobile apps, Jetpack) may
# rely on it, so this is a deliberate trade-off.
<Location "/xmlrpc.php">
Deny from all
Satisfy all
</Location>