
{# Emit the shared Ansible "managed file, do not edit" prolog from templates/ansible/prolog.j2 when ansible_prolog is set; the "-" markers keep it from leaving blank lines in the rendered config -#}
{% if ansible_prolog -%}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This is the safest baseline, but it is left disabled because it currently
# breaks the configurations that ship with some web application Debian
# packages. Note that the <Directory /> section further down in this file
# grants access to "/" instead, so what limits exposure is only the
# DocumentRoot / Alias / Location scoping of each virtual host.
#
#<Directory />
# AllowOverride None
# Order Deny,Allow
# Deny from all
#</Directory>
# Changing the following options does not close any vulnerability on its own;
# it only reduces what the server discloses about itself (version, OS,
# modules), which makes fingerprinting and targeted exploitation slightly
# harder.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules, i.e. exactly the version list an attacker needs
# to pick known CVEs.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
# Prod reduces the header to the bare product name ("Apache").
#ServerTokens Minimal
ServerTokens Prod
#ServerTokens Full
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
# Off: no version/hostname footer on server-generated pages, closing the
# second place (besides the Server header) where the version would leak.
ServerSignature Off
#
# Allow TRACE method
#
# TRACE echoes the request (headers included) back to the client. Combined
# with a client-side injection that can issue requests it lets an attacker
# read headers the script itself cannot, such as cookies (cross-site
# tracing), so it stays off.
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
#
TraceEnable Off
#TraceEnable On
  50. #
  51. # SSL enforcement
  52. #
  53. <IfModule mod_ssl.c>
  54. {% if apache2_ssl_strengthened %}
  55. SSLProtocol all -SSLv3 -SSLv2 -TLSv1
  56. SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  57. {% else %}
  58. SSLProtocol all -SSLv3 -SSLv2
  59. SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
  60. {% endif %}
  61. SSLHonorCipherOrder on
  62. <IfVersion >= 2.4>
  63. SSLCompression off
  64. SSLUseStapling on
  65. SSLStaplingResponderTimeout 5
  66. SSLStaplingReturnResponderErrors off
  67. SSLStaplingCache shmcb:/var/run/ocsp(128000)
  68. </IfVersion>
  69. </IfModule>
  70. #
  71. # Forbid access to version control directories
  72. #
  73. # If you use version control systems in your document root, you should
  74. # probably deny access to their directories. For example, for subversion:
  75. #
  76. <DirectoryMatch "/\.(svn|git)">
  77. Deny from all
  78. Satisfy all
  79. </DirectoryMatch>
  80. #
  81. # Setting this header will prevent MSIE from interpreting files as something
  82. # else than declared by the content type in the HTTP headers.
  83. # Requires mod_headers to be enabled.
  84. #
  85. <IfModule mod_headers.c>
  86. Header set X-Content-Type-Options: "nosniff"
  87. </IfModule>
  88. #
  89. # Some browsers have a built-in XSS filter that will detect some cross site
  90. # scripting attacks. By default, these browsers modify the suspicious part of
  91. # the page and display the result. This behavior can create various problems
  92. # including new security issues. This header will tell the XSS filter to
  93. # completely block access to the page instead.
  94. # Requires mod_headers to be enabled.
  95. #
  96. <IfModule mod_headers.c>
  97. Header set X-XSS-Protection: "1; mode=block"
  98. </IfModule>
  99. #
  100. # Setting this header will prevent other sites from embedding pages from this
  101. # site as frames. This defends against clickjacking attacks.
  102. # Requires mod_headers to be enabled.
  103. #
  104. <IfModule mod_headers.c>
  105. Header set X-Frame-Options: "sameorigin"
  106. </IfModule>
  107. #
  108. # Prevent at least directory listing from everywhere
  109. #
  110. <Directory />
  111. Options FollowSymLinks
  112. AllowOverride None
  113. Require all granted
  114. </Directory>
#
# Various protections
# - stuff that should not be accessible publicly
# - PHP files that must not be invoked
#
# Application parameter directory that must never be served. The path is
# project-specific -- presumably the deployed layout of the "atos"
# application; confirm it still matches on upgrade.
# Deny/Satisfy are 2.2-style directives and rely on mod_access_compat under
# 2.4.
<DirectoryMatch "/atos/param/">
Deny from all
Satisfy all
</DirectoryMatch>
  124. <LocationMatch "/wp-content/uploads/.*\.php.*">
  125. Deny from all
  126. Satisfy all
  127. </LocationMatch>
# WordPress XML-RPC endpoint: a known target for login brute-forcing
# (system.multicall amplification) and pingback abuse, so it is blocked
# outright. This also breaks legitimate XML-RPC consumers (e.g. Jetpack or
# the mobile apps) if the site uses them -- confirm before rolling out.
# Deny/Satisfy rely on mod_access_compat under 2.4.
<Location "/xmlrpc.php">
Deny from all
Satisfy all
</Location>