41250d97d1
Adding a configuration parameter csp-options that, when set, adds a Content-Security-Policy header to the apache configuration. This header can prevent or minimize the risk of certain types of security threats by placing restrictions on the things the web page's code can do. Closes-Bug: #2118835 Change-Id: I06f0b1c2787fa56460e5a196d3ca07c0a85c14e3 Signed-off-by: Jorge Merlino <jorge.merlino@canonical.com>
78 lines
2.7 KiB
Plaintext
78 lines
2.7 KiB
Plaintext
{% if endpoints -%}
|
|
# Accept connections from non-SNI clients
|
|
SSLStrictSNIVHostCheck off
|
|
{% for ext_port in ext_ports -%}
|
|
NameVirtualHost *:{{ 443 }}
|
|
{% endfor -%}
|
|
{% for address, endpoint, ext, int in endpoints -%}
|
|
<VirtualHost {{ address }}:{{ ext }}>
|
|
ServerName {{ endpoint }}
|
|
|
|
ServerAdmin webmaster@localhost
|
|
|
|
DocumentRoot /var/www
|
|
<Directory />
|
|
Options FollowSymLinks
|
|
AllowOverride None
|
|
</Directory>
|
|
<Directory /var/www/>
|
|
Options Indexes FollowSymLinks MultiViews
|
|
AllowOverride None
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
|
<Directory "/usr/lib/cgi-bin">
|
|
AllowOverride None
|
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/error.log
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
|
|
|
SSLEngine on
|
|
|
|
# This section is based on Mozilla's recommendation
|
|
# as the "intermediate" profile as of July 7th, 2020.
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
SSLHonorCipherOrder off
|
|
|
|
SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
# See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
|
|
SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
|
|
{% if enforce_ssl %}
|
|
Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
|
|
# NOTE(ajkavanagh) due to Bug 1853173 the cookie can't be secure at this time, so disabling until a fix is found.
|
|
# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
|
|
{% endif %}
|
|
{% if csp_options %}
|
|
Header set Content-Security-Policy "{{ csp_options }}"
|
|
{% endif %}
|
|
Header set X-XSS-Protection "1; mode=block"
|
|
Header set X-Content-Type-Options "nosniff"
|
|
KeepAliveTimeout 75
|
|
MaxKeepAliveRequests 1000
|
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
|
SSLOptions +StdEnvVars
|
|
</FilesMatch>
|
|
<Directory /usr/lib/cgi-bin>
|
|
SSLOptions +StdEnvVars
|
|
</Directory>
|
|
BrowserMatch "MSIE [2-6]" \
|
|
nokeepalive ssl-unclean-shutdown \
|
|
downgrade-1.0 force-response-1.0
|
|
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
|
|
|
Header set X-Frame-Options: "sameorigin"
|
|
</VirtualHost>
|
|
{% endfor -%}
|
|
{% endif -%}
|