74 lines
2.6 KiB
Plaintext
74 lines
2.6 KiB
Plaintext
{% if endpoints -%}
|
|
# Accept connections from non-SNI clients
|
|
SSLStrictSNIVHostCheck off
|
|
{% for ext_port in ext_ports -%}
|
|
NameVirtualHost *:{{ 443 }}
|
|
{% endfor -%}
|
|
{% for address, endpoint, ext, int in endpoints -%}
|
|
<VirtualHost {{ address }}:{{ ext }}>
|
|
ServerName {{ endpoint }}
|
|
|
|
ServerAdmin webmaster@localhost
|
|
|
|
DocumentRoot /var/www
|
|
<Directory />
|
|
Options FollowSymLinks
|
|
AllowOverride None
|
|
</Directory>
|
|
<Directory /var/www/>
|
|
Options Indexes FollowSymLinks MultiViews
|
|
AllowOverride None
|
|
Order allow,deny
|
|
allow from all
|
|
</Directory>
|
|
|
|
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
|
|
<Directory "/usr/lib/cgi-bin">
|
|
AllowOverride None
|
|
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
|
|
Order allow,deny
|
|
Allow from all
|
|
</Directory>
|
|
|
|
ErrorLog ${APACHE_LOG_DIR}/error.log
|
|
LogLevel warn
|
|
|
|
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
|
|
|
|
SSLEngine on
|
|
|
|
# This section is based on Mozilla's recommendation
|
|
# as the "intermediate" profile as of July 7th, 2020.
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
|
SSLHonorCipherOrder off
|
|
|
|
SSLCertificateFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
# See LP 1484489 - this is to support <= 2.4.7 and >= 2.4.8
|
|
SSLCertificateChainFile /etc/apache2/ssl/{{ namespace }}/cert_{{ endpoint }}
|
|
SSLCertificateKeyFile /etc/apache2/ssl/{{ namespace }}/key_{{ endpoint }}
|
|
{% if enforce_ssl %}
|
|
Header set Strict-Transport-Security "max-age={{ hsts_max_age_seconds }}"
|
|
# NOTE(ajkavanagh) due to Bug 1853173 the cookie can't be secure at this time, so disabling until a fix is found.
|
|
# Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
|
|
{% endif %}
|
|
Header set X-XSS-Protection "1; mode=block"
|
|
Header set X-Content-Type-Options "nosniff"
|
|
KeepAliveTimeout 75
|
|
MaxKeepAliveRequests 1000
|
|
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
|
SSLOptions +StdEnvVars
|
|
</FilesMatch>
|
|
<Directory /usr/lib/cgi-bin>
|
|
SSLOptions +StdEnvVars
|
|
</Directory>
|
|
BrowserMatch "MSIE [2-6]" \
|
|
nokeepalive ssl-unclean-shutdown \
|
|
downgrade-1.0 force-response-1.0
|
|
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
|
|
|
</VirtualHost>
|
|
{% endfor -%}
|
|
{% endif -%}
|