# # Django : 2015-10-29 # vHost power # # Variablen der Hostvariablen Define vhost power Define errors_log logs/${vhost}_error.log Define access_log logs/${vhost}_access.log Define ssl_log logs/${vhost}_ssl_request.log ServerAdmin webmaster@nausch.org ServerName ${vhost}.nausch.org RewriteEngine on RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} # Welche Logdateien sollen beschrieben werden SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog ErrorLog ${errors_log} CustomLog ${access_log} combined env=!dontlog ServerAdmin webmaster@nausch.org ServerName ${vhost}.nausch.org ServerPath / # Wer soll Zugriff auf die Webseite(n) bekommen? Options +FollowSymLinks +Multiviews -Indexes AllowOverride None AuthType Basic AuthName "Fuer den Zugriff auf den Webserver bitte Anmeldedaten eingeben!" AuthBasicProvider ldap AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid AuthLDAPBindDN cn=TechnischerUser,dc=nausch,dc=org AuthLDAPBindPassword "MwDWrcdRnw95zMt7A5bS/dPnEHuuO7h0" AuthLDAPBindAuthoritative on Require ldap-user django # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden? ProxyRequests Off ProxyPreserveHost On ProxyPass / http://10.0.0.127/ ProxyPassReverse / http://10.0.0.127/ # Welche Logdateien sollen beschrieben werden SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog ErrorLog ${errors_log} CustomLog ${access_log} combined env=!dontlog CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" # Absicherung der Übertragung mit Hilfe von TLS # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl SSLEngine on # Definition der anzubietenden Protokolle SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 # Definition der Cipher SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384 # Schlüsseldatei, mit der der CSR erstellt wurde SSLCertificateKeyFile /etc/pki/tls/private/power.nausch.org.serverkey.pem # Zertifikatsdatei, die von der CA signiert wurde SSLCertificateFile /etc/pki/tls/certs/power.nausch.org.certificate_161118.pem # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s) SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem # Änderung der Cipherorder der Clients verneinen SSLHonorCipherOrder on # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks) SSLCompression off # Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats. SSLUseStapling on SSLStaplingResponderTimeout 5 SSLStaplingReturnResponderErrors off # HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt, # dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll. Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for # this particular website if it was disabled by the user. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers #Header set X-XSS-Protection "1; mode=block" Header always set X-Xss-Protection "1; mode=block" # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, # to disable content-type sniffing on some browsers. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 # Sofern die Datei auch den entsprechenden MIME-Typ "text/css" entspricht, soll der Browser # CSS-Dateien nur als CSS interprätieren. Header always set X-Content-Type-Options nosniff # config to don't allow the browser to render the page inside an frame or iframe # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options ###header set X-Frame-Options SAMEORIGIN header always set X-Frame-Options DENY # hide server header (apache and php version) Header always unset Server # Only allow JavaScript from the same domain to be run. # don't allow inline JavaScript to run. Header always set X-Content-Security-Policy "allow 'self';" # Add Secure and HTTP only attributes to cookies Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure # prevent Clickjacking Attack #Header always append X-Frame-Options SAMEORIGIN Header always set X-Frame-Options "SAMEORIGIN" # hkpk-stuff Header always set Public-Key-Pins "pin-sha256=\"nMiOpb6vUnjCoWCkPkDaG4ND8SNWzFTsQf2ZfruLno0=\"; pin-sha256=\"INhxSQ38nCS6ijaAAyo4xAhAZj9xeL3Xaak+GGiM2fo=\"; max-age=2592000; report-uri=\"https://nausch.report-uri.io/r/default/hpkp/enforce\""