#
# Django : 2017-10-10
# vHost horde
#
# Variablen der Hostvariablen
Define vhost horde
Define errors_log logs/${vhost}_error.log
Define access_log logs/${vhost}_access.log
Define ssl_log logs/${vhost}_ssl_request.log
ServerAdmin webmaster@mailserver.guru
ServerName ${vhost}.mailserver.guru
ServerPath /
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# Welche Logdateien sollen beschrieben werden
SetEnvIf Remote_Addr "10\.0\.0\.117" dontlog
ErrorLog ${errors_log}
CustomLog ${access_log} combined env=!dontlog
ServerAdmin webmaster@mailserver.guru
ServerName ${vhost}.mailserver.guru
ServerPath /
# Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden?
DocumentRoot "/srv/www/html/horde"
DirectoryIndex index.php
AddType application/x-httpd-php .php
# PHP-FPM UID/GID apache:apache auf Port 9000
SetHandler "proxy:fcgi://127.0.0.1:9000"
#SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
# Links zu den System-Bibliotheken
Alias /horde/js/scriptaculous /usr/share/scriptaculous
Alias /horde/js/prototype.js /usr/share/prototype/prototype.js
Alias /horde/js/syntaxhighlighter /usr/share/syntaxhighlighter
# Links für die Micro$oft Spezialsachen
Alias /Microsoft-Server-ActiveSync /srv/www/html/horde/rpc.php
Alias /autodiscover/autodiscover.xml /srv/www/html/horde/rpc.php
# Wer soll Zugriff auf die Webseite(n) bekommen?
# **IMPORTANT** By default, everyone accessing Horde is automatically logged
# in as 'Administrator'. This is a security risk! It is very important that
# you change the authentication backend under the 'Authentication' tab.
# For this reason, Horde is currently only accessible from localhost.
# Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
Require host vml000017.dmz.nausch.org
# Zugriff generell erlauben
# Require all granted
# Django : 2017-10-10
# aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
RewriteEngine On
RewriteBase /horde/
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ rampage.php [QSA,L]
Options +FollowSymLinks
#Options All
#AllowOverride All
# Rewrite the requestet URI, when it is with german "Umlaute".
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/$
RewriteCond %{HTTP_HOST} ^xn--bro-hoa.sec-mail.guru$ [NC]
RewriteRule ^$ https://horde.sec-mail.guru [L,R=301]
# Zugriff auch ohne Passwort Abfrage ermöglichen
SetEnvIf Request_URI "(rpc.php)$" allow
SetEnvIf Request_URI "(rpc.php/turba/mailsystem/)$" allow
SetEnvIf Request_URI "(rpc.php/nag/mailsystem/)$" allow
SetEnvIf Request_URI "(sapi/profile/client)$" allow
SetEnvIf Request_URI "(devinfo)$" allow
SetEnvIf Request_URI "(Microsoft-Server-ActiveSync)$" allow
# ActiveSync
RewriteEngine On
RewriteRule ^/Microsoft-Server-ActiveSync /rpc.php [PT,L,QSA]
RewriteRule .* - [E=HTTP_MS_ASPROTOCOLVERSION:%{HTTP:Ms-Asprotocolversion}]
RewriteRule .* - [E=HTTP_X_MS_POLICYKEY:%{HTTP:X-Ms-Policykey}]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
# Zugriff auf die Seite test.php beschränken, nur erlaubt vom berechtigten Host aus
# Django : 2017-10-10
# Zugriff generell verbieten
# Require all denied
# Zugriff nur vom Host vml000010.dmz.nausch.org aus erlauben
Require host vml000010.dmz.nausch.org
# Zugriffe von (Web)Clients dirt auf nachfolgende Verzeichnisse und Seiten unterbinden.
Require all denied
Require all denied
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php/$1 [QSA,L]
# Django : 2014-09-19
# aus der Konfigurationsdatei php-horde-content.conf übernommen
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
# Django : 2014-09-19
# aus der Konfigurationsdatei php-horde-kronolith.conf übernommen
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?c=$1 [QSA,L]
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript
AddOutputFilterByType DEFLATE application/javascript application/x-javascriptl
SetOutputFilter DEFLATE
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
Header append Vary User-Agent env=!dont-vary
# Welche Logdateien sollen beschrieben werden
SetEnvIf Remote_Addr "10\.0\.0\.117" dontlog
ErrorLog ${errors_log}
CustomLog ${access_log} combined env=!dontlog
CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Absicherung der Übertragung mit Hilfe von TLS
# Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
SSLEngine on
# Definition der anzubietenden Protokolle
SSLProtocol All All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Definition der Cipher
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
# Schlüsseldatei, mit der der CSR erstellt wurde
SSLCertificateKeyFile /etc/pki/tls/private/wildcard_2017.mailserver.guru.serverkey.pem
# Zertifikatsdatei, die von der CA signiert wurde
SSLCertificateFile /etc/pki/tls/certs/wildcard_2017.mailserver.guru.certificate.pem
# Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem
# Änderung der Cipherorder der Clienets verneinen
SSLHonorCipherOrder on
# TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
SSLCompression off
# Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# special stuff ###
# HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
# dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Header set X-XSS-Protection "1; mode=block"
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Header set X-Content-Type-Options nosniff
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
header set X-Frame-Options SAMEORIGIN