#
# Django : 2015-10-30
# vHost hk-forum
#
# Variablen der Hostvariablen
Define vhost hk-forum
Define errors_log logs/${vhost}_error.log
Define access_log logs/${vhost}_access.log
Define ssl_log logs/${vhost}_ssl_request.log
ServerAdmin webmaster@nausch.org
ServerName ${vhost}.nausch.org
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
# Welche Logdateien sollen beschrieben werden
SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
ErrorLog ${errors_log}
CustomLog ${access_log} combined env=!dontlog
ServerAdmin webmaster@nausch.org
ServerName ${vhost}.nausch.org
ServerPath /
# Wer soll Zugriff auf die Webseite(n) bekommen?
#
# Options +FollowSymLinks +Multiviews -Indexes
# AllowOverride None
# AuthType Basic
# AuthName "Fuer den Zugriff auf den Webserver bitte Anmeldedaten eingeben!"
# AuthBasicProvider ldap
# AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid
# AuthLDAPBindDN cn=Technischeruser,dc=nausch,dc=org
# AuthLDAPBindPassword "M52wFn0r0w95z5bn/\EU64FE!"
# AuthLDAPBindAuthoritative on
# Require ldap-user accessuser
#
# Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests
#weitergeleitet werden?
DocumentRoot "/srv/www/html/${vhost}/"
DirectoryIndex index.php
Options none
AllowOverride Limit
Require all granted
Require all denied
# Welche Logdateien sollen beschrieben werden
SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
ErrorLog ${errors_log}
CustomLog ${access_log} combined env=!dontlog
CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# Absicherung der Übertragung mit Hilfe von TLS
# Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
SSLEngine on
# Definition der anzubietenden Protokolle
SSLProtocol All -SSLv2 -SSLv3
# Definition der Cipher
SSLCipherSuite "AES256+EECDH +AEAD"
# Schlüsseldatei, mit der der CSR erstellt wurde
SSLCertificateKeyFile /etc/pki/tls/private/${vhost}.nausch.org.serverkey.pem
# Zertifikatsdatei , die von der CA signiert wurde
SSLCertificateFile /etc/pki/tls/certs/${vhost}.nausch.org.certificate.pem
# Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
SSLCertificateChainFile /etc/pki/tls/certs/Intermediate.certificate.pem
# Änderung der Cipherorder der Clienets verneinen
SSLHonorCipherOrder on
# TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
SSLCompression off
# Online Certificate Status Protocol stapling zum Prüfen des
# Gültigkeitsstatus des Serverzertifikats.
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
# ist in der ssl.conf
# SSLStaplingCache shmcb:/var/run/ocsp(128000)
# special stuff ###
# HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header
# mitteilt, dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# This header enables the Cross-site scripting (XSS) filter built into most recent
# web browsers. It's usually enabled by default anyway, so the role of this header
# is to re-enable the filter for this particular website if it was disabled by the
# user. https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Header set X-XSS-Protection "1; mode=block"
# when serving user-supplied content, include a X-Content-Type-Options: nosniff
# header along with the Content-Type: header, to disable content-type sniffing on
# some browsers. https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8
# http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Header set X-Content-Type-Options nosniff
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with
# ALLOW-FROM uri https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
header set X-Frame-Options DENY
# hide server header (apache and php version)
Header unset Server
# Only allow JavaScript from the same domain to be run.
# don't allow inline JavaScript to run.
Header set X-Content-Security-Policy "allow 'self';"
# Add Secure and HTTP only attributes to cookies
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# prevent Clickjacking Attack
#Header always append X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "default-src 'self';"