#
# Django : 2017-02-14
#          vHost graylog
#

# Variablen der Hostvariablen
Define vhost graylog
Define errors_log logs/${vhost}_error.log
Define access_log logs/${vhost}_access.log
Define ssl_log logs/${vhost}_ssl_request.lo


<VirtualHost 10.0.0.97:80>
    ServerAdmin webmaster@nausch.org
    ServerName ${vhost}.nausch.org

    RewriteEngine on
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}

    # Welche Logdateien sollen beschrieben werden
    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
    ErrorLog  ${errors_log}
    CustomLog ${access_log} combined env=!dontlog
</VirtualHost>
<VirtualHost 10.0.0.97:443>
    ServerAdmin webmaster@nausch.org
    ServerName ${vhost}.nausch.org
    ServerPath /

    # Wer soll Zugriff auf die Webseite(n) bekommen?
    <Proxy *>
        Options +FollowSymLinks +Multiviews -Indexes
        AllowOverride None                          
        AuthType Basic                              
        AuthName "Fuer den Zugriff auf den Webserver bitte Anmeldedaten eingeben!"
        AuthBasicProvider ldap                                                    
        AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid
        AuthLDAPBindDN cn=Technischer_User,dc=nausch,dc=org                           
        AuthLDAPBindPassword "e1n531f!D4xIi57n38103034u!"                       
        AuthLDAPBindAuthoritative on                                                  
        Require ldap-user graylog-admin
    </Proxy>

    # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden?
    ProxyRequests Off
    ProxyPass / https://10.0.0.117/
    ProxyPassReverse / https://10.0.0.117/ 

    <Location />
        RequestHeader set X-Graylog-Server-URL "https://graylog.nausch.org/api/"
        ProxyPass  http://10.0.0.117:9000/
        ProxyPassReverse http://10.0.0.117:9000/
    </Location>

    <Location /api/>
        ProxyPass http://10.0.0.117:9000/api/
        ProxyPassReverse http://10.0.0.117:9000/api/
    </Location> 

    # Welche Logdateien sollen beschrieben werden
    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
    ErrorLog  ${errors_log}
    CustomLog ${access_log} combined env=!dontlog
    CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # Absicherung der Übertragung mit Hilfe von TLS
    # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
    SSLEngine on
    # Definition der anzubietenden Protokolle
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # Definition der Cipher
    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
    # Schlüsseldatei, mit der der CSR erstellt wurde
    SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
    # Zertifikatsdatei, die von der CA signiert wurde
    SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_161118.pem
    # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
    SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem
    # Änderung der Cipherorder der Clients verneinen 
    SSLHonorCipherOrder on
    # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
    SSLCompression off
    # Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats.
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

    # HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
    # dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    Header always set X-Xss-Protection "1; mode=block"

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    # Sofern die Datei auch den entsprechenden MIME-Typ "text/css" entspricht, soll der Browser 
    # CSS-Dateien nur als CSS interprätieren.
    Header always set X-Content-Type-Options nosniff

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    header always set X-Frame-Options DENY

    # hide server header (apache and php version)
    Header always unset Server

    # Only allow JavaScript from the same domain to be run.
    # don't allow inline JavaScript to run.
    Header always set X-Content-Security-Policy "allow 'self';"

    # Add Secure and HTTP only attributes to cookies
    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

    # prevent Clickjacking Attack
    Header always set X-Frame-Options "SAMEORIGIN"

    # hkpk-stuff
    Header always set Public-Key-Pins "pin-sha256=\"nMiOpb6vUnjCoWCkPZkDaG4D8SNWzFTsQf2ZfruLno0=\"; pin-sha256=\"INhxSQ38nCS6ijaAAyo4xAhAZj9xeL3X4ak+GGiM2fo=\"; max-age=2592000; report-uri=\"https://nausch.report-uri.io/r/default/hpkp/enforce\""
</VirtualHost>