#
# Django : 2026-02-08
# vHost example.nausch.org
#
ServerAdmin webmaster@nausch.org
ServerName example.nausch.org
ServerPath /
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
ErrorLog "/var/log/httpd/example.nausch.org_error.log"
CustomLog "/var/log/httpd/example.nausch.org_access.log" combined
ServerAdmin webmaster@nausch.org
ServerName example.nausch.org
ServerPath /
# Anti Bot Check
Define BOTCHECK_DIR /srv/http/botcheck/apache/
Include ${BOTCHECK_DIR}/botcheck.conf
# Wer soll Zugriff auf die Webseite(n) bekommen?
Options -Indexes +FollowSymLinks
Require all granted
# Welcher Inhalt soll angezeigt werden?
DocumentRoot "/srv/http/example"
DirectoryIndex index.php
Options +FollowSymLinks
AllowOverride All
Require all granted
Require all denied
SetHandler "proxy:unix:/run/php-fpm/php-fpm.sock|fcgi://localhost"
# /run/php-fpm/php-fpm.sock
# Absicherung der Übertragung mit Hilfe von TLS
# Django : 2026-02-09 - TLS-Verschlüsselung mit Hilfe von mod_ssl
SSLEngine on
# Definition der anzubietenden Protokolle
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
# Definition der Cipher
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Schlüsseldatei, mit der der CSR erstellt wurde
SSLCertificateKeyFile "/etc/httpd/conf/serverkey.pem"
# Zertifikatsdatei, die von der CA signiert wurde
SSLCertificateFile "/etc/httpd/conf/certificate_chain.pem"
# Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
# deprecated!
# Änderung der Cipherorder der Clienets verneinen
SSLHonorCipherOrder on
# TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
SSLCompression off
# special stuff ###
# HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
# dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
Header set X-XSS-Protection "1; mode=block"
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
Header set X-Content-Type-Options nosniff
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
header set X-Frame-Options SAMEORIGIN
ErrorLog "/var/log/httpd/example.nausch.org_error.log"
CustomLog "/var/log/httpd/example.nausch.org_access.log" combined