diff --git a/containers/webserver/Dockerfile b/containers/webserver/Dockerfile index 6c39cc4..7e92a67 100644 --- a/containers/webserver/Dockerfile +++ b/containers/webserver/Dockerfile @@ -2,7 +2,7 @@ FROM httpd:2.4 LABEL maintainer="LessPass " LABEL name="LessPass Web Server" -RUN sed -i 's/ServerTokens Full/ServerTokens Prod/g' /usr/local/apache2/conf/extra/httpd-default.conf +COPY ./httpd-default.conf /usr/local/apache2/conf/extra/httpd-default.conf COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf COPY entrypoint.sh /entrypoint.sh diff --git a/containers/webserver/httpd-default.conf b/containers/webserver/httpd-default.conf new file mode 100644 index 0000000..d96baf6 --- /dev/null +++ b/containers/webserver/httpd-default.conf 
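Review bot: The new COPY of httpd-default.conf only hardens anything if httpd.conf actually includes conf/extra/httpd-default.conf, and the stock httpd.conf shipped in the httpd:2.4 image has that Include commented out; the only Include visible in this diff is the `Include conf/extra/httpd-ssl.conf` hunk-header context of the httpd.conf -565 hunk, so please confirm the default-conf Include is enabled in the project's httpd.conf. Replacing the sed with a wholesale copy also means the file stops tracking the base image's defaults, so a comment on the COPY line such as `# project-owned copy of the image's httpd-default.conf; hardens ServerTokens/ServerSignature` would record why the sed went away.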
@@ -0,0 +1,90 @@
+#
+# This configuration file reflects default settings for Apache HTTP Server.
+#
+# You may change these, but chances are that you may not need to.
+#
+
+#
+# Timeout: The number of seconds before receives and sends time out.
+#
+Timeout 60
+
+#
+# KeepAlive: Whether or not to allow persistent connections (more than
+# one request per connection). Set to "Off" to deactivate.
+#
+KeepAlive On
+
+#
+# MaxKeepAliveRequests: The maximum number of requests to allow
+# during a persistent connection. Set to 0 to allow an unlimited amount.
+# We recommend you leave this number high, for maximum performance.
+#
+MaxKeepAliveRequests 100
+
+#
+# KeepAliveTimeout: Number of seconds to wait for the next request from the
+# same client on the same connection.
+#
+KeepAliveTimeout 5
+
+#
+# UseCanonicalName: Determines how Apache constructs self-referencing
+# URLs and the SERVER_NAME and SERVER_PORT variables.
+# When set "Off", Apache will use the Hostname and Port supplied
+# by the client. When set "On", Apache will use the value of the
+# ServerName directive.
+#
+UseCanonicalName Off
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for additional configuration directives. See also the AllowOverride
+# directive.
+#
+AccessFileName .htaccess
+
+#
+# ServerTokens
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
+# and compiled in modules.
+# Set to one of: Full | OS | Minor | Minimal | Major | Prod
+# where Full conveys the most information, and Prod the least.
+#
+ServerTokens Prod
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (internal error documents, FTP directory
+# listings, mod_status and mod_info output etc., but not CGI generated
+# documents or custom error documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature Off
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+#
+# Set a timeout for how long the client may take to send the request header
+# and body.
+# The default for the headers is header=20-40,MinRate=500, which means wait
+# for the first byte of headers for 20 seconds. If some data arrives,
+# increase the timeout corresponding to a data rate of 500 bytes/s, but not
+# above 40 seconds.
+# The default for the request body is body=20,MinRate=500, which is the same
+# but has no upper limit for the timeout.
+# To disable, set to header=0 body=0
+#
+
+ RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
+
\ No newline at end of file
diff --git a/containers/webserver/httpd-ssl.conf b/containers/webserver/httpd-ssl.conf
index 4a11d34..a0fc4be 100644
--- a/containers/webserver/httpd-ssl.conf
+++ b/containers/webserver/httpd-ssl.conf
@@ -1,3 +1,4 @@
+# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6
 #
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
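Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which should be fixed before further directives get appended to it. Since this is now a project-owned copy of the image's httpd-default.conf rather than a sed over it, a provenance header at the top would make future comparisons against upstream easy, e.g. `# Based on the httpd:2.4 image's conf/extra/httpd-default.conf; local changes: ServerTokens Prod, ServerSignature Off`. ServerSignature Off is new relative to the sed this replaces and is the right complement to ServerTokens Prod; `TraceEnable Off` would be a natural addition in the same spirit if the TRACE method is not needed.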
@@ -49,8 +50,8 @@ Listen 443 # ensure these follow appropriate best practices for this deployment. # httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers, # while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a. -SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES -SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES +# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES +# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES # By the end of 2016, only TLSv1.2 ciphers should remain in use. # Older ciphers should be disallowed as soon as possible, while the @@ -69,15 +70,17 @@ SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES # own preference of either security or performance, therefore this # must be the prerogative of the web server administrator who manages # cpu load versus confidentiality, so enforce the server's cipher order. -SSLHonorCipherOrder on +SSLHonorCipherOrder off + +SSLSessionTickets off # SSL Protocol support: # List the protocol versions which clients are allowed to connect with. # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be # disabled as quickly as practical. By the end of 2016, only the TLSv1.2 # protocol or later should remain in use. -SSLProtocol all -SSLv3 -SSLProxyProtocol all -SSLv3 +SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 +SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 # Pass Phrase Dialog: # Configure the pass phrase gathering process. @@ -120,8 +123,6 @@ Protocols h2 h2c http/1.1 ## SSL Virtual Host Context ## - - ErrorLog /proc/self/fd/2 TransferLog /proc/self/fd/1 ServerAdmin EMAIL @@ -138,6 +139,7 @@ ServerAdmin EMAIL SSLEngine on SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + Header always set Strict-Transport-Security "max-age=63072000" 
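Review bot: Commenting out SSLCipherSuite and SSLProxyCipherSuite leaves the TLS 1.2-and-below cipher list at mod_ssl's built-in default, which is only acceptable here because the -69 hunk below disables every protocol except TLSv1.3; the two settings are coupled but nothing in this hunk says so. Rather than a bare commented-out directive, leave the reason next to it, e.g. `# Intentionally unset: SSLProtocol allows only TLSv1.3, whose suites are configured separately (SSLCipherSuite TLSv1.3 ...); restore an explicit list before re-enabling TLSv1.2`. Otherwise whoever relaxes SSLProtocol later inherits the permissive default without noticing.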
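Review bot: The new SSLProtocol/SSLProxyProtocol lines leave TLSv1.3 as the only negotiable version, which matches the Mozilla "modern" profile linked at the top of the file but is a client-compatibility decision the file itself does not explain; a one-line comment such as `# TLSv1.3 only (Mozilla modern profile); clients without TLS 1.3 cannot connect` next to SSLProtocol would save the next reader a trip to the generator link. `SSLHonorCipherOrder off` and `SSLSessionTickets off` are consistent with that profile, and a short why-comment on the tickets line (forward secrecy, since the ticket key is presumably not rotated in this container) would document the trade-off against session resumption. The generator link records openssl=1.1.1d while the Dockerfile pulls the floating httpd:2.4 tag, so whether the image's OpenSSL actually matches is not something this diff shows.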
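Review bot: `Header always set Strict-Transport-Security "max-age=63072000"` depends on mod_headers, and no LoadModule headers_module line is visible in this diff; if the module is not loaded the `Header` directive is a startup error, so worth confirming in httpd.conf. The same line is added to each of the three HTTPS virtual hosts (this hunk and the -152 and -165 hunks in the same file), and the enclosing VirtualHost blocks start and end outside these hunks. The value without includeSubDomains or preload is the conservative choice; `includeSubDomains` is worth considering only once every subdomain under the FQDN is confirmed HTTPS-only, given the :80 side now redirects everything to HTTPS.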
@@ -152,6 +154,7 @@ ServerAdmin EMAIL SSLEngine on SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + Header always set Strict-Transport-Security "max-age=63072000" @@ -165,4 +168,5 @@ ServerAdmin EMAIL SSLEngine on SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH" SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH" + Header always set Strict-Transport-Security "max-age=63072000" diff --git a/containers/webserver/httpd.conf b/containers/webserver/httpd.conf index 43303a8..e357241 100644 --- a/containers/webserver/httpd.conf +++ b/containers/webserver/httpd.conf @@ -225,19 +225,8 @@ Group daemon # - ServerName www.FQDN - ServerAlias FQDN - Redirect / https://www.FQDN/ - - - - ServerName api.FQDN - Redirect / https://api.FQDN/ - - - - ServerName admin.FQDN - Redirect / https://admin.FQDN/ + RewriteEngine On + RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L] # @@ -360,7 +349,7 @@ LogLevel warn # logged therein and *not* in this file. # #CustomLog /proc/self/fd/1 common - CustomLog /proc/self/fd/1 combined + CustomLog /proc/self/fd/1 common # # If you prefer a logfile with access, agent, and referer information # (Combined Logfile Format) you can use the following directive. @@ -565,4 +554,3 @@ Include conf/extra/httpd-ssl.conf SSLRandomSeed startup builtin SSLRandomSeed connect builtin -
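Review bot: The replacement `RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]` builds its redirect target from the client-supplied Host header, whereas the three removed vhosts redirected only to the fixed www/api/admin FQDNs. Since the result only sends the requesting client to the host it named, the practical impact is low, but a Host value with a port suffix or an empty Host (HTTP/1.0) yields targets like `https://host:80/...` or `https:///...`; a guard such as `RewriteCond %{HTTP_HOST} ^(www|api|admin)\.FQDN$ [NC]` immediately before the rule restores the previous allow-list behaviour. The rule also needs mod_rewrite loaded, which this diff does not show, and the enclosing VirtualHost block starts and ends outside the hunk.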
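Review bot: Switching the access log from `combined` to `common` drops the Referer and User-Agent fields from every request record, which are among the first things an incident investigation or abuse triage looks at; the comment lines right below still offer the Combined Logfile Format directive as the richer option. If the intent is to avoid logging those fields (privacy or volume), a one-line comment stating that would stop the next maintainer from "fixing" it back; otherwise keep `CustomLog /proc/self/fd/1 combined`.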