Procházet zdrojové kódy

Use modern ssl configuration and fix HSTS

pull/573/head
Guillaume Vincent před 4 roky
rodič
revize
4bb32d9664
4 změnil soubory, kde provedl 105 přidání a 23 odebrání
  1. +1
    -1
      containers/webserver/Dockerfile
  2. +90
    -0
      containers/webserver/httpd-default.conf
  3. +11
    -7
      containers/webserver/httpd-ssl.conf
  4. +3
    -15
      containers/webserver/httpd.conf

+ 1
- 1
containers/webserver/Dockerfile Zobrazit soubor

@@ -2,7 +2,7 @@ FROM httpd:2.4
LABEL maintainer="LessPass <contact@lesspass.com>"
LABEL name="LessPass Web Server"

RUN sed -i 's/ServerTokens Full/ServerTokens Prod/g' /usr/local/apache2/conf/extra/httpd-default.conf
COPY ./httpd-default.conf /usr/local/apache2/conf/extra/httpd-default.conf
COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf
COPY entrypoint.sh /entrypoint.sh


+ 90
- 0
containers/webserver/httpd-default.conf Zobrazit soubor

@@ -0,0 +1,90 @@
#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
#

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives. See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
#
ServerSignature Off

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# Set a timeout for how long the client may take to send the request header
# and body.
# The default for the headers is header=20-40,MinRate=500, which means wait
# for the first byte of headers for 20 seconds. If some data arrives,
# increase the timeout corresponding to a data rate of 500 bytes/s, but not
# above 40 seconds.
# The default for the request body is body=20,MinRate=500, which is the same
# but has no upper limit for the timeout.
# To disable, set to header=0 body=0
#
<IfModule reqtimeout_module>
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

+ 11
- 7
containers/webserver/httpd-ssl.conf Zobrazit soubor

@@ -1,3 +1,4 @@
# https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
@@ -49,8 +50,8 @@ Listen 443
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
@@ -69,15 +70,17 @@ SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
SSLHonorCipherOrder off

SSLSessionTickets off

# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
@@ -120,8 +123,6 @@ Protocols h2 h2c http/1.1
## SSL Virtual Host Context
##



ErrorLog /proc/self/fd/2
TransferLog /proc/self/fd/1
ServerAdmin EMAIL
@@ -138,6 +139,7 @@ ServerAdmin EMAIL
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

<VirtualHost *:443>
@@ -152,6 +154,7 @@ ServerAdmin EMAIL
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

<VirtualHost *:443>
@@ -165,4 +168,5 @@ ServerAdmin EMAIL
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
Header always set Strict-Transport-Security "max-age=63072000"
</VirtualHost>

+ 3
- 15
containers/webserver/httpd.conf Zobrazit soubor

@@ -225,19 +225,8 @@ Group daemon
#

<VirtualHost *:80>
ServerName www.FQDN
ServerAlias FQDN
Redirect / https://www.FQDN/
</VirtualHost>

<VirtualHost *:80>
ServerName api.FQDN
Redirect / https://api.FQDN/
</VirtualHost>

<VirtualHost *:80>
ServerName admin.FQDN
Redirect / https://admin.FQDN/
RewriteEngine On
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

#
@@ -360,7 +349,7 @@ LogLevel warn
# logged therein and *not* in this file.
#
#CustomLog /proc/self/fd/1 common
CustomLog /proc/self/fd/1 combined
CustomLog /proc/self/fd/1 common
#
# If you prefer a logfile with access, agent, and referer information
# (Combined Logfile Format) you can use the following directive.
@@ -565,4 +554,3 @@ Include conf/extra/httpd-ssl.conf
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


Načítá se…
Zrušit
Uložit