Use modern ssl configuration and fix HSTS

4 years ago · 4bb32d9664
--- a/containers/webserver/Dockerfile
+++ b/containers/webserver/Dockerfile
@@ -2,7 +2,7 @@ FROM httpd:2.4
 LABEL maintainer="LessPass <contact@lesspass.com>"
 LABEL name="LessPass Web Server" 
 RUN sed -i 's/ServerTokens Full/ServerTokens Prod/g' /usr/local/apache2/conf/extra/httpd-default.conf
 COPY ./httpd-default.conf /usr/local/apache2/conf/extra/httpd-default.conf
 COPY ./httpd.conf /usr/local/apache2/conf/httpd.conf
 COPY ./httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf
 COPY entrypoint.sh /entrypoint.sh
--- a/containers/webserver/httpd-default.conf
+++ b/containers/webserver/httpd-default.conf
@@ -0,0 +1,90 @@
 #
 # This configuration file reflects default settings for Apache HTTP Server.
 #
 # You may change these, but chances are that you may not need to.
 #
 #
 # Timeout: The number of seconds before receives and sends time out.
 #
 Timeout 60
 #
 # KeepAlive: Whether or not to allow persistent connections (more than
 # one request per connection). Set to "Off" to deactivate.
 #
 KeepAlive On
 #
 # MaxKeepAliveRequests: The maximum number of requests to allow
 # during a persistent connection. Set to 0 to allow an unlimited amount.
 # We recommend you leave this number high, for maximum performance.
 #
 MaxKeepAliveRequests 100
 #
 # KeepAliveTimeout: Number of seconds to wait for the next request from the
 # same client on the same connection.
 #
 KeepAliveTimeout 5
 #
 # UseCanonicalName: Determines how Apache constructs self-referencing 
 # URLs and the SERVER_NAME and SERVER_PORT variables.
 # When set "Off", Apache will use the Hostname and Port supplied
 # by the client.  When set "On", Apache will use the value of the
 # ServerName directive.
 #
 UseCanonicalName Off
 #
 # AccessFileName: The name of the file to look for in each directory
 # for additional configuration directives.  See also the AllowOverride 
 # directive.
 #
 AccessFileName .htaccess
 #
 # ServerTokens
 # This directive configures what you return as the Server HTTP response
 # Header. The default is 'Full' which sends information about the OS-Type
 # and compiled in modules.
 # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
 # where Full conveys the most information, and Prod the least.
 #
 ServerTokens Prod
 #
 # Optionally add a line containing the server version and virtual host
 # name to server-generated pages (internal error documents, FTP directory 
 # listings, mod_status and mod_info output etc., but not CGI generated 
 # documents or custom error documents).
 # Set to "EMail" to also include a mailto: link to the ServerAdmin.
 # Set to one of:  On | Off | EMail
 #
 ServerSignature Off
 #
 # HostnameLookups: Log the names of clients or just their IP addresses
 # e.g., www.apache.org (on) or 204.62.129.132 (off).
 # The default is off because it'd be overall better for the net if people
 # had to knowingly turn this feature on, since enabling it means that
 # each client request will result in AT LEAST one lookup request to the
 # nameserver.
 #
 HostnameLookups Off
 #
 # Set a timeout for how long the client may take to send the request header
 # and body.
 # The default for the headers is header=20-40,MinRate=500, which means wait
 # for the first byte of headers for 20 seconds. If some data arrives,
 # increase the timeout corresponding to a data rate of 500 bytes/s, but not
 # above 40 seconds.
 # The default for the request body is body=20,MinRate=500, which is the same
 # but has no upper limit for the timeout.
 # To disable, set to header=0 body=0
 #
 <IfModule reqtimeout_module>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
 </IfModule>
--- a/containers/webserver/httpd-ssl.conf
+++ b/containers/webserver/httpd-ssl.conf
@@ -1,3 +1,4 @@
 # https://ssl-config.mozilla.org/#server=apache&version=2.4.41&config=modern&openssl=1.1.1d&guideline=5.6
 #
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
@@ -49,8 +50,8 @@ Listen 443
 #   ensure these follow appropriate best practices for this deployment.
 #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
 #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 # SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 # SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
 #  Older ciphers should be disallowed as soon as possible, while the
@@ -69,15 +70,17 @@ SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
 #   own preference of either security or performance, therefore this
 #   must be the prerogative of the web server administrator who manages
 #   cpu load versus confidentiality, so enforce the server's cipher order.
 SSLHonorCipherOrder on 
 SSLHonorCipherOrder off 
 SSLSessionTickets off
 #   SSL Protocol support:
 #   List the protocol versions which clients are allowed to connect with.
 #   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
 #   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
 #   protocol or later should remain in use.
 SSLProtocol all -SSLv3
 SSLProxyProtocol all -SSLv3
 SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
 SSLProxyProtocol        all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.
@@ -120,8 +123,6 @@ Protocols h2 h2c http/1.1
 ## SSL Virtual Host Context
 ##
 ErrorLog /proc/self/fd/2
 TransferLog /proc/self/fd/1
 ServerAdmin EMAIL
@@ -138,6 +139,7 @@ ServerAdmin EMAIL
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
    SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
    Header always set Strict-Transport-Security "max-age=63072000"
 </VirtualHost>
 <VirtualHost *:443>
@@ -152,6 +154,7 @@ ServerAdmin EMAIL
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
    SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
    Header always set Strict-Transport-Security "max-age=63072000"
 </VirtualHost>
 <VirtualHost *:443>
@@ -165,4 +168,5 @@ ServerAdmin EMAIL
    SSLEngine on
    SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"
    SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"
    Header always set Strict-Transport-Security "max-age=63072000"
 </VirtualHost>
--- a/containers/webserver/httpd.conf
+++ b/containers/webserver/httpd.conf
@@ -225,19 +225,8 @@ Group daemon
 #
 <VirtualHost *:80>
    ServerName www.FQDN
    ServerAlias FQDN
    Redirect / https://www.FQDN/
 </VirtualHost>
 <VirtualHost *:80>
    ServerName api.FQDN
    Redirect / https://api.FQDN/
 </VirtualHost>
 <VirtualHost *:80>
    ServerName admin.FQDN
    Redirect / https://admin.FQDN/
    RewriteEngine On
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
 </VirtualHost>
 #
@@ -360,7 +349,7 @@ LogLevel warn
    # logged therein and *not* in this file.
    #
    #CustomLog /proc/self/fd/1 common
    CustomLog /proc/self/fd/1 combined
    CustomLog /proc/self/fd/1 common
    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
@@ -565,4 +554,3 @@ Include conf/extra/httpd-ssl.conf
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 </IfModule>