heuzef
/
lesspass
mirror da https://github.com/lesspass/lesspass.git
1
0
Forka 0
Codice Problemi 0 Rilasci 67 Wiki Attività
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
2064 Commit
17 Rami (Branch)
382 MiB
 
 
 
 
 
 
Albero (Tree): 85c4565326
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '85c4565326'
${ noResults }
lesspass/containers/webserver/httpd-ssl.conf

167 righe
6.2 KiB
Originale Blame Cronologia 

  1. #

  2. # This is the Apache server configuration file providing SSL support.

  3. # It contains the configuration directives to instruct the server how to

  4. # serve pages over an https connection. For detailed information about these 

  5. # directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>

  6. # 

  7. # Do NOT simply read the instructions in here without understanding

  8. # what they do.  They're here only as hints or reminders.  If you are unsure

  9. # consult the online docs. You have been warned.  

  10. #

  11. # Required modules: mod_log_config, mod_setenvif, mod_ssl,

  12. #          socache_shmcb_module (for default value of SSLSessionCache)

  13. 

  14. #

  15. # Pseudo Random Number Generator (PRNG):

  16. # Configure one or more sources to seed the PRNG of the SSL library.

  17. # The seed data should be of good random quality.

  18. # WARNING! On some platforms /dev/random blocks if not enough entropy

  19. # is available. This means you then cannot use the /dev/random device

  20. # because it would lead to very long connection times (as long as

  21. # it requires to make more entropy available). But usually those

  22. # platforms additionally provide a /dev/urandom device which doesn't

  23. # block. So, if available, use this one instead. Read the mod_ssl User

  24. # Manual for more details.

  25. #

  26. #SSLRandomSeed startup file:/dev/random  512

  27. #SSLRandomSeed startup file:/dev/urandom 512

  28. #SSLRandomSeed connect file:/dev/random  512

  29. #SSLRandomSeed connect file:/dev/urandom 512

  30. 

  31. 

  32. #

  33. # When we also provide SSL we have to listen to the 

  34. # standard HTTP port (see above) and to the HTTPS port

  35. #

  36. Listen 443

  37. 

  38. ##

  39. ##  SSL Global Context

  40. ##

  41. ##  All SSL configuration in this context applies both to

  42. ##  the main server and all SSL-enabled virtual hosts.

  43. ##

  44. 

  45. #   SSL Cipher Suite:

  46. #   List the ciphers that the client is permitted to negotiate,

  47. #   and that httpd will negotiate as the client of a proxied server.

  48. #   See the OpenSSL documentation for a complete list of ciphers, and

  49. #   ensure these follow appropriate best practices for this deployment.

  50. #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,

  51. #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.

  52. SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

  53. SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES

  54. 

  55. #  By the end of 2016, only TLSv1.2 ciphers should remain in use.

  56. #  Older ciphers should be disallowed as soon as possible, while the

  57. #  kRSA ciphers do not offer forward secrecy.  These changes inhibit

  58. #  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy

  59. #  non-browser tooling) from successfully connecting.  

  60. #

  61. #  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable

  62. #  those protocols which do not support forward secrecy, replace

  63. #  the SSLCipherSuite and SSLProxyCipherSuite directives above with

  64. #  the following two directives, as soon as practical.

  65. # SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

  66. # SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA

  67. 

  68. #   User agents such as web browsers are not configured for the user's

  69. #   own preference of either security or performance, therefore this

  70. #   must be the prerogative of the web server administrator who manages

  71. #   cpu load versus confidentiality, so enforce the server's cipher order.

  72. SSLHonorCipherOrder on 

  73. 

  74. #   SSL Protocol support:

  75. #   List the protocol versions which clients are allowed to connect with.

  76. #   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be

  77. #   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2

  78. #   protocol or later should remain in use.

  79. SSLProtocol all -SSLv3

  80. SSLProxyProtocol all -SSLv3

  81. 

  82. #   Pass Phrase Dialog:

  83. #   Configure the pass phrase gathering process.

  84. #   The filtering dialog program (`builtin' is an internal

  85. #   terminal dialog) has to provide the pass phrase on stdout.

  86. SSLPassPhraseDialog  builtin

  87. 

  88. #   Inter-Process Session Cache:

  89. #   Configure the SSL Session Cache: First the mechanism 

  90. #   to use and second the expiring timeout (in seconds).

  91. #SSLSessionCache         "dbm:/usr/local/apache2/logs/ssl_scache"

  92. SSLSessionCache        "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"

  93. SSLSessionCacheTimeout  300

  94. 

  95. #   OCSP Stapling (requires OpenSSL 0.9.8h or later)

  96. #

  97. #   This feature is disabled by default and requires at least

  98. #   the two directives SSLUseStapling and SSLStaplingCache.

  99. #   Refer to the documentation on OCSP Stapling in the SSL/TLS

  100. #   How-To for more information.

  101. #

  102. #   Enable stapling for all SSL-enabled servers:

  103. #SSLUseStapling On

  104. 

  105. #   Define a relatively small cache for OCSP Stapling using

  106. #   the same mechanism that is used for the SSL session cache

  107. #   above.  If stapling is used with more than a few certificates,

  108. #   the size may need to be increased.  (AH01929 will be logged.)

  109. #SSLStaplingCache "shmcb:/usr/local/apache2/logs/ssl_stapling(32768)"

  110. 

  111. #   Seconds before valid OCSP responses are expired from the cache

  112. #SSLStaplingStandardCacheTimeout 3600

  113. 

  114. #   Seconds before invalid OCSP responses are expired from the cache

  115. #SSLStaplingErrorCacheTimeout 600

  116. 

  117. ##

  118. ## SSL Virtual Host Context

  119. ##

  120. 

  121. 

  122. 

  123. ErrorLog /proc/self/fd/2

  124. TransferLog /proc/self/fd/1

  125. ServerAdmin EMAIL

  126. 

  127. <VirtualHost *:443>

  128.     ServerName admin.FQDN

  129.     Alias /static/ /var/www/html/static/

  130.     <Directory /var/www/html/static>

  131.         Require all granted

  132.     </Directory>

  133.     ProxyPass /static/ !

  134.     ProxyPass / http://backend:8000/

  135.     ProxyPassReverse / http://backend:8000/

  136.     SSLEngine on

  137.     SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"

  138.     SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"

  139. </VirtualHost>

  140. 

  141. <VirtualHost *:443>

  142.     ServerName api.FQDN

  143.     Alias /static/ /var/www/html/static/

  144.     <Directory /var/www/html/static>

  145.         Require all granted

  146.     </Directory>

  147.     ProxyPass /static/ !

  148.     ProxyPass / http://backend:8000/api/

  149.     ProxyPassReverse / http://backend:8000/api/

  150.     SSLEngine on

  151.     SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"

  152.     SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"

  153. </VirtualHost>

  154. 

  155. <VirtualHost *:443>

  156.     ServerName FQDN

  157.     ServerAlias www.FQDN

  158. 

  159.     ProxyPass /api/ http://backend:8000/api/

  160.     ProxyPassReverse /api/ http://backend:8000/api/

  161.     ProxyPass / http://frontend/

  162.     ProxyPassReverse / http://frontend/

  163.     SSLEngine on

  164.     SSLCertificateFile "/usr/local/apache2/conf/CRT_PATH"

  165.     SSLCertificateKeyFile "/usr/local/apache2/conf/KEY_PATH"

  166. </VirtualHost>