-
Notifications
You must be signed in to change notification settings - Fork 0
/
httpd-ssl.conf.patch
214 lines (198 loc) · 8.51 KB
/
httpd-ssl.conf.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
--- image-httpd-ssl.conf 2022-01-31 08:19:20.000000000 -0800
+++ httpd-ssl.conf 2022-02-02 14:33:41.000000000 -0800
@@ -1,12 +1,12 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailed information about these
+# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
-#
+#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
-# consult the online docs. You have been warned.
+# consult the online docs. You have been warned.
#
# Required modules: mod_log_config, mod_setenvif, mod_ssl,
# socache_shmcb_module (for default value of SSLSessionCache)
@@ -30,10 +30,10 @@
#
-# When we also provide SSL we have to listen to the
+# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
-Listen 443
+Listen ${HTTPS_PORT}
##
## SSL Global Context
@@ -49,14 +49,16 @@
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
-SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
-SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+
+# Disables insecure encryption ciphers
+SSLCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!RSA+AESGCM:!RSA+AES:!aNULL:!MD5:!DSS
+SSLProxyCipherSuite ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!RSA+AESGCM:!RSA+AES:!aNULL:!MD5:!DSS
# By the end of 2016, only TLSv1.2 ciphers should remain in use.
# Older ciphers should be disallowed as soon as possible, while the
# kRSA ciphers do not offer forward secrecy. These changes inhibit
# older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
-# non-browser tooling) from successfully connecting.
+# non-browser tooling) from successfully connecting.
#
# To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
# those protocols which do not support forward secrecy, replace
@@ -69,15 +71,17 @@
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
-SSLHonorCipherOrder on
+SSLHonorCipherOrder on
# SSL Protocol support:
# List the protocol versions which clients are allowed to connect with.
# Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# disabled as quickly as practical. By the end of 2016, only the TLSv1.2
# protocol or later should remain in use.
-SSLProtocol all -SSLv3
-SSLProxyProtocol all -SSLv3
+
+# Disables SSL and TLS older than 1.2:
+SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
+SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
@@ -86,7 +90,7 @@
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
-# Configure the SSL Session Cache: First the mechanism
+# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache "dbm:/usr/local/apache2/logs/ssl_scache"
SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
@@ -118,14 +122,15 @@
## SSL Virtual Host Context
##
-<VirtualHost _default_:443>
+<VirtualHost _default_:${HTTPS_PORT}>
# General setup for the virtual host
DocumentRoot "/usr/local/apache2/htdocs"
-ServerName www.example.com:443
+ServerName ${METACAT_UI_DOMAIN}:${HTTPS_PORT}
ServerAdmin [email protected]
-ErrorLog /proc/self/fd/2
-TransferLog /proc/self/fd/1
+#ErrorLog /proc/self/fd/2
+#TransferLog /proc/self/fd/1
+
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
@@ -141,7 +146,7 @@
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
-SSLCertificateFile "/usr/local/apache2/conf/server.crt"
+SSLCertificateFile ${SSL_SERVER_CERT}
#SSLCertificateFile "/usr/local/apache2/conf/server-dsa.crt"
#SSLCertificateFile "/usr/local/apache2/conf/server-ecc.crt"
@@ -151,7 +156,7 @@
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
-SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
+SSLCertificateKeyFile ${SSL_SERVER_KEY}
#SSLCertificateKeyFile "/usr/local/apache2/conf/server-dsa.key"
#SSLCertificateKeyFile "/usr/local/apache2/conf/server-ecc.key"
@@ -162,7 +167,9 @@
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
-#SSLCertificateChainFile "/usr/local/apache2/conf/server-ca.crt"
+
+SSLCertificateChainFile ${SSL_SERVER_CHAIN}
+
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
@@ -172,7 +179,7 @@
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/usr/local/apache2/conf/ssl.crt"
-#SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt"
+SSLCACertificateFile "/usr/local/apache2/conf/ssl.crt/ca-bundle.crt"
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
@@ -197,7 +204,7 @@
# TLS-SRP mutual authentication:
# Enable TLS-SRP and set the path to the OpenSSL SRP verifier
-# file (containing login information for SRP user accounts).
+# file (containing login information for SRP user accounts).
# Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
# detailed instructions on creating this file. Example:
# "openssl srp -srpvfile /usr/local/apache2/conf/passwd.srpv -add username"
@@ -244,7 +251,7 @@
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
-# directives are used in per-directory context.
+# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
@@ -270,7 +277,7 @@
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
-# works correctly.
+# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
@@ -284,7 +291,45 @@
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
-CustomLog /proc/self/fd/1 \
+#CustomLog /proc/self/fd/1 \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
-</VirtualHost>
+# Forward the Client Certificate to Tomcat
+SSLVerifyClient optional
+SSLVerifyDepth 10
+SSLOptions +StdEnvVars +StrictRequire +ExportCertData
+
+# Turns on HSTS (we should be careful about production rollout here;
+# it forces an internal, browser-based redirect to HTTPS after
+# it is encountered (!):
+Header always set Strict-Transport-Security "max-age=31536000;"
+
+AllowEncodedSlashes On
+AcceptPathInfo On
+
+# AddDefaultCharset will be needed when exporting
+# cert data to the proxy
+<Proxy *>
+ AddDefaultCharset Off
+</Proxy>
+
+RewriteEngine on
+RewriteRule "^/datasets(.*)" "https://%{SERVER_NAME}/view$1" [R,L]
+RewriteRule "^/(sitemap.+)" "https://%{SERVER_NAME}/${METACAT_APP_CONTEXT}/sitemaps$1" [R=303,L]
+
+ProxyPass "/${METACAT_APP_CONTEXT}/" "ajp://${METACAT_MN_DOMAIN}:8009/${METACAT_APP_CONTEXT}/" nocanon retry=0 timeout=300
+ProxyPassReverse "/${METACAT_APP_CONTEXT}/" "ajp:/${METACAT_MN_DOMAIN}:8009/${METACAT_APP_CONTEXT}/"
+
+<IfDefine EnableReverseProxy>
+
+ RemoteIPProxyProtocol On
+
+ # Requests to this virtual host must have a PROXY protocol
+ # header provided. If it is missing, the connection will
+ # be aborted
+
+</IfDefine>
+
+
+
+</VirtualHost>