]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - config/httpd/vhosts.d/ipfire-interface.conf
Merge branch 'next'
index 85dea4c72f115a4518fd09485d20c668a86593ea..2cf57dd29637d5aebcb49d718e3ea250012654a4 100644 (file)
@@ -1,54 +1,45 @@
 <VirtualHost *:81>
 
-    DocumentRoot /home/httpd/html
+    DocumentRoot /srv/web/ipfire/html
 
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
 
-    <Directory /home/httpd/html>
+    Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+    Header always set Referrer-Policy strict-origin
+    Header always set X-Frame-Options sameorigin
+
+    <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
-    <DirectoryMatch "/home/httpd/html/(graphs|sgraph)">
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
+    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </DirectoryMatch>
-    ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
-    <Directory /home/httpd/cgi-bin>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user admin
-         <Files chpasswd.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
-        <Files webaccess.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
-        <Files credits.cgi>
-            Satisfy Any
-            Allow from All
-        </Files>
-        <Files dial.cgi>
-            Require user admin
-        </Files>
+    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
+    <Directory /srv/web/ipfire/cgi-bin>
+        Options SymLinksIfOwnerMatch
+        RewriteEngine on
+        RewriteCond %{HTTPS} off
+        RewriteRule (.*) https://%{SERVER_NAME}:444/$1 [R=301,L]
     </Directory>
-    <Directory /home/httpd/cgi-bin/dial>
-        AllowOverride None
-        Options None
-        AuthName "IPFire - Restricted"
-        AuthType Basic
-        AuthUserFile /var/ipfire/auth/users
-        Require user dial admin
-    </Directory>
-
-</VirtualHost>
\ No newline at end of file
+    Alias /updatecache/ /var/updatecache/
+       <Directory /var/updatecache>
+                Options ExecCGI
+                AllowOverride None
+                Require all granted
+       </Directory>
+    Alias /repository/ /var/urlrepo/
+       <Directory /var/urlrepo>
+                Options ExecCGI
+                AllowOverride None
+                Require all granted
+       </Directory>
+    Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
+</VirtualHost>
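Review bot: The new `<Directory /var/updatecache>` and `<Directory /var/urlrepo>` sections set `Options ExecCGI` together with `Require all granted` on the plain-HTTP port 81 vhost, although both paths look like stores of downloaded content rather than script directories. If a CGI handler is mapped to a file extension elsewhere in the server configuration (not visible in this hunk), a cached file with that extension would be executed rather than served; `Options None` in both sections would rule that out. Separately, the cgi-bin and graphs sections no longer carry any `Require` line and depend entirely on the rewrite to port 444. In per-directory context the pattern is matched with the directory prefix stripped, so `$1` probably loses `/cgi-bin/`; `RewriteRule .* https://%{SERVER_NAME}:444%{REQUEST_URI} [R=301,L]` would keep the full path, and is worth testing in the `<DirectoryMatch>` block as well.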