httpd: include TLS 1.3 cipher suites
[ipfire-2.x.git] / config / httpd / vhosts.d / ipfire-interface-ssl.conf
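# HTTPS vhost for the IPFire web interface on port 444.
#
# The "SSLCipherSuite TLSv1.3 ..." form used below requires httpd >= 2.4.36
# built against OpenSSL >= 1.1.1 (the same combination that is needed for
# TLS 1.3 at all); on an older mod_ssl the two-argument directive is a
# configuration error at startup.
<VirtualHost *:444>

	# Refuse TRACE/TRACK/OPTIONS with 403 before they reach any CGI script.
	# "TraceEnable off" would only cover TRACE; the rewrite catches all three.
	RewriteEngine on
	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
	RewriteRule .* - [F]

	DocumentRoot /srv/web/ipfire/html
	ServerAdmin root@localhost
	ErrorLog /var/log/httpd/error_log
	TransferLog /var/log/httpd/access_log

	SSLEngine on
	# TLS 1.2 and TLS 1.3 only.
	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

	# TLS 1.3 suites live in a separate OpenSSL list (set_ciphersuites, not
	# set_cipher_list), so TLS_* names mixed into the TLS 1.2 cipher string are
	# not part of that grammar and are expected to be ignored, leaving the
	# library defaults in charge.  mod_ssl exposes the TLS 1.3 list through the
	# "TLSv1.3" protocol keyword; the two directives below do not override each
	# other, each applies to its own protocol.
	SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
	# TLS 1.2: ECDHE only (forward secrecy), AEAD suites first; the trailing
	# CBC-SHA256/SHA384 suites remain for older TLS 1.2 clients.  No RSA key
	# exchange, no SHA-1 MACs, no 3DES/RC4.
	SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
	# Use the server's preference order above rather than the client's.
	SSLHonorCipherOrder on
	# No TLS-level compression (CRIME-style leaks) and no stateless session
	# tickets: without ticket-key rotation, tickets would weaken the forward
	# secrecy the ECDHE-only cipher list is meant to provide.
	SSLCompression off
	SSLSessionTickets off

	# Two certificate/key pairs (RSA and ECDSA); mod_ssl serves the one the
	# client's advertised signature algorithms permit.
	SSLCertificateFile /etc/httpd/server.crt
	SSLCertificateKeyFile /etc/httpd/server.key
	SSLCertificateFile /etc/httpd/server-ecdsa.crt
	SSLCertificateKeyFile /etc/httpd/server-ecdsa.key

	# "always" so these headers are also sent on error responses (403/500),
	# not only on 2xx.
	Header always set X-Content-Type-Options nosniff
	# 'unsafe-inline' and 'unsafe-eval' are needed by the legacy CGI pages and
	# reduce script-src to little more than a same-origin allowlist.  There is
	# no frame-ancestors directive and no X-Frame-Options header here, so
	# framing of the admin UI is not restricted; consider adding
	# "frame-ancestors 'self'".  Strict-Transport-Security is absent: with
	# the self-signed certificate this interface usually runs on, HSTS would
	# stop browsers from allowing a click-through, so add it only once a
	# trusted certificate is installed.
	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"

	# Static document root: anonymous.  ExecCGI only has an effect where a
	# cgi-script handler is mapped for this path elsewhere in the
	# configuration; Options None would be tighter if it holds only static
	# files -- TODO confirm before changing.
	<Directory /srv/web/ipfire/html>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	# The graph images are the exception: admin credentials required.
	# "Require ssl" is redundant inside an SSLEngine-on vhost but is kept as
	# defence in depth.
	<DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
		AuthName "IPFire - Restricted"
		AuthType Basic
		AuthUserFile /var/ipfire/auth/users
		<RequireAll>
			Require user admin
			Require ssl
		</RequireAll>
	</DirectoryMatch>

	# Admin CGI scripts: everything here needs the admin Basic-auth user,
	# except the two scripts listed below.  (The former second
	# <Directory /srv/web/ipfire/cgi-bin> section that only carried
	# SSLOptions is merged in here; Apache merges same-path sections in
	# order, so the result is identical.)
	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
	<Directory /srv/web/ipfire/cgi-bin>
		AllowOverride None
		Options ExecCGI
		# Export SSL_* variables to the CGI environment.
		SSLOptions +StdEnvVars
		AuthName "IPFire - Restricted"
		AuthType Basic
		AuthUserFile /var/ipfire/auth/users
		<RequireAll>
			Require user admin
			Require ssl
		</RequireAll>
		# chpasswd.cgi and webaccess.cgi are reachable WITHOUT the admin
		# credentials; presumably they authenticate their own (proxy) users
		# -- any change to them must keep that in mind.
		<Files chpasswd.cgi>
			Require all granted
		</Files>
		<Files webaccess.cgi>
			Require all granted
		</Files>
	</Directory>

	# <FilesMatch> is the non-deprecated spelling of <Files ~ "...">.
	<FilesMatch "\.(cgi|shtml?)$">
		SSLOptions +StdEnvVars
	</FilesMatch>

	# HOME for the CGI processes.
	SetEnv HOME /home/nobody
	# Classic mod_ssl workaround for old Internet Explorer SSL bugs.  With only
	# TLS >= 1.2 offered above those clients cannot connect anyway, so this is
	# harmless legacy and could be dropped.
	SetEnvIf User-Agent ".*MSIE.*" \
		nokeepalive ssl-unclean-shutdown \
		downgrade-1.0 force-response-1.0
	# Per-request TLS audit log: protocol and cipher actually negotiated.
	CustomLog /var/log/httpd/ssl_request_log \
		"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

	# Served without authentication (presumably consumed by LAN clients of
	# the update accelerator / URL repository).  ExecCGI here only matters if
	# a cgi-script handler is mapped for these paths elsewhere; Options None
	# would be tighter if they contain only downloaded files -- TODO confirm.
	Alias /updatecache/ /var/updatecache/
	<Directory /var/updatecache>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	Alias /repository/ /var/urlrepo/
	<Directory /var/urlrepo>
		Options ExecCGI
		AllowOverride None
		Require all granted
	</Directory>

	# Proxy reports (sarg) contain browsing history: admin only, no options.
	Alias /proxy-reports/ /var/log/sarg/
	<Directory /var/log/sarg>
		AllowOverride None
		Options None
		AuthName "IPFire - Restricted"
		AuthType Basic
		AuthUserFile /var/ipfire/auth/users
		<RequireAll>
			Require user admin
			Require ssl
		</RequireAll>
	</Directory>
</VirtualHost>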