[ipfire-2.x.git] / config / httpd / vhosts.d / ipfire-interface-ssl.conf

<VirtualHost *:444>

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    DocumentRoot /srv/web/ipfire/html
    ServerAdmin root@localhost
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
    SSLHonorCipherOrder on
    SSLCompression off
    SSLSessionTickets off
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key
    SSLCertificateFile /etc/httpd/server-ecdsa.crt
    SSLCertificateKeyFile /etc/httpd/server-ecdsa.key

    Header always set X-Content-Type-Options nosniff

    <Directory /srv/web/ipfire/html>
        Options ExecCGI
        AllowOverride None
        Require all granted
    </Directory>
    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </DirectoryMatch>
    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
    <Directory /srv/web/ipfire/cgi-bin>
        AllowOverride None
        Options ExecCGI
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
        <Files chpasswd.cgi>
            Require all granted
        </Files>
        <Files webaccess.cgi>
            Require all granted
        </Files>
    </Directory>
    <Files ~ "\.(cgi|shtml?)$">
	SSLOptions +StdEnvVars
    </Files>
    <Directory /srv/web/ipfire/cgi-bin>
	SSLOptions +StdEnvVars
    </Directory>
    SetEnv HOME /home/nobody
    SetEnvIf User-Agent ".*MSIE.*" \
	nokeepalive ssl-unclean-shutdown \
	downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
	"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    Alias /updatecache/ /var/updatecache/
	<Directory /var/updatecache>
		 Options ExecCGI
		 AllowOverride None
		 Require all granted
	</Directory>

    Alias /repository/ /var/urlrepo/
	<Directory /var/urlrepo>
		 Options ExecCGI
		 AllowOverride None
		 Require all granted
	</Directory>

    Alias /proxy-reports/ /var/log/sarg/
    <Directory /var/log/sarg>
        AllowOverride None
        Options None
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </Directory>
</VirtualHost>
Commit	Line	Data
90c973a6 MT	1	<VirtualHost *:444>
	2
	3	RewriteEngine on
	4	RewriteCond %{REQUEST_METHOD} ^(TRACE\|TRACK\|OPTIONS)
	5	RewriteRule .* - [F]
0cabaf35	6
d733119b	7	DocumentRoot /srv/web/ipfire/html
90c973a6 MT	8	ServerAdmin root@localhost
	9	ErrorLog /var/log/httpd/error_log
	10	TransferLog /var/log/httpd/access_log
0cabaf35	11
90c973a6	12	SSLEngine on
a7006325	13	SSLProtocol all -SSLv2 -SSLv3
f227ae4f	14	SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
69776cc4	15	SSLHonorCipherOrder on
a57f4a9f PM	16	SSLCompression off
a57f4a9f PM	17	SSLSessionTickets off
90c973a6 MT	18	SSLCertificateFile /etc/httpd/server.crt
90c973a6 MT	19	SSLCertificateKeyFile /etc/httpd/server.key
73ba2286 PM	20	SSLCertificateFile /etc/httpd/server-ecdsa.crt
73ba2286 PM	21	SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
810a7ea2	22
0cabaf35 PM	23	Header always set X-Content-Type-Options nosniff
0cabaf35 PM	24
d733119b	25	<Directory /srv/web/ipfire/html>
90c973a6 MT	26	Options ExecCGI
90c973a6 MT	27	AllowOverride None
d41fe99f	28	Require all granted
90c973a6	29	</Directory>
d733119b	30	<DirectoryMatch "/srv/web/ipfire/html/(graphs\|sgraph)">
90c973a6 MT	31	AuthName "IPFire - Restricted"
	32	AuthType Basic
	33	AuthUserFile /var/ipfire/auth/users
50846453 PM	34	<RequireAll>
	35	Require user admin
	36	Require ssl
	37	</RequireAll>
90c973a6	38	</DirectoryMatch>
d733119b MT	39	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
d733119b MT	40	<Directory /srv/web/ipfire/cgi-bin>
90c973a6	41	AllowOverride None
810a7ea2	42	Options ExecCGI
90c973a6 MT	43	AuthName "IPFire - Restricted"
	44	AuthType Basic
	45	AuthUserFile /var/ipfire/auth/users
50846453 PM	46	<RequireAll>
	47	Require user admin
	48	Require ssl
	49	</RequireAll>
d41fe99f WA	50	<Files chpasswd.cgi>
d41fe99f WA	51	Require all granted
90c973a6 MT	52	</Files>
90c973a6 MT	53	<Files webaccess.cgi>
d41fe99f	54	Require all granted
90c973a6	55	</Files>
90c973a6 MT	56	</Directory>
	57	<Files ~ "\.(cgi\|shtml?)$">
	58	SSLOptions +StdEnvVars
	59	</Files>
d733119b	60	<Directory /srv/web/ipfire/cgi-bin>
90c973a6 MT	61	SSLOptions +StdEnvVars
	62	</Directory>
	63	SetEnv HOME /home/nobody
	64	SetEnvIf User-Agent ".MSIE." \
	65	nokeepalive ssl-unclean-shutdown \
	66	downgrade-1.0 force-response-1.0
	67	CustomLog /var/log/httpd/ssl_request_log \
	68	"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
0bc58278 AF	69
	70	Alias /updatecache/ /var/updatecache/
	71	<Directory /var/updatecache>
	72	Options ExecCGI
	73	AllowOverride None
d41fe99f	74	Require all granted
0bc58278	75	</Directory>
7e620487	76
a4c76879	77	Alias /repository/ /var/urlrepo/
7e620487 CS	78	<Directory /var/urlrepo>
	79	Options ExecCGI
	80	AllowOverride None
d41fe99f	81	Require all granted
7e620487	82	</Directory>
f8716194 MT	83
	84	Alias /proxy-reports/ /var/log/sarg/
	85	<Directory /var/log/sarg>
	86	AllowOverride None
	87	Options None
	88	AuthName "IPFire - Restricted"
	89	AuthType Basic
	90	AuthUserFile /var/ipfire/auth/users
50846453 PM	91	<RequireAll>
	92	Require user admin
	93	Require ssl
	94	</RequireAll>
f8716194	95	</Directory>
90c973a6	96	</VirtualHost>