Apache: deny framing of WebUI from different origins
[ipfire-2.x.git] / config / httpd / vhosts.d / ipfire-interface-ssl.conf
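# HTTPS virtual host for the IPFire web user interface (port 444).
<VirtualHost *:444>

    # Answer TRACE, TRACK and OPTIONS requests with 403 Forbidden ([F]).
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    DocumentRoot /srv/web/ipfire/html
    ServerAdmin root@localhost
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log

    # TLS settings. SSLv3, TLS 1.0 and TLS 1.1 are switched off, so only the
    # newer protocol versions offered by the TLS library remain.
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # ECDHE key exchange with AES-GCM or ChaCha20 only, sorted by strength;
    # "+aRSA" moves RSA-authenticated suites to the end of the list, so the
    # ECDSA certificate is preferred when the client supports it.
    SSLCipherSuite AESGCM+EECDH:CHACHA20+EECDH:@STRENGTH:+aRSA
    # The server's cipher order wins over the client's.
    SSLHonorCipherOrder on
    # TLS compression and session tickets are disabled.
    SSLCompression off
    SSLSessionTickets off
    # Two certificate/key pairs are loaded; the second is the ECDSA pair
    # (the first is presumably RSA - confirm against the generated files).
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key
    SSLCertificateFile /etc/httpd/server-ecdsa.crt
    SSLCertificateKeyFile /etc/httpd/server-ecdsa.key

    # Response headers sent on every response, including error pages ("always").
    Header always set X-Content-Type-Options nosniff
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow inline
    # and eval'd script, so this policy gives little protection against injected
    # script; tightening it depends on the CGI pages no longer needing either.
    # frame-ancestors 'self' is the CSP counterpart of the X-Frame-Options
    # header below: default-src does not cover framing, and frame-ancestors
    # is checked against every ancestor frame, not only the top-level one.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
    Header always set Referrer-Policy strict-origin
    # Kept for browsers that do not evaluate frame-ancestors.
    Header always set X-Frame-Options sameorigin

    # Document root: served without authentication, CGI execution permitted.
    <Directory /srv/web/ipfire/html>
        Options ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # Graph directories: Basic authentication as user "admin", TLS required.
    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </DirectoryMatch>

    # CGI scripts of the web interface: Basic authentication as user "admin",
    # TLS required.
    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
    <Directory /srv/web/ipfire/cgi-bin>
        AllowOverride None
        Options ExecCGI
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
        # NOTE(review): these two scripts are exempt from the admin login above
        # and are reachable by any client that can connect to this port, so
        # they have to validate their own input and authorise their own actions.
        <Files chpasswd.cgi>
            Require all granted
        </Files>
        <Files webaccess.cgi>
            Require all granted
        </Files>
    </Directory>

    # Export the standard SSL_* environment variables to CGI and SSI requests.
    <Files ~ "\.(cgi|shtml?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory /srv/web/ipfire/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    SetEnv HOME /home/nobody

    # Legacy workaround for clients whose User-Agent contains "MSIE":
    # no keep-alive, unclean TLS shutdown, HTTP/1.0 responses.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Per-request TLS log: time, client host, protocol, cipher, request line,
    # response size.
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # NOTE(review): the two directories below are served without authentication
    # and with ExecCGI enabled. If nothing under them is meant to run as CGI,
    # "Options None" (as used for /var/log/sarg) would be the tighter setting -
    # confirm against the add-ons that populate them before changing it.
    Alias /updatecache/ /var/updatecache/
    <Directory /var/updatecache>
        Options ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    Alias /repository/ /var/urlrepo/
    <Directory /var/urlrepo>
        Options ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # Proxy reports: Basic authentication as user "admin", TLS required,
    # no optional features enabled.
    Alias /proxy-reports/ /var/log/sarg/
    <Directory /var/log/sarg>
        AllowOverride None
        Options None
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </Directory>
</VirtualHost>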