httpd: include TLS 1.3 cipher suites
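# IPFire web-interface HTTPS vhost (port 444).
#
# All administrative CGIs are served from here behind HTTP Basic auth over
# TLS.  Two CGIs and the package/update caches are deliberately reachable
# without credentials; see the comments on those sections.
<VirtualHost *:444>

    # Refuse TRACE/TRACK (cross-site tracing) and OPTIONS with a 403 before
    # any handler runs.  The pattern is anchored at the start only; request
    # methods are single upper-case tokens, so that is sufficient.
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
    RewriteRule .* - [F]

    DocumentRoot /srv/web/ipfire/html
    ServerAdmin root@localhost
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log

    # --- TLS ---------------------------------------------------------------
    SSLEngine on
    # Everything the library offers minus SSLv3 (POODLE) and TLS 1.0/1.1
    # (deprecated by RFC 8996).  TLS 1.3 is included automatically once the
    # httpd/OpenSSL pair supports it.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    # ECDHE-only list (forward secrecy), ECDSA group before RSA group, AEAD
    # suites first within each group; the two ECDHE-*-AES*-SHA256/SHA384 CBC
    # suites at the end of each group are a fallback for clients without
    # AEAD support.
    #
    # NOTE(review): the three leading TLS_* names are TLS 1.3 suites.  With
    # OpenSSL 1.1.1+ the TLS 1.3 list is configured through a separate API
    # (SSL_CTX_set_ciphersuites); names placed in the classic cipher string
    # are ignored by its parser, so this line does not set the TLS 1.3
    # preference order -- the library default (AES-256-GCM, CHACHA20,
    # AES-128-GCM) applies.  httpd >= 2.4.36 exposes the separate list as
    #   SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    # Left unchanged here because an older httpd rejects the two-argument
    # form at startup.  Verify what is actually negotiated with
    #   openssl s_client -tls1_3 -connect <host>:444
    SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
    # The server, not the client, picks from the intersection of the lists.
    SSLHonorCipherOrder on
    # TLS-level compression off (CRIME).  Session tickets off: mod_ssl's
    # ticket key lives for the whole process lifetime, so resumed sessions
    # would otherwise lose forward secrecy.
    SSLCompression off
    SSLSessionTickets off
    # Two certificates, RSA and ECDSA; mod_ssl (2.4.8+) serves whichever
    # matches the client's advertised signature algorithms.
    SSLCertificateFile /etc/httpd/server.crt
    SSLCertificateKeyFile /etc/httpd/server.key
    SSLCertificateFile /etc/httpd/server-ecdsa.crt
    SSLCertificateKeyFile /etc/httpd/server-ecdsa.key

    # --- Browser hardening headers -----------------------------------------
    Header always set X-Content-Type-Options nosniff
    # Clickjacking: an admin UI behind Basic auth is a prime target, since
    # the browser attaches the cached credentials to framed requests.
    # frame-ancestors is NOT covered by default-src and must be listed
    # explicitly; X-Frame-Options covers browsers without CSP 2 support.
    Header always set X-Frame-Options SAMEORIGIN
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"
    # 'unsafe-inline'/'unsafe-eval' in script-src are needed by the existing
    # CGI pages and largely neutralise the XSS value of the policy;
    # tightening them means moving inline scripts into separate files.
    #
    # NOTE(review): no Strict-Transport-Security is set.  HSTS is scoped to
    # the host, not the port, and if server.crt is self-signed (not visible
    # here) it would stop browsers from clicking through the certificate
    # warning on every port.  Only add it once the certificate chains to a
    # CA the clients trust.

    # --- Static content -----------------------------------------------------
    <Directory /srv/web/ipfire/html>
        Options ExecCGI
        AllowOverride None
        Require all granted
    </Directory>
    # Traffic graphs are admin-only even though they sit under the public
    # document root.
    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </DirectoryMatch>

    # --- Administrative CGIs ------------------------------------------------
    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
    <Directory /srv/web/ipfire/cgi-bin>
        AllowOverride None
        Options ExecCGI
        # Basic auth: the browser re-sends the cached credentials on every
        # request, including ones a third-party page triggers, so the CGIs
        # must carry their own CSRF defences (not part of this file).
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            # Redundant inside an SSL-only vhost; kept as belt-and-braces.
            Require ssl
        </RequireAll>
        # Export SSL_* variables to the CGI environment (merged here from a
        # second, identical <Directory> section the file used to carry).
        SSLOptions +StdEnvVars
        # These two are reachable by anyone who can reach port 444, with no
        # credentials at all: they must authenticate and validate everything
        # themselves.
        <Files chpasswd.cgi>
            Require all granted
        </Files>
        <Files webaccess.cgi>
            Require all granted
        </Files>
    </Directory>
    <Files ~ "\.(cgi|shtml?)$">
        SSLOptions +StdEnvVars
    </Files>

    SetEnv HOME /home/nobody
    # Legacy workaround for TLS bugs in old Internet Explorer, keyed on a
    # client-chosen header.  Harmless (it only disables keep-alive and
    # forces HTTP/1.0 responses for that client); modern browsers generally
    # do not send "MSIE", so this is a candidate for removal.
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # Per-request record of the negotiated protocol and suite; useful when
    # checking the TLS 1.3 note above against real clients.
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # --- Package / update caches --------------------------------------------
    # Served without authentication (presumably for LAN clients that have no
    # credentials -- confirm).  They are treated as static file trees, so CGI
    # execution is withheld: nothing in this vhost maps a handler onto these
    # paths, but a server-wide AddHandler cgi-script (not visible here) would
    # otherwise let a dropped *.cgi execute.  Neither FollowSymLinks nor
    # Indexes was granted before, so Options None is a pure reduction.
    Alias /updatecache/ /var/updatecache/
    <Directory /var/updatecache>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    Alias /repository/ /var/urlrepo/
    <Directory /var/urlrepo>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # --- Proxy reports (sarg) ----------------------------------------------
    # Browsing reports contain per-user URL histories: admin-only, no
    # directory listing, no CGI.
    Alias /proxy-reports/ /var/log/sarg/
    <Directory /var/log/sarg>
        AllowOverride None
        Options None
        AuthName "IPFire - Restricted"
        AuthType Basic
        AuthUserFile /var/ipfire/auth/users
        <RequireAll>
            Require user admin
            Require ssl
        </RequireAll>
    </Directory>
</VirtualHost>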