config/httpd/vhosts.d/ipfire-interface-ssl.conf

   1 <VirtualHost *:444>
   2
   3     RewriteEngine on
   4     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
   5     RewriteRule .* - [F]
   6
   7     DocumentRoot /srv/web/ipfire/html
   8     ServerAdmin root@localhost
   9     ErrorLog /var/log/httpd/error_log
  10     TransferLog /var/log/httpd/access_log
  11
  12     SSLEngine on
  13     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  14     SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
  15     SSLHonorCipherOrder on
  16     SSLCompression off
  17     SSLSessionTickets off
  18     SSLCertificateFile /etc/httpd/server.crt
  19     SSLCertificateKeyFile /etc/httpd/server.key
  20     SSLCertificateFile /etc/httpd/server-ecdsa.crt
  21     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
  22
  23     Header always set X-Content-Type-Options nosniff
  24     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
  25
  26     <Directory /srv/web/ipfire/html>
  27         Options ExecCGI
  28         AllowOverride None
  29         Require all granted
  30     </Directory>
  31     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
  32         AuthName "IPFire - Restricted"
  33         AuthType Basic
  34         AuthUserFile /var/ipfire/auth/users
  35         <RequireAll>
  36             Require user admin
  37             Require ssl
  38         </RequireAll>
  39     </DirectoryMatch>
  40     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
  41     <Directory /srv/web/ipfire/cgi-bin>
  42         AllowOverride None
  43         Options ExecCGI
  44         AuthName "IPFire - Restricted"
  45         AuthType Basic
  46         AuthUserFile /var/ipfire/auth/users
  47         <RequireAll>
  48             Require user admin
  49             Require ssl
  50         </RequireAll>
  51         <Files chpasswd.cgi>
  52             Require all granted
  53         </Files>
  54         <Files webaccess.cgi>
  55             Require all granted
  56         </Files>
  57     </Directory>
  58     <Files ~ "\.(cgi|shtml?)$">
  59         SSLOptions +StdEnvVars
  60     </Files>
  61     <Directory /srv/web/ipfire/cgi-bin>
  62         SSLOptions +StdEnvVars
  63     </Directory>
  64     SetEnv HOME /home/nobody
  65     SetEnvIf User-Agent ".*MSIE.*" \
  66         nokeepalive ssl-unclean-shutdown \
  67         downgrade-1.0 force-response-1.0
  68     CustomLog /var/log/httpd/ssl_request_log \
  69         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  70
  71     Alias /updatecache/ /var/updatecache/
  72         <Directory /var/updatecache>
  73                  Options ExecCGI
  74                  AllowOverride None
  75                  Require all granted
  76         </Directory>
  77
  78     Alias /repository/ /var/urlrepo/
  79         <Directory /var/urlrepo>
  80                  Options ExecCGI
  81                  AllowOverride None
  82                  Require all granted
  83         </Directory>
  84
  85     Alias /proxy-reports/ /var/log/sarg/
  86     <Directory /var/log/sarg>
  87         AllowOverride None
  88         Options None
  89         AuthName "IPFire - Restricted"
  90         AuthType Basic
  91         AuthUserFile /var/ipfire/auth/users
  92         <RequireAll>
  93             Require user admin
  94             Require ssl
  95         </RequireAll>
  96     </Directory>
  97 </VirtualHost>