ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
- SSLProtocol all -SSLv2
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
+ SSLCertificateFile /etc/httpd/server-ecdsa.crt
+ SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
</Directory>
<DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</DirectoryMatch>
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
<Directory /srv/web/ipfire/cgi-bin>
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
- <Files chpasswd.cgi>
- Satisfy Any
- Allow from All
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
+ <Files chpasswd.cgi>
+ Require all granted
</Files>
<Files webaccess.cgi>
- Satisfy Any
- Allow from All
- </Files>
- <Files credits.cgi>
- Satisfy Any
- Allow from All
+ Require all granted
</Files>
- <Files dial.cgi>
- Require user admin
- </Files>
- </Directory>
- <Directory /srv/web/ipfire/cgi-bin/dial>
- AllowOverride None
- Options None
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user dial admin
</Directory>
<Files ~ "\.(cgi|shtml?)$">
SSLOptions +StdEnvVars
<Directory /var/updatecache>
Options ExecCGI
AllowOverride None
- Order deny,allow
- Allow from all
+ Require all granted
</Directory>
Alias /repository/ /var/urlrepo/
<Directory /var/urlrepo>
Options ExecCGI
AllowOverride None
- Order deny,allow
- Allow from all
+ Require all granted
</Directory>
Alias /proxy-reports/ /var/log/sarg/
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+ <RequireAll>
+ Require user admin
+ Require ssl
+ </RequireAll>
</Directory>
</VirtualHost>