X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Fhttpd%2Fvhosts.d%2Fipfire-interface-ssl.conf;h=f88a6a52a74116e2e64d70d3c1a1c09a5b8def93;hp=daac75742dd095ea8e82003ff6d74099d5b98aca;hb=535dab60d61f86d78e8c6753c4d6c69bd0f3cbcc;hpb=4091a94508e8d4485c98dd64c5a3fe1c7282986c
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index daac75742d..f88a6a52a7 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -3,28 +3,39 @@
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
+
DocumentRoot /srv/web/ipfire/html
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
+
SSLEngine on
- SSLProtocol all -SSLv2 -SSLv3
- SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+ SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
+ SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
+ SSLCompression off
+ SSLSessionTickets off
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
+ SSLCertificateFile /etc/httpd/server-ecdsa.crt
+ SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+
+ Header always set X-Content-Type-Options nosniff
+ Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
Options ExecCGI
AllowOverride None
- Order allow,deny
- Allow from all
+ Require all granted
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+
+ Require user admin
+ Require ssl
+
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
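Review bot: `Require user admin` and `Require ssl` are added as a pair, but the lines around them are blank on this page, so the container they sit in cannot be confirmed from here. In Apache 2.4, `Require` directives that are not wrapped combine as RequireAny, and on a vhost with `SSLEngine on` the `Require ssl` test would presumably pass for every request, making the Basic auth optional. Both lines need to sit inside `<RequireAll>` … `</RequireAll>`; the same pair recurs in the hunks starting at old lines 33 and 94. Separately, the `TLS_*` names at the head of `SSLCipherSuite` are TLS 1.3 suites, which mod_ssl takes through the protocol form, `SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256`; in the plain list they are probably ignored, so the intended TLS 1.3 order would not apply.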
@@ -33,31 +44,17 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
-
- Satisfy Any
- Allow from All
+
+ Require user admin
+ Require ssl
+
+
+ Require all granted
- Satisfy Any
- Allow from All
-
-
- Satisfy Any
- Allow from All
-
-
- Require user admin
+ Require all granted
-
- AllowOverride None
- Options None
- AuthName "IPFire - Restricted"
- AuthType Basic
- AuthUserFile /var/ipfire/auth/users
- Require user dial admin
-
SSLOptions +StdEnvVars
@@ -75,16 +72,14 @@
Options ExecCGI
AllowOverride None
- Order deny,allow
- Allow from all
+ Require all granted
Alias /repository/ /var/urlrepo/
Options ExecCGI
AllowOverride None
- Order deny,allow
- Allow from all
+ Require all granted
Alias /proxy-reports/ /var/log/sarg/
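Review bot: The two blocks that now get `Require all granted` keep `Options ExecCGI` from their context lines, so unauthenticated clients can reach directories where CGI execution is permitted. The second block follows `Alias /repository/ /var/urlrepo/`, which reads like a file store rather than a script directory; if nothing there is meant to execute, `Options None` would be the least-privilege setting. The `<Directory>` lines are not visible on this page, so which paths these blocks cover is inferred from the neighbouring `Alias` lines.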
@@ -94,6 +89,9 @@
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
- Require user admin
+
+ Require user admin
+ Require ssl
+