X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=config%2Fhttpd%2Fvhosts.d%2Fipfire-interface-ssl.conf;h=f88a6a52a74116e2e64d70d3c1a1c09a5b8def93;hp=ebbd8d964038c2a757e0cc13c8bec8ea56d64b6f;hb=535dab60d61f86d78e8c6753c4d6c69bd0f3cbcc;hpb=07bfc29212778c7feaa338a358bfd3b195995af4
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index ebbd8d9640..f88a6a52a7 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -3,66 +3,58 @@ RewriteEngine on RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS) RewriteRule .* - [F] + DocumentRoot /srv/web/ipfire/html ServerAdmin root@localhost ErrorLog /var/log/httpd/error_log TransferLog /var/log/httpd/access_log + SSLEngine on - SSLProtocol all -SSLv2 - SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256 + SSLHonorCipherOrder on + SSLCompression off + SSLSessionTickets off SSLCertificateFile /etc/httpd/server.crt SSLCertificateKeyFile /etc/httpd/server.key + SSLCertificateFile /etc/httpd/server-ecdsa.crt + SSLCertificateKeyFile /etc/httpd/server-ecdsa.key - PerlRequire /usr/lib/apache/startup.pl - PerlWarn On + Header always set X-Content-Type-Options nosniff + Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'" Options ExecCGI AllowOverride None - Order allow,deny - Allow from all + Require all granted AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin + + Require user admin + Require ssl + ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/ AllowOverride None Options ExecCGI - SetHandler perl-script - PerlSendHeader On - PerlHandler ModPerl::Registry AuthName "IPFire - Restricted" AuthType Basic AuthUserFile /var/ipfire/auth/users - Require user admin - - Satisfy Any - Allow from All + + Require user admin + Require ssl + + + Require all granted - Satisfy Any - Allow from All - - - Satisfy Any - Allow from All - - - Require user admin + Require all granted - - 
AllowOverride None - Options None - AuthName "IPFire - Restricted" - AuthType Basic - AuthUserFile /var/ipfire/auth/users - Require user dial admin - SSLOptions +StdEnvVars @@ -75,4 +67,31 @@ downgrade-1.0 force-response-1.0 CustomLog /var/log/httpd/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + + Alias /updatecache/ /var/updatecache/ + + Options ExecCGI + AllowOverride None + Require all granted + + + Alias /repository/ /var/urlrepo/ + + Options ExecCGI + AllowOverride None + Require all granted + + + Alias /proxy-reports/ /var/log/sarg/ + + AllowOverride None + Options None + AuthName "IPFire - Restricted" + AuthType Basic + AuthUserFile /var/ipfire/auth/users + + Require user admin + Require ssl + +
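Review bot: The added `Content-Security-Policy` header keeps `'unsafe-inline'` and `'unsafe-eval'` in `script-src`, so it does little to stop injected script from running in the authenticated CGI pages. It also sets no `frame-ancestors`, which does not fall back to `default-src`, so the policy as written does not prevent the admin interface from being framed by another origin. Framing can be restricted now by appending `; frame-ancestors 'self'` to the policy value. If the web UI still depends on inline script, a comment above the header should record that, e.g. `# 'unsafe-inline'/'unsafe-eval' are needed by the current CGI pages; tighten once inline script is removed`. The enclosing virtual-host block starts and ends outside this hunk, so other headers may already be set elsewhere in the file.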
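Review bot: The two new sections behind `Alias /updatecache/ /var/updatecache/` and `Alias /repository/ /var/urlrepo/` combine `Options ExecCGI` with `Require all granted`, so their content is served without authentication and with CGI execution permitted. Judging by the paths, both directories hold downloaded or uploaded files; if a cgi-script handler is mapped anywhere for this virtual host, a file that lands there could be executed by the web server. Unless something in those directories has to execute, use `Options None`, as the `/proxy-reports/` section in the same hunk already does. If the unauthenticated access is intentional, say so in a comment, e.g. `# served without authentication so clients can fetch cached files`. The container tags are not visible on this page, so the exact directory each section applies to should be checked against the file.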