config/httpd/vhosts.d/ipfire-interface-ssl.conf

   1 <VirtualHost *:444>
   2
   3     RewriteEngine on
   4     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
   5     RewriteRule .* - [F]
   6
   7     DocumentRoot /srv/web/ipfire/html
   8     ServerAdmin root@localhost
   9     ErrorLog /var/log/httpd/error_log
  10     TransferLog /var/log/httpd/access_log
  11
  12     SSLEngine on
  13     SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
  14     SSLCipherSuite AESGCM+EECDH:CHACHA20+EECDH:@STRENGTH:+aRSA
  15     SSLHonorCipherOrder on
  16     SSLCompression off
  17     SSLSessionTickets off
  18     SSLCertificateFile /etc/httpd/server.crt
  19     SSLCertificateKeyFile /etc/httpd/server.key
  20     SSLCertificateFile /etc/httpd/server-ecdsa.crt
  21     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
  22
  23     Header always set X-Content-Type-Options nosniff
  24     Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"
  25     Header always set Referrer-Policy strict-origin
  26     Header always set X-Frame-Options sameorigin
  27
  28     <Directory /srv/web/ipfire/html>
  29         Options ExecCGI
  30         AllowOverride None
  31         Require all granted
  32     </Directory>
  33     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
  34         AuthName "IPFire - Restricted"
  35         AuthType Basic
  36         AuthUserFile /var/ipfire/auth/users
  37         <RequireAll>
  38             Require user admin
  39             Require ssl
  40         </RequireAll>
  41     </DirectoryMatch>
  42     ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
  43     <Directory /srv/web/ipfire/cgi-bin>
  44         AllowOverride None
  45         Options ExecCGI
  46         AuthName "IPFire - Restricted"
  47         AuthType Basic
  48         AuthUserFile /var/ipfire/auth/users
  49         <RequireAll>
  50             Require user admin
  51             Require ssl
  52         </RequireAll>
  53         <Files chpasswd.cgi>
  54             Require all granted
  55         </Files>
  56         <Files webaccess.cgi>
  57             Require all granted
  58         </Files>
  59     </Directory>
  60     <Files ~ "\.(cgi|shtml?)$">
  61         SSLOptions +StdEnvVars
  62     </Files>
  63     <Directory /srv/web/ipfire/cgi-bin>
  64         SSLOptions +StdEnvVars
  65     </Directory>
  66     SetEnv HOME /home/nobody
  67     CustomLog /var/log/httpd/ssl_request_log \
  68         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
  69
  70     Alias /updatecache/ /var/updatecache/
  71         <Directory /var/updatecache>
  72                  Options ExecCGI
  73                  AllowOverride None
  74                  Require all granted
  75         </Directory>
  76
  77     Alias /repository/ /var/urlrepo/
  78         <Directory /var/urlrepo>
  79                  Options ExecCGI
  80                  AllowOverride None
  81                  Require all granted
  82         </Directory>
  83
  84     Alias /proxy-reports/ /var/log/sarg/
  85     <Directory /var/log/sarg>
  86         AllowOverride None
  87         Options None
  88         AuthName "IPFire - Restricted"
  89         AuthType Basic
  90         AuthUserFile /var/ipfire/auth/users
  91         <RequireAll>
  92             Require user admin
  93             Require ssl
  94         </RequireAll>
  95     </Directory>
  96 </VirtualHost>