apache: Update cipher suite that is used for the web user interface.

[people/teissler/ipfire-2.x.git] / config / httpd / vhosts.d / ipfire-interface-ssl.conf

diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index 830d3125c836cef395ce7fe9113e875c0036b34f..dc6bb21ed5db166b6b00c076bb80fab40964c97d 100644 (file)
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -3,31 +3,33 @@
     RewriteEngine on
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
-    DocumentRoot /home/httpd/html
+    DocumentRoot /srv/web/ipfire/html
     ServerAdmin root@localhost
     ErrorLog /var/log/httpd/error_log
     TransferLog /var/log/httpd/access_log
     SSLEngine on
     SSLProtocol all -SSLv2
-    SSLCipherSuite ALL:!ADH:!EXPORT56:!eNULL:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
+    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
+    SSLHonorCipherOrder on
     SSLCertificateFile /etc/httpd/server.crt
     SSLCertificateKeyFile /etc/httpd/server.key
-    <Directory /home/httpd/html>
+
+    <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
         Order allow,deny
         Allow from all
     </Directory>
-    <DirectoryMatch "/home/httpd/html/(graphs|sgraph)">
+    <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
     </DirectoryMatch>
-    ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
-    <Directory /home/httpd/cgi-bin>
+    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
+    <Directory /srv/web/ipfire/cgi-bin>
         AllowOverride None
-        Options None
+        Options ExecCGI
         AuthName "IPFire - Restricted"
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
@@ -48,7 +50,7 @@
             Require user admin
         </Files>
     </Directory>
-    <Directory /home/httpd/cgi-bin/dial>
+    <Directory /srv/web/ipfire/cgi-bin/dial>
         AllowOverride None
         Options None
         AuthName "IPFire - Restricted"
@@ -59,7 +61,7 @@
     <Files ~ "\.(cgi|shtml?)$">
        SSLOptions +StdEnvVars
     </Files>
-    <Directory /home/httpd/cgi-bin>
+    <Directory /srv/web/ipfire/cgi-bin>
        SSLOptions +StdEnvVars
     </Directory>
     SetEnv HOME /home/nobody
@@ -68,4 +70,30 @@
        downgrade-1.0 force-response-1.0
     CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+
+    Alias /updatecache/ /var/updatecache/
+       <Directory /var/updatecache>
+                Options ExecCGI
+                AllowOverride None
+                Order deny,allow
+                Allow from all
+       </Directory>
+
+    Alias /repository/ /var/urlrepo/
+       <Directory /var/urlrepo>
+                Options ExecCGI
+                AllowOverride None
+                Order deny,allow
+                Allow from all
+       </Directory>
+
+    Alias /proxy-reports/ /var/log/sarg/
+    <Directory /var/log/sarg>
+        AllowOverride None
+        Options None
+        AuthName "IPFire - Restricted"
+        AuthType Basic
+        AuthUserFile /var/ipfire/auth/users
+        Require user admin
+    </Directory>
 </VirtualHost>