Changeset 18316 in main


Timestamp:
03/26/19 21:35:11 (3 years ago)
Author:
Paul Leo
Message:

Removed ssl and keys, updated httpd-ssl.conf and httpd.conf

Location:
adopters/uset/trunk/src/main/reverse_proxy
Files:
1 deleted
2 edited

  • adopters/uset/trunk/src/main/reverse_proxy/extra/httpd-ssl.conf

    r10498 r18316  
    33# It contains the configuration directives to instruct the server how to
    44# serve pages over an https connection. For detailed information about these
    5 # directives see <URL:http://httpd.apache.org/docs/trunk/mod/mod_ssl.html>
     5# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
    66#
    77# Do NOT simply read the instructions in here without understanding
     
    99# consult the online docs. You have been warned. 
    1010#
     11# Required modules: mod_log_config, mod_setenvif, mod_ssl,
     12#          socache_shmcb_module (for default value of SSLSessionCache)
    1113
    1214#
     
    4446##
    4547
     48#   SSL Cipher Suite:
     49#   List the ciphers that the client is permitted to negotiate,
     50#   and that httpd will negotiate as the client of a proxied server.
     51#   See the OpenSSL documentation for a complete list of ciphers, and
     52#   ensure these follow appropriate best practices for this deployment.
     53#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
     54#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
     55SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
     56SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
     57
     58#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
     59#  Older ciphers should be disallowed as soon as possible, while the
     60#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
     61#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
     62#  non-browser tooling) from successfully connecting. 
     63#
     64#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
     65#  those protocols which do not support forward secrecy, replace
     66#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
     67#  the following two directives, as soon as practical.
     68# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
     69# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
     70
     71#   User agents such as web browsers are not configured for the user's
     72#   own preference of either security or performance, therefore this
     73#   must be the prerogative of the web server administrator who manages
     74#   cpu load versus confidentiality, so enforce the server's cipher order.
     75SSLHonorCipherOrder on
     76
     77#   SSL Protocol support:
     78#   List the protocol versions which clients are allowed to connect with.
     79#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
     80#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
     81#   protocol or later should remain in use.
     82SSLProxyProtocol all -SSLv3
     83SSLProtocol ALL -SSLv2 -SSLv3
     84SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
     85
    4686#   Pass Phrase Dialog:
    4787#   Configure the pass phrase gathering process.
    48 #   The filtering dialog program (`builtin' is a internal
     88#   The filtering dialog program (`builtin' is an internal
    4989#   terminal dialog) has to provide the pass phrase on stdout.
    5090SSLPassPhraseDialog  builtin
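Review bot: the second `SSLCipherSuite` at new line 84 silently overrides the one at new line 55, because the last occurrence of the directive in the same context wins in httpd. The overriding list re-admits `ECDH+3DES:DH+3DES:RSA+3DES`, which the line-55 list deliberately excludes with `!3DES`, and keeps the `RSA+AESGCM:RSA+AES` (kRSA) groups that the comment at lines 58-69 says offer no forward secrecy. Keep one list only, ideally the stricter `HIGH:MEDIUM:!MD5:!RC4:!3DES` form (or the commented `HIGH:MEDIUM:!SSLv3:!kRSA`), and drop line 84. In the same hunk, `SSLProtocol ALL -SSLv2 -SSLv3` still permits TLSv1.0 and TLSv1.1 although the comment at lines 79-81 says only TLSv1.2 should remain; `SSLProtocol -all +TLSv1.2` would match the stated intent.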
     
    5797SSLSessionCacheTimeout  300
    5898
     99#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
     100#
     101#   This feature is disabled by default and requires at least
     102#   the two directives SSLUseStapling and SSLStaplingCache.
     103#   Refer to the documentation on OCSP Stapling in the SSL/TLS
     104#   How-To for more information.
     105#
     106#   Enable stapling for all SSL-enabled servers:
     107#SSLUseStapling On
     108
     109#   Define a relatively small cache for OCSP Stapling using
     110#   the same mechanism that is used for the SSL session cache
     111#   above.  If stapling is used with more than a few certificates,
     112#   the size may need to be increased.  (AH01929 will be logged.)
     113#SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(32768)"
     114
     115#   Seconds before valid OCSP responses are expired from the cache
     116#SSLStaplingStandardCacheTimeout 3600
     117
     118#   Seconds before invalid OCSP responses are expired from the cache
     119#SSLStaplingErrorCacheTimeout 600
     120
    59121##
    60122## SSL Virtual Host Context
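Review bot: OCSP stapling is added but left entirely commented out, so this hunk changes nothing at runtime. The comment block itself notes that enabling it needs both `SSLUseStapling On` and `SSLStaplingCache`; since the new "Required modules" comment already lists `socache_shmcb_module` for the session cache, the `shmcb:` stapling cache form shown at line 113 should be available, and both directives could be uncommented together.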
     
    76138SSLEngine on
    77139
    78 #   SSL Cipher Suite:
    79 #   List the ciphers that the client is permitted to negotiate.
    80 #   See the mod_ssl documentation for a complete list.
    81 #   Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC)
    82 #   cipher suites (see RFC 4492) as part of "ALL". Edit this line
    83 #   if you need to disable any of those ciphers.
    84 #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    85 SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    86 SSLHonorCipherOrder on
    87140#   Server Certificate:
    88141#   Point SSLCertificateFile at a PEM encoded certificate.  If
     
    109162#SSLCertificateKeyFile "c:/Apache24/conf/server-dsa.key"
    110163#SSLCertificateKeyFile "c:/Apache24/conf/server-ecc.key"
    111 SSLCertificateKeyFile "c:/dataportal_info/dataportal.key"
     164SSLCertificateKeyFile "c:/dataportal_info/privatekey.key"
    112165
    113166#   Server Certificate Chain:
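Review bot: the private key now lives at `c:/dataportal_info/privatekey.key`, an absolute path outside `${SRVROOT}` while the neighbouring commented examples use the `Apache24/conf` tree; confirm the file's ACL allows only the httpd service account to read it. The commit message says keys were removed and the changeset lists one deleted file that is not shown here: if that file was a private key, deleting it from trunk does not remove it from repository history, so the key should be treated as exposed and rotated.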
     
    120173#SSLCertificateChainFile "c:/Apache24/conf/server-ca.crt"
    121174#SSLCertificateChainFile "C:\Cert_apache24\dataportal.crt"
    122 SSLCertificateChainFile "c:/dataportal_info/Apache_Plesk_Install.txt"
     175SSLCertificateChainFile "C:\dataportal_info\bundle.txt"
    123176
    124177
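Review bot: `SSLCertificateChainFile "C:\dataportal_info\bundle.txt"` uses backslashes and a `.txt` name, unlike the forward-slash `c:/dataportal_info/...` form used for the key two directives above; use one path style for both. Note also that `SSLCertificateChainFile` is obsolete since httpd 2.4.8, where `SSLCertificateFile` reads the intermediate certificates from the same PEM file, so the bundle could be appended to the certificate file and this directive removed.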
     
    136189#   Set the CA revocation path where to find CA CRLs for client
    137190#   authentication or alternatively one huge file containing all
    138 #   of them (file must be PEM encoded)
     191#   of them (file must be PEM encoded).
     192#   The CRL checking mode needs to be configured explicitly
     193#   through SSLCARevocationCheck (defaults to "none" otherwise).
    139194#   Note: Inside SSLCARevocationPath you need hash symlinks
    140195#         to point to the certificate files. Use the provided
     
    142197#SSLCARevocationPath "${SRVROOT}/conf/ssl.crl"
    143198#SSLCARevocationFile "${SRVROOT}/conf/ssl.crl/ca-bundle.crl"
     199#SSLCARevocationCheck chain
    144200
    145201#   Client Authentication (Type):
     
    150206#SSLVerifyClient require
    151207#SSLVerifyDepth  10
     208
     209#   TLS-SRP mutual authentication:
     210#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
     211#   file (containing login information for SRP user accounts).
     212#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
     213#   detailed instructions on creating this file. Example:
     214#   "openssl srp -srpvfile ${SRVROOT}/conf/passwd.srpv -add username"
     215#SSLSRPVerifierFile "${SRVROOT}/conf/passwd.srpv"
    152216
    153217#   Access Control:
  • adopters/uset/trunk/src/main/reverse_proxy/httpd.conf

    r10498 r18316  
    3535# least PidFile.
    3636#
    37 
    3837Define SRVROOT "c:/Apache24"
     38
    3939ServerRoot "${SRVROOT}"
    4040
     
    100100LoadModule authz_user_module modules/mod_authz_user.so
    101101LoadModule autoindex_module modules/mod_autoindex.so
     102#LoadModule brotli_module modules/mod_brotli.so
    102103#LoadModule buffer_module modules/mod_buffer.so
    103104#LoadModule cache_module modules/mod_cache.so
     
    120121#LoadModule file_cache_module modules/mod_file_cache.so
    121122#LoadModule filter_module modules/mod_filter.so
     123#LoadModule http2_module modules/mod_http2.so
    122124#LoadModule headers_module modules/mod_headers.so
    123125#LoadModule heartbeat_module modules/mod_heartbeat.so
    124126#LoadModule heartmonitor_module modules/mod_heartmonitor.so
    125 #LoadModule http2_module modules/mod_http2.so
    126127#LoadModule ident_module modules/mod_ident.so
    127128#LoadModule imagemap_module modules/mod_imagemap.so
     
    140141#LoadModule lua_module modules/mod_lua.so
    141142#LoadModule macro_module modules/mod_macro.so
     143#LoadModule md_module modules/mod_md.so
    142144LoadModule mime_module modules/mod_mime.so
    143145#LoadModule mime_magic_module modules/mod_mime_magic.so
     
    150152#LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
    151153#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
     154#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
    152155LoadModule proxy_html_module modules/mod_proxy_html.so
    153156LoadModule proxy_http_module modules/mod_proxy_http.so
     157#LoadModule proxy_http2_module modules/mod_proxy_http2.so
    154158#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
     159#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
    155160#LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
    156161#LoadModule ratelimit_module modules/mod_ratelimit.so
     
    372377    # directives as to Alias.
    373378    #
    374     ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
     379    ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
    375380
    376381</IfModule>
     
    393398    Require all denied
    394399</Directory>
     400
     401<IfModule headers_module>
     402    #
     403    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
     404    # backend servers which have lingering "httpoxy" defects.
     405    # 'Proxy' request header is undefined by the IETF, not listed by IANA
     406    #
     407    RequestHeader unset Proxy early
     408</IfModule>
    395409
    396410<IfModule mime_module>
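Review bot: the new `<IfModule headers_module>` block with `RequestHeader unset Proxy early` has no effect, because `LoadModule headers_module modules/mod_headers.so` is still commented out at line 124 of this same file. The httpoxy mitigation only runs if that LoadModule line is uncommented; otherwise the block should be accompanied by a note that mod_headers is expected to be enabled.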
     
    532546SSLRandomSeed connect builtin
    533547</IfModule>
    534 <IfModule http2_module>
    535     ProtocolsHonorOrder On
    536     Protocols h2 h2c http/1.1
    537 </IfModule>
    538 #
    539 # uncomment out the below to deal with user agents that deliberately
    540 # violate open standards by misusing DNT (DNT *must* be a specific
    541 # end-user choice)
    542 #
    543 #<IfModule setenvif_module>
    544 #BrowserMatch "MSIE 10.0;" bad_DNT
    545 #</IfModule>
    546 #<IfModule headers_module>
    547 #RequestHeader unset DNT env=bad_DNT
    548 #</IfModule>
    549548
    550549RemoteIPHeader X-Client-IP
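Review bot: removing the `<IfModule http2_module>` `Protocols h2 h2c http/1.1` block is consistent with `http2_module` remaining commented out at line 123, but neither this removal nor the dropped DNT handling is mentioned in the commit message, which only names ssl, keys and the two conf files; the message should list them. On the unchanged trailing context, `RemoteIPHeader X-Client-IP` is only safe when paired with a `RemoteIPInternalProxy`/`RemoteIPTrustedProxy` list elsewhere in the configuration; please confirm one exists, since without it any client can set its own source address for logging and access control.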