Changeset 18316 in main

Timestamp:

03/26/19 21:35:11 (4 years ago)

Author:

Paul Leo

Message:

Removed ssl and keys, updated httpd-ssl.conf and httpd.conf

Location:

adopters/uset/trunk/src/main/reverse_proxy

Files:

• extra/httpd-ssl.conf (modified) (10 diffs)
• httpd.conf (modified) (8 diffs)
• ssl (deleted)

adopters/uset/trunk/src/main/reverse_proxy/extra/httpd-ssl.conf

@@ -3 +3 @@
 # It contains the configuration directives to instruct the server how to
 # serve pages over an https connection. For detailed information about these 
-# directives see <URL:http://httpd.apache.org/docs/trunk/mod/mod_ssl.html>
+# directives see <URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>
 # 
 # Do NOT simply read the instructions in here without understanding
@@ -9 +9 @@
 # consult the online docs. You have been warned.  
 #
+# Required modules: mod_log_config, mod_setenvif, mod_ssl,
+#          socache_shmcb_module (for default value of SSLSessionCache)
 
 #
@@ -44 +46 @@
 ##
 
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate,
+#   and that httpd will negotiate as the client of a proxied server.
+#   See the OpenSSL documentation for a complete list of ciphers, and
+#   ensure these follow appropriate best practices for this deployment.
+#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
+#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
+SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
+
+#  By the end of 2016, only TLSv1.2 ciphers should remain in use.
+#  Older ciphers should be disallowed as soon as possible, while the
+#  kRSA ciphers do not offer forward secrecy.  These changes inhibit
+#  older clients (such as IE6 SP2 or IE8 on Windows XP, or other legacy
+#  non-browser tooling) from successfully connecting.  
+#
+#  To restrict mod_ssl to use only TLSv1.2 ciphers, and disable
+#  those protocols which do not support forward secrecy, replace
+#  the SSLCipherSuite and SSLProxyCipherSuite directives above with
+#  the following two directives, as soon as practical.
+# SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+# SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on 
+
+#   SSL Protocol support:
+#   List the protocol versions which clients are allowed to connect with.
+#   Disable SSLv3 by default (cf. RFC 7525 3.1.1).  TLSv1 (1.0) should be
+#   disabled as quickly as practical.  By the end of 2016, only the TLSv1.2
+#   protocol or later should remain in use.
+SSLProxyProtocol all -SSLv3
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+
 #   Pass Phrase Dialog:
 #   Configure the pass phrase gathering process.
-#   The filtering dialog program (`builtin' is a internal
+#   The filtering dialog program (`builtin' is an internal
 #   terminal dialog) has to provide the pass phrase on stdout.
 SSLPassPhraseDialog  builtin
@@ -57 +97 @@
 SSLSessionCacheTimeout  300
 
+#   OCSP Stapling (requires OpenSSL 0.9.8h or later)
+#
+#   This feature is disabled by default and requires at least
+#   the two directives SSLUseStapling and SSLStaplingCache.
+#   Refer to the documentation on OCSP Stapling in the SSL/TLS
+#   How-To for more information.
+#
+#   Enable stapling for all SSL-enabled servers:
+#SSLUseStapling On
+
+#   Define a relatively small cache for OCSP Stapling using
+#   the same mechanism that is used for the SSL session cache
+#   above.  If stapling is used with more than a few certificates,
+#   the size may need to be increased.  (AH01929 will be logged.)
+#SSLStaplingCache "shmcb:${SRVROOT}/logs/ssl_stapling(32768)"
+
+#   Seconds before valid OCSP responses are expired from the cache
+#SSLStaplingStandardCacheTimeout 3600
+
+#   Seconds before invalid OCSP responses are expired from the cache
+#SSLStaplingErrorCacheTimeout 600
+
 ##
 ## SSL Virtual Host Context
@@ -76 +138 @@
 SSLEngine on
 
-#   SSL Cipher Suite:
-#   List the ciphers that the client is permitted to negotiate.
-#   See the mod_ssl documentation for a complete list.
-#   Recent OpenSSL snapshots include Elliptic Curve Cryptograhpy (ECC) 
-#   cipher suites (see RFC 4492) as part of "ALL". Edit this line
-#   if you need to disable any of those ciphers.
-#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-SSLHonorCipherOrder on
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -109 +162 @@
 #SSLCertificateKeyFile "c:/Apache24/conf/server-dsa.key"
 #SSLCertificateKeyFile "c:/Apache24/conf/server-ecc.key"
-SSLCertificateKeyFile "c:/dataportal_info/dataportal.key"
+SSLCertificateKeyFile "c:/dataportal_info/privatekey.key"
 
 #   Server Certificate Chain:
@@ -120 +173 @@
 #SSLCertificateChainFile "c:/Apache24/conf/server-ca.crt"
 #SSLCertificateChainFile "C:\Cert_apache24\dataportal.crt"
-SSLCertificateChainFile "c:/dataportal_info/Apache_Plesk_Install.txt"
+SSLCertificateChainFile "C:\dataportal_info\bundle.txt"
 
 
@@ -136 +189 @@
 #   Set the CA revocation path where to find CA CRLs for client
 #   authentication or alternatively one huge file containing all
-#   of them (file must be PEM encoded)
+#   of them (file must be PEM encoded).
+#   The CRL checking mode needs to be configured explicitly
+#   through SSLCARevocationCheck (defaults to "none" otherwise).
 #   Note: Inside SSLCARevocationPath you need hash symlinks
 #         to point to the certificate files. Use the provided
@@ -142 +197 @@
 #SSLCARevocationPath "${SRVROOT}/conf/ssl.crl"
 #SSLCARevocationFile "${SRVROOT}/conf/ssl.crl/ca-bundle.crl"
+#SSLCARevocationCheck chain
 
 #   Client Authentication (Type):
@@ -150 +206 @@
 #SSLVerifyClient require
 #SSLVerifyDepth  10
+
+#   TLS-SRP mutual authentication:
+#   Enable TLS-SRP and set the path to the OpenSSL SRP verifier
+#   file (containing login information for SRP user accounts). 
+#   Requires OpenSSL 1.0.1 or newer. See the mod_ssl FAQ for
+#   detailed instructions on creating this file. Example:
+#   "openssl srp -srpvfile ${SRVROOT}/conf/passwd.srpv -add username"
+#SSLSRPVerifierFile "${SRVROOT}/conf/passwd.srpv"
 
 #   Access Control:

adopters/uset/trunk/src/main/reverse_proxy/httpd.conf

@@ -35 +35 @@
 # least PidFile.
 #
-
 Define SRVROOT "c:/Apache24"
+
 ServerRoot "${SRVROOT}"
 
@@ -100 +100 @@
 LoadModule authz_user_module modules/mod_authz_user.so
 LoadModule autoindex_module modules/mod_autoindex.so
+#LoadModule brotli_module modules/mod_brotli.so
 #LoadModule buffer_module modules/mod_buffer.so
 #LoadModule cache_module modules/mod_cache.so
@@ -120 +121 @@
 #LoadModule file_cache_module modules/mod_file_cache.so
 #LoadModule filter_module modules/mod_filter.so
+#LoadModule http2_module modules/mod_http2.so
 #LoadModule headers_module modules/mod_headers.so
 #LoadModule heartbeat_module modules/mod_heartbeat.so
 #LoadModule heartmonitor_module modules/mod_heartmonitor.so
-#LoadModule http2_module modules/mod_http2.so
 #LoadModule ident_module modules/mod_ident.so
 #LoadModule imagemap_module modules/mod_imagemap.so
@@ -140 +141 @@
 #LoadModule lua_module modules/mod_lua.so
 #LoadModule macro_module modules/mod_macro.so
+#LoadModule md_module modules/mod_md.so
 LoadModule mime_module modules/mod_mime.so
 #LoadModule mime_magic_module modules/mod_mime_magic.so
@@ -150 +152 @@
 #LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
 #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+#LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
 LoadModule proxy_html_module modules/mod_proxy_html.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
+#LoadModule proxy_http2_module modules/mod_proxy_http2.so
 #LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+#LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
 #LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
 #LoadModule ratelimit_module modules/mod_ratelimit.so
@@ -372 +377 @@
     # directives as to Alias.
     #
-    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
+    ScriptAlias /cgi-bin/ "${SRVROOT}/cgi-bin/"
 
 </IfModule>
@@ -393 +398 @@
     Require all denied
 </Directory>
+
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
 
 <IfModule mime_module>
@@ -532 +546 @@
 SSLRandomSeed connect builtin
 </IfModule>
-<IfModule http2_module>
-    ProtocolsHonorOrder On
-    Protocols h2 h2c http/1.1
-</IfModule>
-#
-# uncomment out the below to deal with user agents that deliberately
-# violate open standards by misusing DNT (DNT *must* be a specific
-# end-user choice)
-#
-#<IfModule setenvif_module>
-#BrowserMatch "MSIE 10.0;" bad_DNT
-#</IfModule>
-#<IfModule headers_module>
-#RequestHeader unset DNT env=bad_DNT
-#</IfModule>
 
 RemoteIPHeader X-Client-IP