annotate modules/website/files/zzz-0-custom.conf @ 174:1457b5365c79 puppet-3.6
Add extra headers for improved security practice
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 03 Mar 2018 14:20:06 +0000 |
parents | 3c4f495d4eac |
children | 1b93429d28b8 |
rev | line source |
---|---|
0 | 1 SSLProtocol ALL -SSLv2 -SSLv3 |
0 | 2 SSLHonorCipherOrder On |
0 | 3 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS |
0 | 4 |
0 | 5 DirectoryIndex index.php index.html |
0 | 6 |
0 | 7 AddType image/x-icon .ico |
116 | 8 AddType application/x-7z-compressed .7z |
116 | 9 AddType application/x-rar .rar |
0 | 10 |
0 | 11 ExpiresActive On |
0 | 12 ExpiresByType image/jpeg "access plus 2 weeks" |
0 | 13 ExpiresByType image/gif "access plus 2 weeks" |
0 | 14 ExpiresByType image/png "access plus 2 weeks" |
0 | 15 ExpiresByType text/css "access plus 1 week" |
49 | 16 ExpiresByType text/javascript "access plus 1 month" |
0 | 17 ExpiresByType application/javascript "access plus 1 month" |
0 | 18 ExpiresByType application/x-javascript "access plus 1 month" |
0 | 19 ExpiresByType image/x-icon "access plus 1 month" |
0 | 20 |
0 | 21 <ifModule mod_deflate.c> |
0 | 22 AddOutputFilterByType DEFLATE text/plain |
0 | 23 AddOutputFilterByType DEFLATE text/html |
0 | 24 AddOutputFilterByType DEFLATE text/xml |
0 | 25 AddOutputFilterByType DEFLATE text/css |
49 | 26 AddOutputFilterByType DEFLATE text/javascript |
0 | 27 AddOutputFilterByType DEFLATE application/xml |
0 | 28 AddOutputFilterByType DEFLATE application/xhtml+xml |
0 | 29 AddOutputFilterByType DEFLATE application/rss+xml |
0 | 30 AddOutputFilterByType DEFLATE application/javascript |
0 | 31 AddOutputFilterByType DEFLATE application/x-javascript |
0 | 32 </ifModule> |
0 | 33 |
0 | 34 WSGISocketPrefix run/wsgi |
0 | 35 |
0 | 36 BrowserMatch "Mozilla/2" nokeepalive |
0 | 37 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 |
0 | 38 BrowserMatch "RealPlayer 4\.0" force-response-1.0 |
0 | 39 BrowserMatch "Java/1\.0" force-response-1.0 |
0 | 40 BrowserMatch "JDK/1\.0" force-response-1.0 |
0 | 41 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown |
0 | 42 |
0 | 43 KeepAlive On |
0 | 44 KeepAliveTimeout 5 |
0 | 45 MaxKeepAliveRequests 50 |
0 | 46 |
0 | 47 Header unset ETag |
0 | 48 FileETag None |
0 | 49 |
25 | 50 |
0 | 51 <Location /.hg/> |
25 | 52 <IfVersion < 2.4> |
0 | 53 Order Allow,Deny |
0 | 54 Deny from all |
25 | 55 </IfVersion> |
25 | 56 <IfVersion >= 2.4> |
25 | 57 Require all denied |
25 | 58 </IfVersion> |
0 | 59 </Location> |
60 | 60 <Location /.well-known> |
73 | 61 <IfVersion < 2.4> |
60 | 62 Order Deny,Allow |
60 | 63 Allow from all |
73 | 64 </IfVersion> |
73 | 65 <IfVersion >= 2.4> |
73 | 66 Require all granted |
73 | 67 </IfVersion> |
60 | 68 </Location> |
90 | 69 <FilesMatch "^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$"> |
25 | 70 <IfVersion < 2.4> |
0 | 71 Order Allow,Deny |
0 | 72 Deny from all |
25 | 73 </IfVersion> |
25 | 74 <IfVersion >= 2.4> |
25 | 75 Require all denied |
25 | 76 </IfVersion> |
0 | 77 </FilesMatch> |
0 | 78 |
30 | 79 # "A man is not dead while his name is still spoken." - Going Postal, Chapter 4 prologue |
30 | 80 <IfModule headers_module> |
30 | 81 header set X-Clacks-Overhead "GNU Terry Pratchett" |
30 | 82 </IfModule> |
106 | 83 |
115 | 84 <Location /> |
115 | 85 <LimitExcept HEAD POST GET OPTIONS> |
115 | 86 Require all denied |
115 | 87 </LimitExcept> |
115 | 88 </Location> |
115 | 89 |
174 | 90 ServerTokens Minor |
174 | 91 |
174 | 92 Header always set Referrer-Policy "no-referrer-when-downgrade" |
174 | 93 Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'" |
174 | 94 Header always set Content-Security-Policy "upgrade-insecure-requests" |
174 | 95 Header always set Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'" |
174 | 96 #; report-uri https://ibboard.report-uri.com/r/d/csp/reportOnly" |

rev | changeset | description | author | parents |
---|---|---|---|---|
0 | 956e484adc12 | Initial public release of Puppet configs | IBBoard <dev@ibboard.co.uk> | |
25 | 13adb555a7e2 | Use "<IfVersion>" to handle auth differences between 2.2 and 2.4 | IBBoard <dev@ibboard.co.uk> | 0 |
30 | 6c63be9a0320 | Put Sir Terry Pratchett's name on the Clacks, as the Smoking Gnu would do. | IBBoard <dev@ibboard.co.uk> | 0 |
49 | 0c548d481c0a | Make sure that we compress JavaScript that uses the OTHER mime type | IBBoard <dev@ibboard.co.uk> | 30 |
60 | 1e2f8966d0a6 | Allow requests to ".well-known" so that we don't accidentally get blocked | IBBoard <dev@ibboard.co.uk> | 49 |
73 | f413aba301be | Fix differences in how we allow/deny between Apache 2.2 and 2.4 | IBBoard <dev@ibboard.co.uk> | 72 |
90 | 5d6111879862 | Extend blocked files to include backup files | IBBoard <dev@ibboard.co.uk> | 73 |
106 | ef0926ee389a | Lock down Apache headers for security, based on https://securityheaders.io/ | IBBoard <dev@ibboard.co.uk> | 90 |
115 | b35a9df52965 | Make sure that custom config comes before site configs | IBBoard <dev@ibboard.co.uk> | 106 |
116 | 3c4f495d4eac | Make sure that we're detecting and serving 7zip and RAR files correctly | IBBoard <dev@ibboard.co.uk> | 115 |
174 | 1457b5365c79 | Add extra headers for improved security practice | IBBoard <dev@ibboard.co.uk> | 116 |