annotate modules/website/files/zzz-0-custom.conf @ 174:1457b5365c79 puppet-3.6

Add extra headers for improved security practice
author IBBoard <dev@ibboard.co.uk>
date Sat, 03 Mar 2018 14:20:06 +0000
parents 3c4f495d4eac
children 1b93429d28b8
All changesets below are by IBBoard <dev@ibboard.co.uk>.

rev   changeset     parents  description
0     956e484adc12           Initial public release of Puppet configs
25    13adb555a7e2  0        Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
30    6c63be9a0320  0        Put Sir Terry Pratchett's name on the Clacks, as the Smoking Gnu would do.
49    0c548d481c0a  30       Make sure that we compress JavaScript that uses the OTHER mime type
60    1e2f8966d0a6  49       Allow requests to ".well-known" so that we don't accidentally get blocked
73    f413aba301be  72       Fix differences in how we allow/deny between Apache 2.2 and 2.4
90    5d6111879862  73       Extend blocked files to include backup files
106   ef0926ee389a  90       Lock down Apache headers for security, based on https://securityheaders.io/
115   b35a9df52965  106      Make sure that custom config comes before site configs
116   3c4f495d4eac  115      Make sure that we're detecting and serving 7zip and RAR files correctly
174   1457b5365c79  116      Add extra headers for improved security practice

rev   line  source
0        1  SSLProtocol ALL -SSLv2 -SSLv3
0        2  SSLHonorCipherOrder On
0        3  SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
0        4
0        5  DirectoryIndex index.php index.html
0        6
0        7  AddType image/x-icon .ico
116      8  AddType application/x-7z-compressed .7z
116      9  AddType application/x-rar .rar
0       10
0       11  ExpiresActive On
0       12  ExpiresByType image/jpeg "access plus 2 weeks"
0       13  ExpiresByType image/gif "access plus 2 weeks"
0       14  ExpiresByType image/png "access plus 2 weeks"
0       15  ExpiresByType text/css "access plus 1 week"
49      16  ExpiresByType text/javascript "access plus 1 month"
0       17  ExpiresByType application/javascript "access plus 1 month"
0       18  ExpiresByType application/x-javascript "access plus 1 month"
0       19  ExpiresByType image/x-icon "access plus 1 month"
0       20
0       21  <ifModule mod_deflate.c>
0       22      AddOutputFilterByType DEFLATE text/plain
0       23      AddOutputFilterByType DEFLATE text/html
0       24      AddOutputFilterByType DEFLATE text/xml
0       25      AddOutputFilterByType DEFLATE text/css
49      26      AddOutputFilterByType DEFLATE text/javascript
0       27      AddOutputFilterByType DEFLATE application/xml
0       28      AddOutputFilterByType DEFLATE application/xhtml+xml
0       29      AddOutputFilterByType DEFLATE application/rss+xml
0       30      AddOutputFilterByType DEFLATE application/javascript
0       31      AddOutputFilterByType DEFLATE application/x-javascript
0       32  </ifModule>
0       33
0       34  WSGISocketPrefix run/wsgi
0       35
0       36  BrowserMatch "Mozilla/2" nokeepalive
0       37  BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
0       38  BrowserMatch "RealPlayer 4\.0" force-response-1.0
0       39  BrowserMatch "Java/1\.0" force-response-1.0
0       40  BrowserMatch "JDK/1\.0" force-response-1.0
0       41  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
0       42
0       43  KeepAlive On
0       44  KeepAliveTimeout 5
0       45  MaxKeepAliveRequests 50
0       46
0       47  Header unset ETag
0       48  FileETag None
0       49
25      50
0       51  <Location /.hg/>
25      52      <IfVersion < 2.4>
0       53          Order Allow,Deny
0       54          Deny from all
25      55      </IfVersion>
25      56      <IfVersion >= 2.4>
25      57          Require all denied
25      58      </IfVersion>
0       59  </Location>
60      60  <Location /.well-known>
73      61      <IfVersion < 2.4>
60      62          Order Deny,Allow
60      63          Allow from all
73      64      </IfVersion>
73      65      <IfVersion >= 2.4>
73      66          Require all granted
73      67      </IfVersion>
60      68  </Location>
90      69  <FilesMatch "^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$">
25      70      <IfVersion < 2.4>
0       71          Order Allow,Deny
0       72          Deny from all
25      73      </IfVersion>
25      74      <IfVersion >= 2.4>
25      75          Require all denied
25      76      </IfVersion>
0       77  </FilesMatch>
0       78
30      79  # "A man is not dead while his name is still spoken." - Going Postal, Chapter 4 prologue
30      80  <IfModule headers_module>
30      81      header set X-Clacks-Overhead "GNU Terry Pratchett"
30      82  </IfModule>
106     83
115     84  <Location />
115     85      <LimitExcept HEAD POST GET OPTIONS>
115     86          Require all denied
115     87      </LimitExcept>
115     88  </Location>
115     89
174     90  ServerTokens Minor
174     91
174     92  Header always set Referrer-Policy "no-referrer-when-downgrade"
174     93  Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'"
174     94  Header always set Content-Security-Policy "upgrade-insecure-requests"
174     95  Header always set Content-Security-Policy-Report-Only "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'"
174     96  #; report-uri https://ibboard.report-uri.com/r/d/csp/reportOnly"
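
The `<FilesMatch>` deny pattern in this file can be checked against file names before the config is rolled out, to confirm which backup and hidden files it covers. The Python check below is an added example and not part of the repository; the sample paths and the `is_denied` and `audit` helpers are constructed for illustration. It assumes `/`-separated paths and relies on the pattern using only constructs that Python's `re` and Apache's PCRE treat identically.

```python
import re

# Pattern copied verbatim from the <FilesMatch> directive in the file above.
FILES_MATCH = re.compile(
    r'^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$'
)

def is_denied(path):
    """Apply the pattern the way <FilesMatch> does: to the last path
    component only (assumption: path separators are '/')."""
    name = path.rsplit('/', 1)[-1]
    return FILES_MATCH.match(name) is not None

# Constructed sample paths -> whether the pattern is expected to deny them.
EXPECTED = {
    '/.htaccess': True,               # leading dot
    '/~scratch.txt': True,            # leading tilde
    '/index.php~': True,              # editor backup, trailing tilde
    '/config.php.dist': True,
    '/notes.txt.save': True,
    '/.index.php.swp': True,          # vim swap file
    '/index.php.swo': True,
    '/settings.php_backup': True,
    '/backup.2018-03-03.php': True,   # "backup.<anything>.php"
    '/backup.php': False,             # needs a middle component to match
    '/index.php': False,
    '/favicon.ico': False,
    '/files/archive.7z': False,
    '/.hg/hgrc': False,               # basename is "hgrc"; <Location /.hg/> covers it
}

def audit(expected=EXPECTED):
    """Return the paths whose actual result differs from the expectation."""
    return sorted(p for p, want in expected.items() if is_denied(p) != want)

if __name__ == '__main__':
    for path in EXPECTED:
        print(f"{'DENY ' if is_denied(path) else 'serve'}  {path}")
    print('mismatches:', audit())
```

An empty `mismatches` list means the pattern behaves as the table expects; extend `EXPECTED` with the file names your own editors and deployment tools leave behind.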