annotate modules/website/files/zzz-0-custom.conf @ 236:4519b727cc4c puppet-3.6

Make Content-Security-Policy cleaner and easier to set
author IBBoard <dev@ibboard.co.uk>
date Wed, 18 Dec 2019 21:22:50 +0000
parents e1ee7a74d30f
children c90dc847246b
Changesets referenced in the annotation (all by IBBoard <dev@ibboard.co.uk>):

rev  changeset     parents  summary
0    956e484adc12           Initial public release of Puppet configs
25   13adb555a7e2  0        Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
30   6c63be9a0320  0        Put Sir Terry Pratchett's name on the Clacks, as the Smoking Gnu would do.
49   0c548d481c0a  30       Make sure that we compress JavaScript that uses the OTHER mime type
60   1e2f8966d0a6  49       Allow requests to ".well-known" so that we don't accidentally get blocked
73   f413aba301be  72       Fix differences in how we allow/deny between Apache 2.2 and 2.4
90   5d6111879862  73       Extend blocked files to include backup files
106  ef0926ee389a  90       Lock down Apache headers for security, based on https://securityheaders.io/
115  b35a9df52965  106      Make sure that custom config comes before site configs
116  3c4f495d4eac  115      Make sure that we're detecting and serving 7zip and RAR files correctly
174  1457b5365c79  116      Add extra headers for improved security practice
212  e1ee7a74d30f  204      Update SSL config for newer, more secure browsers
236  4519b727cc4c  212      Make Content-Security-Policy cleaner and easier to set

rev  source
212  SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
212  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
212  SSLHonorCipherOrder off
0
0    DirectoryIndex index.php index.html
0
0    AddType image/x-icon .ico
116  AddType application/x-7z-compressed .7z
116  AddType application/x-rar .rar
0
0    ExpiresActive On
0    ExpiresByType image/jpeg "access plus 2 weeks"
0    ExpiresByType image/gif "access plus 2 weeks"
0    ExpiresByType image/png "access plus 2 weeks"
0    ExpiresByType text/css "access plus 1 week"
49   ExpiresByType text/javascript "access plus 1 month"
0    ExpiresByType application/javascript "access plus 1 month"
0    ExpiresByType application/x-javascript "access plus 1 month"
0    ExpiresByType image/x-icon "access plus 1 month"
0
0    <ifModule mod_deflate.c>
0        AddOutputFilterByType DEFLATE text/plain
0        AddOutputFilterByType DEFLATE text/html
0        AddOutputFilterByType DEFLATE text/xml
0        AddOutputFilterByType DEFLATE text/css
49       AddOutputFilterByType DEFLATE text/javascript
0        AddOutputFilterByType DEFLATE application/xml
0        AddOutputFilterByType DEFLATE application/xhtml+xml
0        AddOutputFilterByType DEFLATE application/rss+xml
0        AddOutputFilterByType DEFLATE application/javascript
0        AddOutputFilterByType DEFLATE application/x-javascript
0    </ifModule>
0
0    WSGISocketPrefix run/wsgi
0
0    BrowserMatch "Mozilla/2" nokeepalive
0    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
0    BrowserMatch "RealPlayer 4\.0" force-response-1.0
0    BrowserMatch "Java/1\.0" force-response-1.0
0    BrowserMatch "JDK/1\.0" force-response-1.0
0    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
0
0    KeepAlive On
0    KeepAliveTimeout 5
0    MaxKeepAliveRequests 50
0
0    Header unset ETag
0    FileETag None
0
25
0    <Location /.hg/>
25       <IfVersion < 2.4>
0            Order Allow,Deny
0            Deny from all
25       </IfVersion>
25       <IfVersion >= 2.4>
25           Require all denied
25       </IfVersion>
0    </Location>
60   <Location /.well-known>
73       <IfVersion < 2.4>
60           Order Deny,Allow
60           Allow from all
73       </IfVersion>
73       <IfVersion >= 2.4>
73           Require all granted
73       </IfVersion>
60   </Location>
90   <FilesMatch "^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$">
25       <IfVersion < 2.4>
0            Order Allow,Deny
0            Deny from all
25       </IfVersion>
25       <IfVersion >= 2.4>
25           Require all denied
25       </IfVersion>
0    </FilesMatch>
0
30   # "A man is not dead while his name is still spoken." - Going Postal, Chapter 4 prologue
30   <IfModule headers_module>
30       header set X-Clacks-Overhead "GNU Terry Pratchett"
30   </IfModule>
106
115  <Location />
115      <LimitExcept HEAD POST GET OPTIONS>
115          Require all denied
115      </LimitExcept>
115  </Location>
115
174  ServerTokens Minor
174
174  Header always set Referrer-Policy "no-referrer-when-downgrade"
236  # FIXME: This shouldn't be a fixed URL!
174  Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'"
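The <FilesMatch> pattern in this file (changeset 5d6111879862, "Extend blocked files to include backup files") is the kind of rule worth checking offline before deploying: a regex that is meant to hide dotfiles and editor backups is easy to get subtly wrong. The Python script below is an added example, not code from the repository; it copies the pattern verbatim and runs it over a constructed list of basenames (Apache applies FilesMatch to the basename only) so you can see exactly which names would get "Require all denied" and which would still be served.

```python
import re

# Pattern copied verbatim from the <FilesMatch> directive in zzz-0-custom.conf.
# Apache matches FilesMatch against the file's basename, not the full path,
# so the check below works on basenames too.
BLOCKED_FILES = re.compile(
    r"^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$"
)


def is_blocked(filename: str) -> bool:
    """True when Apache would deny this basename under the FilesMatch rule."""
    return BLOCKED_FILES.match(filename) is not None


def classify(filenames):
    """Split basenames into (blocked, served) lists, preserving input order."""
    blocked = [f for f in filenames if is_blocked(f)]
    served = [f for f in filenames if not is_blocked(f)]
    return blocked, served


# Constructed sample basenames (not taken from the page): a mix of files that
# should be served and of dotfiles, editor swap files and backups that should not.
SAMPLE_FILES = [
    "index.php", "style.css", "favicon.ico", "archive.7z",   # legitimate content
    ".htaccess", ".git",                                      # dotfiles
    "index.php~", "~index.php",                               # editor backups
    ".index.php.swp", "config.php.swo",                       # vim swap files
    "config.php.save", "settings.php.dist", "db.php_backup",  # listed suffixes
    "backup.index.php",                                       # backup.*.php form
    "backup.php", "index.php.bak", "index.php.orig",          # outside the pattern
]

if __name__ == "__main__":
    blocked, served = classify(SAMPLE_FILES)
    print("denied by FilesMatch:", blocked)
    print("still served:        ", served)
```

The last group in the sample shows the pattern's edges: a bare `backup.php`, and the `.bak` / `.orig` suffixes, are not matched, so anyone reusing this rule should extend the suffix list to whatever their editors and deploy tooling actually leave behind.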