annotate modules/website/files/zzz-custom.conf @ 106:ef0926ee389a puppet-3.6

Lock down Apache headers for security, based on https://securityheaders.io/
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 May 2016 17:10:10 +0100
parents 5d6111879862
children
All changesets below are by IBBoard <dev@ibboard.co.uk>.

rev   changeset     parents  description
0     956e484adc12           Initial public release of Puppet configs
25    13adb555a7e2  0        Use "<IfVersion>" to handle auth differences between 2.2 and 2.4
30    6c63be9a0320  0        Put Sir Terry Pratchett's name on the Clacks, as the Smoking Gnu would do.
49    0c548d481c0a  30       Make sure that we compress JavaScript that uses the OTHER mime type
60    1e2f8966d0a6  49       Allow requests to ".well-known" so that we don't accidentally get blocked
73    f413aba301be  72       Fix differences in how we allow/deny between Apache 2.2 and 2.4
90    5d6111879862  73       Extend blocked files to include backup files
106   ef0926ee389a  90       Lock down Apache headers for security, based on https://securityheaders.io/

rev   line  source
0     1     SSLProtocol ALL -SSLv2 -SSLv3
0     2     SSLHonorCipherOrder On
0     3     SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
0     4
0     5     DirectoryIndex index.php index.html
0     6
0     7     AddType image/x-icon .ico
0     8
0     9     ExpiresActive On
0     10    ExpiresByType image/jpeg "access plus 2 weeks"
0     11    ExpiresByType image/gif "access plus 2 weeks"
0     12    ExpiresByType image/png "access plus 2 weeks"
0     13    ExpiresByType text/css "access plus 1 week"
49    14    ExpiresByType text/javascript "access plus 1 month"
0     15    ExpiresByType application/javascript "access plus 1 month"
0     16    ExpiresByType application/x-javascript "access plus 1 month"
0     17    ExpiresByType image/x-icon "access plus 1 month"
0     18
0     19    <ifModule mod_deflate.c>
0     20        AddOutputFilterByType DEFLATE text/plain
0     21        AddOutputFilterByType DEFLATE text/html
0     22        AddOutputFilterByType DEFLATE text/xml
0     23        AddOutputFilterByType DEFLATE text/css
49    24        AddOutputFilterByType DEFLATE text/javascript
0     25        AddOutputFilterByType DEFLATE application/xml
0     26        AddOutputFilterByType DEFLATE application/xhtml+xml
0     27        AddOutputFilterByType DEFLATE application/rss+xml
0     28        AddOutputFilterByType DEFLATE application/javascript
0     29        AddOutputFilterByType DEFLATE application/x-javascript
0     30    </ifModule>
0     31
0     32    WSGISocketPrefix run/wsgi
0     33
0     34    BrowserMatch "Mozilla/2" nokeepalive
0     35    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
0     36    BrowserMatch "RealPlayer 4\.0" force-response-1.0
0     37    BrowserMatch "Java/1\.0" force-response-1.0
0     38    BrowserMatch "JDK/1\.0" force-response-1.0
0     39    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
0     40
0     41    KeepAlive On
0     42    KeepAliveTimeout 5
0     43    MaxKeepAliveRequests 50
0     44
0     45    Header unset ETag
0     46    FileETag None
0     47
25    48
0     49    <Location /.hg/>
25    50        <IfVersion < 2.4>
0     51            Order Allow,Deny
0     52            Deny from all
25    53        </IfVersion>
25    54        <IfVersion >= 2.4>
25    55            Require all denied
25    56        </IfVersion>
0     57    </Location>
60    58    <Location /.well-known>
73    59        <IfVersion < 2.4>
60    60            Order Deny,Allow
60    61            Allow from all
73    62        </IfVersion>
73    63        <IfVersion >= 2.4>
73    64            Require all granted
73    65        </IfVersion>
60    66    </Location>
90    67    <FilesMatch "^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$">
25    68        <IfVersion < 2.4>
0     69            Order Allow,Deny
0     70            Deny from all
25    71        </IfVersion>
25    72        <IfVersion >= 2.4>
25    73            Require all denied
25    74        </IfVersion>
0     75    </FilesMatch>
0     76
30    77    # "A man is not dead while his name is still spoken." - Going Postal, Chapter 4 prologue
30    78    <IfModule headers_module>
30    79        header set X-Clacks-Overhead "GNU Terry Pratchett"
30    80    </IfModule>
106   81
106   82    ServerTokens Minor