view modules/website/files/zzz-0-custom.conf @ 353:e046606cf218
Fix access control rules
Also makes use of newer "mod_allowedmethods" rather than LimitExcept
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 03 Oct 2020 11:58:27 +0100 |
parents | 03a9bab1a56a |
children | df5ad1612af7 |
```apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

DirectoryIndex index.php index.html

AddType image/x-icon .ico
AddType application/x-7z-compressed .7z
AddType application/x-rar .rar

ExpiresActive On
ExpiresByType image/jpeg "access plus 2 weeks"
ExpiresByType image/gif "access plus 2 weeks"
ExpiresByType image/png "access plus 2 weeks"
ExpiresByType text/css "access plus 1 week"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/x-icon "access plus 1 month"

<ifModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE text/javascript
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
</ifModule>

<IfModule mod_wsgi.c>
    WSGISocketPrefix run/wsgi
</IfModule>

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

KeepAlive On
KeepAliveTimeout 5
MaxKeepAliveRequests 50

Header unset ETag
FileETag None

<Location />
    AllowMethods HEAD POST GET OPTIONS
</Location>

<Files ".well-known">
    Require all granted
</Files>

<FilesMatch "^((\.|~).*|.*(\.(dist|save|swo|swp|php_backup)|~)|backup\..*\.php)$">
    Require all denied
</FilesMatch>

# "A man is not dead while his name is still spoken." - Going Postal, Chapter 4 prologue
<IfModule headers_module>
    header set X-Clacks-Overhead "GNU Terry Pratchett"
</IfModule>

ServerTokens Minor

Header always set Referrer-Policy "no-referrer-when-downgrade"

# FIXME: This shouldn't be a fixed URL!
Header always set Expect-CT "max-age=0, report-uri='https://ibboard.report-uri.io/r/default/ct/reportOnly'"

# We can't just use IPV6 because we're proxying, so look for a colon to tell IPv4 from v6
<If "%{REMOTE_ADDR} =~ /:/">
    Header always set X-The-Future "Welcome to the future with IPv6!"
</If>
```