webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 03:07:43 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
d952f7557ea4b1e552bb0f893ad50a99f83d669e
bpfire/config/httpd/vhosts.d/ipfire-interface-ssl.conf
Peter Müller eb6d71514a prevent loading resources from external sites 
Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2017-12-16 12:18:39 +00:00

98 lines
3.1 KiB
Plaintext
Raw Blame History

<VirtualHost *:444>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
RewriteRule .* - [F]
DocumentRoot /srv/web/ipfire/html
ServerAdmin root@localhost
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLCertificateFile /etc/httpd/server-ecdsa.crt
SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
<Directory /srv/web/ipfire/html>
Options ExecCGI
AllowOverride None
Require all granted
</Directory>
<DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
<RequireAll>
Require user admin
Require ssl
</RequireAll>
</DirectoryMatch>
ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/
<Directory /srv/web/ipfire/cgi-bin>
AllowOverride None
Options ExecCGI
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
<RequireAll>
Require user admin
Require ssl
</RequireAll>
<Files chpasswd.cgi>
Require all granted
</Files>
<Files webaccess.cgi>
Require all granted
</Files>
</Directory>
<Files ~ "\.(cgi|shtml?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /srv/web/ipfire/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SetEnv HOME /home/nobody
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Alias /updatecache/ /var/updatecache/
<Directory /var/updatecache>
Options ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /repository/ /var/urlrepo/
<Directory /var/urlrepo>
Options ExecCGI
AllowOverride None
Require all granted
</Directory>
Alias /proxy-reports/ /var/log/sarg/
<Directory /var/log/sarg>
AllowOverride None
Options None
AuthName "IPFire - Restricted"
AuthType Basic
AuthUserFile /var/ipfire/auth/users
<RequireAll>
Require user admin
Require ssl
</RequireAll>
</Directory>
</VirtualHost>
Reference in New Issue View Git Blame Copy Permalink