source: trunk/server/fedora/config/etc/httpd/conf/httpd.conf @ 2713

Last change on this file since 2713 was 2713, checked in by andersk, 7 years ago
Enable OCSP stapling. No particular security benefit since we don’t have OCSP Must-Staple yet, but this apparently reduces latency in Firefox and IE, which do OCSP lookups by default in the absence of stapled responses.
File size: 14.4 KB
RevLine 
# Core server settings. Relative paths used later in this file (run/httpd.pid,
# modules/..., conf.d/..., vhosts.d/...) are resolved against ServerRoot.
[39]1ServerRoot /etc/httpd
2PidFile run/httpd.pid
# NOTE(review): a 300 s I/O timeout lets a slow or stalled client occupy a
# worker for a long time. mod_reqtimeout is not loaded in this file; confirm
# whether a request-read timeout is configured in an included file.
[1164]3Timeout 300
# Persistent connections: up to 1000 requests per connection, 15 s idle wait.
[231]4KeepAlive On
[39]5MaxKeepAliveRequests 1000
[734]6KeepAliveTimeout 15
[39]7
# Loads the worker MPM. Of the three MPM tuning sections that follow, only
# <IfModule mpm_worker_module> takes effect unless another MPM is loaded elsewhere.
[2591]8LoadModule mpm_worker_module modules/mod_mpm_worker.so
9
# Tuning for the prefork MPM. Inactive while the worker MPM is the one loaded.
[708]10<IfModule mpm_prefork_module>
11    MinSpareServers 5
[759]12    MaxSpareServers 50
[708]13    StartServers 8
    # ServerLimit and MaxClients both cap concurrent child processes at 512.
[759]14    ServerLimit 512
15    MaxClients 512
    # Each child exits after 10000 requests (presumably to bound slow leaks).
[831]16    MaxRequestsPerChild 10000
[708]17</IfModule>
18
# Tuning for the worker MPM (the MPM this file loads).
19<IfModule mpm_worker_module>
20    StartServers 3
21    MinSpareThreads 75
22    MaxSpareThreads 250
    # ServerLimit 64 x ThreadsPerChild 32 would permit 2048 threads, but
    # MaxClients 1024 is the effective ceiling on concurrent requests. That
    # ceiling is also the number of slow connections needed to exhaust the
    # server, so it interacts with the Timeout/KeepAliveTimeout values above.
[972]23    ServerLimit 64
[759]24    ThreadsPerChild 32
25    MaxClients 1024
    # Each child process exits after 10000 requests.
[831]26    MaxRequestsPerChild 10000
[708]27</IfModule>
28
# Tuning for the event MPM. Inactive while the worker MPM is the one loaded.
[972]29<IfModule mpm_event_module>
30    StartServers 3
31    MinSpareThreads 75
32    MaxSpareThreads 250
    # MaxClients 2048 equals ServerLimit 64 x ThreadsPerChild 32.
33    ServerLimit 64
34    ThreadsPerChild 32
35    MaxClients 2048
36    MaxRequestsPerChild 10000
37</IfModule>
38
# Loads httpd's systemd integration module.
[2591]39# This file configures systemd module:
40LoadModule systemd_module modules/mod_systemd.so
41
# NOTE(review): mod_access_compat keeps the pre-2.4 Order/Allow/Deny directives
# working for existing .htaccess files. Mixing those with the 2.4 `Require`
# directives in the same scope is easy to get wrong; an audit of access rules
# should check both syntaxes.
42# Enable .htaccess files to use the legacy Order By syntax
43LoadModule access_compat_module modules/mod_access_compat.so
44
# Module set. Every loaded module is attack surface, and because the
# web_scripts directories below use `AllowOverride All`, directives from most
# of these modules can also be used from user-controlled .htaccess files.

# Authentication and authorization providers.
[39]45LoadModule auth_basic_module modules/mod_auth_basic.so
46LoadModule auth_digest_module modules/mod_auth_digest.so
[2591]47LoadModule authn_core_module modules/mod_authn_core.so
[39]48LoadModule authn_file_module modules/mod_authn_file.so
49LoadModule authn_anon_module modules/mod_authn_anon.so
[2593]50LoadModule allowmethods_module modules/mod_allowmethods.so
[39]51#LoadModule authn_dbm_module modules/mod_authn_dbm.so
[2591]52LoadModule authz_core_module modules/mod_authz_core.so
[39]53LoadModule authz_host_module modules/mod_authz_host.so
54LoadModule authz_user_module modules/mod_authz_user.so
55LoadModule authz_owner_module modules/mod_authz_owner.so
56LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
57#LoadModule authz_dbm_module modules/mod_authz_dbm.so
[478]58LoadModule ldap_module modules/mod_ldap.so
[39]59#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
# Server-side includes; `Options IncludesNoExec` on <Directory /> sets the default.
60LoadModule include_module modules/mod_include.so
61LoadModule log_config_module modules/mod_log_config.so
62#LoadModule logio_module modules/mod_logio.so
63LoadModule env_module modules/mod_env.so
# NOTE(review): mod_ext_filter runs external programs as content filters;
# confirm whether it is still needed and where its directives are permitted.
64LoadModule ext_filter_module modules/mod_ext_filter.so
65#LoadModule mime_magic_module modules/mod_mime_magic.so
[635]66LoadModule expires_module modules/mod_expires.so
[1454]67LoadModule deflate_module modules/mod_deflate.so
[365]68LoadModule headers_module modules/mod_headers.so
[39]69#LoadModule usertrack_module modules/mod_usertrack.so
70LoadModule setenvif_module modules/mod_setenvif.so
71LoadModule mime_module modules/mod_mime.so
72#LoadModule dav_module modules/mod_dav.so
# NOTE(review): mod_status is loaded and `ExtendedStatus On` is set further
# down. No server-status handler mapping is visible in this file; wherever it
# is enabled, it should be restricted to trusted addresses.
[972]73LoadModule status_module modules/mod_status.so
[39]74LoadModule autoindex_module modules/mod_autoindex.so
75#LoadModule info_module modules/mod_info.so
76#LoadModule dav_fs_module modules/mod_dav_fs.so
77#LoadModule vhost_alias_module modules/mod_vhost_alias.so
[520]78LoadModule negotiation_module modules/mod_negotiation.so
[39]79LoadModule dir_module modules/mod_dir.so
80LoadModule actions_module modules/mod_actions.so
81#LoadModule speling_module modules/mod_speling.so
# Loaded, but `UserDir disabled` below turns the ~user URL mapping off.
82LoadModule userdir_module modules/mod_userdir.so
83LoadModule alias_module modules/mod_alias.so
84LoadModule rewrite_module modules/mod_rewrite.so
# Proxy support; `ProxyRequests Off` below disables forward proxying.
[1089]85LoadModule proxy_module modules/mod_proxy.so
86LoadModule proxy_http_module modules/mod_proxy_http.so
[39]87#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
88#LoadModule proxy_connect_module modules/mod_proxy_connect.so
89#LoadModule cache_module modules/mod_cache.so
# CGI execution, with suexec available to run scripts under another user.
90LoadModule suexec_module modules/mod_suexec.so
91#LoadModule disk_cache_module modules/mod_disk_cache.so
92#LoadModule file_cache_module modules/mod_file_cache.so
93#LoadModule mem_cache_module modules/mod_mem_cache.so
94LoadModule cgi_module modules/mod_cgi.so
# TLS, plus the shared-memory cache provider used by SSLSessionCache and
# SSLStaplingCache below.
95LoadModule ssl_module modules/mod_ssl.so
[2591]96LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
[478]97LoadModule vhost_ldap_module modules/mod_vhost_ldap.so
[2591]98LoadModule unixd_module modules/mod_unixd.so
[2592]99LoadModule filter_module modules/mod_filter.so
[39]100
# Child processes answer requests as the apache user and group.
# NOTE(review): files that must stay private from hosted scripts (TLS keys,
# logs) should not be readable by this account — verify file modes.
101User apache
102Group apache
103
104#ErrorDocument  403  /403-404.html
105#ErrorDocument  404  /403-404.html
106#ErrorDocument  500  /script_error.html
107
# Turns off ~user URL translation server-wide even though mod_userdir is loaded.
[247]108UserDir disabled
[39]109
# Server-wide defaults for every filesystem path.
# NOTE(review): this section sets no `Require` rule, so on its own it does not
# deny access to paths outside the intended document trees. Confirm that an
# included file restricts access, or add a default-deny here and grant access
# per directory.
[39]110<Directory />
    # .htaccess files are ignored unless a more specific section enables them.
[642]111    AllowOverride None
    # Symlinks are followed without an ownership check (FollowSymLinks, not
    # SymLinksIfOwnerMatch); SSI is allowed but without exec.
[39]112    Options FollowSymLinks IncludesNoExec
[2591]113    # The new syntax wasn't added until 2.4,
114    # so there's simply no way any deployed sites
115    # are already using the new syntax.
116    <IfModule include_module>
117        SSILegacyExprParser on
118    </IfModule>
[39]119</Directory>
120
# User-controlled web_scripts directories at depths 2 through 8 under /afs.
# One section per depth is needed because `*` in <Directory> does not match `/`.
# NOTE(review): AllowOverride All lets any .htaccess in these trees change
# Options, handlers, authentication and rewrite rules, overriding the
# `AllowOverride None` / `IncludesNoExec` defaults from <Directory />. If only
# some override classes are needed, listing them explicitly (or using
# AllowOverrideList) narrows what a compromised or careless account can change.
[642]121<Directory /afs/*/*/web_scripts>
122    AllowOverride All
123</Directory>
124<Directory /afs/*/*/*/web_scripts>
125    AllowOverride All
126</Directory>
127<Directory /afs/*/*/*/*/web_scripts>
128    AllowOverride All
129</Directory>
130<Directory /afs/*/*/*/*/*/web_scripts>
131    AllowOverride All
132</Directory>
133<Directory /afs/*/*/*/*/*/*/web_scripts>
134    AllowOverride All
135</Directory>
136<Directory /afs/*/*/*/*/*/*/*/web_scripts>
137    AllowOverride All
138</Directory>
139<Directory /afs/*/*/*/*/*/*/*/*/web_scripts>
140    AllowOverride All
141</Directory>
142
# Files tried, in order, when a directory URL is requested.
# NOTE(review): the bare `index` entry presumably relies on content negotiation
# (mod_negotiation is loaded) to pick a file by extension — confirm. Several
# entries are executable types, so a directory request can run a script.
[39]143<IfModule mod_dir.c>
[1412]144    DirectoryIndex index index.html index.htm index.cgi index.pl index.php index.py index.shtml index.exe index.fcgi
[39]145</IfModule>
146
# Per-directory override files are named .htaccess (honoured only where
# AllowOverride permits it).
147AccessFileName .htaccess
148
# Refuse to serve any file whose name starts with ".ht" (.htaccess, .htpasswd,
# ...), so override rules and password files cannot be downloaded.
149<Files ~ "^\.ht">
[2591]150    Require all denied
[39]151</Files>
152
# With UseCanonicalName Off, self-referential URLs are built from the hostname
# and port the client supplied rather than from ServerName.
# NOTE(review): anything that trusts SERVER_NAME in hosted scripts is therefore
# trusting the Host header — worth stating in user documentation.
153UseCanonicalName Off
154TypesConfig /etc/mime.types
155#MIMEMagicFile conf/magic
156
# Logging and response-header hygiene.
157HostnameLookups Off
# NOTE(review): the error log lives under /home/logview rather than
# /var/log/httpd; confirm the directory's ownership and mode so that only the
# intended readers can see it and nobody unprivileged can replace it.
[149]158ErrorLog "/home/logview/error_log"
[39]159LogLevel warn
# Log formats. "combined" is prefixed with %V (the requested host name);
# "statistics" records client address, host name and URL path only.
160LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
161LogFormat "%h %l %u %t \"%r\" %>s %b" common
[1316]162LogFormat "%a %V %U" statistics
# NOTE(review): both CustomLog lines are commented out, so this file enables
# no access log. Confirm access logging is configured in an included file;
# without it there is little to work from during incident response.
[39]163#CustomLog /var/log/httpd/access_log combined
[1341]164#CustomLog "|/etc/httpd/statistics_log_mitonly.sh" statistics
# Suppress the version footer on generated pages and reduce the Server header
# to the product name.
[39]165ServerSignature Off
166ServerAdmin scripts@mit.edu
167ServerTokens Prod
# Adds a Scripts-IP response header carrying the SERVER_ADDR value.
# NOTE(review): this discloses the address of the answering server to every
# client; presumably intentional for identifying a backend — confirm.
[2270]168Header add Scripts-IP "%{SERVER_ADDR}e"
[39]169
# Directory-listing presentation. Listings themselves appear only where
# `Options Indexes` is in effect; here that is the icon directory, plus any
# directory where a .htaccess turns it on.
[257]170<IfModule mod_autoindex.c>
    # Icons are served from a private /__scripts/icons URL prefix.
[2591]171    Alias /__scripts/icons /usr/share/httpd/icons/
172    <Directory /usr/share/httpd/icons/>
[802]173        Options Indexes
[257]174        AllowOverride None
        # Force plain static handling for the image files, whatever handlers
        # are configured elsewhere.
175        <Files ~ "\.(gif|png)$">
176            SetHandler default-handler
177        </Files>
178    </Directory>
[39]179
180    IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
181
[602]182    AddIconByEncoding (CMP,/__scripts/icons/compressed.gif) x-compress x-gzip
[39]183
[602]184    AddIconByType (TXT,/__scripts/icons/text.gif) text/*
185    AddIconByType (IMG,/__scripts/icons/image2.gif) image/*
186    AddIconByType (SND,/__scripts/icons/sound2.gif) audio/*
187    AddIconByType (VID,/__scripts/icons/movie.gif) video/*
[39]188
[602]189    AddIcon /__scripts/icons/binary.gif .bin .exe
190    AddIcon /__scripts/icons/binhex.gif .hqx
191    AddIcon /__scripts/icons/tar.gif .tar
192    AddIcon /__scripts/icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
193    AddIcon /__scripts/icons/compressed.gif .Z .z .tgz .gz .zip
194    AddIcon /__scripts/icons/a.gif .ps .ai .eps
195    AddIcon /__scripts/icons/layout.gif .html .shtml .htm .pdf
196    AddIcon /__scripts/icons/text.gif .txt
197    AddIcon /__scripts/icons/c.gif .c
198    AddIcon /__scripts/icons/p.gif .pl .py
199    AddIcon /__scripts/icons/f.gif .for
200    AddIcon /__scripts/icons/dvi.gif .dvi
201    AddIcon /__scripts/icons/uuencoded.gif .uu
202    AddIcon /__scripts/icons/script.gif .conf .sh .shar .csh .ksh .tcl
203    AddIcon /__scripts/icons/tex.gif .tex
204    AddIcon /__scripts/icons/bomb.gif core
[39]205
[602]206    AddIcon /__scripts/icons/back.gif ..
207    AddIcon /__scripts/icons/hand.right.gif README
208    AddIcon /__scripts/icons/folder.gif ^^DIRECTORY^^
209    AddIcon /__scripts/icons/blank.gif ^^BLANKICON^^
[39]210
[602]211    DefaultIcon /__scripts/icons/unknown.gif
[39]212
213    ReadmeName README
214    HeaderName HEADER
215   
    # NOTE(review): IndexIgnore only hides these names from generated listings
    # (dotfiles, editor backups, RCS/CVS data). It is not access control: the
    # files remain retrievable by direct URL unless denied elsewhere.
[477]216    IndexIgnore .??* *~ *# RCS CVS *,v *,t
[39]217</IfModule>
218
# Extension-to-type, handler, encoding and language mappings.
219<IfModule mod_mime.c>
[257]220    AddType application/xhtml+xml         .xhtml
221    AddType application/http-index-format .hti
222    AddType text/html                     .html
223    AddType text/css                      .css
224    AddType text/xsl                      .xslt
225    AddType application/x-javascript      .js
226    AddType application/xml               .xml
227    AddType image/svg+xml                 .svg
228    AddType application/vnd.mozilla.xul+xml .xul
229    AddType application/rdf+xml             .rdf
230    AddType application/x-xpinstall         .xpi
231    AddType text/xml .xsl
232    AddType text/html .shtml
    # .shtml files are processed for server-side includes.
    # NOTE(review): mod_mime considers every extension in a file name, so a
    # name that merely contains ".shtml" may also be parsed. `IncludesNoExec`
    # on <Directory /> blocks SSI exec by default, but a .htaccess under
    # `AllowOverride All` can change Options.
233    AddHandler server-parsed .shtml
[39]234
235    AddEncoding x-compress Z
236    AddEncoding x-gzip gz tgz
237
238    AddLanguage da .dk
239    AddLanguage nl .nl
240    AddLanguage en .en
241    AddLanguage et .ee
242    AddLanguage fr .fr
243    AddLanguage de .de
244    AddLanguage el .el
245    AddLanguage it .it
246    AddLanguage ja .ja
247    AddCharset ISO-2022-JP .jis
248    AddLanguage pl .po
249    AddCharset ISO-8859-2 .iso-pl
250    AddLanguage pt .pt
251    AddLanguage pt-br .pt-br
252    AddLanguage ltz .lu
253    AddLanguage ca .ca
254    AddLanguage es .es
255    AddLanguage sv .se
256    AddLanguage cz .cz
257
    # Preference order used when negotiation cannot decide on a language.
258    <IfModule mod_negotiation.c>
259        LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv
260    </IfModule>
261
262    AddType application/x-tar .tgz
263    AddType image/bmp .bmp
264
265    AddType text/x-hdml .hdml
266</IfModule>
267
# Protocol workarounds keyed on the User-Agent header for very old clients.
# NOTE(review): the last rule matches every User-Agent containing "MSIE", so
# all such clients lose keep-alive and get an unclean TLS shutdown; confirm
# these rules are still wanted.
268<IfModule mod_setenvif.c>
269    BrowserMatch "Mozilla/2" nokeepalive
270    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
271    BrowserMatch "RealPlayer 4\.0" force-response-1.0
272    BrowserMatch "Java/1\.0" force-response-1.0
273    BrowserMatch "JDK/1\.0" force-response-1.0
274    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
275</IfModule>
276
# Plain-HTTP listener on all addresses; the TLS listeners (443, 444) are
# declared inside <IfModule ssl_module> below.
277Listen 80
278
# Resource limits (soft and hard set to the same value) for processes forked
# by httpd children, i.e. the hosted CGI scripts, not httpd itself:
# 300 CPU-seconds, 1610612736 bytes (1.5 GiB) of memory, 4096 processes.
# These are the main guard against a runaway or abusive script.
[1032]279RLimitCPU 300 300
[1772]280RLimitMEM 1610612736 1610612736
[972]281RLimitNPROC 4096 4096
[39]282
# Main-server identity and document root (used when no virtual host matches).
283ServerName localhost
284DocumentRoot /afs/athena.mit.edu/contrib/scripts/www
[151]285
# NOTE(review): ExtendedStatus makes mod_status record per-request detail
# (client addresses, request lines). No status handler is mapped in this
# file; wherever it is exposed it should be limited to trusted addresses.
[972]286ExtendedStatus On
[151]287RewriteEngine Off
288
# Forward proxying is disabled, so the server cannot be used as an open proxy
# even though mod_proxy and mod_proxy_http are loaded.
[1089]289ProxyRequests Off
290
# Short literal 404 bodies for the two paths clients request automatically.
# The message text has an opening quote only; that looks like the legacy
# single-quote message syntax — confirm it parses as intended on this version.
[330]291<Location /robots.txt>
292    ErrorDocument 404 "No robots.txt.
[151]293</Location>
[330]294<Location /favicon.ico>
295    ErrorDocument 404 "No favicon.ico.
296</Location>
[151]297
# Plain-HTTP virtual host for scripts-cert.mit.edu, bound to 18.181.0.50.
# Its behaviour is defined in the two included files, which are not shown here.
298<VirtualHost 18.181.0.50:80>
[257]299    ServerName scripts-cert.mit.edu
300    ServerAlias scripts-cert
[330]301    Include conf.d/scripts-vhost.conf
[257]302    Include conf.d/vhosts-common.conf
[151]303</VirtualHost>
304
# Plain-HTTP virtual host configured from conf.d/vhost_ldap.conf
# (mod_vhost_ldap is loaded above).
# NOTE(review): this is the first *:80 virtual host in the file and sets no
# ServerName here, so it is presumably the default for requests whose Host
# header matches nothing else — confirm that is the intended fallback.
[454]305# LDAP vhost, w00t w00t
[478]306<VirtualHost *:80>
307    Include conf.d/vhost_ldap.conf
308    Include conf.d/vhosts-common.conf
309</VirtualHost>
[454]310
# Plain-HTTP virtual host for the names listed in
# conf.d/scripts-vhost-names.conf (not shown here).
[151]311<VirtualHost *:80>
[332]312    Include conf.d/scripts-vhost-names.conf
[330]313    Include conf.d/scripts-vhost.conf
[257]314    Include conf.d/vhosts-common.conf
[151]315</VirtualHost>
316
# Global TLS settings and the TLS virtual hosts defined before vhosts.d/*.conf
# is included.
[244]317<IfModule ssl_module>
    # Two TLS ports. Every :444 virtual host below additionally includes
    # conf.d/vhosts-common-ssl-cert.conf, presumably to request client
    # certificates — confirm against that file.
[257]318    Listen 443
[332]319    Listen 444
[233]320
[257]321    AddType application/x-x509-ca-cert .crt
322    AddType application/x-pkcs7-crl    .crl
[233]323
    # NOTE(review): this re-enables legacy renegotiation, i.e. the weakness
    # that RFC 5746 fixes, for every TLS virtual host. The original comment
    # already calls for its removal; check for remaining clients that lack
    # RFC 5746 support and drop the directive if none are left.
[1540]324    # This directive allows insecure renegotiations to succeed for browsers
325    # that do not yet support RFC 5746.  It should be removed when enough
326    # of the world has caught up.
327    SSLInsecureRenegotiation on
328
[257]329    SSLPassPhraseDialog  builtin
    # Shared-memory session cache; sessions may be resumed for 28800 s (8 h).
    # NOTE(review): a long resumption window lengthens the period in which
    # cached session state can decrypt resumed traffic.
[740]330    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
[734]331    SSLSessionCacheTimeout 28800
    # OCSP stapling: the server fetches, caches and sends its own OCSP status.
    # NOTE(review): behaviour when the OCSP responder is unreachable is left at
    # the defaults (SSLStaplingReturnResponderErrors, SSLStaplingFakeTryLater
    # are not set here); confirm a responder outage cannot surface as
    # handshake failures for clients.
[2713]332    SSLStaplingCache shmcb:/var/cache/mod_ssl/ocspcache(512000)
333    SSLUseStapling on
[740]334    SSLRandomSeed startup file:/dev/urandom 256
[257]335    SSLRandomSeed connect builtin
[740]336    SSLCryptoDevice builtin
    # CA bundle for verifying client certificates; verification is off by
    # default and has to be turned on per virtual host.
[257]337    SSLCACertificateFile /etc/pki/tls/certs/ca.pem
338    SSLVerifyClient none
339    SSLOptions +StdEnvVars
[2621]340
341    # Copied from https://wiki.mozilla.org/Security/Server_Side_TLS
[2632]342    # (backward compatibility configuration minus SSL 3.0; equivalently,
343    # intermediate compatibility configuration plus 3DES)
    # NOTE(review): `all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1, which
    # RFC 8996 deprecates. The cipher list also keeps 3DES (64-bit block
    # cipher), static-RSA key exchange suites without forward secrecy, and DSS
    # suites. The referenced Mozilla page is revised over time; re-sync with
    # its current recommendation and restrict the protocol list accordingly.
344    SSLProtocol all -SSLv2 -SSLv3
[2635]345    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    # Server preference decides the suite; TLS compression stays off.
[2621]346    SSLHonorCipherOrder on
347    SSLCompression off
348
    # NOTE(review): every certificate in this file (scripts-cert.pem,
    # scripts.pem, star.scripts.pem) is paired with the same private key,
    # scripts-2048.key. Exposure of that one file compromises all of them, and
    # a key change must be coordinated across every certificate. The file name
    # suggests a 2048-bit key — confirm.
[332]349    <VirtualHost 18.181.0.50:443 18.181.0.50:444>
[257]350        ServerName scripts-cert.mit.edu
351        ServerAlias scripts-cert
[330]352        Include conf.d/scripts-vhost.conf
[257]353        Include conf.d/vhosts-common-ssl.conf
[369]354        SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem
[2624]355        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[270]356        Include conf.d/vhosts-common-ssl-cert.conf
[257]357    </VirtualHost>
[973]358    <VirtualHost 18.181.0.43:443>
359        Include conf.d/scripts-vhost-names.conf
360        Include conf.d/scripts-vhost.conf
361        Include conf.d/vhosts-common-ssl.conf
362        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
[2626]363        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[973]364    </VirtualHost>
365    <VirtualHost 18.181.0.43:444>
366        Include conf.d/scripts-vhost-names.conf
367        Include conf.d/scripts-vhost.conf
368        Include conf.d/vhosts-common-ssl.conf
369        Include conf.d/vhosts-common-ssl-cert.conf
370        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
[2626]371        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[973]372    </VirtualHost>
    # The two LDAP-driven hosts below present star.scripts.pem (by its name, a
    # wildcard certificate — confirm).
[478]373    # LDAP vhost, w00t w00t
[257]374    <VirtualHost *:443>
[648]375        ServerName localhost
[2591]376        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
[2626]377        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[478]378        Include conf.d/vhost_ldap.conf
379        Include conf.d/vhosts-common-ssl.conf
380    </VirtualHost>
[1086]381    # LDAP vhost, w00t w00t
382    <VirtualHost *:444>
383        ServerName localhost
[2591]384        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
[2626]385        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[1086]386        Include conf.d/vhost_ldap.conf
387        Include conf.d/vhosts-common-ssl.conf
388        Include conf.d/vhosts-common-ssl-cert.conf
389    </VirtualHost>
[1082]390</IfModule>
# Loads every *.conf file in vhosts.d, placed between the two ssl_module
# sections so these hosts are defined before the catch-all TLS hosts below.
# NOTE(review): anything dropped into vhosts.d is parsed with full
# server-config authority; the directory should be writable only by root and
# its contents reviewed like this file.
391Include vhosts.d/*.conf
# Catch-all TLS virtual hosts for the scripts-vhost-names.conf names, defined
# after vhosts.d/*.conf. Both use scripts.pem with the shared scripts-2048.key;
# the :444 host also includes vhosts-common-ssl-cert.conf.
392<IfModule ssl_module>
[478]393    <VirtualHost *:443>
[2591]394        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
[2626]395        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[332]396        Include conf.d/scripts-vhost-names.conf
[330]397        Include conf.d/scripts-vhost.conf
[257]398        Include conf.d/vhosts-common-ssl.conf
399    </VirtualHost>
[332]400    <VirtualHost *:444>
[2591]401        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
[2626]402        SSLCertificateKeyFile /etc/pki/tls/private/scripts-2048.key
[332]403        Include conf.d/scripts-vhost-names.conf
404        Include conf.d/scripts-vhost.conf
405        Include conf.d/vhosts-common-ssl.conf
406        Include conf.d/vhosts-common-ssl-cert.conf
407    </VirtualHost>
[151]408</IfModule>
409
# FastCGI support through mod_fcgid.
410LoadModule fcgid_module modules/mod_fcgid.so
# NOTE(review): the handler is keyed on the "fcgi" extension and the <Files>
# section grants ExecCGI to every *.fcgi file in any served directory. Since
# mod_mime looks at every extension in a file name, confirm that names merely
# containing ".fcgi" cannot end up executed where uploads are accepted.
411AddHandler fcgid-script fcgi
412<Files *.fcgi>
413        Options +ExecCGI
414</Files>
# SocketPath, SharememPath and IPCCommTimeout look like the older mod_fcgid
# directive names (without the Fcgid prefix) — confirm the installed version
# still accepts them.
# NOTE(review): /var/run/mod_fcgid holds the IPC sockets and process table; it
# should be accessible only to the server account.
[1482]415SocketPath /var/run/mod_fcgid
416SharememPath /var/run/mod_fcgid/fcgid_shm
[1016]417IPCCommTimeout 300
# Request bodies of up to 209715200 bytes (200 MiB) are accepted.
# NOTE(review): a generous cap; weigh it against memory and disk pressure from
# many concurrent large uploads.
[1732]418FcgidMaxRequestLen 209715200
# Process lifecycle: idle processes end after 600 s, at most 10 per class,
# none kept warm, each recycled after 10000 requests.
[2020]419FcgidIdleTimeout 600
420FcgidMaxProcessesPerClass 10
421FcgidMinProcessesPerClass 0
422FcgidMaxRequestsPerProcess 10000
[151]423
# Site-specific configuration kept in separate files (not shown here). A
# review of this server's authentication and execution policy has to cover
# these files as well as conf.d/vhosts-common*.conf and conf.d/scripts-vhost*.conf.
[70]424Include conf.d/auth_sslcert.conf
[40]425Include conf.d/execsys.conf
[603]426Include conf.d/scripts-special.conf