source: trunk/server/fedora/config/etc/httpd/conf/httpd.conf @ 2621

Last change on this file since 2621 was 2621, checked in by andersk, 10 years ago
Enforce a modern TLS cipher suite order This configuration was copied from the backward compatibility configuration at https://wiki.mozilla.org/Security/Server_Side_TLS, version 3/3.1/3.2.
File size: 14.0 KB
Line 
1ServerRoot /etc/httpd
2PidFile run/httpd.pid
3Timeout 300
4KeepAlive On
5MaxKeepAliveRequests 1000
6KeepAliveTimeout 15
7
8LoadModule mpm_worker_module modules/mod_mpm_worker.so
9
10<IfModule mpm_prefork_module>
11    MinSpareServers 5
12    MaxSpareServers 50
13    StartServers 8
14    ServerLimit 512
15    MaxClients 512
16    MaxRequestsPerChild 10000
17</IfModule>
18
19<IfModule mpm_worker_module>
20    StartServers 3
21    MinSpareThreads 75
22    MaxSpareThreads 250
23    ServerLimit 64
24    ThreadsPerChild 32
25    MaxClients 1024
26    MaxRequestsPerChild 10000
27</IfModule>
28
29<IfModule mpm_event_module>
30    StartServers 3
31    MinSpareThreads 75
32    MaxSpareThreads 250
33    ServerLimit 64
34    ThreadsPerChild 32
35    MaxClients 2048
36    MaxRequestsPerChild 10000
37</IfModule>
38
39# This file configures systemd module:
40LoadModule systemd_module modules/mod_systemd.so
41
42# Enable .htaccess files to use the legacy Order By syntax
43LoadModule access_compat_module modules/mod_access_compat.so
44
45LoadModule auth_basic_module modules/mod_auth_basic.so
46LoadModule auth_digest_module modules/mod_auth_digest.so
47LoadModule authn_core_module modules/mod_authn_core.so
48LoadModule authn_file_module modules/mod_authn_file.so
49LoadModule authn_anon_module modules/mod_authn_anon.so
50LoadModule allowmethods_module modules/mod_allowmethods.so
51#LoadModule authn_dbm_module modules/mod_authn_dbm.so
52LoadModule authz_core_module modules/mod_authz_core.so
53LoadModule authz_host_module modules/mod_authz_host.so
54LoadModule authz_user_module modules/mod_authz_user.so
55LoadModule authz_owner_module modules/mod_authz_owner.so
56LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
57#LoadModule authz_dbm_module modules/mod_authz_dbm.so
58LoadModule ldap_module modules/mod_ldap.so
59#LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
60LoadModule include_module modules/mod_include.so
61LoadModule log_config_module modules/mod_log_config.so
62#LoadModule logio_module modules/mod_logio.so
63LoadModule env_module modules/mod_env.so
64LoadModule ext_filter_module modules/mod_ext_filter.so
65#LoadModule mime_magic_module modules/mod_mime_magic.so
66LoadModule expires_module modules/mod_expires.so
67LoadModule deflate_module modules/mod_deflate.so
68LoadModule headers_module modules/mod_headers.so
69#LoadModule usertrack_module modules/mod_usertrack.so
70LoadModule setenvif_module modules/mod_setenvif.so
71LoadModule mime_module modules/mod_mime.so
72#LoadModule dav_module modules/mod_dav.so
73LoadModule status_module modules/mod_status.so
74LoadModule autoindex_module modules/mod_autoindex.so
75#LoadModule info_module modules/mod_info.so
76#LoadModule dav_fs_module modules/mod_dav_fs.so
77#LoadModule vhost_alias_module modules/mod_vhost_alias.so
78LoadModule negotiation_module modules/mod_negotiation.so
79LoadModule dir_module modules/mod_dir.so
80LoadModule actions_module modules/mod_actions.so
81#LoadModule speling_module modules/mod_speling.so
82LoadModule userdir_module modules/mod_userdir.so
83LoadModule alias_module modules/mod_alias.so
84LoadModule rewrite_module modules/mod_rewrite.so
85LoadModule proxy_module modules/mod_proxy.so
86LoadModule proxy_http_module modules/mod_proxy_http.so
87#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
88#LoadModule proxy_connect_module modules/mod_proxy_connect.so
89#LoadModule cache_module modules/mod_cache.so
90LoadModule suexec_module modules/mod_suexec.so
91#LoadModule disk_cache_module modules/mod_disk_cache.so
92#LoadModule file_cache_module modules/mod_file_cache.so
93#LoadModule mem_cache_module modules/mod_mem_cache.so
94LoadModule cgi_module modules/mod_cgi.so
95LoadModule ssl_module modules/mod_ssl.so
96LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
97LoadModule vhost_ldap_module modules/mod_vhost_ldap.so
98LoadModule unixd_module modules/mod_unixd.so
99LoadModule filter_module modules/mod_filter.so
100
101User apache
102Group apache
103
104#ErrorDocument  403  /403-404.html
105#ErrorDocument  404  /403-404.html
106#ErrorDocument  500  /script_error.html
107
108UserDir disabled
109
110<Directory />
111    AllowOverride None
112    Options FollowSymLinks IncludesNoExec
113    # The new syntax wasn't added until 2.4,
114    # so there's simply no way any deployed sites
115    # are already using the new syntax.
116    <IfModule include_module>
117        SSILegacyExprParser on
118    </IfModule>
119</Directory>
120
121<Directory /afs/*/*/web_scripts>
122    AllowOverride All
123</Directory>
124<Directory /afs/*/*/*/web_scripts>
125    AllowOverride All
126</Directory>
127<Directory /afs/*/*/*/*/web_scripts>
128    AllowOverride All
129</Directory>
130<Directory /afs/*/*/*/*/*/web_scripts>
131    AllowOverride All
132</Directory>
133<Directory /afs/*/*/*/*/*/*/web_scripts>
134    AllowOverride All
135</Directory>
136<Directory /afs/*/*/*/*/*/*/*/web_scripts>
137    AllowOverride All
138</Directory>
139<Directory /afs/*/*/*/*/*/*/*/*/web_scripts>
140    AllowOverride All
141</Directory>
142
143<IfModule mod_dir.c>
144    DirectoryIndex index index.html index.htm index.cgi index.pl index.php index.py index.shtml index.exe index.fcgi
145</IfModule>
146
147AccessFileName .htaccess
148
149<Files ~ "^\.ht">
150    Require all denied
151</Files>
152
153UseCanonicalName Off
154TypesConfig /etc/mime.types
155#MIMEMagicFile conf/magic
156
157HostnameLookups Off
158ErrorLog "/home/logview/error_log"
159LogLevel warn
160LogFormat "%V %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
161LogFormat "%h %l %u %t \"%r\" %>s %b" common
162LogFormat "%a %V %U" statistics
163#CustomLog /var/log/httpd/access_log combined
164#CustomLog "|/etc/httpd/statistics_log_mitonly.sh" statistics
165ServerSignature Off
166ServerAdmin scripts@mit.edu
167ServerTokens Prod
168Header add Scripts-IP "%{SERVER_ADDR}e"
169
170<IfModule mod_autoindex.c>
171    Alias /__scripts/icons /usr/share/httpd/icons/
172    <Directory /usr/share/httpd/icons/>
173        Options Indexes
174        AllowOverride None
175        <Files ~ "\.(gif|png)$">
176            SetHandler default-handler
177        </Files>
178    </Directory>
179
180    IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable
181
182    AddIconByEncoding (CMP,/__scripts/icons/compressed.gif) x-compress x-gzip
183
184    AddIconByType (TXT,/__scripts/icons/text.gif) text/*
185    AddIconByType (IMG,/__scripts/icons/image2.gif) image/*
186    AddIconByType (SND,/__scripts/icons/sound2.gif) audio/*
187    AddIconByType (VID,/__scripts/icons/movie.gif) video/*
188
189    AddIcon /__scripts/icons/binary.gif .bin .exe
190    AddIcon /__scripts/icons/binhex.gif .hqx
191    AddIcon /__scripts/icons/tar.gif .tar
192    AddIcon /__scripts/icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
193    AddIcon /__scripts/icons/compressed.gif .Z .z .tgz .gz .zip
194    AddIcon /__scripts/icons/a.gif .ps .ai .eps
195    AddIcon /__scripts/icons/layout.gif .html .shtml .htm .pdf
196    AddIcon /__scripts/icons/text.gif .txt
197    AddIcon /__scripts/icons/c.gif .c
198    AddIcon /__scripts/icons/p.gif .pl .py
199    AddIcon /__scripts/icons/f.gif .for
200    AddIcon /__scripts/icons/dvi.gif .dvi
201    AddIcon /__scripts/icons/uuencoded.gif .uu
202    AddIcon /__scripts/icons/script.gif .conf .sh .shar .csh .ksh .tcl
203    AddIcon /__scripts/icons/tex.gif .tex
204    AddIcon /__scripts/icons/bomb.gif core
205
206    AddIcon /__scripts/icons/back.gif ..
207    AddIcon /__scripts/icons/hand.right.gif README
208    AddIcon /__scripts/icons/folder.gif ^^DIRECTORY^^
209    AddIcon /__scripts/icons/blank.gif ^^BLANKICON^^
210
211    DefaultIcon /__scripts/icons/unknown.gif
212
213    ReadmeName README
214    HeaderName HEADER
215   
216    IndexIgnore .??* *~ *# RCS CVS *,v *,t
217</IfModule>
218
219<IfModule mod_mime.c>
220    AddType application/xhtml+xml         .xhtml
221    AddType application/http-index-format .hti
222    AddType text/html                     .html
223    AddType text/css                      .css
224    AddType text/xsl                      .xslt
225    AddType application/x-javascript      .js
226    AddType application/xml               .xml
227    AddType image/svg+xml                 .svg
228    AddType application/vnd.mozilla.xul+xml .xul
229    AddType application/rdf+xml             .rdf
230    AddType application/x-xpinstall         .xpi
231    AddType text/xml .xsl
232    AddType text/html .shtml
233    AddHandler server-parsed .shtml
234
235    AddEncoding x-compress Z
236    AddEncoding x-gzip gz tgz
237
238    AddLanguage da .dk
239    AddLanguage nl .nl
240    AddLanguage en .en
241    AddLanguage et .ee
242    AddLanguage fr .fr
243    AddLanguage de .de
244    AddLanguage el .el
245    AddLanguage it .it
246    AddLanguage ja .ja
247    AddCharset ISO-2022-JP .jis
248    AddLanguage pl .po
249    AddCharset ISO-8859-2 .iso-pl
250    AddLanguage pt .pt
251    AddLanguage pt-br .pt-br
252    AddLanguage ltz .lu
253    AddLanguage ca .ca
254    AddLanguage es .es
255    AddLanguage sv .se
256    AddLanguage cz .cz
257
258    <IfModule mod_negotiation.c>
259        LanguagePriority en da nl et fr de el it ja pl pt pt-br ltz ca es sv
260    </IfModule>
261
262    AddType application/x-tar .tgz
263    AddType image/bmp .bmp
264
265    AddType text/x-hdml .hdml
266</IfModule>
267
268<IfModule mod_setenvif.c>
269    BrowserMatch "Mozilla/2" nokeepalive
270    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
271    BrowserMatch "RealPlayer 4\.0" force-response-1.0
272    BrowserMatch "Java/1\.0" force-response-1.0
273    BrowserMatch "JDK/1\.0" force-response-1.0
274    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
275</IfModule>
276
277Listen 80
278
279RLimitCPU 300 300
280RLimitMEM 1610612736 1610612736
281RLimitNPROC 4096 4096
282
283ServerName localhost
284DocumentRoot /afs/athena.mit.edu/contrib/scripts/www
285
286ExtendedStatus On
287RewriteEngine Off
288
289ProxyRequests Off
290
291<Location /robots.txt>
292    ErrorDocument 404 "No robots.txt.
293</Location>
294<Location /favicon.ico>
295    ErrorDocument 404 "No favicon.ico.
296</Location>
297
298<VirtualHost 18.181.0.50:80>
299    ServerName scripts-cert.mit.edu
300    ServerAlias scripts-cert
301    Include conf.d/scripts-vhost.conf
302    Include conf.d/vhosts-common.conf
303</VirtualHost>
304
305# LDAP vhost, w00t w00t
306<VirtualHost *:80>
307    Include conf.d/vhost_ldap.conf
308    Include conf.d/vhosts-common.conf
309</VirtualHost>
310
311<VirtualHost *:80>
312    Include conf.d/scripts-vhost-names.conf
313    Include conf.d/scripts-vhost.conf
314    Include conf.d/vhosts-common.conf
315</VirtualHost>
316
317<IfModule ssl_module>
318    Listen 443
319    Listen 444
320
321    AddType application/x-x509-ca-cert .crt
322    AddType application/x-pkcs7-crl    .crl
323
324    # This directive allows insecure renegotiations to succeed for browsers
325    # that do not yet support RFC 5746.  It should be removed when enough
326    # of the world has caught up.
327    SSLInsecureRenegotiation on
328
329    SSLPassPhraseDialog  builtin
330    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
331    SSLSessionCacheTimeout 28800
332    SSLRandomSeed startup file:/dev/urandom 256
333    SSLRandomSeed connect builtin
334    SSLCryptoDevice builtin
335    SSLCACertificateFile /etc/pki/tls/certs/ca.pem
336    SSLVerifyClient none
337    SSLOptions +StdEnvVars
338
339    # Copied from https://wiki.mozilla.org/Security/Server_Side_TLS
340    # (backward compatibility configuration)
341    SSLProtocol all -SSLv2
342    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
343    SSLHonorCipherOrder on
344    SSLCompression off
345
346    <VirtualHost 18.181.0.50:443 18.181.0.50:444>
347        ServerName scripts-cert.mit.edu
348        ServerAlias scripts-cert
349        Include conf.d/scripts-vhost.conf
350        Include conf.d/vhosts-common-ssl.conf
351        SSLCertificateFile /etc/pki/tls/certs/scripts-cert.pem
352        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
353        Include conf.d/vhosts-common-ssl-cert.conf
354    </VirtualHost>
355    <VirtualHost 18.181.0.43:443>
356        Include conf.d/scripts-vhost-names.conf
357        Include conf.d/scripts-vhost.conf
358        Include conf.d/vhosts-common-ssl.conf
359        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
360        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
361    </VirtualHost>
362    <VirtualHost 18.181.0.43:444>
363        Include conf.d/scripts-vhost-names.conf
364        Include conf.d/scripts-vhost.conf
365        Include conf.d/vhosts-common-ssl.conf
366        Include conf.d/vhosts-common-ssl-cert.conf
367        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
368        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
369    </VirtualHost>
370    # LDAP vhost, w00t w00t
371    <VirtualHost *:443>
372        ServerName localhost
373        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
374        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
375        Include conf.d/vhost_ldap.conf
376        Include conf.d/vhosts-common-ssl.conf
377    </VirtualHost>
378    # LDAP vhost, w00t w00t
379    <VirtualHost *:444>
380        ServerName localhost
381        SSLCertificateFile /etc/pki/tls/certs/star.scripts.pem
382        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
383        Include conf.d/vhost_ldap.conf
384        Include conf.d/vhosts-common-ssl.conf
385        Include conf.d/vhosts-common-ssl-cert.conf
386    </VirtualHost>
387</IfModule>
388Include vhosts.d/*.conf
389<IfModule ssl_module>
390    <VirtualHost *:443>
391        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
392        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
393        Include conf.d/scripts-vhost-names.conf
394        Include conf.d/scripts-vhost.conf
395        Include conf.d/vhosts-common-ssl.conf
396    </VirtualHost>
397    <VirtualHost *:444>
398        SSLCertificateFile /etc/pki/tls/certs/scripts.pem
399        SSLCertificateKeyFile /etc/pki/tls/private/scripts.key
400        Include conf.d/scripts-vhost-names.conf
401        Include conf.d/scripts-vhost.conf
402        Include conf.d/vhosts-common-ssl.conf
403        Include conf.d/vhosts-common-ssl-cert.conf
404    </VirtualHost>
405</IfModule>
406
407LoadModule fcgid_module modules/mod_fcgid.so
408AddHandler fcgid-script fcgi
409<Files *.fcgi>
410        Options +ExecCGI
411</Files>
412SocketPath /var/run/mod_fcgid
413SharememPath /var/run/mod_fcgid/fcgid_shm
414IPCCommTimeout 300
415FcgidMaxRequestLen 209715200
416FcgidIdleTimeout 600
417FcgidMaxProcessesPerClass 10
418FcgidMinProcessesPerClass 0
419FcgidMaxRequestsPerProcess 10000
420
421Include conf.d/auth_sslcert.conf
422Include conf.d/execsys.conf
423Include conf.d/scripts-special.conf
Note: See TracBrowser for help on using the repository browser.