|
4 | 4 | # for the ISPConfig controlpanel |
5 | 5 | ###################################################### |
6 | 6 |
|
7 | | -{vhost_port_listen} Listen {vhost_port} |
8 | | -<tmpl_if name='apache_version' op='<' value='2.4' format='version'> |
9 | | - NameVirtualHost *:{vhost_port} |
10 | | -</tmpl_if> |
| 7 | +<tmpl_var name="vhost_port_listen"> Listen <tmpl_var name="vhost_port"> |
| 8 | +NameVirtualHost *:<tmpl_var name="vhost_port"> |
11 | 9 |
|
12 | | -<VirtualHost _default_:{vhost_port}> |
| 10 | +<VirtualHost _default_:<tmpl_var name="vhost_port">> |
13 | 11 | ServerAdmin webmaster@localhost |
14 | 12 |
|
15 | 13 | Alias /mail /var/www/ispconfig/mail |
16 | 14 |
|
| 15 | + <Directory /var/www/ispconfig/> |
| 16 | + <FilesMatch "\.ph(p3?|tml)$"> |
| 17 | + SetHandler None |
| 18 | + </FilesMatch> |
| 19 | + </Directory> |
| 20 | + <Directory /usr/local/ispconfig/interface/web/> |
| 21 | + <FilesMatch "\.ph(p3?|tml)$"> |
| 22 | + SetHandler None |
| 23 | + </FilesMatch> |
| 24 | + </Directory> |
| 25 | + |
17 | 26 | <IfModule mod_fcgid.c> |
18 | 27 | DocumentRoot /var/www/ispconfig/ |
19 | 28 | SuexecUserGroup ispconfig ispconfig |
20 | 29 | <Directory /var/www/ispconfig/> |
21 | | - Options +Indexes +FollowSymLinks +MultiViews +ExecCGI |
| 30 | + Options -Indexes +FollowSymLinks +MultiViews +ExecCGI |
22 | 31 | AllowOverride AuthConfig Indexes Limit Options FileInfo |
23 | | - <FilesMatch "\.ph(p[3-5]?|tml)$"> |
| 32 | + <FilesMatch "\.php$"> |
24 | 33 | SetHandler fcgid-script |
25 | 34 | </FilesMatch> |
26 | 35 | FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php |
| 36 | + <tmpl_if name='apache_version' op='>' value='2.2' format='version'> |
| 37 | + Require all granted |
| 38 | + <tmpl_else> |
27 | 39 | Order allow,deny |
28 | 40 | Allow from all |
| 41 | + </tmpl_if> |
29 | 42 | </Directory> |
30 | 43 | DirectoryIndex index.php |
| 44 | + IPCCommTimeout 7200 |
| 45 | + MaxRequestLen 15728640 |
| 46 | + </IfModule> |
| 47 | + |
| 48 | + <IfModule mod_proxy_fcgi.c> |
| 49 | + DocumentRoot /usr/local/ispconfig/interface/web |
| 50 | + SuexecUserGroup ispconfig ispconfig |
| 51 | + DirectoryIndex index.php |
| 52 | + |
| 53 | + <Directory /usr/local/ispconfig/interface/web> |
| 54 | + Options -Indexes +FollowSymLinks +MultiViews +ExecCGI |
| 55 | + AllowOverride AuthConfig Indexes Limit Options FileInfo |
| 56 | + <tmpl_if name='apache_version' op='>' value='2.2' format='version'> |
| 57 | + Require all granted |
| 58 | + <tmpl_else> |
| 59 | + Order allow,deny |
| 60 | + Allow from all |
| 61 | + </tmpl_if> |
| 62 | + <FilesMatch \.php$> |
| 63 | + #SetHandler "proxy:unix:/var/lib/php5-fpm/ispconfig.sock|fcgi://localhost" |
| 64 | + SetHandler "proxy:fcgi://127.0.0.1:9000" |
| 65 | + </FilesMatch> |
| 66 | + </Directory> |
31 | 67 | </IfModule> |
32 | 68 |
|
33 | | - <IfModule mod_php5.c> |
| 69 | + <IfModule mpm_itk_module> |
34 | 70 | DocumentRoot /usr/local/ispconfig/interface/web/ |
| 71 | + AssignUserId ispconfig ispconfig |
35 | 72 | AddType application/x-httpd-php .php |
36 | 73 | <Directory /usr/local/ispconfig/interface/web> |
| 74 | + # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp" |
37 | 75 | Options +FollowSymLinks |
38 | 76 | AllowOverride None |
| 77 | + <tmpl_if name='apache_version' op='>' value='2.2' format='version'> |
| 78 | + Require all granted |
| 79 | + <tmpl_else> |
39 | 80 | Order allow,deny |
40 | 81 | Allow from all |
41 | | - php_value magic_quotes_gpc 0 |
| 82 | + </tmpl_if> |
| 83 | + php_value magic_quotes_gpc 0 |
42 | 84 | </Directory> |
43 | 85 | </IfModule> |
44 | 86 |
|
|
51 | 93 | </IfModule> |
52 | 94 |
|
53 | 95 | # SSL Configuration |
54 | | - {ssl_comment}SSLEngine On |
55 | | - {ssl_comment}SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt |
56 | | - {ssl_comment}SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key |
| 96 | + <tmpl_var name="ssl_comment">SSLEngine On |
| 97 | + <tmpl_if name='apache_version' op='>=' value='2.3.16' format='version'> |
| 98 | + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1 |
| 99 | + <tmpl_else> |
| 100 | + <tmpl_var name="ssl_comment">SSLProtocol All -SSLv2 -SSLv3 |
| 101 | + </tmpl_if> |
| 102 | + <tmpl_var name="ssl_comment">SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt |
| 103 | + <tmpl_var name="ssl_comment">SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key |
| 104 | + <tmpl_var name="ssl_bundle_comment">SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle |
57 | 105 |
|
58 | | -</VirtualHost> |
| 106 | + <tmpl_var name="ssl_comment">SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 |
| 107 | + <tmpl_var name="ssl_comment">SSLHonorCipherOrder On |
| 108 | + <tmpl_if name='apache_version' op='>=' value='2.4.3' format='version'> |
| 109 | + <tmpl_var name="ssl_comment">SSLCompression Off |
| 110 | + </tmpl_if> |
| 111 | + <tmpl_if name='apache_version' op='>=' value='2.4.11' format='version'> |
| 112 | + <tmpl_var name="ssl_comment">SSLSessionTickets Off |
| 113 | + </tmpl_if> |
59 | 114 |
|
60 | | -<Directory /var/www/php-cgi-scripts> |
61 | | - AllowOverride None |
62 | | - Order Deny,Allow |
63 | | - Deny from all |
64 | | -</Directory> |
| 115 | + <IfModule mod_headers.c> |
| 116 | + # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval |
| 117 | + Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'" |
| 118 | + <tmpl_var name="ssl_comment">Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests" |
| 119 | + Header set X-Content-Type-Options: nosniff |
| 120 | + Header set X-Frame-Options: SAMEORIGIN |
| 121 | + Header set X-XSS-Protection: "1; mode=block" |
| 122 | + Header always edit Set-Cookie (.*) "$1; HTTPOnly" |
| 123 | + <tmpl_var name="ssl_comment">Header always edit Set-Cookie (.*) "$1; Secure" |
| 124 | + <IfModule mod_version.c> |
| 125 | + <IfVersion >= 2.4.7> |
| 126 | + Header setifempty Strict-Transport-Security "max-age=15768000" |
| 127 | + </IfVersion> |
| 128 | + <IfVersion < 2.4.7> |
| 129 | + Header set Strict-Transport-Security "max-age=15768000" |
| 130 | + </IfVersion> |
| 131 | + </IfModule> |
| 132 | + RequestHeader unset Proxy early |
| 133 | + </IfModule> |
| 134 | + |
| 135 | + <tmpl_if name='apache_version' op='>=' value='2.3.3' format='version'> |
| 136 | + <tmpl_var name="ssl_comment">SSLUseStapling On |
| 137 | + <tmpl_var name="ssl_comment">SSLStaplingResponderTimeout 5 |
| 138 | + <tmpl_var name="ssl_comment">SSLStaplingReturnResponderErrors Off |
| 139 | + </tmpl_if> |
| 140 | + |
| 141 | + # Redirect http to https |
| 142 | + ErrorDocument 400 "<script>document.location.href='https://'+location.hostname+':'+location.port';</script><h1>Error 400 - trying to redirect</h1>" |
| 143 | + |
| 144 | +</VirtualHost> |
65 | 145 |
|
66 | | -<Directory /var/www/php-fcgi-scripts> |
67 | | - AllowOverride None |
68 | | - Order Deny,Allow |
69 | | - Deny from all |
70 | | -</Directory> |
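Review bot: In the new `<IfModule mod_proxy_fcgi.c>` block the active handler is `SetHandler "proxy:fcgi://127.0.0.1:9000"`, a loopback TCP listener that any local account or process on the server can connect to, while the Unix-socket form is left commented out. For a control panel on a shared-hosting machine I would make the socket variant the active line, `SetHandler "proxy:unix:/var/lib/php5-fpm/ispconfig.sock|fcgi://localhost"`, so that access to the panel's PHP backend is limited by file permissions. The pool definition is not part of this diff, so the socket's owner and mode, and the user the pool runs as, need checking there; `SuexecUserGroup` in this block presumably does not control that. Separately, the `ErrorDocument 400` script has a stray quote after `location.port` (`+location.port';`), which leaves an unterminated string so the redirect never runs; it should end `+':'+location.port;</script>`.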
|