cookbook-zabbix/templates/default/security.conf.erb

#########################################################################
#               This file is centrally managed by chef.
#                 Manual changes will be over written
#########################################################################

# TODO: These standard settings should be merged back in with the
#       httpd.conf.erb file

# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages. It will be made the default for the release after lenny.
#
#<Directory />
#	AllowOverride None
#	Order Deny,Allow
#	Deny from all
#</Directory>


# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off

#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of:  On | Off | extended
#
TraceEnable Off

#
# Always send HSTS Header
#
#
<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>
LoadModule headers_module modules/mod_headers.so
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
<% end %>

#
# Always redirect incoming HTTP connections to HTTPS

# Enable mod_rewrite
# If connection is not https
# Rewrite the URL to https using the host and URI passed by the browser.

<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
<% end %>

# Address ETag Inode Information Leakage Vulnerability
FileETag MTime Size
Initial commit 2017-02-07 01:02:03 -05:00			`#########################################################################`
			`# This file is centrally managed by chef.`
			`# Manual changes will be over written`
			`#########################################################################`

			`# TODO: These standard settings should be merged back in with the`
			`# httpd.conf.erb file`

			`# Disable access to the entire file system except for the directories that`
			`# are explicitly allowed later.`
			`#`
			`# This currently breaks the configurations that come with some web application`
			`# Debian packages. It will be made the default for the release after lenny.`
			`#`
			`#<Directory />`
			`# AllowOverride None`
			`# Order Deny,Allow`
			`# Deny from all`
			`#</Directory>`


			`# Changing the following options will not really affect the security of the`
			`# server, but might make attacks slightly more difficult in some cases.`

			`#`
			`# ServerTokens`
			`# This directive configures what you return as the Server HTTP response`
			`# Header. The default is 'Full' which sends information about the OS-Type`
			`# and compiled in modules.`
			`# Set to one of: Full \| OS \| Minimal \| Minor \| Major \| Prod`
			`# where Full conveys the most information, and Prod the least.`
			`#`
			`ServerTokens Prod`

			`#`
			`# Optionally add a line containing the server version and virtual host`
			`# name to server-generated pages (internal error documents, FTP directory`
			`# listings, mod_status and mod_info output etc., but not CGI generated`
			`# documents or custom error documents).`
			`# Set to "EMail" to also include a mailto: link to the ServerAdmin.`
			`# Set to one of: On \| Off \| EMail`
			`#`
			`ServerSignature Off`

			`#`
			`# Allow TRACE method`
			`#`
			`# Set to "extended" to also reflect the request body (only for testing and`
			`# diagnostic purposes).`
			`#`
			`# Set to one of: On \| Off \| extended`
			`#`
			`TraceEnable Off`

			`#`
			`# Always send HSTS Header`
			`#`
			`#`
			`<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>`
			`LoadModule headers_module modules/mod_headers.so`
			`Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"`
			`<% end %>`

			`#`
			`# Always redirect incoming HTTP connections to HTTPS`

			`# Enable mod_rewrite`
			`# If connection is not https`
			`# Rewrite the URL to https using the host and URI passed by the browser.`

			`<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>`
			`RewriteEngine On`
			`RewriteCond %{HTTPS} !=on`
			`RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}`
			`<% end %>`

			`# Address ETag Inode Information Leakage Vulnerability`
			`FileETag MTime Size`