79 lines
2.4 KiB
Plaintext
79 lines
2.4 KiB
Plaintext
#########################################################################
|
|
# This file is centrally managed by chef.
|
|
# Manual changes will be over written
|
|
#########################################################################
|
|
|
|
# TODO: These standard settings should be merged back in with the
|
|
# httpd.conf.erb file
|
|
|
|
# Disable access to the entire file system except for the directories that
|
|
# are explicitly allowed later.
|
|
#
|
|
# This currently breaks the configurations that come with some web application
|
|
# Debian packages. It will be made the default for the release after lenny.
|
|
#
|
|
#<Directory />
|
|
# AllowOverride None
|
|
# Order Deny,Allow
|
|
# Deny from all
|
|
#</Directory>
|
|
|
|
|
|
# Changing the following options will not really affect the security of the
|
|
# server, but might make attacks slightly more difficult in some cases.
|
|
|
|
#
|
|
# ServerTokens
|
|
# This directive configures what you return as the Server HTTP response
|
|
# Header. The default is 'Full' which sends information about the OS-Type
|
|
# and compiled in modules.
|
|
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
|
|
# where Full conveys the most information, and Prod the least.
|
|
#
|
|
ServerTokens Prod
|
|
|
|
#
|
|
# Optionally add a line containing the server version and virtual host
|
|
# name to server-generated pages (internal error documents, FTP directory
|
|
# listings, mod_status and mod_info output etc., but not CGI generated
|
|
# documents or custom error documents).
|
|
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
|
|
# Set to one of: On | Off | EMail
|
|
#
|
|
ServerSignature Off
|
|
|
|
#
|
|
# Allow TRACE method
|
|
#
|
|
# Set to "extended" to also reflect the request body (only for testing and
|
|
# diagnostic purposes).
|
|
#
|
|
# Set to one of: On | Off | extended
|
|
#
|
|
TraceEnable Off
|
|
|
|
#
|
|
# Always send HSTS Header
|
|
#
|
|
#
|
|
<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>
|
|
LoadModule headers_module modules/mod_headers.so
|
|
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
|
|
<% end %>
|
|
|
|
#
|
|
# Always redirect incoming HTTP connections to HTTPS
|
|
|
|
# Enable mod_rewrite
|
|
# If connection is not https
|
|
# Rewrite the URL to https using the host and URI passed by the browser.
|
|
|
|
<% unless node['zabbix']['httpd_conf']['https_redirection_enabled'] == false %>
|
|
RewriteEngine On
|
|
RewriteCond %{HTTPS} !=on
|
|
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
|
|
<% end %>
|
|
|
|
# Address ETag Inode Information Leakage Vulnerability
|
|
FileETag MTime Size
|