New 2.4 configuration, need sanity and security check

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

New 2.4 configuration, need sanity and security check

David Mehler
Hello,

I'm doing a config rewrite. I'm using apache 2.4. If someone who does
security could give my setup a check from a security perspective i'd
appreciate it.

I'm also wondering in particular about my cache setup and virtual
hosts. There's a lot of repeated lines.

Config at the end of this message, rather long.

Much appreciation.

Thanks.
Dave.

# httpd.conf

#
# Httpd minimalistic configuration
#

ServerRoot "/usr/local"
Listen xxx.xxx.xxx.xxx:80
# Loadable modules
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
#LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
LoadModule file_cache_module libexec/apache24/mod_file_cache.so
LoadModule cache_module libexec/apache24/mod_cache.so
LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
#LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
#LoadModule lua_module libexec/apache24/mod_lua.so
LoadModule env_module libexec/apache24/mod_env.so
LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule lbmethod_byrequests_module
libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module
libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
#LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
#LoadModule suexec_module libexec/apache24/mod_suexec.so
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
#LoadModule security2_module libexec/apache24/mod_security2.so
#LoadModule perl_module        libexec/apache24/mod_perl.so
#LoadModule evasive20_module   libexec/apache24/mod_evasive20.so
LoadModule geoip_module       libexec/apache24/mod_geoip.so
LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so
LoadModule php5_module        libexec/apache24/libphp5.so

User www
Group www
ServerAdmin [hidden email]
ServerName www.example.com:80
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/www/apache24/xxxxxxxxx"
<Directory "/usr/local/www/apache24/xxx">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
    DirectoryIndex index.html index.htm index.pl
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "/var/log/httpd-error.log"
LogLevel warn
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog "/var/log/httpd-access.log" common
<IfModule headers_module>
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    RequestHeader unset Proxy early
</IfModule>
    TypesConfig etc/apache24/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
#   MIME-types for downloading Certificates and CRLs
AddType application/x-x509-cacert .crt
AddType application/x-pkcs7-crl    .crl
# Mime types for HTML 5 audio and videos
AddType audio/aac .aac
AddType audio/mp4 .mp4 .m4a
AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg
AddType audio/ogg .oga .ogg
AddType audio/wav .wav
AddType audio/webm .webm
AddType video/mp4 .mp4 .m4v
AddType video/ogg .ogv
AddType video/webm .webm
MIMEMagicFile etc/apache24/magic

# Include server default values
Include etc/apache24/extra/httpd-default.conf

# Include mpm values
Include etc/apache24/extra/httpd-mpm.conf

# Secure (SSL/TLS) connections
Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

# Some security settings
Include etc/apache24/extra/httpd-security.conf
Include etc/apache24/Includes/*.conf
# For mod security
#Include /usr/local/etc/modsecurity/*.conf
# Load the base Owasp rules
  #Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf

#
# Mod deflate settings
#
     SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
text/javascript application/javascript
     SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v
          Header append Vary User-Agent

AcceptFilter http none
AcceptFilter https none

# GeoIP
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
GeoIPScanProxyHeaders On

# Cache setup
CacheRoot /usr/local/www/proxy
CacheDirLevels 2
CacheDirLength 1

# for acme challenges
<Directory "/usr/local/www/.well-known/">
   Options None
   AllowOverride None
   Require all granted
   Header add Content-Type text/plain
</Directory>

# httpd-default.conf

#
# This configuration file reflects default settings for Apache HTTP Server.
#
# You may change these, but chances are that you may not need to.
#

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 60

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 5

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName On

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature Off

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

#
# Set a timeout for how long the client may take to send the request header
# and body.
# The default for the headers is header=20-40,MinRate=500, which means wait
# for the first byte of headers for 20 seconds. If some data arrives,
# increase the timeout corresponding to a data rate of 500 bytes/s, but not
# above 40 seconds.
# The default for the request body is body=20,MinRate=500, which is the same
# but has no upper limit for the timeout.
# To disable, set to header=0 body=0
#
<IfModule reqtimeout_module>
  RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# httpd-mpm.conf
#
# Server-Pool Management (MPM specific)
#

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
# Note that this is the default PidFile for most MPMs.
#
<IfModule !mpm_netware_module>
    PidFile "/var/run/httpd.pid"
</IfModule>

#
# Only one of the below sections will be relevant on your
# installed httpd.  Use "apachectl -l" to find out the
# active mpm.
#

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxRequestWorkers: maximum number of server processes allowed to start
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_prefork_module>
    StartServers             8
    MinSpareServers          40
    MaxSpareServers         80
    MaxClients 200
    MaxRequestsPerChild 9000
    #MaxRequestWorkers      250
    #MaxConnectionsPerChild   12000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_worker_module>
    StartServers             3
    MinSpareThreads         75
    MaxSpareThreads        250
    ThreadsPerChild         25
    MaxRequestWorkers      400
    MaxConnectionsPerChild   0
</IfModule>

# event MPM
# StartServers: initial number of server processes to start
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestWorkers: maximum number of worker threads
# MaxConnectionsPerChild: maximum number of connections a server process serves
#                         before terminating
<IfModule mpm_event_module>
    StartServers             4
    MinSpareThreads         30
    MaxSpareThreads        100
    ThreadsPerChild         50
    MaxRequestWorkers      200
    MaxConnectionsPerChild   6000
</IfModule>

# NetWare MPM
# ThreadStackSize: Stack size allocated for each worker thread
# StartThreads: Number of worker threads launched at server startup
# MinSpareThreads: Minimum number of idle threads, to handle request spikes
# MaxSpareThreads: Maximum number of idle threads
# MaxThreads: Maximum number of worker threads alive at the same time
# MaxConnectionsPerChild: Maximum  number of connections a thread serves. It
#                         is recommended that the default value of 0 be set
#                         for this directive on NetWare.  This will allow the
#                         thread to continue to service requests indefinitely.
<IfModule mpm_netware_module>
    ThreadStackSize      65536
    StartThreads           250
    MinSpareThreads         25
    MaxSpareThreads        250
    MaxThreads            1000
    MaxConnectionsPerChild   0
</IfModule>

# OS/2 MPM
# StartServers: Number of server processes to maintain
# MinSpareThreads: Minimum number of idle threads per process,
#                  to handle request spikes
# MaxSpareThreads: Maximum number of idle threads per process
# MaxConnectionsPerChild: Maximum number of connections per server process
<IfModule mpm_mpmt_os2_module>
    StartServers             2
    MinSpareThreads          5
    MaxSpareThreads         10
    MaxConnectionsPerChild   0
</IfModule>

# WinNT MPM
# ThreadsPerChild: constant number of worker threads in the server process
# MaxConnectionsPerChild: maximum number of connections a server process serves
<IfModule mpm_winnt_module>
    ThreadsPerChild        150
    MaxConnectionsPerChild   0
</IfModule>

# The maximum number of free Kbytes that every allocator is allowed
# to hold without calling free(). In threaded MPMs, every thread has its own
# allocator. When not set, or when set to zero, the threshold will be set to
# unlimited.
<IfModule !mpm_netware_module>
    MaxMemFree            2048
</IfModule>
<IfModule mpm_netware_module>
    MaxMemFree             100
</IfModule>

# httpd-ssl.conf
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
listen 66.228.47.34:443
#Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443

# OCSP Stapling settings
SSLUseStapling On
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLStaplingResponderTimeout 15
SSLStaplingReturnResponderErrors off
SSLStaplingStandardCacheTimeout 3600

# For modern configuration
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
# 04/14/17:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH
SSLHonorCipherOrder On
#SSLProtocol all -SSLv2 -SSLv3
        # Enable PFS
#SSLHonorCipherOrder On
#SSLCipherSuite
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH
 #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
#SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
#SSSLCipherSuite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#
# https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCompression Off
SSLSessionTickets Off
# Strong dh parameters file
SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"

# For temporary legacy intermediate clients
#SSLProtocol             all -SSLv2 -SSLv3
#SSLCipherSuite
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#SSLHonorCipherOrder     on
#SSLCompression          off
SSLPassPhraseDialog  builtin
SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout  300

<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache24/sslvhost"
ServerName www.davemehler.com:443
ServerAdmin [hidden email]
ErrorLog "/var/log/http-ssl-error.log"
TransferLog "/var/log/httpd-ssl-access.log"
SSLEngine on
SSLCertificateFile "/etc/ssl/certs/server.crt"
SSLCertificateKeyFile "/etc/ssl/private/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
        <Directory /usr/local/www/apache24/sslvhost>
Require all granted
Options FollowSymLinks
AllowOverRide none
        </Directory>
<Directory "/usr/local/www/apache24/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
#BrowserMatch "MSIE [2-5]" \
         #nokeepalive ssl-unclean-shutdown \
         #downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
#Alias /mail "/usr/local/www/roundcube/"
#Alias /awstats/icon "/usr/local/www/awstats/icon/"
#Alias /awstatsicon "/usr/local/www/awstats/icon/"
#ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/"
</VirtualHost>

# httpd-security.conf
<IfModule mod_headers.c>
Header unset ETag
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header set X-XSS-Protection "1; mode=block"
Header append Referrer-Policy: no-referrer-when-downgrade
Header always unset "X-Powered-By"
Header set X-Permitted-Cross-Domain-Policies "none"
</IfModule>
# Remove server identification header
<ifModule ModSecurity.c>
  SecServerSignature ''
</ifModule>

FileETag None
TraceEnable off

# Deploy Content Security Policy CSP
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
    Header set X-Content-Type-Options nosniff
# Originally set to deny
    #Header set X-Frame-Options DENY
    Header set X-Frame-Options SAMEORIGIN
</IfModule>

# mod_evasive module
<IfModule mod_evasive20.c>
    DOSHashTableSize    3097
    DOSPageCount        2
    DOSSiteCount        50
    DOSPageInterval     1
    DOSSiteInterval     1
    DOSBlockingPeriod   10
DOSEmailNotify [hidden email]
DOSWhitelist 127.0.0.1
DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
</IfModule>

vhosts.conf
#
# Virtual host file
#

# The example.com http virtual host
<VirtualHost *:80>
    ServerName example.com
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/example.com/htdocs/"
    ServerName www.example.com
    ServerAlias www.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.com/.well-known gets
forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.com/logs/error.log"
    <Directory "/usr/vhosts/example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The test.example.com http virtual host
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/test.example.com/htdocs/"
    ServerName test.example.com
    ServerAlias test.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to test.example.com/.well-known gets
forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://test.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/test.example.com/logs/error.log"
    <Directory "/usr/vhosts/test.example.com/htdocs/">
 # mod_authn_core and mod_auth_basic configuration
 # for mod_authn_dbd
 #AuthType Basic
 #AuthName "Restricted Access"

 # To cache credentials, put socache ahead of dbd here
 #AuthBasicProvider socache dbd

 # Also required for caching: tell the cache to cache dbd lookups!
 #AuthnCacheProvideFor dbd
 #AuthnCacheContext my-server

 # mod_authn_dbd SQL query to authenticate a user
 #AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s"

 # mod_authz_core configuration
            #<RequireAll>
                #Require group alpha beta testgroup
#Require dbd-group team
                #Require not group reject
                #<RequireAny>
                    #Require valid-user
                #</RequireAny>
        #<RequireNone>
            #Require group temps
        #</RequireNone>
            #</RequireAll>
                    #Require group testgroup
#Require dbd-group testgroup
                    #Require valid-user

  # mod_authz_dbd configuration
  #AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'"
#AuthzSendForbiddenOnFailure On
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The example.net http virtual host
<VirtualHost *:80>
    ServerName example.net
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.net/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/example.net/htdocs/"
    ServerName www.example.net
    ServerAlias www.example.net

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.net/.well-known gets
forwarded to the https site
#    RewriteEngine on
#    RewriteCond %{REQUEST_URI} !^/.well-known
#    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.net/logs/error.log"
    <Directory "/usr/vhosts/example.net/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The example.org http virtual host
<VirtualHost *:80>
    ServerName example.org
    RewriteEngine On
    RewriteRule ^/?(.*) http://www.example.org/$1 [R,L]
</VirtualHost>
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/example.org/htdocs/"
    ServerName www.example.org
    ServerAlias www.example.org

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to example.org/.well-known gets
forwarded to the https site
#    RewriteEngine on
#    RewriteCond %{REQUEST_URI} !^/.well-known
#    RewriteRule (.*) https://www.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/example.org/logs/error.log"
    <Directory "/usr/vhosts/example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The webmail.example.com http virtual host
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
    ServerName webmail.example.com
    ServerAlias webmail.example.com

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to webmail.example.com/.well-known
gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]

    ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
    <Directory "/usr/vhosts/webmail.example.com/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

# The webmail.example.org http virtual host
<VirtualHost *:80>
    ServerAdmin [hidden email]
    DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/"
    ServerName webmail.example.org
    ServerAlias webmail.example.org

    ErrorDocument 404 /errordocs/error404.htm
    # share well-known for renewal via Let's Encrypt!
    Alias /.well-known/ /usr/local/www/.well-known/

    # Anything that isn't going to webmail.example.org/.well-known
gets forwarded to the https site
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/.well-known
    RewriteRule (.*) https://webmail.example.org/$1 [R=301,L]

    ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log"
    <Directory "/usr/vhosts/webmail.example.org/htdocs/">
Options FollowSymLinks
AllowOverRide None
Require all granted
    </Directory>
    <IfModule mod_log_config.c>
        CustomLog "|/usr/local/sbin/rotatelogs -l
/usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400"
combined
    </IfModule>

# Disc cache setup
    CacheQuickHandler off
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5
    CacheIgnoreHeaders Set-Cookie
    <Location />
        CacheEnable disk
        CacheHeader on
        CacheDefaultExpire 600
        CacheMaxExpire 86400
        CacheLastModifiedFactor 0.5
        ExpiresActive on
        ExpiresDefault "access plus 5 minutes"
        Header merge Cache-Control public
        FileETag All
    </Location>
</VirtualHost>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: New 2.4 configuration, need sanity and security check

Frank Gingras
On 16/06/17 10:53 PM, David Mehler wrote:

> Hello,
>
> I'm doing a config rewrite. I'm using apache 2.4. If someone who does
> security could give my setup a check from a security perspective i'd
> appreciate it.
>
> I'm also wondering in particular about my cache setup and virtual
> hosts. There's a lot of repeated lines.
>
> Config at the end of this message, rather long.
>
> Much appreciation.
>
> Thanks.
> Dave.
>
> # httpd.conf
>
> #
> # Httpd minimalistic configuration
> #
>
> ServerRoot "/usr/local"
> Listen xxx.xxx.xxx.xxx:80
> # Loadable modules
> LoadModule authn_file_module libexec/apache24/mod_authn_file.so
> #LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
> #LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
> LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
> LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
> LoadModule authn_core_module libexec/apache24/mod_authn_core.so
> LoadModule authz_host_module libexec/apache24/mod_authz_host.so
> LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
> LoadModule authz_user_module libexec/apache24/mod_authz_user.so
> #LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
> #LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
> LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
> LoadModule authz_core_module libexec/apache24/mod_authz_core.so
> #LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
> #LoadModule access_compat_module libexec/apache24/mod_access_compat.so
> LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
> #LoadModule auth_form_module libexec/apache24/mod_auth_form.so
> #LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
> #LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
> LoadModule file_cache_module libexec/apache24/mod_file_cache.so
> LoadModule cache_module libexec/apache24/mod_cache.so
> LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
> LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
> LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
> #LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
> #LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
> #LoadModule socache_dc_module libexec/apache24/mod_socache_dc.so
> #LoadModule watchdog_module libexec/apache24/mod_watchdog.so
> #LoadModule macro_module libexec/apache24/mod_macro.so
> LoadModule dbd_module libexec/apache24/mod_dbd.so
> #LoadModule dumpio_module libexec/apache24/mod_dumpio.so
> #LoadModule buffer_module libexec/apache24/mod_buffer.so
> #LoadModule data_module libexec/apache24/mod_data.so
> #LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
> #LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
> #LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
> #LoadModule request_module libexec/apache24/mod_request.so
> LoadModule include_module libexec/apache24/mod_include.so
> LoadModule filter_module libexec/apache24/mod_filter.so
> #LoadModule reflector_module libexec/apache24/mod_reflector.so
> #LoadModule substitute_module libexec/apache24/mod_substitute.so
> #LoadModule sed_module libexec/apache24/mod_sed.so
> #LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
> LoadModule deflate_module libexec/apache24/mod_deflate.so
> #LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
> #LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
> LoadModule mime_module libexec/apache24/mod_mime.so
> LoadModule log_config_module libexec/apache24/mod_log_config.so
> #LoadModule log_debug_module libexec/apache24/mod_log_debug.so
> #LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
> #LoadModule logio_module libexec/apache24/mod_logio.so
> #LoadModule lua_module libexec/apache24/mod_lua.so
> LoadModule env_module libexec/apache24/mod_env.so
> LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
> #LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
> LoadModule expires_module libexec/apache24/mod_expires.so
> LoadModule headers_module libexec/apache24/mod_headers.so
> #LoadModule usertrack_module libexec/apache24/mod_usertrack.so
> LoadModule unique_id_module libexec/apache24/mod_unique_id.so
> LoadModule setenvif_module libexec/apache24/mod_setenvif.so
> LoadModule version_module libexec/apache24/mod_version.so
> #LoadModule remoteip_module libexec/apache24/mod_remoteip.so
> #LoadModule proxy_module libexec/apache24/mod_proxy.so
> #LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
> #LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
> #LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
> #LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
> #LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
> #LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
> #LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
> #LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
> #LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
> #LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
> #LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
> #LoadModule session_module libexec/apache24/mod_session.so
> #LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
> #LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
> #LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
> LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
> #LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
> LoadModule ssl_module libexec/apache24/mod_ssl.so
> #LoadModule dialup_module libexec/apache24/mod_dialup.so
> #LoadModule lbmethod_byrequests_module
> libexec/apache24/mod_lbmethod_byrequests.so
> #LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
> #LoadModule lbmethod_bybusyness_module
> libexec/apache24/mod_lbmethod_bybusyness.so
> #LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
> #LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
> LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
> #LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
> LoadModule unixd_module libexec/apache24/mod_unixd.so
> #LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
> #LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
> #LoadModule dav_module libexec/apache24/mod_dav.so
> #LoadModule status_module libexec/apache24/mod_status.so
> #LoadModule autoindex_module libexec/apache24/mod_autoindex.so
> #LoadModule asis_module libexec/apache24/mod_asis.so
> #LoadModule info_module libexec/apache24/mod_info.so
> #LoadModule suexec_module libexec/apache24/mod_suexec.so
> #LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
> #LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
> #LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
> LoadModule negotiation_module libexec/apache24/mod_negotiation.so
> LoadModule dir_module libexec/apache24/mod_dir.so
> #LoadModule imagemap_module libexec/apache24/mod_imagemap.so
> #LoadModule actions_module libexec/apache24/mod_actions.so
> #LoadModule speling_module libexec/apache24/mod_speling.so
> #LoadModule userdir_module libexec/apache24/mod_userdir.so
> LoadModule alias_module libexec/apache24/mod_alias.so
> LoadModule rewrite_module libexec/apache24/mod_rewrite.so
> #LoadModule security2_module libexec/apache24/mod_security2.so
> #LoadModule perl_module        libexec/apache24/mod_perl.so
> #LoadModule evasive20_module   libexec/apache24/mod_evasive20.so
> LoadModule geoip_module       libexec/apache24/mod_geoip.so
> LoadModule h264_streaming_module libexec/apache24/mod_h264_streaming.so
> LoadModule php5_module        libexec/apache24/libphp5.so
>
> User www
> Group www
> ServerAdmin [hidden email]
> ServerName www.example.com:80
> <Directory />
>     AllowOverride none
>     Require all denied
> </Directory>
> DocumentRoot "/usr/local/www/apache24/xxxxxxxxx"
> <Directory "/usr/local/www/apache24/xxx">
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Require all granted
> </Directory>
>     DirectoryIndex index.html index.htm index.pl
> <Files ".ht*">
>     Require all denied
> </Files>
> ErrorLog "/var/log/httpd-error.log"
> LogLevel warn
>     LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" combined
>     LogFormat "%h %l %u %t \"%r\" %>s %b" common
>     CustomLog "/var/log/httpd-access.log" common
> <IfModule headers_module>
>     # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
>     # backend servers which have lingering "httpoxy" defects.
>     # 'Proxy' request header is undefined by the IETF, not listed by IANA
>     RequestHeader unset Proxy early
> </IfModule>
>     TypesConfig etc/apache24/mime.types
>     AddType application/x-compress .Z
>     AddType application/x-gzip .gz .tgz
> #   MIME-types for downloading Certificates and CRLs
> AddType application/x-x509-cacert .crt
> AddType application/x-pkcs7-crl    .crl
> # Mime types for HTML 5 audio and videos
> AddType audio/aac .aac
> AddType audio/mp4 .mp4 .m4a
> AddType audio/mpeg .mp1 .mp2 .mp3 .mpg .mpeg
> AddType audio/ogg .oga .ogg
> AddType audio/wav .wav
> AddType audio/webm .webm
> AddType video/mp4 .mp4 .m4v
> AddType video/ogg .ogv
> AddType video/webm .webm
> MIMEMagicFile etc/apache24/magic
>
> # Include server default values
> Include etc/apache24/extra/httpd-default.conf
>
> # Include mpm values
> Include etc/apache24/extra/httpd-mpm.conf
>
> # Secure (SSL/TLS) connections
> Include etc/apache24/extra/httpd-ssl.conf
> <IfModule ssl_module>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> </IfModule>
>
> # Some security settings
> Include etc/apache24/extra/httpd-security.conf
> Include etc/apache24/Includes/*.conf
> # For mod security
> #Include /usr/local/etc/modsecurity/*.conf
> # Load the base Owasp rules
>   #Include etc/modsecurity/owasp-modsecurity-crs/rules/*.conf
>
> #
> # Mod deflate settings
> #
>      SetOutputFilter DEFLATE
> AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css
> text/javascript application/javascript
>      SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|rar|zip|pdf)$ no-gzip dont-v
>           Header append Vary User-Agent
>
> AcceptFilter http none
> AcceptFilter https none
>
> # GeoIP
> GeoIPEnable On
> SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
> SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
> GeoIPScanProxyHeaders On
>
> # Cache setup
> CacheRoot /usr/local/www/proxy
> CacheDirLevels 2
> CacheDirLength 1
>
> # for acme challenges
> <Directory "/usr/local/www/.well-known/">
>    Options None
>    AllowOverride None
>    Require all granted
>    Header add Content-Type text/plain
> </Directory>
>
> # httpd-default.conf
>
> #
> # This configuration file reflects default settings for Apache HTTP Server.
> #
> # You may change these, but chances are that you may not need to.
> #
>
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 60
>
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive Off
>
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We recommend you leave this number high, for maximum performance.
> #
> MaxKeepAliveRequests 100
>
> #
> # KeepAliveTimeout: Number of seconds to wait for the next request from the
> # same client on the same connection.
> #
> KeepAliveTimeout 5
>
> #
> # UseCanonicalName: Determines how Apache constructs self-referencing
> # URLs and the SERVER_NAME and SERVER_PORT variables.
> # When set "Off", Apache will use the Hostname and Port supplied
> # by the client.  When set "On", Apache will use the value of the
> # ServerName directive.
> #
> UseCanonicalName On
>
> #
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives.  See also the AllowOverride
> # directive.
> #
> AccessFileName .htaccess
>
> #
> # ServerTokens
> # This directive configures what you return as the Server HTTP response
> # Header. The default is 'Full' which sends information about the OS-Type
> # and compiled in modules.
> # Set to one of:  Full | OS | Minor | Minimal | Major | Prod
> # where Full conveys the most information, and Prod the least.
> #
> ServerTokens Prod
>
> #
> # Optionally add a line containing the server version and virtual host
> # name to server-generated pages (internal error documents, FTP directory
> # listings, mod_status and mod_info output etc., but not CGI generated
> # documents or custom error documents).
> # Set to "EMail" to also include a mailto: link to the ServerAdmin.
> # Set to one of:  On | Off | EMail
> #
> ServerSignature Off
>
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
>
> #
> # Set a timeout for how long the client may take to send the request header
> # and body.
> # The default for the headers is header=20-40,MinRate=500, which means wait
> # for the first byte of headers for 20 seconds. If some data arrives,
> # increase the timeout corresponding to a data rate of 500 bytes/s, but not
> # above 40 seconds.
> # The default for the request body is body=20,MinRate=500, which is the same
> # but has no upper limit for the timeout.
> # To disable, set to header=0 body=0
> #
> <IfModule reqtimeout_module>
>   RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
> </IfModule>
>
> # httpd-mpm.conf
> #
> # Server-Pool Management (MPM specific)
> #
>
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> #
> # Note that this is the default PidFile for most MPMs.
> #
> <IfModule !mpm_netware_module>
>     PidFile "/var/run/httpd.pid"
> </IfModule>
>
> #
> # Only one of the below sections will be relevant on your
> # installed httpd.  Use "apachectl -l" to find out the
> # active mpm.
> #
>
> # prefork MPM
> # StartServers: number of server processes to start
> # MinSpareServers: minimum number of server processes which are kept spare
> # MaxSpareServers: maximum number of server processes which are kept spare
> # MaxRequestWorkers: maximum number of server processes allowed to start
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_prefork_module>
>     StartServers             8
>     MinSpareServers          40
>     MaxSpareServers         80
>     MaxClients 200
>     MaxRequestsPerChild 9000
>     #MaxRequestWorkers      250
>     #MaxConnectionsPerChild   12000
> </IfModule>
>
> # worker MPM
> # StartServers: initial number of server processes to start
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestWorkers: maximum number of worker threads
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_worker_module>
>     StartServers             3
>     MinSpareThreads         75
>     MaxSpareThreads        250
>     ThreadsPerChild         25
>     MaxRequestWorkers      400
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # event MPM
> # StartServers: initial number of server processes to start
> # MinSpareThreads: minimum number of worker threads which are kept spare
> # MaxSpareThreads: maximum number of worker threads which are kept spare
> # ThreadsPerChild: constant number of worker threads in each server process
> # MaxRequestWorkers: maximum number of worker threads
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> #                         before terminating
> <IfModule mpm_event_module>
>     StartServers             4
>     MinSpareThreads         30
>     MaxSpareThreads        100
>     ThreadsPerChild         50
>     MaxRequestWorkers      200
>     MaxConnectionsPerChild   6000
> </IfModule>
>
> # NetWare MPM
> # ThreadStackSize: Stack size allocated for each worker thread
> # StartThreads: Number of worker threads launched at server startup
> # MinSpareThreads: Minimum number of idle threads, to handle request spikes
> # MaxSpareThreads: Maximum number of idle threads
> # MaxThreads: Maximum number of worker threads alive at the same time
> # MaxConnectionsPerChild: Maximum  number of connections a thread serves. It
> #                         is recommended that the default value of 0 be set
> #                         for this directive on NetWare.  This will allow the
> #                         thread to continue to service requests indefinitely.
> <IfModule mpm_netware_module>
>     ThreadStackSize      65536
>     StartThreads           250
>     MinSpareThreads         25
>     MaxSpareThreads        250
>     MaxThreads            1000
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # OS/2 MPM
> # StartServers: Number of server processes to maintain
> # MinSpareThreads: Minimum number of idle threads per process,
> #                  to handle request spikes
> # MaxSpareThreads: Maximum number of idle threads per process
> # MaxConnectionsPerChild: Maximum number of connections per server process
> <IfModule mpm_mpmt_os2_module>
>     StartServers             2
>     MinSpareThreads          5
>     MaxSpareThreads         10
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # WinNT MPM
> # ThreadsPerChild: constant number of worker threads in the server process
> # MaxConnectionsPerChild: maximum number of connections a server process serves
> <IfModule mpm_winnt_module>
>     ThreadsPerChild        150
>     MaxConnectionsPerChild   0
> </IfModule>
>
> # The maximum number of free Kbytes that every allocator is allowed
> # to hold without calling free(). In threaded MPMs, every thread has its own
> # allocator. When not set, or when set to zero, the threshold will be set to
> # unlimited.
> <IfModule !mpm_netware_module>
>     MaxMemFree            2048
> </IfModule>
> <IfModule mpm_netware_module>
>     MaxMemFree             100
> </IfModule>
>
> # httpd-ssl.conf
> SSLRandomSeed startup file:/dev/urandom 512
> SSLRandomSeed connect file:/dev/urandom 512
> listen 66.228.47.34:443
> #Listen [2600:3c03:0:0:f03c:91ff:fedf:6fc]:443
>
> # OCSP Stapling settings
> SSLUseStapling On
> SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
> SSLStaplingResponderTimeout 15
> SSLStaplingReturnResponderErrors off
> SSLStaplingStandardCacheTimeout 3600
>
> # For modern configuration
> # https://mozilla.github.io/server-side-tls/ssl-config-generator/
> # 04/14/17:
> SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
> SSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256@STRENGTH
> SSLHonorCipherOrder On
> #SSLProtocol all -SSLv2 -SSLv3
>         # Enable PFS
> #SSLHonorCipherOrder On
> #SSLCipherSuite
> ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS@STRENGTH
>  #SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
> #SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
> #SSSLCipherSuite
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> #
> # https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
> SSLCompression Off
> SSLSessionTickets Off
> # Strong dh parameters file
> SSLOpenSSLConfCmd DHParameters "/etc/ssl/dhparam.pem"
>
> # For temporary legacy intermediate clients
> #SSLProtocol             all -SSLv2 -SSLv3
> #SSLCipherSuite
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
> #SSLHonorCipherOrder     on
> #SSLCompression          off
> SSLPassPhraseDialog  builtin
> SSLSessionCache        "shmcb:/var/run/ssl_scache(512000)"
> SSLSessionCacheTimeout  300
>
> <VirtualHost _default_:443>
> DocumentRoot "/usr/local/www/apache24/sslvhost"
> ServerName www.davemehler.com:443
> ServerAdmin [hidden email]
> ErrorLog "/var/log/http-ssl-error.log"
> TransferLog "/var/log/httpd-ssl-access.log"
> SSLEngine on
> SSLCertificateFile "/etc/ssl/certs/server.crt"
> SSLCertificateKeyFile "/etc/ssl/private/server.key"
> <FilesMatch "\.(cgi|shtml|phtml|php)$">
>     SSLOptions +StdEnvVars
> </FilesMatch>
> <Directory /usr/local/www/apache24/sslvhost>
> Require all granted
> Options FollowSymLinks
> AllowOverRide none
> </Directory>
> <Directory "/usr/local/www/apache24/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> #BrowserMatch "MSIE [2-5]" \
>          #nokeepalive ssl-unclean-shutdown \
>          #downgrade-1.0 force-response-1.0
> CustomLog "/var/log/httpd-ssl_request.log" \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> #Alias /mail "/usr/local/www/roundcube/"
> #Alias /awstats/icon "/usr/local/www/awstats/icon/"
> #Alias /awstatsicon "/usr/local/www/awstats/icon/"
> #ScriptAlias /awstats "/usr/local/www/awstats/cgi-bin/"
> </VirtualHost>
>
> # httpd-security.conf
> <IfModule mod_headers.c>
> Header unset ETag
> Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
> Header set X-XSS-Protection "1; mode=block"
> Header append Referrer-Policy: no-referrer-when-downgrade
> Header always unset "X-Powered-By"
> Header set X-Permitted-Cross-Domain-Policies "none"
> </IfModule>
> # Remove server identification header
> <ifModule ModSecurity.c>
>   SecServerSignature ''
> </ifModule>
>
> FileETag None
> TraceEnable off
>
> # Deploy Content Security Policy CSP
> <IfModule mod_headers.c>
> Header set Content-Security-Policy "default-src 'self'; script-src 'self';"
>     Header set X-Content-Type-Options nosniff
> # Originally set to deny
>     #Header set X-Frame-Options DENY
>     Header set X-Frame-Options SAMEORIGIN
> </IfModule>
>
> # mod_evasive module
> <IfModule mod_evasive20.c>
>     DOSHashTableSize    3097
>     DOSPageCount        2
>     DOSSiteCount        50
>     DOSPageInterval     1
>     DOSSiteInterval     1
>     DOSBlockingPeriod   10
> DOSEmailNotify [hidden email]
> DOSWhitelist 127.0.0.1
> DOSSystemCommand '/sbin/pfctl -t evasive -T add %s'
> </IfModule>
>
> vhosts.conf
> #
> # Virtual host file
> #
>
> # The example.com http virtual host
> <VirtualHost *:80>
>     ServerName example.com
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.com/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/example.com/htdocs/"
>     ServerName www.example.com
>     ServerAlias www.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.com/.well-known gets
> forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.com/logs/error.log"
>     <Directory "/usr/vhosts/example.com/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.com/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The test.example.com http virtual host
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/test.example.com/htdocs/"
>     ServerName test.example.com
>     ServerAlias test.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to test.example.com/.well-known gets
> forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://test.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/test.example.com/logs/error.log"
>     <Directory "/usr/vhosts/test.example.com/htdocs/">
>  # mod_authn_core and mod_auth_basic configuration
>  # for mod_authn_dbd
>  #AuthType Basic
>  #AuthName "Restricted Access"
>
>  # To cache credentials, put socache ahead of dbd here
>  #AuthBasicProvider socache dbd
>
>  # Also required for caching: tell the cache to cache dbd lookups!
>  #AuthnCacheProvideFor dbd
>  #AuthnCacheContext my-server
>
>  # mod_authn_dbd SQL query to authenticate a user
>  #AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s"
>
>  # mod_authz_core configuration
>             #<RequireAll>
>                 #Require group alpha beta testgroup
> #Require dbd-group team
>                 #Require not group reject
>                 #<RequireAny>
>                     #Require valid-user
>                 #</RequireAny>
>         #<RequireNone>
>             #Require group temps
>         #</RequireNone>
>             #</RequireAll>
>                     #Require group testgroup
> #Require dbd-group testgroup
>                     #Require valid-user
>
>   # mod_authz_dbd configuration
>   #AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE username = '%s'"
> #AuthzSendForbiddenOnFailure On
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/test.example.com/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The example.net http virtual host
> <VirtualHost *:80>
>     ServerName example.net
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.net/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/example.net/htdocs/"
>     ServerName www.example.net
>     ServerAlias www.example.net
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.net/.well-known gets
> forwarded to the https site
> #    RewriteEngine on
> #    RewriteCond %{REQUEST_URI} !^/.well-known
> #    RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.net/logs/error.log"
>     <Directory "/usr/vhosts/example.net/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.net/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The example.org http virtual host
> <VirtualHost *:80>
>     ServerName example.org
>     RewriteEngine On
>     RewriteRule ^/?(.*) http://www.example.org/$1 [R,L]
> </VirtualHost>
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/example.org/htdocs/"
>     ServerName www.example.org
>     ServerAlias www.example.org
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to example.org/.well-known gets
> forwarded to the https site
> #    RewriteEngine on
> #    RewriteCond %{REQUEST_URI} !^/.well-known
> #    RewriteRule (.*) https://www.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/example.org/logs/error.log"
>     <Directory "/usr/vhosts/example.org/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/example.org/logs/access.log-%Y-%m-%d.log 86400" combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The webmail.example.com http virtual host
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/webmail.example.com/htdocs/"
>     ServerName webmail.example.com
>     ServerAlias webmail.example.com
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to webmail.example.com/.well-known
> gets forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://webmail.example.com/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/webmail.example.com/logs/error.log"
>     <Directory "/usr/vhosts/webmail.example.com/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/webmail.example.com/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> # The webmail.example.org http virtual host
> <VirtualHost *:80>
>     ServerAdmin [hidden email]
>     DocumentRoot "/usr/vhosts/webmail.example.org/htdocs/"
>     ServerName webmail.example.org
>     ServerAlias webmail.example.org
>
>     ErrorDocument 404 /errordocs/error404.htm
>     # share well-known for renewal via Let's Encrypt!
>     Alias /.well-known/ /usr/local/www/.well-known/
>
>     # Anything that isn't going to webmail.example.org/.well-known
> gets forwarded to the https site
>     RewriteEngine on
>     RewriteCond %{REQUEST_URI} !^/.well-known
>     RewriteRule (.*) https://webmail.example.org/$1 [R=301,L]
>
>     ErrorLog "/usr/vhosts/webmail.example.org/logs/error.log"
>     <Directory "/usr/vhosts/webmail.example.org/htdocs/">
> Options FollowSymLinks
> AllowOverRide None
> Require all granted
>     </Directory>
>     <IfModule mod_log_config.c>
>         CustomLog "|/usr/local/sbin/rotatelogs -l
> /usr/vhosts/webmail.example.org/logs/access.log-%Y-%m-%d.log 86400"
> combined
>     </IfModule>
>
> # Disc cache setup
>     CacheQuickHandler off
>     CacheLock on
>     CacheLockPath /tmp/mod_cache-lock
>     CacheLockMaxAge 5
>     CacheIgnoreHeaders Set-Cookie
>     <Location />
>         CacheEnable disk
>         CacheHeader on
>         CacheDefaultExpire 600
>         CacheMaxExpire 86400
>         CacheLastModifiedFactor 0.5
>         ExpiresActive on
>         ExpiresDefault "access plus 5 minutes"
>         Header merge Cache-Control public
>         FileETag All
>     </Location>
> </VirtualHost>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

No one will parse your entire httpd.conf out of their free time.

Instead, I recommend starting with
http://httpd.apache.org/docs/current/upgrading.html

Then you can focus on specific problems.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]