diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf 2015-11-28 13:59:22.000000000 +0100
+++ git/etc/apache2/conf-available/security.conf 2016-05-20 00:15:49.874994024 +0200
@@ -10,6 +10,17 @@
# Order Deny,Allow
# Deny from all
#</Directory>
+<Directory />
+ Options FollowSymLinks
+ AllowOverride None
+</Directory>
+
+<Directory /var/www/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+</Directory>
# Changing the following options will not really affect the security of the
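Review bot: `Options Indexes` in the new `<Directory /var/www/>` block switches on automatic directory listings for every path under /var/www that has no index file, which exposes file and directory names (backup copies, dot-directories, stray uploads) to any client; unless listings are actually wanted, `Options FollowSymLinks MultiViews` is the safer line. The `Order allow,deny` / `allow from all` pair is Apache 2.2 syntax that under 2.4 only works while mod_access_compat is loaded — the `conf-available` layout suggests 2.4, so `Require all granted` is the native form. The `<Directory />` block sets Options but no access rule of its own, so it relies on a deny rule elsewhere (presumably the global apache2.conf) to keep the filesystem root closed; a comment such as `# no Require here on purpose: access to / must stay denied by the global config` would stop a later cleanup from opening it by accident.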
diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf 2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/mods-available/ssl.conf 2016-01-02 16:13:42.695785273 +0100
@@ -56,7 +56,8 @@
# ciphers(1) man page from the openssl package for list of all available
# options.
# Enable only secure ciphers:
- SSLCipherSuite HIGH:!aNULL
+ #SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
+ SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
# SSL server cipher order preference:
# Use server priorities for cipher algorithm choice.
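Review bot: `!eNull` on the new SSLCipherSuite line looks like a typo for `!eNULL`; OpenSSL cipher-list keywords are case-sensitive and an unrecognised token is silently ignored, so the exclusion is probably a no-op (harmless only because `HIGH` already contains no null-encryption suites). `!AES+SHA1` drops the AES-CBC/SHA-1 suites, but the classic Camellia-CBC suites kept by `HIGH:+CAMELLIA256` (e.g. DHE-RSA-CAMELLIA256-SHA) still use SHA-1, so SHA-1 MACs are not actually gone — either accept that explicitly in a comment or add `!SHA1` once all clients are TLS 1.2 capable. Run `openssl ciphers -v '<string>'` against the deployed OpenSSL and keep the resulting list in a comment next to the directive, and drop the commented-out variant on the line above rather than leaving two candidates in the file.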
@@ -65,7 +66,7 @@
# the CPU cost, and did not override SSLCipherSuite in a way that puts
# insecure ciphers first.
# Default: Off
- #SSLHonorCipherOrder on
+ SSLHonorCipherOrder on
# The protocols to enable.
# Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
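Review bot: `SSLHonorCipherOrder on` only helps if the server-side list is ordered with forward-secrecy suites first, and the SSLCipherSuite string earlier in this patch relies on OpenSSL's default ordering of `HIGH` rather than stating a preference; confirm with `openssl ciphers -v` that the ECDHE/DHE suites come before the plain-RSA ones, or prepend them explicitly. The `SSLProtocol` directive that follows right below this hunk is not touched by the patch, so it cannot be told from here whether SSLv3 is disabled; the cipher hardening is undermined if it is not, and `SSLProtocol all -SSLv3` (or also `-TLSv1 -TLSv1.1` where the client base allows) belongs in the same change.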
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
--- orig/etc/apache2/sites-available/000-default.conf 2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/sites-available/000-default.conf 2016-05-20 00:21:02.697250540 +0200
@@ -11,11 +11,19 @@
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
+ RewriteEngine on
+ RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
+ RewriteCond %{HTTP_HOST} !^$
+ RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE]
+
+ Redirect / https://git.cacert.org/gitweb
+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
+ LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
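Review bot: `Redirect / https://git.cacert.org/gitweb` is a prefix redirect, so mod_alias appends whatever follows the matched `/` straight onto the target without a separator — a request for `/foo` is sent to `https://git.cacert.org/gitwebfoo`. If everything on port 80 should land in gitweb, `Redirect / https://git.cacert.org/gitweb/` (trailing slash) yields `/gitweb/foo`; if only the front page should, `RedirectMatch ^/$ https://git.cacert.org/gitweb/` is the precise form. The RewriteRule two lines above sends requests for other host names to `http://git.cacert.org/$1`, i.e. a plaintext hop that this Redirect then bounces again; pointing it at `https://git.cacert.org/$1` saves the extra round trip and puts the first response on the canonical host over TLS. Both redirects are temporary (302) as written; for a permanent move to HTTPS use `[L,R=301,NE]` and `Redirect permanent`, bearing in mind that browsers cache 301s.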
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
--- orig/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:05:51.022493172 +0200
+++ git/etc/apache2/sites-available/default-ssl.conf 2016-05-20 00:14:50.350565644 +0200
@@ -2,13 +2,27 @@
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
+ Redirect /index.html /gitweb/
+
DocumentRoot /var/www/html
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www/>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
+ LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
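Review bot: the `<Directory />` and `<Directory /var/www/>` blocks added here duplicate the ones this same patch adds to conf-available/security.conf, including `Options Indexes` (directory listings for anything under /var/www without an index file) and the 2.2-style `Order allow,deny` / `allow from all` that under 2.4 needs mod_access_compat; keep a single copy — the global one — and use `Require all granted` there, so the two cannot drift apart. `Redirect /index.html /gitweb/` only matches an explicit `/index.html`; whether a bare `/` also ends up in gitweb depends on how DirectoryIndex resolution interacts with mod_alias, which cannot be told from the hunk — `RedirectMatch ^/(index\.html)?$ /gitweb/` makes the intent explicit. The `<VirtualHost _default_:443>` opened on the first line of this hunk continues past its end.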
@@ -29,8 +43,8 @@
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
- SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
- SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+ SSLCertificateFile /etc/ssl/public/git.c.o.chain.crt
+ SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
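Review bot: the new SSLCertificateFile name `git.c.o.chain.crt` suggests the intermediate certificates are bundled into the server-certificate file, while the context lines right below still describe `SSLCertificateChainFile` as the place for the chain; Apache only reads extra certificates from SSLCertificateFile from 2.4.8 on, so on an older build the chain would silently not be sent and clients would see an incomplete-chain error. The Apache version cannot be told from the diff — verify the served chain with `openssl s_client -connect git.cacert.org:443 -servername git.cacert.org -showcerts`, and either add an `SSLCertificateChainFile` line or record the minimum version in a comment such as `# chain is bundled in the cert file; requires Apache >= 2.4.8`. The private key moves to `/etc/ssl/private/git.c.o.key`; its owner and mode (root-only, not world-readable) are not part of the diff and should be checked on deployment.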
@@ -130,6 +144,12 @@
# MSIE 7 and newer should be able to use keepalive
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
+ # HSTS
+ Header always set Strict-Transport-Security "max-age=31536000"
+ Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
+ Header always set X-Frame-Options "DENY"
+ Header always set X-XSS-Protection "1; mode=block"
+ Header always set X-Content-Type-Options "nosniff"
</VirtualHost>
</IfModule>
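Review bot: the five `Header always set` lines depend on mod_headers being loaded, and nothing in this patch enables it; if it is missing, Apache refuses to start with `Invalid command 'Header'`, so either wrap them in `<IfModule mod_headers.c>` or note the `a2enmod headers` requirement next to the `# HSTS` comment. The CSP pins one inline script by SHA-256 hash, so any gitweb upgrade that touches that inline script silently breaks the page; a comment such as `# CSP hash covers gitweb's inline script block — recompute after upgrading gitweb` makes that visible. The policy also lacks `frame-ancestors 'none'` (the CSP counterpart of the X-Frame-Options DENY set two lines later, and the one that takes precedence in browsers supporting CSP 2), `form-action 'self'` and `base-uri 'none'`; and the HSTS value carries no `includeSubDomains`, which is only fine if no subdomain of git.cacert.org is ever meant to serve plain HTTP — presumably there are none, but a comment would record the decision. The `<VirtualHost>` closed at the end of this hunk opens outside it.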