summaryrefslogtreecommitdiff
path: root/docs/configdiff/git/git-apache-config.diff
blob: ad2c182af4eca4a09b9e04179f5cfb33a200a1ab (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
diff -urwN -X diffignore-apache2 orig/etc/apache2/conf-available/security.conf git/etc/apache2/conf-available/security.conf
--- orig/etc/apache2/conf-available/security.conf	2015-11-28 13:59:22.000000000 +0100
+++ git/etc/apache2/conf-available/security.conf	2016-05-20 00:15:49.874994024 +0200
@@ -10,6 +10,17 @@
 #   Order Deny,Allow
 #   Deny from all
 #</Directory>
+<Directory />
+	Options FollowSymLinks
+	AllowOverride None
+</Directory>
+
+<Directory /var/www/>
+	Options Indexes FollowSymLinks MultiViews
+	AllowOverride None
+	Order allow,deny
+	allow from all
+</Directory>
 
 
 # Changing the following options will not really affect the security of the
diff -urwN -X diffignore-apache2 orig/etc/apache2/mods-available/ssl.conf git/etc/apache2/mods-available/ssl.conf
--- orig/etc/apache2/mods-available/ssl.conf	2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/mods-available/ssl.conf	2016-01-02 16:13:42.695785273 +0100
@@ -56,7 +56,8 @@
 	#   ciphers(1) man page from the openssl package for list of all available
 	#   options.
 	#   Enable only secure ciphers:
-	SSLCipherSuite HIGH:!aNULL
+	#SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP:!AES128:!CAMELLIA128
+	SSLCipherSuite HIGH:+CAMELLIA256:!eNull:!aNULL:!ADH:!MD5:!AES+SHA1:!RC4:!DES:!3DES:!SEED:!EXP
 
 	# SSL server cipher order preference:
 	# Use server priorities for cipher algorithm choice.
@@ -65,7 +66,7 @@
 	# the CPU cost, and did not override SSLCipherSuite in a way that puts
 	# insecure ciphers first.
 	# Default: Off
-	#SSLHonorCipherOrder on
+	SSLHonorCipherOrder on
 
 	#   The protocols to enable.
 	#   Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/000-default.conf git/etc/apache2/sites-available/000-default.conf
--- orig/etc/apache2/sites-available/000-default.conf	2015-10-24 10:37:19.000000000 +0200
+++ git/etc/apache2/sites-available/000-default.conf	2016-05-20 00:21:02.697250540 +0200
@@ -11,11 +11,19 @@
 	ServerAdmin webmaster@localhost
 	DocumentRoot /var/www/html
 
+	RewriteEngine on
+	RewriteCond %{HTTP_HOST} !^git\.cacert\.org [NC]
+	RewriteCond %{HTTP_HOST} !^$
+	RewriteRule ^/?(.*) http://git.cacert.org/$1 [L,R,NE] 
+
+	Redirect / https://git.cacert.org/gitweb
+
 	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 	# error, crit, alert, emerg.
 	# It is also possible to configure the loglevel for particular
 	# modules, e.g.
 	#LogLevel info ssl:warn
+	LogLevel warn
 
 	ErrorLog ${APACHE_LOG_DIR}/error.log
 	CustomLog ${APACHE_LOG_DIR}/access.log combined
diff -urwN -X diffignore-apache2 orig/etc/apache2/sites-available/default-ssl.conf git/etc/apache2/sites-available/default-ssl.conf
--- orig/etc/apache2/sites-available/default-ssl.conf	2016-05-20 00:05:51.022493172 +0200
+++ git/etc/apache2/sites-available/default-ssl.conf	2016-05-20 00:14:50.350565644 +0200
@@ -2,13 +2,27 @@
 	<VirtualHost _default_:443>
 		ServerAdmin webmaster@localhost
 
+		Redirect /index.html /gitweb/
+
 		DocumentRoot /var/www/html
 
+		<Directory />
+			Options FollowSymLinks
+			AllowOverride None
+		</Directory>
+		<Directory /var/www/>
+			Options Indexes FollowSymLinks MultiViews
+			AllowOverride None
+			Order allow,deny
+			allow from all
+		</Directory>
+	
 		# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
 		# error, crit, alert, emerg.
 		# It is also possible to configure the loglevel for particular
 		# modules, e.g.
 		#LogLevel info ssl:warn
+		LogLevel warn
 
 		ErrorLog ${APACHE_LOG_DIR}/error.log
 		CustomLog ${APACHE_LOG_DIR}/access.log combined
@@ -29,8 +43,8 @@
 		#   /usr/share/doc/apache2/README.Debian.gz for more info.
 		#   If both key and certificate are stored in the same file, only the
 		#   SSLCertificateFile directive is needed.
-		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
-		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+		SSLCertificateFile    /etc/ssl/public/git.c.o.chain.crt
+		SSLCertificateKeyFile /etc/ssl/private/git.c.o.key
 
 		#   Server Certificate Chain:
 		#   Point SSLCertificateChainFile at a file containing the
@@ -130,6 +144,12 @@
 		# MSIE 7 and newer should be able to use keepalive
 		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 
+		# HSTS
+		Header always set Strict-Transport-Security "max-age=31536000"
+		Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'sha256-dacEZQWGxky95ybZadcNI26RDghVLeVdbdRC/Q3spJQ='; img-src 'self'; style-src 'self';"
+		Header always set X-Frame-Options "DENY"
+		Header always set X-XSS-Protection "1; mode=block"
+		Header always set X-Content-Type-Options "nosniff"
 	</VirtualHost>
 </IfModule>