Apache SSL Configuration

Sample Apache 2.4 configuration file for Infra Track Web portal v. 1.0.0 HTTPS (SSL)

Make sure you replace the subdomain, domain, directory paths, log file locations and certificate files with the values for your installation.

This configuration is provided only as a sample!

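<VirtualHost *:443>
    # HTTPS virtual host for the Infra Track web portal. Replace the host names,
    # paths and certificate files below with the values for your installation.
    ServerAdmin noc@domain.tld
    ServerName infratrack.domain.tld
    # ServerName is already matched; only the extra short name needs an alias.
    ServerAlias infratrack

    DocumentRoot /srv/infratrack_www/

    ErrorLog /var/log/apache2/infratrack_https_error.log
    CustomLog /var/log/apache2/infratrack_https_access.log combined

    SSLEngine on

    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated, so none of them
    # is offered. "all" keeps TLS 1.2 and, where mod_ssl/OpenSSL support it,
    # TLS 1.3.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    # Same selection as before with !aNULL:!eNULL appended. The list starts from
    # ALL and excluded anonymous suites only by name (ADH plus individual AECDH
    # entries), which can leave other unauthenticated suites enabled on OpenSSL
    # builds that still ship them.
    SSLCipherSuite ALL:!ADH:!SSLv2:!EXPORT56:!EXPORT40:!RC4:!DES:+HIGH:!MEDIUM:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AECDH-DES-CBC3-SHA:!DES-CBC3-SHA:!ECDHE-RSA-AES128-SHA:!DHE-RSA-AES128-SHA:!DHE-RSA-CAMELLIA128-SHA:!AECDH-AES128-SHA:!AES128-SHA:!CAMELLIA128-SHA:!aNULL:!eNULL
    # TLS-level compression stays off (CRIME).
    SSLCompression off
    # Clients that do not send SNI are not allowed to access this virtual host.
    SSLStrictSNIVHostCheck on

    SSLCertificateFile      /etc/apache2/ssl/infratrack_ssl.crt
    # The key file carries no passphrase: keep it owned by root and unreadable
    # by any other account, and keep it out of the DocumentRoot and of backups
    # that other users can read.
    SSLCertificateKeyFile   /etc/apache2/ssl/infratrack_ssl_nopwd.key
    # SSLCACertificateFile lists the CAs used to verify client certificates.
    # NOTE(review): no SSLVerifyClient is set in this vhost. If this file is
    # meant to be the server's intermediate chain, confirm it is actually sent
    # to clients; on Apache 2.4.8+ the chain can be appended to
    # SSLCertificateFile instead.
    SSLCACertificateFile    /etc/apache2/ssl/company_global_ca.crt

    # Export the standard SSL environment variables to scripts only.
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
    </Directory>

    # Workarounds for old Internet Explorer TLS shutdown behaviour.
    BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive.
    # [17-9] is a character class: "1" (MSIE 10 and later) or 7 to 9.
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    # NOTE: this vhost only ever serves TLS connections (SSLEngine on), so
    # %{HTTPS} is never "off" here and the rule below cannot fire. The
    # HTTP-to-HTTPS redirect has to live in the port-80 virtual host.
    # The target uses the fixed ServerName rather than the client-supplied Host
    # header, and [R=301,L] makes the redirect explicit.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://infratrack.domain.tld%{REQUEST_URI} [R=301,L]

    DirectoryIndex index.html index.htm index.php default.html default.htm default.php index.shtml
    <Directory /srv/infratrack_www/>
        # Directory listings are disabled so that a folder without an index
        # file does not expose its contents.
        Options -Indexes +FollowSymLinks
        # AllowOverride All lets any .htaccess file under the DocumentRoot
        # change the configuration; narrow it if the application does not
        # need that.
        AllowOverride All
        # Apache 2.4 authorization only. The 2.2-style Order/Allow lines were
        # dropped: they need mod_access_compat, and mixing them with Require
        # is discouraged.
        Require all granted
    </Directory>

    # Was ".htacces": with that spelling Apache ignores the real .htaccess
    # files, including any access restrictions they contain.
    AccessFileName .htaccess

    # Never serve include, setup-information, ini or .hta files.
    <FilesMatch "\.(inc|inf|ini|hta)$">
        Require all denied
    </FilesMatch>

</VirtualHost>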