소스 보기

LoadModule macro_module modules/mod_macro.so

<Macro RotateLogs $site>
    LogLevel    warn
    ErrorLog    "|/usr/sbin/rotatelogs /var/log/httpd/$site/error_log.%Y%m%d   86400 +540"
    TransferLog "|/usr/sbin/rotatelogs /var/log/httpd/$site/access_log.%Y%m%d  86400 +540"
    CustomLog   "|/usr/sbin/rotatelogs /var/log/httpd/$site/request_log.%Y%m%d 86400 +540" \
                    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</Macro>

<VirtualHost *:80>
    ServerName eduroam.kreonet.net
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</VirtualHost>

<VirtualHost *:443>
    ServerName eduroam.kreonet.net
    DocumentRoot "/var/www/eduroam.kreonet.net"
    Use RotateLogs eduroam.kreonet.net
    Include conf.d/ssl-kreonet.cnf
</VirtualHost>

SSLEngine on

SSLProtocol             all -SSLv2 -SSLv3

SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

SSLHonorCipherOrder     on

SSLCompression          off

SSLOptions +StrictRequire

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

SSLCertificateFile      /etc/httpd/cert/_wildcard_kreonet_net.crt
SSLCertificateKeyFile   /etc/httpd/cert/_wildcard_kreonet_net_SHA256WITHRSA.key
SSLCertificateChainFile /etc/httpd/cert/rsa-dv.chain-bundle.pem
SSLCACertificateFile    /etc/httpd/cert/AddTrustExternalCARoot.crt

Header always set Strict-Transport-Security "max-age=86400; includeSubdomains; preload"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY

# Conflict with grafana
# Header set Content-Security-Policy: "default-src 'self' 'unsafe-inline'"

SSLProxyEngine     On
ProxyRequests      Off
ProxyVia           On
ProxyPreserveHost  On

SSLProxyVerify none
SSLProxyCheckPeerName off
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

Timeout      2400
ProxyTimeout 2400

ProxyBadHeader Ignore
RemoteIPHeader X-Forwarded-For

/etc/httpd
├── cert
├── conf
│   └── httpd.conf
├── conf.d
│   ├── eduroam_kreonet_net.conf
│   ├── wiki_net.conf
│   ├── ssl.conf
│   ├── ssl-kreonet.cnf

...

$ sudo apachectl configtest
Syntax OK