
HTTP security headers

boyska 5 years ago
parent
commit
d9bc2c2605
1 changed files with 233 additions and 228 deletions
  1. 233 228
      docker/frontend-apache.conf

+ 233 - 228
docker/frontend-apache.conf

@@ -1,228 +1,233 @@
-ServerRoot "/usr/local/apache2"
-
-Listen 80
-
-LoadModule mpm_event_module modules/mod_mpm_event.so
-LoadModule authn_core_module modules/mod_authn_core.so
-LoadModule authz_core_module modules/mod_authz_core.so
-LoadModule access_compat_module modules/mod_access_compat.so
-LoadModule mime_module modules/mod_mime.so
-LoadModule log_config_module modules/mod_log_config.so
-LoadModule env_module modules/mod_env.so
-#LoadModule expires_module modules/mod_expires.so
-LoadModule headers_module modules/mod_headers.so
-#LoadModule setenvif_module modules/mod_setenvif.so
-#LoadModule remoteip_module modules/mod_remoteip.so
-LoadModule proxy_module modules/mod_proxy.so
-LoadModule proxy_http_module modules/mod_proxy_http.so
-LoadModule unixd_module modules/mod_unixd.so
-#LoadModule status_module modules/mod_status.so
-#LoadModule autoindex_module modules/mod_autoindex.so
-LoadModule dir_module modules/mod_dir.so
-LoadModule alias_module modules/mod_alias.so
-
-LoadModule session_module modules/mod_session.so
-LoadModule session_crypto_module modules/mod_session_crypto.so
-LoadModule session_cookie_module modules/mod_session_cookie.so
-LoadModule request_module modules/mod_request.so
-LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule auth_form_module modules/mod_auth_form.so
-LoadModule authn_dbd_module modules/mod_authn_dbd.so
-LoadModule dbd_module modules/mod_dbd.so
-
-LoadModule macro_module modules/mod_macro.so
-LoadModule rewrite_module modules/mod_rewrite.so
-
-<IfModule unixd_module>
-#
-# If you wish httpd to run as a different user or group, you must run
-# httpd as root initially and it will switch.  
-#
-# User/Group: The name (or #number) of the user/group to run httpd as.
-# It is usually good practice to create a dedicated user and group for
-# running httpd, as with most system services.
-#
-User daemon
-Group daemon
-</IfModule>
-
-ServerAdmin you@example.com
-
-ServerName feedati-fe:80
-
-DBDriver pgsql
-DBDParams "host=db dbname=feeds user=apache password=apachepass"
-
-<Macro Auth>
-    AuthFormLoginRequiredLocation "/login/"
-# authn
-    AuthFormProvider dbd
-    AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"
-# form
-    AuthType form
-    AuthName "authenticationform"
-# mod_session
-    Session On
-    SessionCookieName session path=/;httponly
-    SessionCryptoPassphrase changeme!really!
-</Macro>
-
-<Location "/login/do">
-SetHandler form-login-handler
-Use Auth
-AuthFormLoginSuccessLocation "/panel/"
-</Location>
-<Location "/logout">
-    SetHandler form-logout-handler
-    AuthFormLogoutLocation "/login/logout.html"
-    Session on
-</Location>
-
-<Directory />
-    AllowOverride none
-    Require all denied
-</Directory>
-
-DocumentRoot "/var/www"
-<Directory "/var/www">
-    Options None
-    AllowOverride None
-    Use Auth
-    Require all granted
-</Directory>
-
-<Files ".ht*">
-    Require all denied
-</Files>
-
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a <VirtualHost>
-# container, error messages relating to that virtual host will be
-# logged here.  If you *do* define an error logfile for a <VirtualHost>
-# container, that host's errors will be logged there and not here.
-#
-ErrorLog /proc/self/fd/2
-
-# LogLevel: Control the number of messages logged to the error_log.
-# Possible values include: debug, info, notice, warn, error, crit,
-# alert, emerg.
-LogLevel warn
-
-<IfModule log_config_module>
-    #
-    # The following directives define some format nicknames for use with
-    # a CustomLog directive (see below).
-    #
-    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
-    LogFormat "%h %l %u %t \"%r\" %>s %b" common
-
-    <IfModule logio_module>
-      # You need to enable mod_logio.c to use %I and %O
-      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
-    </IfModule>
-
-    #
-    # The location and format of the access logfile (Common Logfile Format).
-    # If you do not define any access logfiles within a <VirtualHost>
-    # container, they will be logged here.  Contrariwise, if you *do*
-    # define per-<VirtualHost> access logfiles, transactions will be
-    # logged therein and *not* in this file.
-    #
-    CustomLog /proc/self/fd/1 common
-
-    #
-    # If you prefer a logfile with access, agent, and referer information
-    # (Combined Logfile Format) you can use the following directive.
-    #
-    #CustomLog "logs/access_log" combined
-</IfModule>
-
-<IfModule headers_module>
-    #
-    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
-    # backend servers which have lingering "httpoxy" defects.
-    # 'Proxy' request header is undefined by the IETF, not listed by IANA
-    #
-    RequestHeader unset Proxy early
-</IfModule>
-
-<IfModule mime_module>
-    #
-    # TypesConfig points to the file containing the list of mappings from
-    # filename extension to MIME-type.
-    #
-    TypesConfig conf/mime.types
-
-    #
-    # AddType allows you to add to or override the MIME configuration
-    # file specified in TypesConfig for specific file types.
-    #
-    #AddType application/x-gzip .tgz
-    #
-    # AddEncoding allows you to have certain browsers uncompress
-    # information on the fly. Note: Not all browsers support this.
-    #
-    #AddEncoding x-compress .Z
-    #AddEncoding x-gzip .gz .tgz
-    #
-    # If the AddEncoding directives above are commented-out, then you
-    # probably should define those extensions to indicate media types:
-    #
-    AddType application/x-compress .Z
-    AddType application/x-gzip .gz .tgz
-
-    #
-    # AddHandler allows you to map certain file extensions to "handlers":
-    # actions unrelated to filetype. These can be either built into the server
-    # or added with the Action directive (see below)
-    #
-    # To use CGI scripts outside of ScriptAliased directories:
-    # (You will also need to add "ExecCGI" to the "Options" directive.)
-    #
-    #AddHandler cgi-script .cgi
-
-    # For type maps (negotiated resources):
-    #AddHandler type-map var
-
-    #
-    # Filters allow you to process content before it is sent to the client.
-    #
-    # To parse .shtml files for server-side includes (SSI):
-    # (You will also need to add "Includes" to the "Options" directive.)
-    #
-    #AddType text/html .shtml
-    #AddOutputFilter INCLUDES .shtml
-</IfModule>
-
-Redirect permanent "/tt-rss" "/tt-rss/"
-
-ProxyPreserveHost On
-<Location /tt-rss/>
-ProxyPass http://tt-rss/tt-rss/
-ProxyPassReverse http://tt-rss/tt-rss/
-Use Auth
-Require valid-user
-RewriteEngine on
-RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
-RequestHeader set X-Forwarded-User %{RU}e
-</Location>
-
-Redirect permanent "/rss-bridge" "/rss-bridge/"
-
-<Location /rss-bridge/>
-ProxyPass http://rss-bridge/
-ProxyPassReverse http://rss-bridge/
-Require all granted
-</Location>
-
-<Location /panel/>
-ProxyPass http://panel:8000/panel/
-ProxyPassReverse http://panel:8000/panel/
-Use Auth
-Require valid-user
-RewriteEngine on
-RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
-RequestHeader set X-Forwarded-User %{RU}e
-</Location>
-
-# vim: set ft=apache bkc=yes:
+ServerRoot "/usr/local/apache2"
+
+Listen 80
+
+LoadModule mpm_event_module modules/mod_mpm_event.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule env_module modules/mod_env.so
+#LoadModule expires_module modules/mod_expires.so
+LoadModule headers_module modules/mod_headers.so
+#LoadModule setenvif_module modules/mod_setenvif.so
+#LoadModule remoteip_module modules/mod_remoteip.so
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule unixd_module modules/mod_unixd.so
+#LoadModule status_module modules/mod_status.so
+#LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule alias_module modules/mod_alias.so
+
+LoadModule session_module modules/mod_session.so
+LoadModule session_crypto_module modules/mod_session_crypto.so
+LoadModule session_cookie_module modules/mod_session_cookie.so
+LoadModule request_module modules/mod_request.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule auth_form_module modules/mod_auth_form.so
+LoadModule authn_dbd_module modules/mod_authn_dbd.so
+LoadModule dbd_module modules/mod_dbd.so
+
+LoadModule macro_module modules/mod_macro.so
+LoadModule rewrite_module modules/mod_rewrite.so
+
+<IfModule unixd_module>
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.  
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User daemon
+Group daemon
+</IfModule>
+
+ServerAdmin you@example.com
+
+ServerName feedati-fe:80
+
+DBDriver pgsql
+DBDParams "host=db dbname=feeds user=apache password=apachepass"
+
+<Macro Auth>
+    AuthFormLoginRequiredLocation "/login/"
+# authn
+    AuthFormProvider dbd
+    AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"
+# form
+    AuthType form
+    AuthName "authenticationform"
+# mod_session
+    Session On
+    SessionCookieName session path=/;httponly
+    SessionCryptoPassphrase changeme!really!
+</Macro>
+
+<Location "/login/do">
+SetHandler form-login-handler
+Use Auth
+AuthFormLoginSuccessLocation "/panel/"
+</Location>
+<Location "/logout">
+    SetHandler form-logout-handler
+    AuthFormLogoutLocation "/login/logout.html"
+    Session on
+</Location>
+
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+DocumentRoot "/var/www"
+<Directory "/var/www">
+    Options None
+    AllowOverride None
+    Use Auth
+    Require all granted
+</Directory>
+
+<Files ".ht*">
+    Require all denied
+</Files>
+
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+ErrorLog /proc/self/fd/2
+
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    CustomLog /proc/self/fd/1 common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    #CustomLog "logs/access_log" combined
+</IfModule>
+
+<IfModule headers_module>
+    #
+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
+    # backend servers which have lingering "httpoxy" defects.
+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
+    #
+    RequestHeader unset Proxy early
+</IfModule>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig conf/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includesC (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    #AddType text/html .shtml
+    #AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+Redirect permanent "/tt-rss" "/tt-rss/"
+
+Header always set Referrer-Policy "same-origin"
+Header always setifempty Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+Header always setifempty X-XSS-Protection "1; mode=block"
+Header always setifempty X-Frame-Options "deny"
+
+ProxyPreserveHost On
+<Location /tt-rss/>
+ProxyPass http://tt-rss/tt-rss/
+ProxyPassReverse http://tt-rss/tt-rss/
+Use Auth
+Require valid-user
+RewriteEngine on
+RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
+RequestHeader set X-Forwarded-User %{RU}e
+</Location>
+
+Redirect permanent "/rss-bridge" "/rss-bridge/"
+
+<Location /rss-bridge/>
+ProxyPass http://rss-bridge/
+ProxyPassReverse http://rss-bridge/
+Require all granted
+</Location>
+
+<Location /panel/>
+ProxyPass http://panel:8000/panel/
+ProxyPassReverse http://panel:8000/panel/
+Use Auth
+Require valid-user
+RewriteEngine on
+RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS]
+RequestHeader set X-Forwarded-User %{RU}e
+</Location>
+
+# vim: set ft=apache bkc=yes:
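Review bot: The Content-Security-Policy added on the new-side `Header always setifempty Content-Security-Policy` line allows `'unsafe-inline' 'unsafe-eval'` in script-src, which leaves the policy unable to stop injected scripts, so a comment recording which proxied application (tt-rss, rss-bridge, panel) needs each relaxation would let a later maintainer tighten it per `<Location>` instead of globally, e.g. `# script-src relaxed for the proxied apps — TODO confirm which of them still needs 'unsafe-eval'`. The set is also missing the one header that is safe to add regardless of backend, `Header always setifempty X-Content-Type-Options "nosniff"`. Because `setifempty` is paired with `always`, it presumably only consults the error-headers table, so a backend that emits its own CSP in the normal response headers may cause two CSP headers to reach the client; worth confirming with a request against each proxied path. The same hunk introduces a typo in the mime_module comment: `includesC (SSI)` should read `includes (SSI)`.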