# {{ ansible_managed }} BufferedLogs Off TraceEnable Off Timeout 300 KeepAlive On MaxKeepAliveRequests 512 KeepAliveTimeout 15 # Configuration MPM Event ServerLimit 64 ThreadsPerChild 32 AsyncRequestWorkerFactor 2 MaxRequestWorkers 2048 MaxRequestsPerChild 16384 GracefulShutdownTimeout 2 # Supprime les informations version ServerTokens ProductOnly ServerSignature Off SecServerSignature ";-)" # Configuration headers Header unset X-Powered-By Header unset X-AspNet-Version Header unset Server Header set X-Frame-Options SAMEORIGIN Header set X-XSS-Protection 1;mode=block Header set X-Content-Type-Options nosniff Header set Strict-Transport-Security "max-age=16070400" # Configuration Modsecurity par défaut pour l'analyse des requêtes SecResponseBodyAccess Off SecRequestBodyLimit 104857600 SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 131072 SecRequestBodyLimitAction ProcessPartial # Macros Require all granted Require ip 10.0.0.0/8 Require ip 172.16.0.0/12 Require ip 192.168.0.0/16 Authname "Acces reserve aux utilisateurs disposant d'un compte valide (annuaire)" Authtype Basic AuthBasicProvider ldap AuthLDAPBindAuthoritative on AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }} AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }} AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} Require valid-user Authname "Acces reserve aux administrateurs (annuaire)" Authtype Basic AuthBasicProvider ldap AuthLDAPBindAuthoritative on AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }} AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }} AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} Require valid-user Require ldap-user {{ reverse_proxy_ldap_admins }} Header set X-Robots-Tag "noindex, nofollow" ProxyPass /robots.txt ! RewriteEngine On RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L] Header set X-Robots-Tag "all" ProxyPass /robots.txt ! RewriteEngine On RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L] ProxyErrorOverride On ErrorDocument 400 /rp_ressources/400.html ErrorDocument 401 /rp_ressources/401.html ErrorDocument 403 /rp_ressources/403.html ErrorDocument 404 /rp_ressources/404.html ErrorDocument 500 /rp_ressources/500.html ErrorDocument 502 /rp_ressources/502.html ErrorDocument 503 /rp_ressources/503.html ErrorDocument 504 /rp_ressources/504.html ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html RewriteEngine On Use LDAPAdminAccessPolicy # Si on est en maintenance RewriteCond %{REMOTE_ADDR} !127.0.0.1 RewriteCond %{REQUEST_URI} !^/rp_ressources/* RewriteCond %{REQUEST_URI} !^/rp_maintenance/* RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+) RewriteRule ^.*$ %{DOCUMENT_ROOT}/rp_maintenance/$vhostFQDN.html Header Set Cache-Control "no-store" # Configuration de la fonction reverse proxy # Definition du virtualhost ServerName $vhostFQDN DocumentRoot "/var/www/html" # Niveau de log souhaite LogLevel $logPolicy ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined # Politique vis a vis des moteurs de recherche Use $indexingConf # Configuration de l'accessibilite du virtualhost (public, interne, restreint) Use $accessPolicy # On autorise quand même l'accès a .well-known pour letsencrypt Use OpenAccessPolicy ProxyRequests Off ProxyVia Off ProxyPreserveHost On ProxyPass /rp_ressources ! ProxyPass /rp_maintenance ! ProxyPass /balancer-manager ! ProxyPass / $protoDest://$urlDest/ ProxyPassReverse / $protoDest://$vhostFQDN/ # Configuration du chemin vers la page de status du load balancer SecRuleEngine off SetHandler balancer-manager Use InternalAccessPolicy # Configuration du chemin vers les ressources reverse proxy SecRuleEngine off Use OpenAccessPolicy # Definition des pages d'erreur Use ErrorDocumentPages # Gestion de la page de maintenance Use CheckMaintenancePage $vhostFQDN # Redirige un domaine http vers https ServerName $domain Redirect permanent / https://$domain/ # Redirige un domaine http vers n'importe qu'elle autre adresse http où https ServerName $domainSource Redirect permanent / $domainDest/ #Restriction configuration Use $accessPolicy Use ErrorDocumentPages Use vhost_redirect_http-https $vhostFQDN if ( $cert eq "LE" ) { print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n"; $MDomain{"$vhostFQDN"} = { MDCertificateAgreement => 'accepted', MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}', MDStapling => 'on', }; } $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf SSLEngine on # Inclusion de la configuration additionnelle my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/1_vhost_additional.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } RequestHeader set X-Forwarded-Proto "https" # Gestion mod_security et inclusion des exceptions SecRuleEngine $modsecurityStatus my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/2_mds_exclusion.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf # Inclusion de la configuration additionnelle my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/1_vhost_additional.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } RequestHeader set X-Forwarded-Proto "http" # Gestion mod_security et inclusion des exceptions SecRuleEngine $modsecurityStatus my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/2_mds_exclusion.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; # Virtualhosts techniques # Fait en sorte que si fqdn demandé ne correspond a aucun connu apache ne serve pas le 1er Redirect / https://www.libretic.fr/error # Permet l'acces a des pages d'info apache ExtendedStatus on Listen 9090 http ServerName localhost DocumentRoot /var/www/html/ SetHandler server-info Use InternalAccessPolicy Require host localhost SetHandler server-status Use InternalAccessPolicy Require host localhost LogLevel info ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined # Perl scan vhosts.d PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf PerlSetEnv PERL_CONF_DEBUG 1 PerlSetVar StatusOptionsAll On PerlSetVar StatusDeparseOptions "-p -sC" $Apache2::Server::SaveConfig = 1 my $VHOSTS_REGEX='^\s*Use\s+vhost.+?\s+(.+?)\s+?'; my @vhosts_sub_dirs=`find $ENV{'VHOSTS_DIR'} -mindepth 1 -maxdepth 1 -type d`; $ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n"; for my $subdir (@vhosts_sub_dirs) { chomp $subdir; my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; open my $vhost_file, "<", $config_file or die; while(my $line = <$vhost_file>) { if(my @matches = $line =~ /$VHOSTS_REGEX/) { my $vhost_name=${matches[0]}; $ENV{'PERL_CONF_DEBUG'} and print "Identification du vhost: $vhost_name\n"; push @PerlSetEnv, ["$vhost_name" => "$subdir"]; } } close $config_file; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n"; use Apache2::PerlSections ( ); $ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n"; foreach my $key (keys %ENV) { my $subdir=$ENV{$key}; my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; if( -f $config_file ) { $ENV{'PERL_CONF_DEBUG'} and print "Ajout du vhost: $key\n"; push @Include, "$config_file"; } } $ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n"; print STDERR Apache::PerlSections->dump( );