# {{ ansible_managed }} BufferedLogs Off TraceEnable Off Timeout 300 KeepAlive On MaxKeepAliveRequests 512 KeepAliveTimeout 15 # Configuration MPM Event ServerLimit 64 ThreadsPerChild 32 AsyncRequestWorkerFactor 2 MaxRequestWorkers 2048 MaxRequestsPerChild 16384 GracefulShutdownTimeout 2 # Supprime les informations version ServerTokens ProductOnly ServerSignature Off SecServerSignature ";-)" # Configuration headers Header unset X-Powered-By Header unset X-AspNet-Version Header unset Server Header set X-Frame-Options SAMEORIGIN Header set X-XSS-Protection 1;mode=block Header set X-Content-Type-Options nosniff Header set Strict-Transport-Security "max-age=16070400" # Configuration modsecurity SecTmpDir /var/lib/mod_security SecDataDir /var/lib/mod_security # ModSecurity Core Rules Set configuration IncludeOptional modsecurity.d/*.conf IncludeOptional modsecurity.d/activated_rules/*.conf # Default recommended configuration SecRuleEngine On SecRequestBodyAccess On SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" # 300 Mo SecRequestBodyLimit 314572800 # 128 Ko SecRequestBodyNoFilesLimit 131072 SecRequestBodyInMemoryLimit 131072 SecRequestBodyLimitAction Reject SecRule REQBODY_ERROR "!@eq 0" \ "id:'200001', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2" SecRule MULTIPART_STRICT_ERROR "!@eq 0" \ "id:'200002',phase:2,t:none,log,deny,status:44,msg:'Multipart request body \ failed strict validation: \ PE %{REQBODY_PROCESSOR_ERROR}, \ BQ %{MULTIPART_BOUNDARY_QUOTED}, \ BW %{MULTIPART_BOUNDARY_WHITESPACE}, \ DB %{MULTIPART_DATA_BEFORE}, \ DA %{MULTIPART_DATA_AFTER}, \ HF %{MULTIPART_HEADER_FOLDING}, \ LF %{MULTIPART_LF_LINE}, \ SM %{MULTIPART_MISSING_SEMICOLON}, \ IQ %{MULTIPART_INVALID_QUOTING}, \ IP %{MULTIPART_INVALID_PART}, \ IH %{MULTIPART_INVALID_HEADER_FOLDING}, \ FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'" SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \ "id:'200003',phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'" #SecPcreMatchLimit 50000 #SecPcreMatchLimitRecursion 50000 SecPcreMatchLimit 250000000 SecPcreMatchLimitRecursion 250000000 SecRule TX:/^MSC_/ "!@streq 0" \ "id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'" SecResponseBodyAccess Off SecDebugLog /var/log/apache2/modsec_debug.log #SecDebugLogLevel 4 SecDebugLogLevel 0 #SecAuditEngine RelevantOnly SecAuditEngine Off SecAuditLogRelevantStatus "^(?:5|4(?!04))" SecAuditLogParts ABIJDEFHZ SecAuditLogType Serial SecAuditLog /var/log/apache2/modsec_audit.log SecArgumentSeparator & SecCookieFormat 0 # Macros ProxyRequests Off ProxyVia Off ProxyPreserveHost On Require all granted Require ip 10.0.0.0/8 Require ip 172.16.0.0/12 Require ip 192.168.0.0/16 Require ip 192.168.3.11/32 Authname "Acces reserve aux utilisateurs disposant d'un compte valide" Authtype Basic AuthBasicProvider ldap AuthLDAPBindAuthoritative on AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} Require valid-user Authname "Acces reserve aux administrateurs" Authtype Basic AuthBasicProvider ldap AuthLDAPBindAuthoritative on AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }} Require valid-user Require ldap-user {{ reverse_proxy_ldap_admins }} Header set X-Robots-Tag "noindex, nofollow" ProxyPass /robots.txt ! RewriteEngine On RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L] Header set X-Robots-Tag "all" ProxyPass /robots.txt ! RewriteEngine On RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L] ProxyErrorOverride On ErrorDocument 400 /rp_ressources/400.html ErrorDocument 401 /rp_ressources/401.html ErrorDocument 403 /rp_ressources/403.html ErrorDocument 404 /rp_ressources/404.html ErrorDocument 500 /rp_ressources/500.html ErrorDocument 502 /rp_ressources/502.html ErrorDocument 503 /rp_ressources/503.html ErrorDocument 504 /rp_ressources/504.html ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html RewriteEngine On Use LDAPAdminAccessPolicy # Si on est en maintenance RewriteCond %{REMOTE_ADDR} !127.0.0.1 RewriteCond %{REQUEST_URI} !^/rp_ressources/* RewriteCond %{REQUEST_URI} !^/rp_maintenance/* RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+) RewriteRule ^.*$ %{DOCUMENT_ROOT}/maintenance/$vhostFQDN Header Set Cache-Control "no-store" # Redirige un domaine http vers https ServerName $domain Redirect permanent / https://$domain/ # Redirige un domaine http vers n'importe qu'elle autre adresse http où https ServerName $domainSource Redirect permanent / $domainDest/ #Restriction configuration Use $accessPolicy Use ErrorDocumentPages Use vhost_redirect_http-https $vhostFQDN if ( $cert eq "LE" ) { print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n"; $MDomain{"$vhostFQDN"} = { MDCertificateAgreement => 'accepted', MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}', MDStapling => 'on', }; } $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; # Definition du virtualhost ServerName $vhostFQDN DocumentRoot "/var/www/html" # Configuration SSL avec le bon certificat # Include conf.patterns.d/01_ssl_$cert.conf SSLEngine on # Niveau de log souhaite LogLevel $logPolicy ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined # Politique vis a vis des moteurs de recherche Use $indexingConf # Configuration de l'accessibilite du virtualhost (public, interne, restreint) Use $accessPolicy # Inclusion de la configuration additionnelle my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/1_vhost_additional.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } # Configuration du chemin vers la page de status du load balancer SecRuleEngine off SetHandler balancer-manager Use InternalAdminAccessPolicy # Configuration du chemin vers les ressources reverse proxy SecRuleEngine off Use OpenAccessPolicy # Configuration de la fonction reverse proxy Use ProxyCommon ProxyPass /rp_ressources ! ProxyPass /rp_maintenance ! ProxyPass /balancer-manager ! ProxyPass / $protoDest://$urlDest/ ProxyPassReverse / $protoDest://$vhostFQDN/ RequestHeader set X-Forwarded-Proto "https" # Definition des pages d'erreur Use ErrorDocumentPages # Gestion de la page de maintenance Use CheckMaintenancePage $vhostFQDN # Gestion mod_security et inclusion des exceptions SecRuleEngine $modsecurityStatus my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/2_mds_exclusion.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n"; # Definition du virtualhost ServerName $vhostFQDN DocumentRoot "/var/www/html" # Niveau de log souhaite LogLevel $logPolicy ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined # Politique vis a vis des moteurs de recherche Use $indexingConf # Configuration de l'accessibilite du virtualhost (public, interne, restreint) Use $accessPolicy # Inclusion de la configuration additionnelle my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/1_vhost_additional.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } # Configuration du chemin vers la page de status du load balancer SecRuleEngine off SetHandler balancer-manager Use InternalAdminAccessPolicy # Configuration du chemin vers les ressources reverse proxy SecRuleEngine off Use OpenAccessPolicy # Configuration de la fonction reverse proxy Use ProxyCommon ProxyPass /rp_ressources ! ProxyPass /rp_maintenance ! ProxyPass /balancer-manager ! ProxyPass / $protoDest://$urlDest/ ProxyPassReverse / $protoDest://$vhostFQDN/ RequestHeader set X-Forwarded-Proto "http" # Definition des pages d'erreur Use ErrorDocumentPages # Gestion de la page de maintenance Use CheckMaintenancePage $vhostFQDN # Gestion mod_security et inclusion des exceptions SecRuleEngine $modsecurityStatus my $dir=$ENV{"$vhostFQDN"}; my $config_file="$dir/2_mds_exclusion.conf"; if( -f $config_file) { $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n"; push @Include, "$config_file"; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n"; # Virtualhosts techniques # Fait en sorte que si fqdn demandé ne correspond a aucun connu apache ne serve pas le 1er Redirect / http://erreur.libretic.fr/ # Permet l'acces a des pages d'info apache ExtendedStatus on Listen 9090 http ServerName localhost DocumentRoot /var/www/html/ SetHandler server-info Use InternalAdminAccessPolicy Require host localhost SetHandler server-status Use InternalAdminAccessPolicy Require host localhost LogLevel info ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined # Perl scan vhosts.d PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf PerlSetEnv PERL_CONF_DEBUG 1 PerlSetVar StatusOptionsAll On PerlSetVar StatusDeparseOptions "-p -sC" $Apache2::Server::SaveConfig = 1 my $VHOSTS_REGEX='^\s*Use\s+vhost.+?\s+(.+?)\s+?'; my @vhosts_sub_dirs=`find $ENV{'VHOSTS_DIR'} -mindepth 1 -maxdepth 1 -type d`; $ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n"; for my $subdir (@vhosts_sub_dirs) { chomp $subdir; my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; open my $vhost_file, "<", $config_file or die; while(my $line = <$vhost_file>) { if(my @matches = $line =~ /$VHOSTS_REGEX/) { my $vhost_name=${matches[0]}; $ENV{'PERL_CONF_DEBUG'} and print "Identification du vhost: $vhost_name\n"; push @PerlSetEnv, ["$vhost_name" => "$subdir"]; } } close $config_file; } $ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n"; use Apache2::PerlSections ( ); $ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n"; foreach my $key (keys %ENV) { my $subdir=$ENV{$key}; my $config_file="${subdir}/$ENV{'VHOST_DEFAULT_FILE'}"; if( -f $config_file ) { $ENV{'PERL_CONF_DEBUG'} and print "Ajout du vhost: $key\n"; push @Include, "$config_file"; } } $ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n"; print STDERR Apache::PerlSections->dump( );