# {{ ansible_managed }}
# Global connection settings, inherited by every vhost defined below.
BufferedLogs Off
# Refuses TRACE requests (cross-site tracing hardening).
TraceEnable Off
# Seconds Apache waits for I/O on a connection (a long value).
# NOTE(review): no mod_reqtimeout directive is visible in this file; confirm
# slow-request limits are configured elsewhere.
Timeout 300
KeepAlive On
MaxKeepAliveRequests 512
KeepAliveTimeout 15
# MPM Event configuration.
# ServerLimit * ThreadsPerChild = 64 * 32 = 2048, which matches
# MaxRequestWorkers below.
ServerLimit 64
ThreadsPerChild 32
AsyncRequestWorkerFactor 2
MaxRequestWorkers 2048
# MaxRequestsPerChild is the pre-2.4 spelling of MaxConnectionsPerChild;
# still accepted by Apache 2.4.
MaxRequestsPerChild 16384
GracefulShutdownTimeout 2
# Strips version information from responses.
ServerTokens ProductOnly
ServerSignature Off
# mod_security replaces the Server header value with this string.
SecServerSignature ";-)"
# Response header configuration, applied to every vhost.
# These use plain "Header set/unset" (the onsuccess table), which does not
# necessarily cover error responses; "Header always ..." would.
Header unset X-Powered-By
Header unset X-AspNet-Version
# NOTE(review): mod_headers usually cannot remove the core Server header;
# SecServerSignature above is what actually rewrites it -- verify on a live
# response.
Header unset Server
Header set X-Frame-Options SAMEORIGIN
# Unquoted value: Apache tokenizes on whitespace, so "1;mode=block" is a
# single argument. Current browsers ignore X-XSS-Protection.
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
# HSTS with max-age 16070400 s (about 186 days), no includeSubDomains or
# preload. Being global it is also sent by the *:80 vhosts, where browsers
# ignore it.
Header set Strict-Transport-Security "max-age=16070400"
# Default mod_security settings for request inspection.
# Response bodies are not inspected, so no outbound/data-leak rules apply.
SecResponseBodyAccess Off
# 100 MiB cap on request bodies; bodies without file uploads are capped at
# 128 KiB and buffered in memory up to that size.
SecRequestBodyLimit 104857600
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 131072
# ProcessPartial: a body over the limit is not rejected, only the part that
# was read is analysed -- keep in mind when relying on body rules.
SecRequestBodyLimitAction ProcessPartial
# Macros (mod_macro): each is expanded textually at its "Use" site.

# Placeholder macro for "Use" sites that need no directives -- presumably
# passed as the policy/indexing argument of the vhost macros below.
<Macro Empty>
</Macro>
# Public access: no client restriction at all.
<Macro OpenAccessPolicy>
    Require all granted
</Macro>
# Access limited to the three RFC 1918 private ranges. Sibling Require
# directives form an implicit <RequireAny>, so a client in any one of the
# ranges is accepted. This tests REMOTE_ADDR, i.e. the TCP peer, not any
# X-Forwarded-For value.
<Macro InternalAccessPolicy>
    Require ip 10.0.0.0/8
    Require ip 172.16.0.0/12
    Require ip 192.168.0.0/16
</Macro>
# HTTP Basic authentication against the directory; any account that binds
# successfully is accepted.
<Macro LDAPUserAccessPolicy>
    Authname "Acces reserve aux utilisateurs disposant d'un compte valide (annuaire)"
    Authtype Basic
    AuthBasicProvider ldap
    # A failed bind is final: no fall-through to another provider.
    AuthLDAPBindAuthoritative on
    # Bind credentials are rendered into this file by Ansible, so the file
    # must stay readable by root only (mod_info's server-info also displays
    # the parsed configuration).
    AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
    AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
    # Plain ldap:// URL: the bind and the users' credentials travel to the
    # directory unencrypted unless LDAPTrustedMode/STARTTLS is configured
    # elsewhere -- confirm.
    AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
    Require valid-user
</Macro>
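# Same LDAP authentication as LDAPUserAccessPolicy, restricted to the
# accounts listed in reverse_proxy_ldap_admins.
<Macro LDAPAdminAccessPolicy>
    Authname "Acces reserve aux administrateurs (annuaire)"
    Authtype Basic
    AuthBasicProvider ldap
    AuthLDAPBindAuthoritative on
    AuthLDAPBindDN {{ reverse_proxy_ldap_bind_dn }}
    AuthLDAPBindPassword {{ reverse_proxy_ldap_bind_password }}
    AuthLDAPUrl ldap://{{ reverse_proxy_ldap_srv }}/{{ reverse_proxy_ldap_basedn }}?{{ reverse_proxy_ldap_userdn }}
    # Sibling Require directives are implicitly OR-ed (<RequireAny>) in
    # Apache 2.4. Without this container "Require valid-user" alone satisfied
    # the check and every directory account passed as an administrator.
    <RequireAll>
        Require valid-user
        Require ldap-user {{ reverse_proxy_ldap_admins }}
    </RequireAll>
</Macro>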
# Tells crawlers not to index the vhost: X-Robots-Tag on every response and
# a local "disallow everything" robots.txt served instead of the backend's.
<Macro BlockCrawlerIndexing>
    Header set X-Robots-Tag "noindex, nofollow"
    # Keeps /robots.txt out of the proxied paths.
    ProxyPass /robots.txt !
    RewriteEngine On
    RewriteRule ^/robots\.txt$ /rp_ressources/robots_disabled.txt [L]
</Macro>
# Counterpart of BlockCrawlerIndexing: indexing allowed, with a local
# robots.txt still served instead of the backend's.
<Macro AllowCrawlerIndexing>
    Header set X-Robots-Tag "all"
    ProxyPass /robots.txt !
    RewriteEngine On
    RewriteRule ^/robots\.txt$ /rp_ressources/robots_enabled.txt [L]
</Macro>
# Local error pages. ProxyErrorOverride On replaces backend 4xx/5xx
# responses with these pages, so backend error bodies (stack traces,
# framework banners) are not shown to clients.
<Macro ErrorDocumentPages>
    ProxyErrorOverride On
    ErrorDocument 400 /rp_ressources/400.html
    ErrorDocument 401 /rp_ressources/401.html
    ErrorDocument 403 /rp_ressources/403.html
    ErrorDocument 404 /rp_ressources/404.html
    ErrorDocument 500 /rp_ressources/500.html
    ErrorDocument 502 /rp_ressources/502.html
    ErrorDocument 503 /rp_ressources/503.html
    ErrorDocument 504 /rp_ressources/504.html
    # Status code returned by mod_security denials, taken from the Ansible
    # variable; a matching page must exist under /rp_ressources.
    ErrorDocument {{ reverse_proxy_http_modsecurity_error_code }} /rp_ressources/{{ reverse_proxy_http_modsecurity_error_code }}.html
</Macro>
# Maintenance page handling for the vhost named by $vhostFQDN: when
# DOCUMENT_ROOT/rp_maintenance/<fqdn>.html exists, every request is served
# that page unless it matches one of the exemptions below.
<Macro CheckMaintenancePage $vhostFQDN>
    RewriteEngine On

    # Admin login path (used to obtain the bypass); relies on the
    # LDAPAdminAccessPolicy macro.
    <Location "/rp_maintenance/auth/">
        Use LDAPAdminAccessPolicy
    </Location>

    # In maintenance when the page file exists.
    <If "-f %{DOCUMENT_ROOT} . '/rp_maintenance/$vhostFQDN.html'">
        # Exemptions: loopback (unanchored regex, dots unescaped), the proxy's
        # own resources and the maintenance paths, and clients carrying the
        # bypass cookie. "/*" means "zero or more slashes", so the two URI
        # conditions are plain prefix tests on /rp_ressources and /rp_maintenance.
        RewriteCond %{REMOTE_ADDR} !127.0.0.1
        RewriteCond %{REQUEST_URI} !^/rp_ressources/*
        RewriteCond %{REQUEST_URI} !^/rp_maintenance/*
        # Only the cookie's presence is tested, not its value: acceptable for a
        # cosmetic maintenance page, not as an access control.
        RewriteCond %{HTTP_COOKIE} !rp_acces_maintenance=([^;]+)
        # Rewrites to a filesystem path, served with status 200. A 503 with
        # Retry-After would be kinder to crawlers and monitoring.
        RewriteRule ^.*$ %{DOCUMENT_ROOT}/rp_maintenance/$vhostFQDN.html
        Header Set Cache-Control "no-store"
    </If>
</Macro>
# Reverse proxy configuration shared by the HTTP and HTTPS vhost macros.
# Arguments: vhost FQDN, backend scheme and host[:port], LogLevel value,
# name of an access-policy macro, name of an indexing macro.
<Macro ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf>
    # Virtualhost definition. DocumentRoot holds the local resources
    # (/rp_ressources, /rp_maintenance) that are excluded from proxying below.
    ServerName $vhostFQDN
    DocumentRoot "/var/www/html"

    # Requested log level and per-vhost log files.
    LogLevel $logPolicy
    ErrorLog ${APACHE_LOG_DIR}/$vhostFQDN-error.log
    CustomLog ${APACHE_LOG_DIR}/$vhostFQDN-access.log combined

    # Search engine policy (BlockCrawlerIndexing / AllowCrawlerIndexing / ...).
    Use $indexingConf

    # Vhost reachability (public, internal, restricted): the policy macro
    # applies to the whole URL space.
    <Location />
        Use $accessPolicy
    </Location>
    # /.well-known stays reachable regardless of the policy, for Let's Encrypt.
    # NOTE(review): "ProxyPass /" below still forwards this path to the
    # backend; confirm mod_md answers http-01 challenges before proxying,
    # otherwise a "ProxyPass /.well-known/acme-challenge !" exclusion is needed.
    <Location /.well-known>
        Use OpenAccessPolicy
    </Location>

    # Reverse proxy only (no forward proxying), no Via header, and the
    # original Host header is passed to the backend.
    ProxyRequests Off
    ProxyVia Off
    ProxyPreserveHost On
    # Paths served locally rather than by the backend.
    ProxyPass /rp_ressources !
    ProxyPass /rp_maintenance !
    ProxyPass /balancer-manager !
    ProxyPass / $protoDest://$urlDest/
    # Rewrites Location/Content-Location headers naming $vhostFQDN -- the
    # host the backend sees thanks to ProxyPreserveHost -- not $urlDest.
    ProxyPassReverse / $protoDest://$vhostFQDN/

    # Adds an X-Real-Ip header with the client address, useful to traefik
    # downstream to propagate the real client address to the application.
    # "set" overwrites any client-supplied value.
    RequestHeader set X-Real-Ip "%{REMOTE_ADDR}s"

    # Load balancer status page. balancer-manager allows runtime changes to
    # balancer members, so it is limited to the RFC 1918 ranges; mod_security
    # is disabled for it.
    <Location "/balancer-manager">
        SecRuleEngine off
        SetHandler balancer-manager
        Use InternalAccessPolicy
    </Location>

    # Reverse proxy's own static resources (error pages, robots files):
    # public, not inspected by mod_security.
    <Location "/rp_ressources">
        SecRuleEngine off
        Use OpenAccessPolicy
    </Location>

    # Error pages.
    Use ErrorDocumentPages

    # Maintenance page handling.
    Use CheckMaintenancePage $vhostFQDN
</Macro>
# Redirects an http domain to https (301, whole URL space).
<Macro vhost_redirect_http-https $domain>
    <VirtualHost *:80>
        ServerName $domain
        Redirect permanent / https://$domain/
    </VirtualHost>
</Macro>
# Redirects an http domain to any other http or https address.
# $domainDest must carry its scheme (it is used as-is before the "/").
<Macro vhost_redirect_http_generic $domainSource $domainDest $accessPolicy>
    <VirtualHost *:80>
        ServerName $domainSource
        Redirect permanent / $domainDest/

        # Access restriction and local error pages for the redirecting vhost.
        <Location />
            Use $accessPolicy
            Use ErrorDocumentPages
        </Location>
    </VirtualHost>
</Macro>
# HTTPS reverse-proxy vhost. $cert is either "LE" (certificate managed by
# mod_md / Let's Encrypt) or the suffix of a certs-conf/cert_<name>.conf
# file to include. Other arguments are passed through to ProxyCommon and
# mod_security.
# Macro arguments are substituted textually by mod_macro before the <Perl>
# sections are compiled, so $cert and $vhostFQDN inside them are literals,
# not Perl variables.
<Macro vhost_HTTPS_Generic $vhostFQDN $cert $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>
    # Plain-http requests for this name are redirected to https.
    Use vhost_redirect_http-https $vhostFQDN

    <Perl>
        # %MDomain becomes an <MDomain> container for mod_md: Let's Encrypt
        # certificate with OCSP stapling and the default contact address.
        if ( $cert eq "LE" )
        {
            print "------- Utilisation d'un certificat LetsEncrypt pour $vhostFQDN -------\n";
            $MDomain{"$vhostFQDN"} = {
                MDCertificateAgreement => 'accepted',
                MDContactEmail => '{{ reverse_proxy_default_serveradmin_email }}',
                MDStapling => 'on',
            };
        }
    </Perl>

    <VirtualHost *:443>
        <Perl>
            $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
        </Perl>

        Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf

        # NOTE(review): no SSLProtocol/SSLCipherSuite in this file; presumably
        # set globally -- confirm.
        SSLEngine on
        # Inclusion of the specific certificate configuration (wildcard or
        # other). $ENV{"<fqdn>"} is the vhost directory registered by the
        # pre-scan at the end of this file; it is undefined when this vhost was
        # not registered there, in which case the Include path becomes
        # "/../../certs-conf/..." and startup fails on the missing file.
        <Perl>
            if ( $cert ne "LE" )
            {
                my $dir=$ENV{"$vhostFQDN"};
                my $config_file="$dir/../../certs-conf/cert_$cert.conf";
                print "------- Utilisation de la configuration certificat $config_file pour $vhostFQDN -------\n";
                push @Include, "$config_file";
            }
        </Perl>

        # Optional per-vhost additional configuration.
        <Perl>
            my $dir=$ENV{"$vhostFQDN"};
            my $config_file="$dir/1_vhost_additional.conf";
            if( -f $config_file)
            {
                $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                push @Include, "$config_file";
            }
        </Perl>

        # Tells a plain-http backend that the client connection was https.
        # NOTE(review): when the backend is https this header is not set, so a
        # client-supplied X-Forwarded-Proto is forwarded unchanged; consider
        # setting it unconditionally if the backend trusts that header.
        <If "'$protoDest' == 'http'">
            RequestHeader set X-Forwarded-Proto "https"
        </If>

        # mod_security enablement (On/Off/DetectionOnly from the argument) and
        # optional per-vhost rule exclusions.
        <IfModule mod_security2.c>
            SecRuleEngine $modsecurityStatus
            <Perl>
                my $dir=$ENV{"$vhostFQDN"};
                my $config_file="$dir/2_mds_exclusion.conf";
                if( -f $config_file)
                {
                    $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                    push @Include, "$config_file";
                }
            </Perl>
        </IfModule>

        <Perl>
            $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
        </Perl>
    </VirtualHost>
</Macro>
# Plain-HTTP reverse-proxy vhost (no TLS). Same arguments as
# vhost_HTTPS_Generic minus the certificate. Note that an LDAP access policy
# used here sends Basic credentials in clear text over port 80.
# Macro arguments are substituted textually by mod_macro before the <Perl>
# sections are compiled, so $vhostFQDN inside them is a literal.
<Macro vhost_HTTP_Generic $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf $modsecurityStatus>

    <VirtualHost *:80>
        <Perl>
            $ENV{'PERL_CONF_DEBUG'} and print "------- Generation du vhosts $vhostFQDN -------\n";
        </Perl>

        Use ProxyCommon $vhostFQDN $protoDest $urlDest $logPolicy $accessPolicy $indexingConf

        # Optional per-vhost additional configuration. $ENV{"<fqdn>"} is the
        # vhost directory registered by the pre-scan at the end of this file.
        <Perl>
            my $dir=$ENV{"$vhostFQDN"};
            my $config_file="$dir/1_vhost_additional.conf";
            if( -f $config_file)
            {
                $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                push @Include, "$config_file";
            }
        </Perl>

        # Tells an https backend that the client connection was plain http.
        # NOTE(review): for an http backend the header is not set, so a
        # client-supplied X-Forwarded-Proto is forwarded unchanged.
        <If "'$protoDest' == 'https'">
            RequestHeader set X-Forwarded-Proto "http"
        </If>

        # mod_security enablement and optional per-vhost rule exclusions.
        <IfModule mod_security2.c>
            SecRuleEngine $modsecurityStatus
            <Perl>
                my $dir=$ENV{"$vhostFQDN"};
                my $config_file="$dir/2_mds_exclusion.conf";
                if( -f $config_file)
                {
                    $ENV{'PERL_CONF_DEBUG'} and print "Inclusion du fichier '$config_file'\n";
                    push @Include, "$config_file";
                }
            </Perl>
        </IfModule>

        <Perl>
            $ENV{'PERL_CONF_DEBUG'} and print "----------------------------------------------\n";
        </Perl>
    </VirtualHost>
</Macro>
# Technical virtualhosts.

# Catch-all so that a request for an unknown FQDN is not served by the first
# defined vhost. This only covers *:80: no *:443 catch-all is visible in this
# file, so on 443 an unmatched name falls to whichever *:443 vhost is
# defined first (Include order) -- confirm that is intended.
<VirtualHost *:80>
    Redirect / https://www.libretic.fr/error
</VirtualHost>
# Apache information pages, on a dedicated port bound to all interfaces.
ExtendedStatus on
Listen 9090 http
<VirtualHost *:9090>
    ServerName localhost
    DocumentRoot /var/www/html/
    # mod_info: shows the parsed configuration, including the LDAP bind
    # password rendered into the macros above. The two Require lines form an
    # implicit <RequireAny>: RFC 1918 client OR a client whose reverse DNS
    # resolves to localhost.
    # NOTE(review): "Require host" depends on a DNS lookup of the client;
    # "Require ip 127.0.0.1 ::1" would express the same intent without it.
    <Location /server-info>
        SetHandler server-info
        Use InternalAccessPolicy
        Require host localhost
    </Location>
    # mod_status, same access rule.
    <Location /status>
        SetHandler server-status
        Use InternalAccessPolicy
        Require host localhost
    </Location>
    LogLevel info
    ErrorLog ${APACHE_LOG_DIR}/monitoring-page-error.log
    CustomLog ${APACHE_LOG_DIR}/monitoring-page-access.log combined
</VirtualHost>
# Environment for the <Perl> sections below that scan vhosts.d:
# directory holding one sub-directory per vhost, and the file name looked
# for in each of them.
PerlSetEnv VHOSTS_DIR /etc/apache2/vhosts.d
PerlSetEnv VHOST_DEFAULT_FILE 0_vhost.conf
# Unconditionally enables the startup prints of the <Perl> sections.
PerlSetEnv PERL_CONF_DEBUG 1

# Apache2::Status options. No perl-status Location is visible in this file.
PerlSetVar StatusOptionsAll On
PerlSetVar StatusDeparseOptions "-p -sC"
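<Perl>
    # Keeps the configuration assembled by the <Perl> sections instead of
    # discarding it after compilation, so that the
    # Apache2::PerlSections->dump() call at the end of this file has
    # something to print.
    # mod_perl 2 documents $Apache2::PerlSections::Save for this; the
    # mod_perl 1-style name the file originally set is kept alongside it.
    $Apache2::PerlSections::Save = 1;
    $Apache2::Server::SaveConfig = 1;
</Perl>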
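<Perl>
    # Pre-scan of the vhost directories: each VHOSTS_DIR/<subdir>/<default
    # file> is searched for a "Use vhost... <fqdn>" line and the mapping
    # <fqdn> => <subdir> is exported as an environment variable (PerlSetEnv).
    # The vhost macros above read it back through $ENV{"<fqdn>"} to locate
    # their per-vhost include files.
    use strict;
    use warnings;

    # Package variable collected by mod_perl once this section has run.
    our @PerlSetEnv;

    # First argument of a "Use vhost..." line, i.e. the vhost FQDN.
    my $VHOSTS_REGEX = qr/^\s*Use\s+vhost.+?\s+(.+?)\s+?/;

    my $vhosts_dir   = $ENV{'VHOSTS_DIR'};
    my $default_file = $ENV{'VHOST_DEFAULT_FILE'};

    # Direct sub-directories only, symlinks excluded (the same set as
    # "find -mindepth 1 -maxdepth 1 -type d" gave), listed without a shell.
    # An unreadable VHOSTS_DIR now aborts the configuration load instead of
    # silently yielding no vhosts.
    opendir my $dh, $vhosts_dir
        or die "Cannot open VHOSTS_DIR '$vhosts_dir': $!";
    my @vhosts_sub_dirs = sort
        grep { -d $_ && !-l $_ }
        map  { "$vhosts_dir/$_" }
        grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;

    $ENV{'PERL_CONF_DEBUG'} and print "------ Pre-Traitement ------\n";

    for my $subdir (@vhosts_sub_dirs)
    {
        my $config_file = "${subdir}/$default_file";
        # A sub-directory without its default vhost file aborts the
        # configuration load (the original died without a message).
        open my $vhost_file, '<', $config_file
            or die "Cannot open vhost file '$config_file': $!";
        while (my $line = <$vhost_file>)
        {
            if (my @matches = $line =~ $VHOSTS_REGEX)
            {
                my $vhost_name = $matches[0];
                $ENV{'PERL_CONF_DEBUG'} and print "Identification du vhost: $vhost_name\n";
                push @PerlSetEnv, [ $vhost_name => $subdir ];
            }
        }
        # The original closed $config_file (the path string), i.e. nothing.
        close $vhost_file
            or die "Cannot close vhost file '$config_file': $!";
    }

    $ENV{'PERL_CONF_DEBUG'} and print "----------------------------\n";
</Perl>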
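<Perl>
    # Second pass: every environment variable whose value is a directory
    # holding the default vhost file is treated as a vhost registered by the
    # pre-scan above, and that file is Included.
    use strict;
    use warnings;
    use Apache2::PerlSections ();

    # Package variable collected by mod_perl once this section has run.
    our @Include;

    my $default_file = $ENV{'VHOST_DEFAULT_FILE'};

    $ENV{'PERL_CONF_DEBUG'} and print "------ Chargement des vhosts ------\n";

    # The vhost mappings share %ENV with ordinary variables (PATH, ...); the
    # -f test is what filters those out. Keys are sorted so the Include
    # order -- and therefore which <VirtualHost> answers an unmatched name --
    # is stable across restarts ("keys %ENV" order is not).
    for my $key (sort keys %ENV)
    {
        my $subdir      = $ENV{$key};
        my $config_file = "${subdir}/$default_file";
        next unless -f $config_file;
        $ENV{'PERL_CONF_DEBUG'} and print "Ajout du vhost: $key\n";
        push @Include, $config_file;
    }

    $ENV{'PERL_CONF_DEBUG'} and print "-----------------------------------\n";

    # Dumps the assembled configuration to the error log for debugging. The
    # module loaded above is Apache2::PerlSections; the original called the
    # mod_perl 1 name Apache::PerlSections, which only resolves when a compat
    # layer is loaded.
    print STDERR Apache2::PerlSections->dump();
</Perl>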