Example Apache with SSL and reverse p...

Example Apache with SSL and reverse proxy configuration

ServerTokens OS

ServerRoot "/etc/httpd"
PidFile run/httpd.pid

# Keepalive settings

Timeout 120
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

<IfModule prefork.c>

StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000

<IfModule worker.c>

StartServers         2
MaxClients         150
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0

Listen 80

LoadModule auth_basic_module modules/mod_auth_basic.so

LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so

Include conf.d/*.conf

#ExtendedStatus On

User webadmin

Group webadmin

# Main configuration

# UseCanonicalName: When set "On", Apache will use the value of the

# ServerName directive. Otherwise apache will use the client provided host name
UseCanonicalName Off

DirectoryIndex index.html index.htm index.php

AccessFileName .htaccess


# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all


# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
TypesConfig /etc/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>

#   MIMEMagicFile /usr/share/magic.mime
    MIMEMagicFile conf/magic

HostnameLookups Off


<Directory "/www/">

        EnableMMAP off
        EnableSendfile off

#CacheRoot /web_cache

#CacheDirLevels 5
#CacheDirLength 3
#MCacheSize 409600
#MCacheMinObjectSize 1
#MCacheMaxObjectSize 256000

#CacheEnable disk /

#CacheEnable mem /

ErrorLog /log/nohost_error.log

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b  \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog

SetEnvIf Remote_Addr "-" dontlog

SetEnvIf Host "^$" dontlog

SetEnvIf Request_URI \.gif dontlog

SetEnvIf Request_URI \.jpg dontlog
SetEnvIf Request_URI \.jpeg dontlog
SetEnvIf Request_URI \.png dontlog
CustomLog /log/nohost_access.log combined

ServerSignature Off

Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">

    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all

# IndexOptions: Controls the appearance of server-generated directory

# listings.
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*

AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe

AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..

AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html

HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddLanguage ca .ca

AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

ForceLanguagePriority Prefer Fallback

AddDefaultCharset UTF-8

AddType application/x-compress .Z

AddType application/x-gzip .gz .tgz

AddHandler type-map var

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>

<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback



BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully

BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
FileETag MTime Size
ProxyRequests Off
TraceEnable Off
NameVirtualHost *:80
Include conf/sites/*
In the sites folder create your vhost such as www.sysxperts.com.conf
<VirtualHost _default_:80>
        ServerName www.sysxperts.com
        ServerAlias www1-sysxperts www1-sysxperts.sysxperts.com
        ServerAdmin pvalentino@sysxperts.com

        ErrorLog /var/log/httpd/www1-sysxperts-error_log

        CustomLog /var/log/httpd/www1-sysxperts-access_log combined env=!dontlog

        RewriteEngine On

        RewriteRule ^/myapp/?(.*)$ https://%{HTTP_HOST}/myapp/$1 [R,L]
        RewriteRule ^/myapp2/?(.*)$ https://%{HTTP_HOST}/myapp2/$1 [R,L]

        Include conf/all_vhosts.conf

        DocumentRoot /www/www.sysxperts.com

        <Directory "/www/www.sysxperts.com/">

                Options +Includes -Indexes
                AllowOverride None
                AddOutputFilter INCLUDES .htm
                AddOutputFilter INCLUDES .html
                Order Allow,Deny
                Allow From All

Listen www.sysxperts.com:443

<VirtualHost www.sysxperts.com:443>
        ServerName www.sysxperts.com
        ServerAlias www1-sysxperts www1-sysxperts.sysxperts.com
        ServerAdmin pvalentino@sysxperts.com

        ErrorLog /var/log/httpd/www1-sysxperts-error_log

        CustomLog /var/log/httpd/www1-sysxperts-access_log combined env=!dontlog

        RewriteEngine On

        RewriteRule ^/$ http://%{HTTP_HOST}/ [R,L]

        SSLEngine On

        SSLCertificateFile    ssl/www.sysxperts.com.crt
        SSLCertificateKeyFile ssl/www.sysxperts.com.key
        Include conf/ssl.conf
        Include conf/all_vhosts.conf

        DocumentRoot /www/www.sysxperts.com

        <Directory "/www/www.sysxperts.com/">

                Options +Includes -Indexes
                AllowOverride None
                AddOutputFilter INCLUDES .htm
                AddOutputFilter INCLUDES .html
                Order Allow,Deny
                Allow From All

        RewriteRule /myapp$ /myapp/ [R,L]

        <Location "/myapp/">
                ProxyPass http://myapp.sysxperts.com:8080/myapp/
                ProxyPassReverse http://myapp.sysxperts.com:8080/myapp/
                ProxyPassReverse /

        RewriteRule /myapp2$ /myapp2/ [R,L]

        <Location "/myapp2/">
                ProxyPass http://myapp2.sysxperts.com:8080/myapp2/
                ProxyPassReverse http://myapp2.sysxperts.com:8080/myapp2/
                ProxyPassReverse /
 The include file all_vhosts.conf should have entries common to all virtual hosts i.e.:
# Rewrite engine must be turned on prior to including this config file
RewriteRule .* - [F]
 The ssl include file should contain entries common to all SSL vhosts i.e. :
SSLProtocol -ALL +SSLv3 +TLSv1
For PCI Scans you may also need to add an .htaccess file to /var/www/manual/images with Options -Indexes or you can disable the manual altogether. 

No comments: