[PATCH 1/4] httpd: remove compatibility instructions for very old browsers

[PATCH 1/4] httpd: remove compatibility instructions for very old browsers

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1573 bytes --]

These are not in use any more - and if they would, we don't support them.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/httpd/server-tuning.conf                 | 10 ----------
 config/httpd/vhosts.d/ipfire-interface-ssl.conf |  3 ---
 2 files changed, 13 deletions(-)

diff --git a/config/httpd/server-tuning.conf b/config/httpd/server-tuning.conf
index 5642a1e44..9ee651e45 100644
--- a/config/httpd/server-tuning.conf
+++ b/config/httpd/server-tuning.conf
@@ -22,13 +22,3 @@ MaxSpareThreads 20
 StartServers 2
 MaxRequestWorkers 256
 ThreadsPerChild 16
-
-#
-# The following directives modify normal HTTP response behavior to
-# handle known problems with browser implementations.
-#
-BrowserMatch "Mozilla/2" nokeepalive
-BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
-BrowserMatch "RealPlayer 4\.0" force-response-1.0
-BrowserMatch "Java/1\.0" force-response-1.0
-BrowserMatch "JDK/1\.0" force-response-1.0
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index de7b8559d..8c4cf3806 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -64,9 +64,6 @@
 	SSLOptions +StdEnvVars
     </Directory>
     SetEnv HOME /home/nobody
-    SetEnvIf User-Agent ".*MSIE.*" \
-	nokeepalive ssl-unclean-shutdown \
-	downgrade-1.0 force-response-1.0
     CustomLog /var/log/httpd/ssl_request_log \
 	"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
-- 
2.26.2

[PATCH 2/4] httpd: disable sending ETag header completely

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 689 bytes --]

These cause caching trouble and pose a potential security risk due to
exposing inode numbers of files within the Apache site directories on an
IPFire machine.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/httpd/global.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/httpd/global.conf b/config/httpd/global.conf
index cc8000379..46878baf5 100644
--- a/config/httpd/global.conf
+++ b/config/httpd/global.conf
@@ -8,6 +8,7 @@ Include /etc/httpd/conf/hostname.conf
 HostnameLookups off
 AddHandler cgi-script .cgi
 EnableSendfile Off
+FileETag None
 
 # Always unset HTTP_PROXY variable, https://httpoxy.org
 RequestHeader unset Proxy early
-- 
2.26.2

[PATCH 3/4] httpd: apply the same security headers on the captive portal instance as we do elsewhere

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 903 bytes --]

The Captive Portal should not be framed or leak sensitive detail via
Referrers either.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/httpd/vhosts.d/captive.conf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index 629fa8180..51af6eac4 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -11,6 +11,8 @@ Listen 1013
 
 	Header always set X-Content-Type-Options nosniff
 	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+	Header always set Referrer-Policy strict-origin
+	Header always set X-Frame-Options sameorigin
 
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
-- 
2.26.2

[PATCH 4/4] httpd: delete comment blocks and unused directives from our configuration

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 10095 bytes --]

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/httpd/default-server.conf |  3 --
 config/httpd/httpd.conf          | 81 +++-----------------------------
 config/httpd/mod_log_config.conf | 33 +------------
 config/httpd/ssl-global.conf     | 45 ++----------------
 4 files changed, 13 insertions(+), 149 deletions(-)

diff --git a/config/httpd/default-server.conf b/config/httpd/default-server.conf
index db082298a..e82dfa088 100644
--- a/config/httpd/default-server.conf
+++ b/config/httpd/default-server.conf
@@ -2,7 +2,4 @@
 # Global configuration that will be applicable for all virtual hosts, unless
 # deleted here, or overriden elswhere.
 #
-
 DocumentRoot /srv/web/ipfire/html
-
-#Include /etc/httpd/conf/conf.d/*.conf
diff --git a/config/httpd/httpd.conf b/config/httpd/httpd.conf
index 14dcc735c..c694bffe2 100644
--- a/config/httpd/httpd.conf
+++ b/config/httpd/httpd.conf
@@ -1,37 +1,4 @@
-#
-# /etc/httpd/conf/httpd.conf 
-#
-# This is the main Apache2 server configuration file for IPFire.
-# Plese do not change this file!
-
-# Overview of include files, chronologically:
-#
-# httpd.conf
-#  | 
-#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
-#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
-#  |-- loadmodule.conf . . . . . . . . . . .  load these modules
-#  |-- listen.conf . . . . . . . . . . . . .  IP adresses / ports to listen on
-#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
-#  |-- sysconfig.d/global.conf . . . . . . .  server-wide general settings
-#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
-#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
-#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
-#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
-#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
-#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
-#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
-#  |
-#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
-#  |
-#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
-#       `-- *.conf . . . . . . . . . . . . .     (*.conf is automatically included)
-#
-
-### Global Environment ######################################################
-#
-# The directives in this section affect the overall operation of Apache,
-# such as the number of concurrent requests.
+# Apache2 server configuration file for IPFire
 
 # run under this user/group id
 Include /etc/httpd/conf/uid.conf
@@ -40,17 +7,13 @@ Include /etc/httpd/conf/uid.conf
 # - usage of KeepAlive
 Include /etc/httpd/conf/server-tuning.conf
 
-# ErrorLog: The location of the error log file.
-# If you do not specify an ErrorLog directive within a <VirtualHost>
-# container, error messages relating to that virtual host will be
-# logged here.  If you *do* define an error logfile for a <VirtualHost>
-# container, that host's errors will be logged there and not here.
+# ErrorLog: The location of the error log file
 ErrorLog /var/log/httpd/error_log
 
 # Load Modules here
 Include /etc/httpd/conf/loadmodule.conf
 
-# IP addresses / ports to listen on
+# IP addresses and ports to listen on
 Include /etc/httpd/conf/listen.conf
 
 # predefined logging formats
@@ -59,15 +22,10 @@ Include /etc/httpd/conf/mod_log_config.conf
 # global settings
 Include /etc/httpd/conf/global.conf
 
-# optional mod_status, mod_info
-#Include /etc/httpd/conf/mod_status.conf
-#Include /etc/httpd/conf/mod_info.conf
-
 # associate MIME types with filename extensions
 TypesConfig /etc/mime.types
 
-# global (server-wide) SSL configuration, that is not specific to 
-# any virtual host
+# global (server-wide) SSL configuration, that is not specific to any virtual host
 Include /etc/httpd/conf/ssl-global.conf
 
 <Directory />
@@ -85,35 +43,10 @@ AccessFileName .htaccess
 # List of resources to look for when the client requests a directory
 DirectoryIndex index.html index.htm index.shtml index.cgi
 
-### 'Main' server configuration #############################################
-#
-# The directives in this section set up the values used by the 'main'
-# server, which responds to any requests that aren't handled by a
-# <VirtualHost> definition.  These values also provide defaults for
-# any <VirtualHost> containers you may define later in the file.
-#
-# All of these directives may appear inside <VirtualHost> containers,
-# in which case these default settings will be overridden for the
-# virtual host being defined.
-#
+# 'Main' server configuration
 Include /etc/httpd/conf/default-server.conf
 
-
-### Virtual server configuration ############################################
-#
-# VirtualHost: If you want to maintain multiple domains/hostnames on your
-# machine you can setup VirtualHost containers for them. Most configurations
-# use only name-based virtual hosts so the server doesn't need to worry about
-# IP addresses. This is indicated by the asterisks in the directives below.
-#
-# Please see the documentation at
-# <URL:http://httpd.apache.org/docs-2.0/vhosts/>
-# for further details before you try to setup virtual hosts.
-#
-# You may use the command line option '-S' to verify your virtual host
-# configuration.
-#
+# Virtual server configuration
 Include /etc/httpd/conf/vhosts.d/*.conf
 
-# Dummy LoadModule directive to aid module installations
-#LoadModule dummy_module /usr/lib/apache2/modules/mod_dummy.so
+# EOF
diff --git a/config/httpd/mod_log_config.conf b/config/httpd/mod_log_config.conf
index 89ad09a80..94151c29d 100644
--- a/config/httpd/mod_log_config.conf
+++ b/config/httpd/mod_log_config.conf
@@ -1,31 +1,2 @@
-#
-# The following directives define some format nicknames for use with
-# a CustomLog directive.
-#
-
-#
-#         Format string:				Nickname:
-#
-LogFormat "%h %l %u %t \"%r\" %>s %b"		common
-LogFormat "%v %h %l %u %t \"%r\" %>s %b"		vhost_common
-LogFormat "%{Referer}i -> %U"			referer
-LogFormat "%{User-agent}i"				agent
-LogFormat "%h %l %u %t \"%r\" %>s %b \
-\"%{Referer}i\" \"%{User-Agent}i\""		combined
-LogFormat "%v %h %l %u %t \"%r\" %>s %b \
-\"%{Referer}i\" \"%{User-Agent}i\""		vhost_combined
-
-# To use %I and %O, you need to enable mod_logio
-<IfModule mod_logio.c>
-LogFormat "%h %l %u %t \"%r\" %>s %b \
-\"%{Referer}i\" \"%{User-Agent}i\" %I %O"		combinedio
-</IfModule>
-
-# Use one of these when you want a compact non-error SSL logfile on a virtual
-# host basis:
-<IfModule mod_ssl.c>
-Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
-\"%r\" %b"						ssl_common
-Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
-\"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\""	ssl_combined
-</IfModule>
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""		combined
+LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""		vhost_combined
diff --git a/config/httpd/ssl-global.conf b/config/httpd/ssl-global.conf
index 154815cea..0c3a96a6c 100644
--- a/config/httpd/ssl-global.conf
+++ b/config/httpd/ssl-global.conf
@@ -1,54 +1,17 @@
-##
-##  SSL Global Context
-##
-##  All SSL configuration in this context applies both to
-##  the main server and all SSL-enabled virtual hosts.
-##
-
-# These are the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these
-# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
-#
-# Do NOT simply read the instructions in here without understanding
-# what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.
-
 <IfModule mod_ssl.c>
 
-	#
-	#   Some MIME-types for downloading Certificates and CRLs
-	#
+	# Some MIME-types for downloading Certificates and CRLs
 	AddType application/x-x509-ca-cert .crt
 	AddType application/x-pkcs7-crl    .crl
 
-	#   Pass Phrase Dialog:
-	#   Configure the pass phrase gathering process.
-	#   The filtering dialog program (`builtin' is a internal
-	#   terminal dialog) has to provide the pass phrase on stdout.
+	# Pass Phrase Dialog
 	SSLPassPhraseDialog  builtin
 
-	#   Inter-Process Session Cache:
-	#   Configure the SSL Session Cache: First the mechanism 
-	#   to use and second the expiring timeout (in seconds).
-	#   shm means the same as shmht. 
-	#   Note that on most platforms shared memory segments are not allowed to be on 
-	#   network-mounted drives, so in that case you need to use the dbm method.
-	#SSLSessionCache        none
-	#SSLSessionCache         dbm:/var/log/httpd/ssl_scache
-	#SSLSessionCache        shmht:/var/log/httpd/ssl_scache(512000)
+	# Inter-Process Session Cache
 	SSLSessionCache         shmcb:/var/log/httpd/ssl_scache(512000)
 	SSLSessionCacheTimeout  900
 
-	#   Pseudo Random Number Generator (PRNG):
-	#   Configure one or more sources to seed the PRNG of the 
-	#   SSL library. The seed data should be of good random quality.
-	#   WARNING! On some platforms /dev/random blocks if not enough entropy
-	#   is available. This means you then cannot use the /dev/random device
-	#   because it would lead to very long connection times (as long as
-	#   it requires to make more entropy available). But usually those
-	#   platforms additionally provide a /dev/urandom device which doesn't
-	#   block. So, if available, use this one instead. Read the mod_ssl User
-	#   Manual for more details.
+	# Pseudo Random Number Generator (PRNG)
 	SSLRandomSeed startup builtin
 	SSLRandomSeed connect builtin
 
-- 
2.26.2

Re: [PATCH 1/4] httpd: remove compatibility instructions for very old browsers

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1760 bytes --]

Thank you. Excellent work.

> On 12 Apr 2021, at 22:00, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> These are not in use any more - and if they would, we don't support them.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> config/httpd/server-tuning.conf                 | 10 ----------
> config/httpd/vhosts.d/ipfire-interface-ssl.conf |  3 ---
> 2 files changed, 13 deletions(-)
> 
> diff --git a/config/httpd/server-tuning.conf b/config/httpd/server-tuning.conf
> index 5642a1e44..9ee651e45 100644
> --- a/config/httpd/server-tuning.conf
> +++ b/config/httpd/server-tuning.conf
> @@ -22,13 +22,3 @@ MaxSpareThreads 20
> StartServers 2
> MaxRequestWorkers 256
> ThreadsPerChild 16
> -
> -#
> -# The following directives modify normal HTTP response behavior to
> -# handle known problems with browser implementations.
> -#
> -BrowserMatch "Mozilla/2" nokeepalive
> -BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
> -BrowserMatch "RealPlayer 4\.0" force-response-1.0
> -BrowserMatch "Java/1\.0" force-response-1.0
> -BrowserMatch "JDK/1\.0" force-response-1.0
> diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> index de7b8559d..8c4cf3806 100644
> --- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> +++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
> @@ -64,9 +64,6 @@
> 	SSLOptions +StdEnvVars
>     </Directory>
>     SetEnv HOME /home/nobody
> -    SetEnvIf User-Agent ".*MSIE.*" \
> -	nokeepalive ssl-unclean-shutdown \
> -	downgrade-1.0 force-response-1.0
>     CustomLog /var/log/httpd/ssl_request_log \
> 	"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> 
> -- 
> 2.26.2