# Apache configuration file for Zope # Automatically generated # Basic server configuration PidFile "{{ pid_file }}" ServerName {{ domain }} DocumentRoot {{ document_root }} ServerRoot {{ instance_home }} {{ "Listen %s:%s" % (ipv4_addr, cached_port) }} {{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port) }} {% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%} {% for port in (http_port, https_port) -%} {{ "Listen %s:%s" % (ip, port) }} {% endfor -%} {% endfor -%} ServerAdmin {{ server_admin }} TypesConfig {{ httpd_home }}/conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz # As backend is trusting REMOTE_USER header unset it always RequestHeader unset REMOTE_USER ServerTokens Prod # Disable TRACE Method TraceEnable off # Log configuration ErrorLog "{{ error_log }}" LogLevel notice # LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined # LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common # CustomLog "{{ access_log }}" common LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined CustomLog "{{ access_log }}" combined <Directory {{ protected_path }}> Order Deny,Allow Allow from {{ access_control_string }} </Directory> <Directory {{ document_root }}> Require all granted Options -Indexes ErrorDocument 404 /notfound.html RewriteEngine on RewriteRule ^/?$ notfound.html [R=404,L] </Directory> # List of modules LoadModule unixd_module {{ httpd_home }}/modules/mod_unixd.so LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so LoadModule authz_core_module {{ httpd_home }}/modules/mod_authz_core.so LoadModule authz_host_module {{ httpd_home }}/modules/mod_authz_host.so LoadModule authn_core_module {{ httpd_home }}/modules/mod_authn_core.so LoadModule log_config_module {{ httpd_home }}/modules/mod_log_config.so LoadModule deflate_module {{ httpd_home }}/modules/mod_deflate.so LoadModule setenvif_module {{ httpd_home }}/modules/mod_setenvif.so LoadModule version_module {{ httpd_home }}/modules/mod_version.so LoadModule proxy_module {{ httpd_home }}/modules/mod_proxy.so LoadModule proxy_http_module {{ httpd_home }}/modules/mod_proxy_http.so LoadModule ssl_module {{ httpd_home }}/modules/mod_ssl.so LoadModule mime_module {{ httpd_home }}/modules/mod_mime.so LoadModule dav_module {{ httpd_home }}/modules/mod_dav.so LoadModule dav_fs_module {{ httpd_home }}/modules/mod_dav_fs.so LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so LoadModule rewrite_module {{ httpd_home }}/modules/mod_rewrite.so LoadModule headers_module {{ httpd_home }}/modules/mod_headers.so LoadModule cache_module {{ httpd_home }}/modules/mod_cache.so LoadModule cache_socache_module {{ httpd_home }}/modules/mod_cache_socache.so LoadModule socache_shmcb_module {{ httpd_home }}/modules/mod_socache_shmcb.so LoadModule antiloris_module {{ httpd_home }}/modules/mod_antiloris.so LoadModule alias_module {{ httpd_home }}/modules/mod_alias.so LoadModule autoindex_module {{ httpd_home }}/modules/mod_autoindex.so LoadModule auth_basic_module {{ httpd_home }}/modules/mod_auth_basic.so LoadModule authz_user_module {{ httpd_home }}/modules/mod_authz_user.so LoadModule authn_file_module {{ httpd_home }}/modules/mod_authn_file.so LoadModule filter_module {{ httpd_home }}/modules/mod_filter.so LoadModule http2_module {{ httpd_home }}/modules/mod_http2.so LoadModule info_module {{ httpd_home }}/modules/mod_info.so LoadModule status_module {{ httpd_home }}/modules/mod_status.so LoadModule reqtimeout_module {{ httpd_home }}/modules/mod_reqtimeout.so # The following directives modify normal HTTP response behavior to # handle known problems with browser implementations. BrowserMatch "Mozilla/2" nokeepalive BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 # The following directive disables redirects on non-GET requests for # a directory that does not include the trailing slash. This fixes a # problem with Microsoft WebFolders which does not appropriately handle # redirects for folders with DAV methods. # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully BrowserMatch "^gnome-vfs" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully {% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %} Protocols h2 http/1.1 {% endif %} # Increase IPReadLimit to 10 <IfModule antiloris_module> # IPReadLimit - Maximum simultaneous connections in READ state per IP address IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }} </IfModule> ExtendedStatus On <Location /server-status> SetHandler server-status Order Deny,Allow Deny from all Allow from All AuthType basic AuthName "Apache Server Status" AuthBasicProvider file AuthUserFile {{ instance_home }}/etc/monitor-htpasswd Require valid-user </Location> ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }} MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }} StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }} ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }} #MaxRequestsPerChild 0 // Default value is 0 GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }} # Deflate AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html # SSL Configuration SSLCertificateFile {{ login_certificate }} SSLCertificateKeyFile {{ login_key }} {% if slapparameter_dict.get('apache-ca-certificate') %} SSLCACertificateFile {{ login_ca_crt }} {% endif %} SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup /dev/urandom 256 SSLRandomSeed connect builtin SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> # Accept proxy to sites using self-signed SSL certificates SSLProxyCheckPeerCN off SSLProxyCheckPeerExpire off include {{frontend_configuration.get('log-access-configuration')}} include {{ slave_configuration_directory }}/*.conf include {{ slave_with_cache_configuration_directory }}/*.conf ErrorDocument 404 /notfound.html RewriteRule (.*) /notfound.html [R=404,L]