apache.conf.in 7.1 KB
# Apache configuration file for Zope
# Automatically generated

# Basic server configuration
PidFile "{{ pid_file }}"
ServerName {{ domain }}
DocumentRoot {{ document_root }}
ServerRoot {{ instance_home }}

{{ "Listen %s:%s" % (ipv4_addr, cached_port)  }}
{{ "Listen %s:%s" % (ipv4_addr, ssl_cached_port)  }}
{% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%}
{%   for port in (http_port, https_port) -%}
{{ "Listen %s:%s" % (ip, port)  }}
{%   endfor -%}
{% endfor -%}

ServerAdmin {{ server_admin }}
TypesConfig {{ httpd_home }}/conf/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

ServerTokens Prod

# Disable TRACE Method
TraceEnable off

# Log configuration
ErrorLog "{{ error_log }}"
LogLevel notice
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
# LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common
# CustomLog "{{ access_log }}" common
LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
CustomLog "{{ access_log }}" combined

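# Restrict the protected path to the clients named by access_control_string.
# Under "Order Deny,Allow" a request that matches neither a Deny nor an Allow
# rule is permitted by default, so an Allow line on its own restricts nothing.
# The explicit "Deny from all" makes the Allow line act as an allow-list.
<Directory {{ protected_path }}>
  Order Deny,Allow
  Deny from all
  Allow from {{ access_control_string }}
</Directory>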

<Directory {{ document_root }}>
  Require all granted
  Options -Indexes
  ErrorDocument 404 /notfound.html
  RewriteEngine on
  RewriteRule ^/?$ notfound.html [R=404,L]
</Directory>

# List of modules
LoadModule unixd_module        {{ httpd_home }}/modules/mod_unixd.so
LoadModule access_compat_module {{ httpd_home }}/modules/mod_access_compat.so
LoadModule authz_core_module  {{ httpd_home }}/modules/mod_authz_core.so
LoadModule authz_host_module  {{ httpd_home }}/modules/mod_authz_host.so
LoadModule authn_core_module  {{ httpd_home }}/modules/mod_authn_core.so
LoadModule log_config_module  {{ httpd_home }}/modules/mod_log_config.so
LoadModule deflate_module     {{ httpd_home }}/modules/mod_deflate.so
LoadModule setenvif_module    {{ httpd_home }}/modules/mod_setenvif.so
LoadModule version_module     {{ httpd_home }}/modules/mod_version.so
LoadModule proxy_module       {{ httpd_home }}/modules/mod_proxy.so
LoadModule proxy_http_module  {{ httpd_home }}/modules/mod_proxy_http.so
LoadModule ssl_module         {{ httpd_home }}/modules/mod_ssl.so
LoadModule mime_module        {{ httpd_home }}/modules/mod_mime.so
LoadModule dav_module         {{ httpd_home }}/modules/mod_dav.so
LoadModule dav_fs_module      {{ httpd_home }}/modules/mod_dav_fs.so
LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so
LoadModule rewrite_module     {{ httpd_home }}/modules/mod_rewrite.so
LoadModule headers_module     {{ httpd_home }}/modules/mod_headers.so
LoadModule cache_module       {{ httpd_home }}/modules/mod_cache.so
LoadModule cache_socache_module   {{ httpd_home }}/modules/mod_cache_socache.so
LoadModule socache_shmcb_module   {{ httpd_home }}/modules/mod_socache_shmcb.so
LoadModule antiloris_module   {{ httpd_home }}/modules/mod_antiloris.so
LoadModule alias_module       {{ httpd_home }}/modules/mod_alias.so
LoadModule autoindex_module   {{ httpd_home }}/modules/mod_autoindex.so
LoadModule auth_basic_module  {{ httpd_home }}/modules/mod_auth_basic.so
LoadModule authz_user_module  {{ httpd_home }}/modules/mod_authz_user.so
LoadModule authn_file_module  {{ httpd_home }}/modules/mod_authn_file.so
LoadModule filter_module       {{ httpd_home }}/modules/mod_filter.so
LoadModule http2_module       {{ httpd_home }}/modules/mod_http2.so
# Diagnostic modules. mod_status backs the /server-status location defined in this file.
# NOTE(review): mod_info is loaded but no server-info handler is configured in this file;
# confirm that no included configuration maps it, or drop the module to reduce what is loaded.
LoadModule info_module        {{ httpd_home }}/modules/mod_info.so
LoadModule status_module      {{ httpd_home }}/modules/mod_status.so
LoadModule reqtimeout_module  {{ httpd_home }}/modules/mod_reqtimeout.so

# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
                        downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully


{% if slapparameter_dict.get('enable-http2-by-default', 'true') == 'true' %}
Protocols h2 http/1.1
{% endif %}

# Increase IPReadLimit to 10
<IfModule antiloris_module>
   # IPReadLimit - Maximum simultaneous connections in READ state per IP address 
   IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }}
</IfModule>

# Server status page for monitoring.
# ExtendedStatus On makes mod_status report per-request details (client address,
# virtual host, request line), so the page content is sensitive.
ExtendedStatus On
<Location /server-status>
    SetHandler server-status
    # NOTE(review): under "Order Deny,Allow" an Allow match overrides a Deny match,
    # so "Deny from all" followed by "Allow from All" admits every host. There is
    # no effective address-based restriction here; Basic authentication below is
    # the only gate on this location.
    Order Deny,Allow
    Deny from all
    Allow from All

    # Basic authentication against the monitor htpasswd file. Basic credentials are
    # only base64-encoded, so they travel in cleartext on any plain-HTTP listener.
    # NOTE(review): confirm this location is only reached over TLS, or add an
    # address restriction for the monitoring hosts.
    AuthType basic
    AuthName "Apache Server Status"
    AuthBasicProvider file
    AuthUserFile {{ instance_home }}/etc/monitor-htpasswd
    Require valid-user
</Location>

ServerLimit {{ slapparameter_dict.get('mpm-server-limit', '16') }}
MaxClients {{ slapparameter_dict.get('mpm-max-clients', '400') }}
StartServers {{ slapparameter_dict.get('mpm-start-servers', '3') }}
ThreadsPerChild {{ slapparameter_dict.get('mpm-thread-per-child', '25') }}
#MaxRequestsPerChild 0 // Default value is 0
GracefulShutdownTimeout {{ slapparameter_dict.get('mpm-graceful-shutdown-timeout', '5') }}

# Deflate
# Compress common text, script and JSON response types.
# NOTE(review): this is set at server level, so as far as this file shows it also
# applies to responses served over TLS. Compressed TLS responses that combine a
# secret (for example a CSRF token) with request-influenced content are the
# precondition for BREACH-style compression side channels; confirm whether any
# backend behind this frontend serves such pages and exempt them if so.
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/json application/x-javascript application/javascript application/wasm
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

# SSL Configuration
SSLCertificateFile {{ login_certificate }}
SSLCertificateKeyFile {{ login_key }}
{% if slapparameter_dict.get('apache-ca-certificate') %}
SSLCACertificateFile {{ login_ca_crt }}
{% endif %}
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup /dev/urandom 256
SSLRandomSeed connect builtin
# Enable every protocol version the linked OpenSSL offers except SSLv2 and SSLv3.
# NOTE(review): this leaves TLS 1.0 and TLS 1.1 enabled where the TLS library still
# provides them; both are deprecated by RFC 8996. If legacy clients are not a
# requirement, also exclude TLSv1 and TLSv1.1 here.
SSLProtocol all -SSLv2 -SSLv3
# Cipher preference list; SSLHonorCipherOrder makes the server's order win over the client's.
# NOTE(review): the list still names 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES), a 64-bit
# block cipher exposed to the Sweet32 birthday attack, and static-RSA key exchange
# (RSA+AESGCM, RSA+AES, RSA+3DES), which provides no forward secrecy. What is actually
# negotiable depends on the deployed OpenSSL build; check with `openssl ciphers -v` and
# drop these entries if no supported client needs them.
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
# Export the standard SSL environment variables to CGI/SSI/PHP-style files only.
<FilesMatch "\.(cgi|shtml|phtml|php)$">
      SSLOptions +StdEnvVars
</FilesMatch>
# Accept proxy to sites using self-signed SSL certificates
# NOTE(review): these directives switch off the certificate name (CN) and expiry checks
# for backend connections. No SSLProxyVerify or SSLProxyCACertificateFile is visible in
# this file, and SSLProxyVerify defaults to none, so unless an included configuration
# sets them the backend certificate is not validated and the frontend-to-backend TLS hop
# does not authenticate the backend. Where backends use a private CA, prefer trusting
# that CA and re-enabling the checks.
# NOTE(review): newer httpd 2.4 releases use SSLProxyCheckPeerName in preference to
# SSLProxyCheckPeerCN -- confirm which of the two takes effect on the deployed version.
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off

include {{frontend_configuration.get('log-access-configuration')}}
includeoptional {{ slave_configuration_directory }}/*.conf
includeoptional {{ slave_with_cache_configuration_directory }}/*.conf

# Server-level fallback: appears intended to answer 404 with /notfound.html for any
# request that the included configurations do not handle.
# NOTE(review): the only "RewriteEngine on" visible in this file is inside the
# document-root <Directory> block. mod_rewrite ignores rules in a scope where the
# engine is off, so confirm this server-level RewriteRule is actually active.
ErrorDocument 404 /notfound.html
RewriteRule (.*) /notfound.html [R=404,L]