nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-04-15 09:51:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
FreedomBox/data/etc/apache2/conf-available/freedombox.conf
Sunil Mohan Adapa 72d7a05ead
apache: Fix logs still going into /var/log files 
Closes: #2264.

- Set apache-auth fail2ban jail's backend to read from journal instead of
syslog. Tweak the regex matching to deal with the custom format.

- Adjust the apache error log format to remove unnecessary timestamp. It causes
problems for fail2ban regex matching.

- There was an error in the earlier patch the make apache log into journald.
Configuration for TLS sites still contained ErrorLog and CustomLog directives.
Remove them.

- There is also file with CustomLog directive that logs for other vhosts.

- For some reason, for custom error log format, %T - thread ID did not work and
had to switch to %{g}T global thread ID.

- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.

Tests:

- In a container, apply the patch, run setup and start FreedomBox. Apache app is
updated to new version. Apache web server is reloaded. The
other-vhosts-access-log configuration is disabled.

- On a production machine, remove the directives in
freedombox-tls-site-macro.conf and disabling other-vhosts-access-log stopped the
logging into /var/log/apache2/ directory.

- Use TTRSS /tt-rss-app/ URL and type wrong credentials for 10 times. The client
is banned for 10 minutes. Repeat after unban. Client is banned again.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-09 08:53:46 -04:00

152 lines
6.2 KiB
Plaintext
Raw Blame History

## SPDX-License-Identifier: AGPL-3.0-or-later
##
## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
##
## Apache configuration managed by FreedomBox. If customization is needed,
## create a new configuration file with higher priority and override directives.
##
##
## TLS configuration as recommended by Mozilla's SSL Configuration Generator
## with 'Intermediate' configuration. See:
## https://wiki.mozilla.org/Security/Server_Side_TLS
##
<IfModule mod_ssl.c>
# Disable ciphers that are weak or without forward secrecy.
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# Allow client to choose ciphers as they will know best if they have support
# for hardware-accelerated AES.
SSLHonorCipherOrder off
# TLS session tickets (RFC 5077) require restarting web server with an
# appropriate frequency. See:
# https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslsessiontickets
SSLSessionTickets off
# Send OCSP responses to the client and reduce their round trips.
<IfModule mod_socache_shmcb.c>
SSLUseStapling On
SSLStaplingCache "shmcb:${APACHE_RUN_DIR}/ssl_stapling(32768)"
</IfModule>
</IfModule>
##
## Enable HSTS, even for subdomains.
##
<If "%{HTTP_HOST} !~ /^.*\.onion$/i">
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</If>
##
## Redirect traffic on home to /plinth as part of turning the machine
## into FreedomBox server. Plinth then acts as a portal to reach all
## other services.
##
RedirectMatch "^/$" "/plinth"
##
## Disable sending Referer (sic) header from FreedomBox web interface to
## external websites. This improves privacy by not disclosing FreedomBox
## domains/URLs to external domains. Apps such as blogs which want to popularize
## themselves with referrer header may still do so.
##
## A strict Content Security Policy.
## - @fonts are allowed only from FreedomBox itself.
## - <frame>/<iframe> sources are disabled.
## - <img> sources are allowed only from FreedomBox itself.
## - Manifest file is not allowed as there is none yet.
## - <audio>, <video>, <track> tags are not allowed yet.
## - <object>, <embed>, <applet> tags are not allowed yet.
## - Allow JS from FreedomBox itself (no inline and attribute scripts).
## - Allow inline CSS and CSS files from Freedombox itself.
## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
## - All other fetch sources including Ajax are not allowed from FreedomBox
## itself.
## - <base> tag is not allowed.
## - No plugins types are alllowed since object-src is 'none'.
## - Form action should be to FreedomBox itself.
## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
## - When serving HTTPS, don't allow HTTP assets.
##
## Enable strict sandboxing enabled with some exceptions:
## - Allow running Javascript.
## - Allow popups as sometimes we use <a target=_blank>
## - Allow forms to support configuration forms.
## -
##
## Disable browser guessing of MIME types. FreedoBox already sets good content
## types for all the common file types.
##
<LocationMatch "^/(plinth|freedombox)">
Header set Referrer-Policy 'same-origin'
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set X-Content-Type-Options 'nosniff'
</LocationMatch>
##
## On all sites, provide FreedomBox on a default path: /plinth
##
## Requires the following Apache modules to be enabled:
## mod_headers
## mod_proxy
## mod_proxy_http
##
<Location /freedombox>
ProxyPass http://127.0.0.1:8000/plinth
## Send the scheme from user's request to enable Plinth to redirect
## URLs, set cookies, set absolute URLs (if any) properly.
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
## Ignore any X-FORWARDED-FOR headers sent by the client and their
## proxies. Apache will still set this header with the remote
## address of the client. Apache is the first and only trusted entry
## point for FreedomBox. Any code that does not deal with this
## header properly will remain safe. For example:
## https://github.com/jazzband/django-axes/issues/286
RequestHeader unset X-Forwarded-For
</Location>
<Location /plinth>
ProxyPass http://127.0.0.1:8000/plinth
RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
RequestHeader unset X-Forwarded-For
</Location>
##
## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
## icon using <link rel=''>.
##
<Location ~ ^/favicon\.ico$>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
</IfModule>
</Location>
##
## Serve SVG files compressed using gzip.
##
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>
##
## Send all logs to systemd journal by default. This may be overridden per host
## in <VirtualHost>. With all system logs in journald, it is possible to turn
## off persistent logging to improve SD card lifetime and performance. It is
## also easy to improve privacy by turning off logging altogether.
##
## - To obtain the old style access log run the following command (note that the
## first field is the name of the virtual host accessed as Apache format logged
## is vhost_combined):
## journalctl --identifier apache-access --output cat > access.log
##
## - To obtain the old style error log run the following command:
## journalctl --identifier apache-error --output cat > error.log
##
ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
# Remove timestamp at the beginning from the default log format. journald
# records its own timestamp.
ErrorLogFormat "[%-m:%l] [pid %P:tid %{g}T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined
Reference in New Issue View Git Blame Copy Permalink