summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
AgeCommit message (Collapse)Author
2016-10-24Set X-XSS-Protection HTTP response header to '1'.Micah Anderson
This HTTP response header enables the Cross-site scripting (XSS) filter built into some modern web browsers. This header is usually enabled by default anyway, so the role of this header is to re-enable the filter if it was disabled maliciously, or by accident.
2016-10-24Set X-Content-Type-Options nosniff.Micah Anderson
Setting this header will prevent the browser from interpreting files as something else than declared by the content type in the HTTP headers. This will prevent the browser from MIME-sniffing a response away from the declared content-type. When this is not set, older versions of Internet Explorer and Chrome perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type.
2016-05-03migrate from obsolete SSLCertificateChainFile apache option (#8055)kwadronaut
2015-12-12[bug] Use guess_apache_version in apache templatesvarac
The apache_version() fact only works if apache is already installed. So we use the guess_apache_version() function from the apache module to determine which apache version is to be installed. - Resolves: #7681
2015-11-17[deprec] use @ in front of erb template tagsvarac
Puppet 3 shows now deprecation warnings if the "@" is missing. see https://docs.puppetlabs.com/puppet/latest/reference/lang_template_erb.html#non-printing-tags#[bug|feat|docs|style|refactor|test|pkg|i18n]
2015-11-17[bug] [jessie] Allow apache to access webapp dirvarac
- Resolves: #7580
2014-12-22Adds a ssl_common.inc file to use inside vhosts for the SSL config (solves ↵guido
#5103) Change-Id: I717bf7ca2c5679165a99370c4540f8b8dc1a48ea
2014-10-15Disable SSLv3, and RC4 ciphersMicah Anderson
Change-Id: I7214aa4334e3d817dd1b6d8dce43523e3d955b5d
2014-09-25stop logging user-agent in apache, fixes #6129Micah Anderson
Change-Id: I66384ae4a723be063790362f70e57228a0f1539b
2014-04-02Update TLS apache vhost TLS configuration (#5137):Micah Anderson
. We want to allow for TLS1.2 to be enabled (supported in wheezy) . Explicitly disable SSLCompression. This aids in protecting against the BREACH attack: see http://breachattack.com), and SPDY version 3 is vulnerable to the CRIME attack when compression is on . Switch the cipher suites to match https://wiki.mozilla.org/Security/Server_Side_TLS#Apache for these reasons: . Prefer PFS, with ECDHE first then DHE (TLS 1.2, not many implementations support this, and there are no known attacks). . Prefer AES128 to AES256 because the key schedule in AES256 is considered weaker, and maybe AES128 is more resistant to timing attacks . Prefer AES to RC4. BEAST attacks on AES are mitigated in >=TLS1.1, and difficult in TLS1.0. They are not in RC4, and likely to become more dangerous . RC4 is on the path to removal, but still present for backward compatibility Change-Id: I99a7f0ebf2ac438f075835d1cb38f63080321043
2013-09-24Webapp doesn't serve commercial cert (Bug #3916)varac
2013-09-22Merge branch 'api-crt-3384' into develop fixes #3384kwadronaut
2013-09-22adding fqdn as default servername and moving service.domain to ServerAlias ↵kwadronaut
(fixing #3384) node name and dns fqdn could be different Also note that on local deploys that warning from #3384 will continue to exist (because of dns)
2013-09-20fix whitespace issues from https://review.leap.se/r/82varac
2013-09-19tidy webapp api x509 definitions (#3840)varac
2013-08-22add HSTS if hiera value for webapp['secure'] is set (#3514)Micah Anderson
Change-Id: Idd413349ec0b99835a1cbb4fb4c4fcef1a8fdeab
2013-08-21Disable verbose, identifying apache headers (#3462):Micah Anderson
. Disable ServerSignature . Set ServerTokens Prod . unset the X-Powered-By and X-Runtime apache headers Change-Id: Iddb2cb9a0465bc7f657581adaacbbf748479fd7a
2013-05-22change paths for leap webapp to be under /srv/leap/webapp from /srv/leap-webappMicah Anderson
2013-04-18webapp: removed "Alias /1" from apache configelijah
2012-12-19webapp api now uses a customizable port (so that we don't try to rely on SNI ↵elijah
for hosting two TLS domains on one IP).
2012-12-11replace Documentroot path from - to _Micah Anderson
2012-11-27fix location of SSLCertificateChainFile locationMicah Anderson
2012-11-27map /1 -> document rootMicah Anderson
2012-11-27add site_webapp class to install the certs/keys/CAs and virtual host ↵Micah Anderson
configurations
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-30 08:08:57 +0000