# Apache configuration file for Zope # Automatically generated # Basic server configuration PidFile "{{ pid_file }}" ServerName {{ domain }} DocumentRoot {{ document_root }} ServerRoot {{ instance_home }} {% for ip in (ipv4_addr, "[%s]" % ipv6_addr) -%} {% for port in (http_port, https_port) -%} {{ "Listen %s:%s" % (ip, port) }} {% endfor -%} {% endfor -%} ServerAdmin {{ server_admin }} DefaultType text/plain TypesConfig {{ httpd_home }}/conf/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz # As backend is trusting REMOTE_USER header unset it always RequestHeader unset REMOTE_USER ServerTokens Prod # Disable TRACE Method TraceEnable off # Log configuration ErrorLog "{{ error_log }}" LogLevel info # LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined # LogFormat "%h %{REMOTE_USER}i %{Host}i %l %u %t \"%r\" %>s %b" common # CustomLog "{{ access_log }}" common LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined CustomLog "{{ access_log }}" combined <Directory {{ protected_path }}> Order Deny,Allow Allow from {{ access_control_string }} </Directory> <Directory {{ document_root }}> Order Allow,Deny Allow from All Options -Indexes ErrorDocument 404 /notfound.html RewriteEngine on RewriteRule ^/?$ notfound.html [R=404,L] </Directory> # List of modules #LoadModule unixd_module modules/mod_unixd.so #LoadModule access_compat_module modules/mod_access_compat.so #LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_host_module {{ httpd_home }}/modules/mod_authz_host.so LoadModule log_config_module {{ httpd_home }}/modules/mod_log_config.so LoadModule deflate_module {{ httpd_home }}/modules/mod_deflate.so LoadModule setenvif_module {{ httpd_home }}/modules/mod_setenvif.so LoadModule version_module {{ httpd_home }}/modules/mod_version.so LoadModule proxy_module {{ httpd_home }}/modules/mod_proxy.so LoadModule proxy_http_module {{ httpd_home }}/modules/mod_proxy_http.so LoadModule ssl_module {{ httpd_home }}/modules/mod_ssl.so LoadModule mime_module {{ httpd_home }}/modules/mod_mime.so LoadModule dav_module {{ httpd_home }}/modules/mod_dav.so LoadModule dav_fs_module {{ httpd_home }}/modules/mod_dav_fs.so LoadModule negotiation_module {{ httpd_home }}/modules/mod_negotiation.so LoadModule rewrite_module {{ httpd_home }}/modules/mod_rewrite.so LoadModule headers_module {{ httpd_home }}/modules/mod_headers.so LoadModule cache_module {{ httpd_home }}/modules/mod_cache.so LoadModule mem_cache_module {{ httpd_home }}/modules/mod_mem_cache.so LoadModule antiloris_module {{ httpd_home }}/modules/mod_antiloris.so LoadModule alias_module {{ httpd_home }}/modules/mod_alias.so LoadModule autoindex_module {{ httpd_home }}/modules/mod_autoindex.so LoadModule auth_basic_module {{ httpd_home }}/modules/mod_auth_basic.so LoadModule authz_user_module {{ httpd_home }}/modules/mod_authz_user.so LoadModule authn_file_module {{ httpd_home }}/modules/mod_authn_file.so # The following directives modify normal HTTP response behavior to # handle known problems with browser implementations. BrowserMatch "Mozilla/2" nokeepalive BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer 4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0" force-response-1.0 # The following directive disables redirects on non-GET requests for # a directory that does not include the trailing slash. This fixes a # problem with Microsoft WebFolders which does not appropriately handle # redirects for folders with DAV methods. # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV. BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully BrowserMatch "MS FrontPage" redirect-carefully BrowserMatch "^WebDrive" redirect-carefully BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully BrowserMatch "^gnome-vfs" redirect-carefully BrowserMatch "^XML Spy" redirect-carefully BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully # Increase IPReadLimit to 10 <IfModule antiloris_module> # IPReadLimit - Maximum simultaneous connections in READ state per IP address IPReadLimit {{ slapparameter_dict.get('ip-read-limit', '10') }} </IfModule> # Deflate AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript BrowserMatch ^Mozilla/4 gzip-only-text/html BrowserMatch ^Mozilla/4\.0[678] no-gzip BrowserMatch \bMSIE !no-gzip !gzip-only-text/html # SSL Configuration SSLCertificateFile {{ login_certificate }} SSLCertificateKeyFile {{ login_key }} {% if slapparameter_dict.get('apache-ca-certificate') %} SSLCACertificateFile {{ login_ca_crt }} {% endif %} SSLRandomSeed startup builtin SSLRandomSeed connect builtin SSLSessionCache shmcb:/{{ httpd_mod_ssl_cache_directory }}/ssl_scache(512000) SSLSessionCacheTimeout 300 SSLRandomSeed startup /dev/urandom 256 SSLRandomSeed connect builtin SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5 SSLHonorCipherOrder on <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars </FilesMatch> # Accept proxy to sites using self-signed SSL certificates SSLProxyCheckPeerCN off SSLProxyCheckPeerExpire off include {{frontend_configuration.get('log-access-configuration')}} NameVirtualHost *:{{ http_port }} NameVirtualHost *:{{ https_port }} include {{ slave_configuration_directory }}/*.conf ErrorDocument 404 /notfound.html RewriteRule (.*) /notfound.html [R=404,L]