Reverse Proxy Apache HTTPS High Security and Mod_Security

/ / Pubblicato il Networking, Sistemistica, Tips & Tricks 
Listen 443
# security
ServerTokens Prod
ServerSignature Off
# modules
LoadModule allowmethods_module modules/mod_allowmethods.so
<Proxy "balancer://cluster443">
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=1
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=2
        ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost <FQDN>:443>
        ServerName <FQDN>
        # Status manager bilanciamento
        ProxyPass /balancer-manager !
        ProxyPass               "/"     "balancer://cluster443/"
        ProxyPassReverse        "/"     "balancer://cluster443/"
        #ProxyPreserveHost On
        ProxyRequests On
        ProxyVia off
        # autenticazione server ------------------------------------------
        <IfModule mod_ssl.c>
                SSLEngine On
                #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
                SSLCertificateFile <CRT>
                SSLCertificateChainFile <PEM>
                SSLCertificateKeyFile <KEY>
                SSLCACertificateFile <PEM>
                SSLProxyEngine On
                SSLProxyCheckPeerName off
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerExpire off
                # Cipher Suite e Protocolli
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        </IfModule>
        RewriteEngine On
        RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
        RewriteRule ^.*$ http://<SERVER>/SSLv3/ [L,R=302]
        # No HTTP1.0
        RewriteCond %{THE_REQUEST} !HTTP/1.1$
        RewriteRule .* - [F]
        # - direttive generali -------------------------------------------
        DocumentRoot <ROOT>
        # sicurezza
        RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
        Header always append X-Frame-Options SAMEORIGIN
        Header always set X-Content-Type-Options "nosniff"
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
        FileETag None
        TraceEnable off
        <Location "/">
                AllowMethods GET POST OPTIONS
        </Location>
        # cache
        ExpiresActive On
        Header unset Etag
        Header unset Cache-Control
        Header unset Expires
        Header unset Pragma
        Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
        Header set Pragma "no-cache"
        # mod_security
        SecRuleEngine DetectionOnly
        #SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_50_outbound.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_45_trojans.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
        IncludeOptional /etc/modsecurity/git/crs-setup.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-901-INITIALIZATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-905-COMMON-EXCEPTIONS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-910-IP-REPUTATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-911-METHOD-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-912-DOS-PROTECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-913-SCANNER-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-914-FILE-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-921-PROTOCOL-ATTACK.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-930-APPLICATION-ATTACK-LFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-931-APPLICATION-ATTACK-RFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-932-APPLICATION-ATTACK-RCE.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-933-APPLICATION-ATTACK-PHP.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-941-APPLICATION-ATTACK-XSS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-949-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-950-DATA-LEAKAGES.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-951-DATA-LEAKAGES-SQL.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-953-DATA-LEAKAGES-PHP.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-954-DATA-LEAKAGES-IIS.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-959-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-980-CORRELATION.conf
        SecAuditEngine On
#       SecAuditEngine RelevantOnly
#       SecAuditLogRelevantStatus ^1-5
#       SecAuditLogParts ABCIFHZ
        SecAuditLogType Serial
        SecAuditLog /var/log/apache2/modsec_audit.log
</VirtualHost>

andrea

Taggato in: , , , , , , ,

Che altro puoi leggere

Reverse Proxy
ZFS su Ubuntu/Debian
Autenticazione SSSD/LDAP su AD

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.