Netlite IT

  • COSA
    • Auctory
    • Automazione Industriale
    • Sviluppo Software
    • Cloud
    • Consulenza Sistemistica
    • Sicurezza
    • Block Chain
    • Idee e Partnership
    • Jobs
  • DOVE
  • KB
  • CONTATTO
    • Privacy
  • Home
  • Blog
  • Networking
  • Reverse Proxy Apache HTTPS High Security and Mod_Security
8 Febbraio 2023

Reverse Proxy Apache HTTPS High Security and Mod_Security

Reverse Proxy Apache HTTPS High Security and Mod_Security

da netlite-team / venerdì, 14 Settembre 2018 / Pubblicato il Networking, Sistemistica, Tips & Tricks
Listen 443
# security
ServerTokens Prod
ServerSignature Off
# modules
LoadModule allowmethods_module modules/mod_allowmethods.so
<Proxy "balancer://cluster443">
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=1
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=2
        ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost <FQDN>:443>
        ServerName <FQDN>
        # Status manager bilanciamento
        ProxyPass /balancer-manager !
        ProxyPass               "/"     "balancer://cluster443/"
        ProxyPassReverse        "/"     "balancer://cluster443/"
        #ProxyPreserveHost On
        ProxyRequests On
        ProxyVia off
        # autenticazione server ------------------------------------------
        <IfModule mod_ssl.c>
                SSLEngine On
                #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
                SSLCertificateFile <CRT>
                SSLCertificateChainFile <PEM>
                SSLCertificateKeyFile <KEY>
                SSLCACertificateFile <PEM>
                SSLProxyEngine On
                SSLProxyCheckPeerName off
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerExpire off
                # Cipher Suite e Protocolli
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        </IfModule>
        RewriteEngine On
        RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
        RewriteRule ^.*$ http://<SERVER>/SSLv3/ [L,R=302]
        # No HTTP1.0
        RewriteCond %{THE_REQUEST} !HTTP/1.1$
        RewriteRule .* - [F]
        # - direttive generali -------------------------------------------
        DocumentRoot <ROOT>
        # sicurezza
        RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
        Header always append X-Frame-Options SAMEORIGIN
        Header always set X-Content-Type-Options "nosniff"
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
        FileETag None
        TraceEnable off
        <Location "/">
                AllowMethods GET POST OPTIONS
        </Location>
        # cache
        ExpiresActive On
        Header unset Etag
        Header unset Cache-Control
        Header unset Expires
        Header unset Pragma
        Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
        Header set Pragma "no-cache"
        # mod_security
        SecRuleEngine DetectionOnly
        #SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_50_outbound.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_45_trojans.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
        IncludeOptional /etc/modsecurity/git/crs-setup.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-901-INITIALIZATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-905-COMMON-EXCEPTIONS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-910-IP-REPUTATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-911-METHOD-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-912-DOS-PROTECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-913-SCANNER-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-914-FILE-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-921-PROTOCOL-ATTACK.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-930-APPLICATION-ATTACK-LFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-931-APPLICATION-ATTACK-RFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-932-APPLICATION-ATTACK-RCE.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-933-APPLICATION-ATTACK-PHP.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-941-APPLICATION-ATTACK-XSS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-949-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-950-DATA-LEAKAGES.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-951-DATA-LEAKAGES-SQL.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-953-DATA-LEAKAGES-PHP.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-954-DATA-LEAKAGES-IIS.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-959-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-980-CORRELATION.conf
        SecAuditEngine On
#       SecAuditEngine RelevantOnly
#       SecAuditLogRelevantStatus ^1-5
#       SecAuditLogParts ABCIFHZ
        SecAuditLogType Serial
        SecAuditLog /var/log/apache2/modsec_audit.log
</VirtualHost>

andrea

  • Tweet
Taggato in: bond, bond0, bonding, dynamic, hp trunk, lacp, network, vmbr0

Su netlite-team

Che altro puoi leggere

LTSP Ubuntu Remote Desktop con PC di Recupero
PROXMOX Tablet Pointer vs vmMouse
Cordova Phonegap installazione ed utilizzo in ambiente Android

Lascia un commento Annulla risposta

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.

Ricerca

Recent Posts

  • Qemu fsfreeze hook

    Tratto da https://kb.kurgan.org/PVE Uso di Qemu...
  • Autenticazione SSSD/LDAP su AD

    /etc/portage/package.use emerge sssd /etc/sshd/...
  • HP Tools per il controller SAS [SSACLI]

    Crea un file hp.list in /etc/apt/sources.list.d...
  • Reverse Proxy Apache HTTPS High Security and Mod_Security

    andrea...
  • Debian Bonding LACP con Switch HP 1820-24G

    Una volta configurato lo switch HP 1820-24G Swi...

Recent Comments

  • PROXMOX RAID Setup | netlite su PROXMOX tips

Archives

  • Maggio 2019
  • Febbraio 2019
  • Ottobre 2018
  • Settembre 2018
  • Aprile 2018
  • Agosto 2017
  • Luglio 2017
  • Giugno 2017
  • Aprile 2015
  • Dicembre 2014
  • Novembre 2014
  • Ottobre 2014
  • Settembre 2014
  • Agosto 2014
  • Giugno 2014
  • Marzo 2014
  • Febbraio 2014
  • Dicembre 2013
  • Settembre 2013
  • Agosto 2013
  • Luglio 2013
  • Giugno 2013
  • Maggio 2013

Categories

  • Android
  • APP
  • Cluster
  • Networking
  • Non categorizzato
  • Sistemistica
  • Tips & Tricks
  • Virtualizzazione
  • vpn
  • Windows

Meta

  • Accedi
  • Feed dei contenuti
  • Feed dei commenti
  • WordPress.org

Featured Posts

  • Qemu fsfreeze hook

    0 commenti
  • Autenticazione SSSD/LDAP su AD

    0 commenti
  • HP Tools per il controller SAS [SSACLI]

    0 commenti
  • Reverse Proxy Apache HTTPS High Security and Mod_Security

    0 commenti
  • Debian Bonding LACP con Switch HP 1820-24G

    0 commenti

NETLITE SNC

Corso Vittorio Emanuele II, 188
37069 Villafranca di Verona (VR)
C.C.I.A.A di Verona N.ro 364993
PIVA/CF 03782800233

Sedi Operative:
Via Roberto da Sanseverino, 95 38122 Trento (TN)
Via Walter Fleming, 13 37026 Settimo di Pescantina (VR)
Via Norberto Bobbio, 9 20096 Pioltello (MI)

Contatti

Tel: +39 045 4856656
Fax: +39 045 4856655
Email: [email protected]
PEC: [email protected]
Codice Destinatario: M5UXCR1
Netlite IT


© 2008-2020
All rights reserved.

TORNA SU