Reverse Proxy Apache HTTPS High Security and Mod_Security

/ / Pubblicato il Networking, Sistemistica, Tips & Tricks 
Listen 443
# security
ServerTokens Prod
ServerSignature Off
# modules
LoadModule allowmethods_module modules/mod_allowmethods.so
<Proxy "balancer://cluster443">
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=1
        BalancerMember "https://XXX.XXX.XXX.XXX:443" ttl=240 keepalive=On route=2
        ProxySet stickysession=ROUTEID
</Proxy>
<VirtualHost <FQDN>:443>
        ServerName <FQDN>
        # Status manager bilanciamento
        ProxyPass /balancer-manager !
        ProxyPass               "/"     "balancer://cluster443/"
        ProxyPassReverse        "/"     "balancer://cluster443/"
        #ProxyPreserveHost On
        ProxyRequests On
        ProxyVia off
        # autenticazione server ------------------------------------------
        <IfModule mod_ssl.c>
                SSLEngine On
                #SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!SSLv2:!LOW
                SSLCertificateFile <CRT>
                SSLCertificateChainFile <PEM>
                SSLCertificateKeyFile <KEY>
                SSLCACertificateFile <PEM>
                SSLProxyEngine On
                SSLProxyCheckPeerName off
                SSLProxyVerify none
                SSLProxyCheckPeerCN off
                SSLProxyCheckPeerExpire off
                # Cipher Suite e Protocolli
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder On
                SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        </IfModule>
        RewriteEngine On
        RewriteCond %{SSL:SSL_PROTOCOL} ^SSLv3$
        RewriteRule ^.*$ http://<SERVER>/SSLv3/ [L,R=302]
        # No HTTP1.0
        RewriteCond %{THE_REQUEST} !HTTP/1.1$
        RewriteRule .* - [F]
        # - direttive generali -------------------------------------------
        DocumentRoot <ROOT>
        # sicurezza
        RequestReadTimeout header=20-40,MinRate=500 body=20-60,MinRate=500
        RequestHeader set X-Forwarded-Proto "https" env=HTTPS
        Header always set X-XSS-Protection "1; mode=block"
        Header always set Content-Security-Policy "upgrade-insecure-requests; default-src https:"
        Header always append X-Frame-Options SAMEORIGIN
        Header always set X-Content-Type-Options "nosniff"
        Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
        FileETag None
        TraceEnable off
        <Location "/">
                AllowMethods GET POST OPTIONS
        </Location>
        # cache
        ExpiresActive On
        Header unset Etag
        Header unset Cache-Control
        Header unset Expires
        Header unset Pragma
        Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"
        Header set Pragma "no-cache"
        # mod_security
        SecRuleEngine DetectionOnly
        #SecRule ARGS:testparam "@contains test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_23_request_limits.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_42_tight_security.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_21_protocol_anomalies.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_50_outbound.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_45_trojans.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_59_outbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_49_inbound_blocking.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_30_http_policy.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_35_bad_robots.conf
        IncludeOptional /etc/modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_marketing.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_42_comment_spam.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_13_xml_enabler.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_11_avs_traffic.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_25_cc_known.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_session_hijacking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_55_application_defects.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_49_header_tagging.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_46_av_scanning.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_username_tracking.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_43_csrf_protection.conf
        IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_16_authentication_tracking.conf
        #IncludeOptional /etc/modsecurity/optional_rules/modsecurity_crs_10_ignore_static.conf
        IncludeOptional /etc/modsecurity/git/crs-setup.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-901-INITIALIZATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9001-DRUPAL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-903.9005-CPANEL-EXCLUSION-RULES.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-905-COMMON-EXCEPTIONS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-910-IP-REPUTATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-911-METHOD-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-912-DOS-PROTECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-913-SCANNER-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-914-FILE-DETECTION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-920-PROTOCOL-ENFORCEMENT.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-921-PROTOCOL-ATTACK.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-930-APPLICATION-ATTACK-LFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-931-APPLICATION-ATTACK-RFI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-932-APPLICATION-ATTACK-RCE.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-933-APPLICATION-ATTACK-PHP.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-941-APPLICATION-ATTACK-XSS.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-942-APPLICATION-ATTACK-SQLI.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-944-APPLICATION-ATTACK-JAVA.conf
        IncludeOptional /etc/modsecurity/git/REQUEST-949-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-950-DATA-LEAKAGES.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-951-DATA-LEAKAGES-SQL.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-952-DATA-LEAKAGES-JAVA.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-953-DATA-LEAKAGES-PHP.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-954-DATA-LEAKAGES-IIS.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-959-BLOCKING-EVALUATION.conf
        IncludeOptional /etc/modsecurity/git/RESPONSE-980-CORRELATION.conf
        SecAuditEngine On
#       SecAuditEngine RelevantOnly
#       SecAuditLogRelevantStatus ^1-5
#       SecAuditLogParts ABCIFHZ
        SecAuditLogType Serial
        SecAuditLog /var/log/apache2/modsec_audit.log
</VirtualHost>

andrea

Taggato in: , , , , , , ,

Che altro puoi leggere

LTSP Ubuntu Remote Desktop con PC di Recupero
PROXMOX Tablet Pointer vs vmMouse
Cordova Phonegap installazione ed utilizzo in ambiente Android

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.