benedikt.kroening authored
SSL now works on CentOS/RHEL
ox-https.conf 3.69 KiB
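# HTTPS front end for the appsuite web UI. Terminates TLS, sets response
# security headers, redirects / to /appsuite/ and proxies requests from known
# DAV clients to the DAV servlet on localhost:8009.
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
# Directory permissions and options
# NOTE(review): the filesystem root carries no explicit access rule here, so
# access to paths outside DocumentRoot depends on the main server config.
# Confirm that it denies access to / by default.
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# NOTE(review): "Order"/"allow from" are httpd 2.2 access-control directives.
# On httpd 2.4 they are only accepted when mod_access_compat is loaded; the 2.4
# form is "Require all granted". Confirm which httpd version this file targets.
<Directory /var/www/html>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
# Symlinks under appsuite are only followed when link and target share an owner.
<Directory /var/www/html/appsuite>
Options None +SymLinksIfOwnerMatch
AllowOverride Indexes FileInfo
</Directory>
# Rewrite
RewriteEngine On
# Redirect requests from /
RedirectMatch ^/$ /appsuite/
# TLS
SSLEngine on
# Consider deploying a trusted TLS certificate
# The private key should be readable by root only; httpd reads it at startup
# before dropping privileges.
SSLCertificateFile /opt/open-xchange/certs/frontend.crt
SSLCertificateKeyFile /opt/open-xchange/certs/frontend.key
#SSLCertificateFile {{env "APACHE_SSL_CRT"}}
#SSLCertificateKeyFile {{env "APACHE_SSL_KEY"}}
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!aNULL
# TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and are no longer offered.
# Append +TLSv1.3 where httpd is 2.4.37 or later and built against OpenSSL 1.1.1;
# older builds reject the unknown protocol name at startup.
SSLProtocol -all +TLSv1.2
# Security related headers
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection only affects legacy browsers; current browsers have removed
# the XSS filter it controls, so it is no substitute for a Content-Security-Policy.
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Download-Options "noopen"
Header always set X-Permitted-Cross-Domain-Policies "none"
# NOTE(review): mod_headers generally cannot remove the Server header, which
# httpd adds itself. Set "ServerTokens Prod" in the main server config (it is
# not valid inside a VirtualHost) and verify against a captured response.
Header unset Server
# GZip compression is enabled by default for faster content transfer. Consider disabling mod_deflate to mitigate BREACH
# HSTS: browsers do not let users click through certificate errors on an HSTS
# host, so deploy a trusted certificate before relying on this header.
# includeSubDomains extends the one-year policy to every subdomain, and preload
# only takes effect once the domain is submitted to the browser preload list.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
# Add HPKP PINs here
# HPKP is deprecated and ignored by current browsers; a wrong pin could lock
# clients out for max-age. Inner quotes must be escaped for httpd to parse this.
#Header always set Public-Key-Pins "pin-sha256=\"PIN1\"; pin-sha256=\"PIN2\"; max-age=2592000; includeSubDomains"
# OCSP Stapling requires a TLS certificate with issuer information, consider getting a trusted certificate
# It also needs an SSLStaplingCache directive in the main server config, outside any VirtualHost.
#SSLUseStapling On
# Setting ECDH Parameters requires OpenSSL 1.0.2 or later, uncomment if available
#SSLOpenSSLConfCmd ECDHParameters secp384r1
<Directory "/var/www/html/">
# Rewrite DAV Client requests to DAV servlet
# The User-Agent header is supplied by the client, so these conditions are
# routing only and not an access control: the DAV servlet must authenticate
# every request itself. The [P] flag needs mod_proxy and mod_proxy_http, and
# the backend hop is plain HTTP over loopback.
RewriteCond %{HTTP_USER_AGENT} Calendar [OR]
RewriteCond %{HTTP_USER_AGENT} Reminders [OR]
RewriteCond %{HTTP_USER_AGENT} DataAccess [OR]
RewriteCond %{HTTP_USER_AGENT} DAVKit [OR]
RewriteCond %{HTTP_USER_AGENT} Lightning [OR]
RewriteCond %{HTTP_USER_AGENT} Adresboek [OR]
RewriteCond %{HTTP_USER_AGENT} dataaccessd [OR]
RewriteCond %{HTTP_USER_AGENT} Preferences [OR]
RewriteCond %{HTTP_USER_AGENT} Adressbuch [OR]
RewriteCond %{HTTP_USER_AGENT} AddressBook [OR]
RewriteCond %{HTTP_USER_AGENT} Address\ Book [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarStore [OR]
RewriteCond %{HTTP_USER_AGENT} CalendarAgent [OR]
RewriteCond %{HTTP_USER_AGENT} accountsd [OR]
RewriteCond %{HTTP_USER_AGENT} eM\ Client [OR]
RewriteCond %{HTTP_USER_AGENT} OX\ Sync [OR]
RewriteCond %{HTTP_USER_AGENT} CoreDAV
RewriteRule (.*) http://localhost:8009/servlet/dav/$1 [P]
</Directory>
# Logging
# With both log directives commented out, this vhost inherits the server-wide
# log settings. A dedicated access log makes it easier to review requests to
# the web UI and DAV endpoints.
# NOTE(review): ${APACHE_LOG_DIR} is defined by Debian/Ubuntu packaging; on
# CentOS/RHEL use a path such as logs/ox-https-error.log relative to ServerRoot.
LogLevel warn
# ErrorLog ${APACHE_LOG_DIR}/ox-https-error.log
# CustomLog ${APACHE_LOG_DIR}/ox-https-access.log combined
</VirtualHost>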