Optimizations for Nginx/Apache configs

2025-08-09 08:35:05 +02:00 · 2021-06-08 19:48:27 -04:00
parent fe0fbaeda6 d8eef085c7
commit 432436c7f1
26 changed files with 247 additions and 168 deletions
--- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf
+++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache.conf
@ -43,6 +43,14 @@
        </files>
    </Directory>

+    <Directory "/usr/share/zabbix/locale">
+        Require all denied
+        <files *.php>
+            Order deny,allow
+            Deny from all
+        </files>
+    </Directory>
+
    <Directory "/usr/share/zabbix/vendor">
        Require all denied
        <files *.php>
--- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf
+++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/apache_ssl.conf
@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

 <IfModule mod_ssl.c>
    <VirtualHost *:8443>
-        SSLEngine on
-
        DocumentRoot /usr/share/zabbix/
        ServerName zabbix
        DirectoryIndex index.php
@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
        # Enable/Disable SSL for this virtual host.
        SSLEngine on

-        SSLProtocol             all -SSLv2 -SSLv3
-        SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-        SSLHonorCipherOrder     on
+        # intermediate configuration
+        SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+        SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+        SSLHonorCipherOrder     off
+        SSLSessionTickets       off

        SSLCertificateFile /etc/ssl/apache2/ssl.crt
        SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
        # SSLCACertificatePath /etc/ssl/apache2/chain/

-        # HSTS (mod_headers is required) (15768000 seconds = 6 months)
-        Header always set Strict-Transport-Security "max-age=15768000"
+        # enable HTTP/2, if available
+        Protocols h2 http/1.1
+
+        # HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
+        Header always set Strict-Transport-Security "max-age=63072000"

        <Directory "/usr/share/zabbix">
            Options FollowSymLinks
@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
            </files>
        </Directory>

+        <Directory "/usr/share/zabbix/locale">
+            Require all denied
+            <files *.php>
+                Order deny,allow
+                Deny from all
+            </files>
+        </Directory>
+
        <Directory "/usr/share/zabbix/vendor">
            Require all denied
            <files *.php>