From c5859c68b4f18708edf7d908a8ca67646c8e5cb5 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Tue, 13 Mar 2018 16:48:49 +0100
Subject: [PATCH] install_roundcube.sh: virtual host configuration changed.

---
 install_roundcube.sh | 353 ++----------------------------------------
 1 file changed, 13 insertions(+), 340 deletions(-)

diff --git a/install_roundcube.sh b/install_roundcube.sh
index 249de01..b64b7cc 100755
--- a/install_roundcube.sh
+++ b/install_roundcube.sh
@@ -1167,7 +1167,7 @@ _failed=false
 cat < ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file # -- $WEBSITE_NAME -- # - + ServerAdmin $WEBMASTER_EMAIL 
@@ -1177,87 +1177,13 @@ cat < ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file RewriteCond %{HTTPS} !=on RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] - # ========== - # - HTTP security Headers - # ========== - - # - X-Frame-Options - # - - # - The X-Frame-Options header (RFC), or XFO header, protects your visitors - # - against clickjacking attacks. An attacker can load up an iframe on their - # - site and set your site as the source, it's quite easy: - # - - # - - # - - # - Using some crafty CSS they can hide your site in the background and create some - # - genuine looking overlays. When your visitors click on what they think is a harmless - # - link, they're actually clicking on links on your website in the background. That - # - might not seem so bad until we realise that the browser will execute those requests - # - in the context of the user, which could include them being logged in and authenticated - # - to your site! - # - - # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : - # - of you': - # - - # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html - # - - # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows - # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify - # -sites that are permitted to frame your own site. - # - - Header always set X-Frame-Options "SAMEORIGIN" - - # - X-Xss-Protection - # - - # - This header is used to configure the built in reflective XSS protection found - # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header - # - are 0, which disables the protection, 1 which enables the protection - # - and 1; mode=block which tells the browser to block the response if it - # - detects an attack rather than sanitising the script. 
- # - - Header always set X-Xss-Protection "1; mode=block" - - # - X-Content-Type-Options - # - - # - Nice and easy to configure, this header only has one valid value, nosniff. - # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff - # - the content-type of a response away from the one being declared by the server. - # - It reduces exposure to drive-by downloads and the risks of user uploaded content - # - that, with clever naming, could be treated as a different content-type, like - # - an executable. - # - - Header always set X-Content-Type-Options "nosniff" - - # - Content Security Policy - # - - # - The CSP header allows you to define a whitelist of approved sources of content - # - for your site. By restricting the assets that a browser can load for your site, - # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I - # - have covered CSP in a lot more detail in my blog Content Security Policy - An - # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). - # - - # - Here is a basic policy to enforce TLS on all assets and prevent - # - mixed content warnings. - # - - # - Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" - - # - Referrer-Policy - # - - # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header - # - field that identifies the address of the webpage (i.e. the URI or IRI) that - # - linked to the resource being requested. By checking the referrer, the new - # - webpage can see where the request originated. - # - - Header set Referrer-Policy "strict-origin-when-cross-origin - CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log - + ServerAdmin $WEBMASTER_EMAIL 
@@ -1391,8 +1317,17 @@ cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file # - Here is a basic policy to enforce TLS on all assets and prevent # - mixed content warnings. # - - # - Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" + # - Allow Google Analytics, Google AJAX CDN and Same Origin + # - script-src 'self' www.google-analytics.com ajax.googleapis.com; + # - + # - Emmbedding Google Fonts + # - style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; + # - + # - Allow YouTube Videos (iframe embedded) + # - frame-src 'self' https://www.youtube.com + # - + #Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' ; object-src 'none'" + Header always set Content-Security-Policy "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ; img-src 'self' data: https: ; connect-src 'self'; font-src 'self'; object-src 'self'; media-src 'self' ; frame-src 'self'; worker-src ${WEBSITE_NAME}:443 ; form-action 'self'; base-uri 'self'; frame-ancestors 'self'; upgrade-insecure-requests" # - Referrer-Policy # - 
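Review bot: The comment blocks added above the new Content-Security-Policy line (Google Analytics / AJAX CDN for script-src, fonts.googleapis.com for style-src, youtube.com for frame-src) describe allowances the policy does not grant — the live header limits script-src, style-src and frame-src to 'self' — so they will mislead whoever tunes this policy next; either drop them or reword the heading as `# - Example sources that could be added if needed (NOT enabled below):`, and fix "Emmbedding". The live line also relaxes object-src from the 'none' of the commented-out variant to `'self'`; unless Roundcube is known to serve plugin objects, `object-src 'none'` is the safer default, and `worker-src ${WEBSITE_NAME}:443` can likely be written as `worker-src 'self'` since the :80 vhost already redirects everything to HTTPS. The removed copies of this block show `Header set Referrer-Policy "strict-origin-when-cross-origin` with no closing quote; the surviving copy sits just after this hunk's trailing context and is presumably the same line, in which case Apache will refuse to load the vhost — running `apachectl configtest` after the heredoc is written would catch it. The heredoc that emits these lines starts and ends outside the hunk.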
@@ -1424,268 +1359,6 @@ cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - -# --- -# --- IPv6 -# --- - - - - ServerAdmin $WEBMASTER_EMAIL - - ServerName $WEBSITE_NAME - - RewriteEngine on - RewriteCond %{HTTPS} !=on - RewriteRule (.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L] - - # ========== - # - HTTP security Headers - # ========== - - # - X-Frame-Options - # - - # - The X-Frame-Options header (RFC), or XFO header, protects your visitors - # - against clickjacking attacks. An attacker can load up an iframe on their - # - site and set your site as the source, it's quite easy: - # - - # - - # - - # - Using some crafty CSS they can hide your site in the background and create some - # - genuine looking overlays. When your visitors click on what they think is a harmless - # - link, they're actually clicking on links on your website in the background. That - # - might not seem so bad until we realise that the browser will execute those requests - # - in the context of the user, which could include them being logged in and authenticated - # - to your site! - # - - # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : - # - of you': - # - - # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html - # - - # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows - # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify - # -sites that are permitted to frame your own site. - # - - Header always set X-Frame-Options "SAMEORIGIN" - - # - X-Xss-Protection - # - - # - This header is used to configure the built in reflective XSS protection found - # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header - # - are 0, which disables the protection, 1 which enables the protection - # - and 1; mode=block which tells the browser to block the response if it - # - detects an attack rather than sanitising the script. 
- # - - Header always set X-Xss-Protection "1; mode=block" - - # - X-Content-Type-Options - # - - # - Nice and easy to configure, this header only has one valid value, nosniff. - # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff - # - the content-type of a response away from the one being declared by the server. - # - It reduces exposure to drive-by downloads and the risks of user uploaded content - # - that, with clever naming, could be treated as a different content-type, like - # - an executable. - # - - Header always set X-Content-Type-Options "nosniff" - - # - Content Security Policy - # - - # - The CSP header allows you to define a whitelist of approved sources of content - # - for your site. By restricting the assets that a browser can load for your site, - # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I - # - have covered CSP in a lot more detail in my blog Content Security Policy - An - # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). - # - - # - Here is a basic policy to enforce TLS on all assets and prevent - # - mixed content warnings. - # - - # - Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" - - # - Referrer-Policy - # - - # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header - # - field that identifies the address of the webpage (i.e. the URI or IRI) that - # - linked to the resource being requested. By checking the referrer, the new - # - webpage can see where the request originated. - # - - Header set Referrer-Policy "strict-origin-when-cross-origin - - CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined - ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log - - - - - - - ServerAdmin $WEBMASTER_EMAIL - - ServerName $WEBSITE_NAME - -EOF -if [[ $? 
-ne 0 ]]; then - _failed=true -fi - -if [[ "$PHP_TYPE" = "mod_php" ]]; then - - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - ## - its allowed to overwrite by .htaccess - ## - - php_value error_reporting "E_ALL & ~E_NOTICE" - - ## - Overwriting by .htaccess NOT allowd - ## - - php_admin_value upload_tmp_dir "${WEBSITE_BASEDIR}/tmp/" - php_admin_flag log_errors on - php_admin_value error_log "${WEBSITE_BASEDIR}/logs/php_error.log" - php_admin_value session.save_path "${WEBSITE_BASEDIR}/sessions" - - DocumentRoot "${WEBSITE_BASEDIR}/htdocs/" -EOF - if [[ $? -ne 0 ]]; then - _failed=true - fi -elif [[ "$PHP_TYPE" = "fcgid" ]]; then - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - DocumentRoot "${WEBSITE_BASEDIR}/htdocs/" - - Require all granted - FCGIWrapper ${WEBSITE_BASEDIR}/conf/fcgid .php - - SetHandler fcgid-script - - Options +ExecCGI - -EOF - if [[ $? -ne 0 ]]; then - _failed=true - fi -elif [[ "$PHP_TYPE" = "php_fpm" ]]; then - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - DocumentRoot "${WEBSITE_BASEDIR}/htdocs/" - - -EOF - if $PHP_DEBIAN_INSTALLATION ; then - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - SetHandler "proxy:unix:/var/run/php$(echo $php_major_version | cut -d'.' -f1)-fpm.sock|fcgi://127.0.0.1" -EOF - else - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - SetHandler "proxy:unix:/tmp/php-${php_latest_ver}-fpm.www.sock|fcgi://127.0.0.1" -EOF - fi - cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - - - - DirectoryIndex index.php index.html - -EOF - if [[ $? -ne 0 ]]; then - failed=true - fi -fi -cat <> ${APACHE_VHOST_DIR}/${WEBSITE_NAME}.conf 2>> $log_file - - # ========== - # - HTTP security Headers - # ========== - - # - X-Frame-Options - # - - # - The X-Frame-Options header (RFC), or XFO header, protects your visitors - # - against clickjacking attacks. 
An attacker can load up an iframe on their - # - site and set your site as the source, it's quite easy: - # - - # - - # - - # - Using some crafty CSS they can hide your site in the background and create some - # - genuine looking overlays. When your visitors click on what they think is a harmless - # - link, they're actually clicking on links on your website in the background. That - # - might not seem so bad until we realise that the browser will execute those requests - # - in the context of the user, which could include them being logged in and authenticated - # - to your site! - # - - # - Troy Hunt has a great blog on 'Clickjack attack – the hidden threat right in front : - # - of you': - # - - # - http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html - # - - # - Valid values include DENY meaning your site can't be framed, SAMEORIGIN which allows - # - you to frame your own site or ALLOW-FROM https://example.com/ which lets you specify - # -sites that are permitted to frame your own site. - # - - Header always set X-Frame-Options "SAMEORIGIN" - - # - X-Xss-Protection - # - - # - This header is used to configure the built in reflective XSS protection found - # - in Internet Explorer, Chrome and Safari (Webkit). Valid settings for the header - # - are 0, which disables the protection, 1 which enables the protection - # - and 1; mode=block which tells the browser to block the response if it - # - detects an attack rather than sanitising the script. - # - - Header always set X-Xss-Protection "1; mode=block" - - # - X-Content-Type-Options - # - - # - Nice and easy to configure, this header only has one valid value, nosniff. - # - It prevents Google Chrome and Internet Explorer from trying to mime-sniff - # - the content-type of a response away from the one being declared by the server. 
- # - It reduces exposure to drive-by downloads and the risks of user uploaded content - # - that, with clever naming, could be treated as a different content-type, like - # - an executable. - # - - Header always set X-Content-Type-Options "nosniff" - - # - Content Security Policy - # - - # - The CSP header allows you to define a whitelist of approved sources of content - # - for your site. By restricting the assets that a browser can load for your site, - # - like js and css, CSP can act as an effective countermeasure to XSS attacks. I - # - have covered CSP in a lot more detail in my blog Content Security Policy - An - # - Introduction (https://scotthelme.co.uk/content-security-policy-an-introduction/). - # - - # - Here is a basic policy to enforce TLS on all assets and prevent - # - mixed content warnings. - # - - # - Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" - - # - Referrer-Policy - # - - # - The HTTP referer (originally a misspelling of referrer[1]) is an HTTP header - # - field that identifies the address of the webpage (i.e. the URI or IRI) that - # - linked to the resource being requested. By checking the referrer, the new - # - webpage can see where the request originated. - # - - Header set Referrer-Policy "strict-origin-when-cross-origin - - # - HTTP Strict Transport Security (HSTS) - # - - # - HSTS tells a browser that the website should only be accessed through - # - a secure connection. The HSTS header will be remembered by a standard - # compliant browser for max-age seconds. - # - - # - Remember this settings for 1 year - # - - Header always set Strict-Transport-Security "max-age=31536000" - - SSLEngine on - - SSLCertificateFile ${APACHE_CERT_DIR}/$APACHE_SERVER_CERT - SSLCertificateKeyFile ${APACHE_CERT_DIR}/$APACHE_SERVER_KEY - $SSLCertificateChainFile - - CustomLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-access.log combined - ErrorLog ${APACHE_LOG_DIR}/${WEBSITE_NAME}-error.log - - EOF if [[ $? 
-ne 0 ]]; then _failed=true