# Apache httpd virtual-host configuration for test.leadtributor.com, fronting a
# Tomcat application through mod_jk.
# NOTE(review): the container lines (<VirtualHost>, <Directory>, <Location>,
# <Files> ...) are not present in this copy. Directives are kept in their
# original order; the grouping described below is inferred and must be checked
# against the deployed file.

# Presumably the plain-HTTP virtual host: it only redirects to HTTPS.
ServerAdmin webmaster@leadtributor.com
ServerName test.leadtributor.com
Redirect permanent / https://test.leadtributor.com/

# Presumably the TLS virtual host.
ServerAdmin webmaster@leadtributor.com
ServerName test.leadtributor.com
# DocumentRoot lies inside the Tomcat installation, so httpd serves every path
# that is not JkMount'ed straight from the webapp directory on disk.
# NOTE(review): confirm WEB-INF and META-INF are covered by one of the
# "Deny from all" groups further down.
DocumentRoot /usr/share/apache-tomcat-7.0.53/lms_test
# Send the bare root and /test URLs to the application entry page.
RedirectMatch ^/$ /test/Lms.jsp
RedirectMatch ^/test$ /test/Lms.jsp
RedirectMatch ^/test/$ /test/Lms.jsp

ErrorLog /var/www/test.leadtributor.com/logs/error_log_ssl
# Uses the "combined" nickname and has no env= condition, so every request is
# logged regardless of the dontlog variable set below.
CustomLog /var/www/test.leadtributor.com/logs/access_log_ssl combined
# LogFormat without a nickname only sets the default for TransferLog; it does
# not change the CustomLog line above.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
# Sets dontlog, which nothing visible here consumes. The pattern has an
# unescaped "." and ungrouped alternatives, so it matches any URI that merely
# contains "jpg", "png", "css", "js", ... - including every *.jsp request.
# If env=!dontlog is ever added to CustomLog, application and login requests
# would vanish from the access log; an anchored form would be
# "\.(gif|jpe?g|png|css|js|ico)$".
SetEnvIfNoCase Request_URI ".(gif)|(jpg)|(jpeg)|(png)|(css)|(js)|(ico)$" dontlog

SSLEngine on
#SSLCACertificateFile /root/ssl/RapidSSL_Intermediate.crt
# Intermediate chain sent to clients. SSLCertificateChainFile is deprecated
# from httpd 2.4.8 on, where the chain can be appended to SSLCertificateFile.
SSLCertificateChainFile /root/ssl/RapidSSL_Intermediate.crt
# Wildcard certificate and its private key; keep the key readable by root only.
SSLCertificateFile /root/ssl/_wildcard__leadtributor_com_d3757_ed8ad.crt
SSLCertificateKeyFile /root/ssl/_wildcard__leadtributor_com_d3757_ed8ad.key
# https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy
# http://serverfault.com/questions/667333/cannot-disable-rc4
# openssl ciphers -v 'EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4'
# Forward-secret key exchange only (EECDH / EDH); RC4, 3DES, MD5, export and
# anonymous suites are excluded.
# NOTE(review): no SSLProtocol or SSLCompression directive appears in this
# copy, so protocol versions and TLS compression fall back to server-wide or
# built-in defaults - confirm legacy protocol versions are disabled there.
SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4"
# Server preference order wins over the client's.
SSLHonorCipherOrder on
# HSTS for one year, covering subdomains of this host. Without the "always"
# condition the header is not added to error responses generated by httpd.
Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
#SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
# Legacy Internet Explorer workaround: no keep-alive and HTTP/1.0 responses.
BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

# Paths handed to Tomcat via mod_jk worker "worker1"; everything else is
# served by httpd from DocumentRoot.
JkMount /test/j_security_check worker1
JkMount /test/*.jsp worker1
JkMount /test/lms/sc/IDACall worker1
JkMount /test/lms/sc/IDACall/* worker1
JkMount /test/lms/sc/DataSourceLoader worker1
JkMount /test/lms/sc/screenLoader worker1
# NOTE(review): judging by its name this endpoint relays requests to other
# hosts - confirm it requires an authenticated session and is limited to an
# allow-list of targets.
JkMount /test/lms/sc/HttpProxy worker1
JkMount /test/lms/sc/ worker1
JkMount /test/ServletLogin worker1
JkMount /test/ServletLogout worker1
JkMount /test/SendMail worker1

# Presumably the body of a <Directory> block for the document root.
# Exposes the SSL_* environment variables to the request.
SSLOptions +StdEnvVars
# .htaccess files may override FileInfo, AuthConfig and Limit settings.
AllowOverride FileInfo AuthConfig Limit
# Indexes turns on automatic directory listings where no index file exists.
# NOTE(review): with the document root inside the webapp, consider dropping it.
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# NOTE(review): compressing text/html and application/json over TLS is the
# precondition for BREACH-style attacks when responses mix secrets with
# reflected input - confirm this is acceptable for these endpoints.
AddOutputFilterByType DEFLATE text/plain text/html application/json text/xml text/css text/javascript
# Order/Allow/Deny is httpd 2.2 access-control syntax; on 2.4 it needs
# mod_access_compat, and Require is the replacement.
Order allow,deny
Allow from all

# Four groups giving a one-year expiry, presumably one per static-asset
# container - TODO confirm which paths or file types they apply to.
ExpiresActive on
ExpiresDefault "now plus 1 year"
ExpiresActive on
ExpiresDefault "now plus 1 year"
ExpiresActive on
ExpiresDefault "now plus 1 year"
ExpiresActive on
ExpiresDefault "now plus 1 year"

# Groups forcing revalidation on every request.
# NOTE(review): "public" allows shared caches to store these responses;
# confirm none of the affected paths return per-user data.
ExpiresActive on
ExpiresDefault "now"
Header merge Cache-Control "public, max-age=0, must-revalidate"
ExpiresActive on
ExpiresDefault "now"
Header merge Cache-Control "public, max-age=0, must-revalidate"
# Would be correct, but Tomcat already does this.
ExpiresActive on
ExpiresDefault "now"
Header merge Cache-Control "public, max-age=0, must-revalidate"

# Per-container access rules; the paths they apply to are not visible here.
Order allow,deny
Deny from all
Order allow,deny
Allow from all
Order allow,deny
Allow from all
Order allow,deny
Allow from all
#Only in tst!
# The rule below is marked test-only by the original comment; make sure it is
# not carried over into a production virtual host.
Order allow,deny
Allow from all
Order allow,deny
Allow from all
Order allow,deny
Deny from all