forked from pool/apache2
9ac936a203
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
[boo#1228098]
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
[boo#1228097]
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs.
PR 69160 [Yann Ylavic]
*) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
[Joe Orton]
*) mod_ssl: Add support for loading certs/keys from pkcs11: URIs
via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
*) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0.
[Ruediger Pluem, Yann Ylavic]
*) mpm_worker: Fix possible warning (AH00045) about children processes not
terminating timely. [Yann Ylavic]
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=706
235 lines
9.1 KiB
Plaintext
235 lines
9.1 KiB
Plaintext
#
|
|
# /etc/apache2/httpd.conf
|
|
#
|
|
# This is the main Apache server configuration file. It contains the
|
|
# configuration directives that give the server its instructions.
|
|
# See <URL:https://httpd.apache.org/docs/2.4/> for detailed information about
|
|
# the directives.
|
|
|
|
# Based upon the default apache configuration file that ships with apache,
|
|
# which is based upon the NCSA server configuration files originally by Rob
|
|
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.
|
|
|
|
# If possible, avoid changes to this file. It does mainly contain Include
|
|
# statements and global settings that can/should be overridden in the
|
|
# configuration of your virtual hosts.
|
|
|
|
# Quickstart guide:
|
|
# https://en.opensuse.org/SDB:Apache_installation
|
|
|
|
|
|
# Overview of include files, chronologically:
|
|
#
|
|
# httpd.conf
|
|
# |
|
|
# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under
|
|
# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...)
|
|
# |-- loadmodule.conf . . . . . . . . . . . [*] load these modules
|
|
# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on
|
|
# |-- mod_log_config.conf . . . . . . . . . define logging formats
|
|
# |-- global.conf . . . . . . . . . . . . . [*] server-wide general settings
|
|
# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
|
|
# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
|
|
# |-- mod_reqtimeout.conf . . . . . . . . . set timeout and minimum data rate for receiving requests
|
|
# |-- mod_cgid-timeout.conf . . . . . . . . set CGIDScriptTimeout if mod_cgid is loaded/active
|
|
# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking
|
|
# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
|
|
# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration
|
|
# |-- errors.conf . . . . . . . . . . . . . customize error responses
|
|
# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
|
|
# |-- protocols.conf . . . . . . . . . . . Protocol settings that applies to default server _and all_ virtual hosts
|
|
# |
|
|
# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
|
|
# | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded)
|
|
# | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed)
|
|
# |
|
|
# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
|
|
# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included)
|
|
#
|
|
#
|
|
# Files marked [*] are NOT read when server is started via systemd service. When server
|
|
# is started via service, defaults from /etc/sysconfig/apache2 are taken into account.
|
|
#
|
|
|
|
|
|
|
|
# Filesystem layout:
|
|
#
|
|
# /etc/apache2/
|
|
# |-- charset.conv . . . . . . . . . . . . for mod_auth_ldap
|
|
# |-- conf.d/
|
|
# | |-- apache2-manual.conf . . . . . . . conf that comes with apache2-doc
|
|
# | |-- mod_php4.conf . . . . . . . . . . (example) conf that comes with apache2-mod_php4
|
|
# | `-- ... . . . . . . . . . . . . . . . other configuration added by packages
|
|
# |-- default-server.conf
|
|
# |-- errors.conf
|
|
# |-- httpd.conf . . . . . . . . . . . . . top level configuration file
|
|
# |-- listen.conf
|
|
# |-- magic
|
|
# |-- mime.types -> ../mime.types
|
|
# |-- mod_autoindex-defaults.conf
|
|
# |-- mod_info.conf
|
|
# |-- mod_log_config.conf
|
|
# |-- mod_mime-defaults.conf
|
|
# |-- mod_perl-startup.pl
|
|
# |-- mod_status.conf
|
|
# |-- mod_userdir.conf
|
|
# |-- mod_usertrack.conf
|
|
# |-- server-tuning.conf
|
|
# |-- ssl-global.conf
|
|
# |-- protocols.conf
|
|
# |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
|
|
# |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
|
|
# |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
|
|
# |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
|
|
# |-- ssl.prm/ . . . . . . . . . . . . . . public DSA Parameter Files
|
|
# |-- global.conf
|
|
# |-- loadmodule.conf
|
|
# |-- uid.conf
|
|
# `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
|
|
# |-- vhost-ssl.template
|
|
# `-- vhost.template
|
|
|
|
|
|
|
|
### Global Environment ######################################################
|
|
#
|
|
# The directives in this section affect the overall operation of Apache,
|
|
# such as the number of concurrent requests.
|
|
|
|
# run under this user/group id
|
|
Include /etc/apache2/uid.conf
|
|
|
|
# - how many server processes to start (server pool regulation)
|
|
# - usage of KeepAlive
|
|
Include /etc/apache2/server-tuning.conf
|
|
|
|
# ErrorLog: The location of the error log file.
|
|
# If you do not specify an ErrorLog directive within a <VirtualHost>
|
|
# container, error messages relating to that virtual host will be
|
|
# logged here. If you *do* define an error logfile for a <VirtualHost>
|
|
# container, that host's errors will be logged there and not here.
|
|
ErrorLog /var/log/apache2/error_log
|
|
|
|
# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
|
|
<IfDefine !SYSCONFIG>
|
|
Include /etc/apache2/loadmodule.conf
|
|
</IfDefine>
|
|
|
|
# IP addresses / ports to listen on
|
|
Include /etc/apache2/listen.conf
|
|
|
|
# predefined logging formats
|
|
Include /etc/apache2/mod_log_config.conf
|
|
|
|
# generated from default values of global settings in /etc/sysconfig/apache2
|
|
<IfDefine !SYSCONFIG>
|
|
Include /etc/apache2/global.conf
|
|
</IfDefine>
|
|
|
|
# optional mod_status, mod_info
|
|
Include /etc/apache2/mod_status.conf
|
|
Include /etc/apache2/mod_info.conf
|
|
|
|
# mod_reqtimeout protects the server from the so-called "slowloris"
|
|
# attack: The server is not swamped with requests in fast succession,
|
|
# but with slowly transmitted request headers and body, thereby filling up
|
|
# the request slots until the server runs out of them.
|
|
# mod_reqtimeout is lightweight and should deliver good results
|
|
# with the configured default values. You shouldn't notice it at all.
|
|
Include /etc/apache2/mod_reqtimeout.conf
|
|
|
|
# Fix for CVE-2014-0231 introduces new configuration parameter
|
|
# CGIDScriptTimeout. This directive and its effect prevent request
|
|
# workers to be eaten until starvation if cgi programs do not send
|
|
# output back to the server within the timout set by CGIDScriptTimeout.
|
|
Include /etc/apache2/mod_cgid-timeout.conf
|
|
|
|
# optional cookie-based user tracking
|
|
# read the documentation before using it!!
|
|
Include /etc/apache2/mod_usertrack.conf
|
|
|
|
# configuration of server-generated directory listings
|
|
Include /etc/apache2/mod_autoindex-defaults.conf
|
|
|
|
# associate MIME types with filename extensions
|
|
TypesConfig /etc/apache2/mime.types
|
|
Include /etc/apache2/mod_mime-defaults.conf
|
|
|
|
# set up (customizable) error responses
|
|
Include /etc/apache2/errors.conf
|
|
|
|
# global (server-wide) SSL configuration, that is not specific to
|
|
# any virtual host
|
|
Include /etc/apache2/ssl-global.conf
|
|
|
|
# global (server-wide) protocol configuration, that is not specific
|
|
# to any virtual host
|
|
Include /etc/apache2/protocols.conf
|
|
|
|
# forbid access to the entire filesystem by default
|
|
<Directory />
|
|
Options None
|
|
AllowOverride None
|
|
<IfModule !mod_access_compat.c>
|
|
Require all denied
|
|
</IfModule>
|
|
<IfModule mod_access_compat.c>
|
|
Order deny,allow
|
|
Deny from all
|
|
</IfModule>
|
|
</Directory>
|
|
|
|
# use .htaccess files for overriding,
|
|
AccessFileName .htaccess
|
|
# and never show them
|
|
<Files ~ "^\.ht">
|
|
<IfModule !mod_access_compat.c>
|
|
Require all denied
|
|
</IfModule>
|
|
<IfModule mod_access_compat.c>
|
|
Order allow,deny
|
|
Deny from all
|
|
</IfModule>
|
|
</Files>
|
|
|
|
# List of resources to look for when the client requests a directory
|
|
DirectoryIndex index.html index.html.var
|
|
|
|
### 'Main' server configuration #############################################
|
|
#
|
|
# The directives in this section set up the values used by the 'main'
|
|
# server, which responds to any requests that aren't handled by a
|
|
# <VirtualHost> definition. These values also provide defaults for
|
|
# any <VirtualHost> containers you may define later in the file.
|
|
#
|
|
# All of these directives may appear inside <VirtualHost> containers,
|
|
# in which case these default settings will be overridden for the
|
|
# virtual host being defined.
|
|
#
|
|
Include /etc/apache2/default-server.conf
|
|
|
|
|
|
### Virtual server configuration ############################################
|
|
#
|
|
# VirtualHost: If you want to maintain multiple domains/hostnames on your
|
|
# machine you can setup VirtualHost containers for them. Most configurations
|
|
# use only name-based virtual hosts so the server doesn't need to worry about
|
|
# IP addresses. This is indicated by the asterisks in the directives below.
|
|
#
|
|
# Please see the documentation at
|
|
# <URL:https://httpd.apache.org/docs/2.4/vhosts/>
|
|
# for further details before you try to setup virtual hosts.
|
|
#
|
|
# You may use the command line option '-S' to verify your virtual host
|
|
# configuration.
|
|
#
|
|
IncludeOptional /etc/apache2/vhosts.d/*.conf
|
|
|
|
|
|
# Note: instead of adding your own configuration here, consider
|
|
# adding it in your own file (/etc/apache2/httpd.conf.local)
|
|
# putting its name into APACHE_CONF_INCLUDE_FILES in
|
|
# /etc/sysconfig/apache2 -- this will make system updates
|
|
# easier :)
|