# Process limits for the prefork MPM (one process per connection). These
# values bound how many requests are served concurrently, so they also bound
# how much memory a flood of slow or idle connections can consume.
# NOTE(review): 1000 processes is a large ceiling for prefork; confirm the
# host has the memory for MaxClients x per-process RSS, otherwise load can
# push the box into swap and become an availability problem of its own.
<IfModule prefork.c>
StartServers 10
MinSpareServers 10
MaxSpareServers 20
# ServerLimit is the hard cap and must be >= MaxClients.
ServerLimit 1050
# httpd 2.4 names this directive MaxRequestWorkers (the old name is still accepted).
MaxClients 1000
# Recycle each child after 10000 requests to contain slow memory leaks.
# httpd 2.4 names this directive MaxConnectionsPerChild.
MaxRequestsPerChild 10000
</IfModule>
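# --- Information disclosure -------------------------------------------------
# Send only "Apache" in the Server header and drop the footer on generated
# pages. This hides the version from casual scans; it does not replace patching.
ServerTokens Prod
ServerSignature Off

# --- Request handling -------------------------------------------------------
# Requires httpd 2.2.21+. Ignores Range headers entirely, which removes the
# overlapping-range memory-exhaustion vector. It also disables resumable
# downloads and media seeking, so confirm no client depends on them.
MaxRanges none
# Disable the TRACE method (it echoes request headers back to the caller).
TraceEnable Off
# Build ETags from mtime and size only, so inode numbers are not exposed and
# ETags stay consistent across a server farm.
FileETag MTime Size
# Drop the client-supplied Proxy header so it cannot reach CGI-style backends
# as HTTP_PROXY ("httpoxy"). Requires mod_headers.
RequestHeader unset Proxy

# --- Response headers (mod_headers) ----------------------------------------
# NOTE(review): X-XSS-Protection is ignored by current browsers, which have
# removed their XSS auditors; treat the Content-Security-Policy below as the
# effective control.
Header always set X-XSS-Protection "1; mode=block"
# Anti-clickjacking. CSP "frame-ancestors 'self'" is the modern equivalent.
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
# Restricts every resource type to the site's own origin. Inline scripts and
# styles and third-party assets will be blocked; test with
# Content-Security-Policy-Report-Only before enforcing.
Header always set Content-Security-Policy "default-src 'self'"

# --- TLS (mod_ssl) ----------------------------------------------------------
# NOTE(review): "all -SSLv2 -SSLv3" still leaves TLS 1.0 and TLS 1.1 enabled.
# Both are deprecated; restrict to TLS 1.2 and later once no legacy clients
# remain.
SSLProtocol all -SSLv2 -SSLv3
# NOTE(review): the entries at the end of this list without an ECDHE-/DHE-
# prefix use static RSA key exchange (no forward secrecy), and the -SHA /
# -SHA256 / -SHA384 entries are CBC-mode suites. They are kept for old
# clients; trim the list to the AEAD (GCM / CHACHA20-POLY1305) ECDHE/DHE
# suites where compatibility allows.
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS
# Use the server's ordering above rather than the client's preference.
SSLHonorCipherOrder on
# Requires httpd 2.2.24+. Disables TLS-level compression, which leaks
# plaintext through ciphertext length (CRIME-style attacks).
SSLCompression off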
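# Presumably the fallback for httpd builds without the SSLCompression
# directive: ask OpenSSL not to load zlib compression via the environment.
# NOTE(review): this variable is honoured by distribution-patched OpenSSL
# builds (Red Hat family); verify it has an effect on your platform, and
# restart httpd afterwards so the new environment is picked up.
# Append only when the line is missing so repeated runs do not stack duplicates.
grep -qxF 'export OPENSSL_NO_DEFAULT_ZLIB=1' /etc/sysconfig/httpd 2>/dev/null ||
    echo "export OPENSSL_NO_DEFAULT_ZLIB=1" >> /etc/sysconfig/httpd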
/*
 * Owner-match check on a file that has already been opened: compare the
 * owner of the open descriptor with the owner reported for the path
 * r->filename, and refuse the request when they differ.
 *
 * Checking the descriptor rather than re-resolving the path appears intended
 * to narrow the window in which a symlink can be swapped between the
 * permission check and the open (time-of-check/time-of-use).
 *
 * NOTE(review): this is a fragment; fd, r and status come from the enclosing
 * function, which is not shown here.
 */
apr_finfo_t oinfo, finfo;
/*
 * oinfo: owner read from the open descriptor fd, i.e. the object that was
 *        actually opened.
 * finfo: owner from a stat of the path with APR_FINFO_LINK, so a symlink at
 *        r->filename is examined itself rather than followed.
 *
 * NOTE(review): if either call fails, the comparison is skipped and the
 * request proceeds (fail-open). Confirm that is intended for a check that
 * gates access; denying on failure would be the conservative choice.
 * NOTE(review): "== 0" relies on APR_SUCCESS being 0; the second call already
 * spells it APR_SUCCESS.
 */
if (apr_file_info_get(&oinfo, APR_FINFO_USER, fd) == 0
&& apr_stat(&finfo, r->filename, APR_FINFO_LINK | APR_FINFO_OWNER, r->pool) == APR_SUCCESS
) {
/* apr_uid_compare returns APR_SUCCESS only when both ids name the same user. */
if (apr_uid_compare(oinfo.user, finfo.user) != APR_SUCCESS) {
/*
 * NOTE(review): status is logged as the error code but is not set by the
 * calls above — confirm it carries something meaningful at this point.
 * NOTE(review): %d assumes apr_uid_t is int-sized and signed; verify on the
 * target platform, or cast explicitly.
 */
ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
"link permissions deny server access: %s [o:%d] [f:%d]", r->filename, oinfo.user, finfo.user);
/* Close the descriptor before rejecting so the denied file is not held open. */
apr_file_close(fd);
return HTTP_FORBIDDEN;
}
}