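# Apache httpd 2.4 configuration for the Opsware httpsProxy front end.
#
# NOTE(review): this listing arrived with its line breaks collapsed and with
# every section tag (<Directory>, <VirtualHost>, ...) missing. The containers
# below are reconstructed from directive order, the DocumentRoot path and the
# two Listen ports. Confirm each tag and its address against the deployed file.
#
# Hardening changes made relative to the listing:
#   * ServerSignature Off      (was On; contradicted ServerTokens ProductOnly)
#   * LogLevel warn, DumpIO off (was trace8 with full I/O dumps to error_log)
#   * X-Frame-Options uses "set" instead of "append"
#   * "Indexes" dropped from the document root
#   * DES-CBC3-SHA removed from SSLCipherSuite; SSLHonorCipherOrder added

# Config basics
ServerRoot /opt/opsware/httpsProxy
DefaultRuntimeDir /var/opt/opsware/httpsProxy
# Minimise version disclosure: product name only, and strip the Server header.
ServerTokens ProductOnly
Header unset "Server"
PidFile /var/opt/opsware/httpsProxy/httpd.pid
ScoreBoardFile /var/opt/opsware/httpsProxy/httpd.scoreboard

# Connection control
# NOTE(review): a 3600 s timeout presumably exists for the long-lived tunnel,
# but it also lets idle or slow clients hold a worker for an hour. Confirm it
# is needed server-wide rather than only on the tunnelling virtual hosts.
Timeout 3600
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 65
MinSpareServers 10
MaxSpareServers 50
StartServers 10
MaxClients 250
MaxRequestsPerChild 0

# Basic modules only
LoadModule env_module modules/mod_env.so
#LoadModule define_module modules/mod_define.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule include_module modules/mod_include.so
LoadModule asis_module modules/mod_asis.so
LoadModule actions_module modules/mod_actions.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule unixd_module modules/mod_unixd.so
LoadModule socache_dbm_module modules/mod_socache_dbm.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
# mod_dumpio is a debugging aid; it stays loaded but is switched off below.
LoadModule dumpio_module modules/mod_dumpio.so

# Global server stuff
ServerName sly98
ServerAdmin root@sly98
Listen 80
Listen 4433
User nobody
Group nobody
DocumentRoot "/opt/opsware/httpsProxy/docs"
UseCanonicalName Off
HostnameLookups Off
# Off: a footer on generated error pages would undo the ServerTokens and
# "Header unset Server" settings above.
ServerSignature Off
SSLFIPS on
TraceEnable off

# The page can only be displayed in a frame on the same origin as the page itself.
# This setting prevents clickjacking attacks.
# See https://www.owasp.org/index.php/Clickjacking.
# "set" rather than "append": if the proxied backend also sends the header,
# appending produces a comma-joined value that browsers may ignore.
Header always set X-Frame-Options SAMEORIGIN

# Default deny for the whole filesystem.
# NOTE(review): container tag reconstructed (presumed <Directory />).
<Directory />
    Options FollowSymLinks
    Require all denied
    AllowOverride None
</Directory>

# Document root is the only tree served directly.
# NOTE(review): container tag reconstructed from DocumentRoot.
<Directory "/opt/opsware/httpsProxy/docs">
    # "Indexes" removed: directory listings are not wanted on a proxy front end
    # (mod_autoindex is not loaded, so the option had no effect here anyway).
    Options FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
</Directory>

TypesConfig /etc/opt/opsware/httpsProxy/mime.types
MIMEMagicFile /etc/opt/opsware/httpsProxy/magic

# The listing had "LogLevel trace8" with DumpIOInput/DumpIOOutput On. mod_dumpio
# records request and response bytes after TLS decoding, so that combination
# writes credentials, cookies and tunnelled payloads into error_log in clear
# text. Enable it only for a short, supervised debugging session, and purge the
# resulting logs afterwards.
LogLevel warn
DumpIOInput Off
DumpIOOutput Off

LogFormat "%h %l %u %t \"%r\" %>s %b" common
# 2419200 = 28 days in seconds
CustomLog "|/opt/opsware/httpsProxy/bin/rotatelogs -n 10 -l -f /var/log/opsware/httpsProxy/access_log 2419200 100M" common
ErrorLog "|/opt/opsware/httpsProxy/bin/rotatelogs -n 10 -l -f /var/log/opsware/httpsProxy/error_log 2419200 100M"

AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

AddLanguage da .dk
AddLanguage nl .nl
AddLanguage en .en
AddLanguage et .ee
AddLanguage fr .fr
AddLanguage de .de
AddLanguage el .el
AddLanguage he .he
AddCharset ISO-8859-8 .iso8859-8
AddLanguage it .it
AddLanguage ja .ja
AddCharset ISO-2022-JP .jis
AddLanguage kr .kr
AddCharset ISO-2022-KR .iso-kr
AddLanguage no .no
AddLanguage pl .po
AddCharset ISO-8859-2 .iso-pl
AddLanguage pt .pt
AddLanguage pt-br .pt-br
AddLanguage ltz .lu
AddLanguage ca .ca
AddLanguage es .es
AddLanguage sv .se
AddLanguage cz .cz
AddLanguage ru .ru
AddLanguage zh-tw .tw
AddLanguage tw .tw
AddCharset Big5 .Big5 .big5
AddCharset WINDOWS-1251 .cp-1251
AddCharset CP866 .cp866
AddCharset ISO-8859-5 .iso-ru
AddCharset KOI8-R .koi8-r
AddCharset UCS-2 .ucs2
AddCharset UCS-4 .ucs4
AddCharset UTF-8 .utf8

AddType application/x-tar .tgz
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw

SSLPassPhraseDialog builtin
SSLSessionCache dbm:/var/opt/opsware/httpsProxy/ssl_scache
SSLSessionCacheTimeout 600
Mutex file:/var/opt/opsware/httpsProxy/ssl_mutex ssl-cache
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

# Enable TLSv1.1 and TLSv1.2 only; SSLv3 and TLSv1.0 stay disabled (security advisory).
# NOTE(review): TLSv1.1 is deprecated (RFC 8996). Drop "+TLSv1.1" once every
# client of this proxy is confirmed to negotiate TLSv1.2.
SSLProtocol -ALL -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
# DES-CBC3-SHA (3DES, 64-bit block cipher) removed from the end of the list;
# every TLSv1.1+ client can fall back to the AES-CBC suites instead.
# NOTE(review): the AES*-SHA and AES*-GCM-SHA* entries without (EC)DHE give no
# forward secrecy -- confirm whether any client still depends on them.
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
# Use the server's ordering above so the forward-secret suites are preferred.
SSLHonorCipherOrder on

# Secure redirector in apache
# NOTE(review): container tag reconstructed (port taken from "Listen 80"; the
# address part is a guess). Despite the "redirector" label, the directives
# shown here tunnel plain-HTTP connections straight to the backend and do not
# redirect to HTTPS. If clear-text access is not required, this virtual host
# should redirect or refuse instead of proxying.
<VirtualHost *:80>
    RewriteEngine on
    CustomLog "|/opt/opsware/httpsProxy/bin/rotatelogs -n 10 -l -f /var/log/opsware/httpsProxy/redirector_request_log 2419200 100M" \
        "%t %h \"%r\" %>s %b %T"

    # twist tunnelling (jboss-remoting)
    ProxyPass "/" "ws://localhost:1026/" upgrade=jboss-remoting
</VirtualHost>

# TLS listener.
# NOTE(review): container tag reconstructed (port taken from "Listen 4433"; the
# address part is a guess).
<VirtualHost *:4433>
    SSLEngine on
    SSLCertificateFile /var/opt/opsware/crypto/httpsProxy/owc.crt
    # The private key must be readable by root only; httpd reads it before
    # dropping to User nobody.
    SSLCertificateKeyFile /var/opt/opsware/crypto/httpsProxy/owc.key
    # NOTE(review): SSLCertificateChainFile is deprecated since httpd 2.4.8;
    # the chain can be appended to SSLCertificateFile instead.
    SSLCertificateChainFile /var/opt/opsware/crypto/shared/opsware-ca.crt
    # Records the negotiated protocol and cipher per request, which is what
    # shows whether TLSv1.1 or the non-forward-secret suites are still in use.
    CustomLog "|/opt/opsware/httpsProxy/bin/rotatelogs -n 10 -l -f /var/log/opsware/httpsProxy/ssl_request_log 2419200 100M" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %>s %b %T"

    RewriteEngine on

    # Workaround for OCTCR19L1404220 affecting httpd 2.4.48. Should be removed once the issue is fixed in Apache httpd.
    #ProxyWebsocketFallbackToProxyHttp Off

    # prevent http access to this port
    # NOTE(review): with the line breaks lost it is not possible to tell whether
    # the RewriteRule was active or commented out together with its RewriteCond.
    # Both are kept commented here: an unconditional rule would redirect every
    # request, HTTPS included. Restore the pair together or not at all.
    # RewriteCond %{HTTPS} !^on
    # RewriteRule ^/(.*) https://%{HTTP_HOST} [L]

    # twist tunnelling (jboss-remoting)
    ProxyPass "/" "ws://localhost:1026/" upgrade=jboss-remoting
</VirtualHost>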