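################################################################################
# VirtualHosts for screenFOOD CS Server
#
# Layout: server-scope settings first, then one <VirtualHost> per listener.
# httpd terminates TLS, writes daily rotated logs, adds the security headers
# and forwards everything else over AJP to the Tomcat on localhost:8009.
#
# NOTE(review): the <VirtualHost ...> / </VirtualHost> container lines were
# missing from the copy this file was restored from; they have been re-added
# around the two ErrorLog/CustomLog/ProxyPass groups (*:80 assumed for the
# plain-http side). Without the containers the second ErrorLog/CustomLog would
# silently override the first and "SSLEngine on" would apply to every port.
# Confirm the ports against the original and add a ServerName to each
# container (the hostname on the certificate) if the original had one.
################################################################################

# Send only "Apache" in the Server header - no version, no module list.
ServerTokens Prod

###### settings for http
<VirtualHost *:80>
    # One log file per day (86400 s); the rotatelogs path is relative to ServerRoot.
    ErrorLog "|bin/rotatelogs.exe -l logs/servername.error.%Y-%m-%d.log 86400"
    CustomLog "|bin/rotatelogs.exe -l logs/servername.%Y-%m-%d.log 86400" combined

    # settings for AJP to tomcat
    # NOTE(review): newer Tomcat releases reject AJP connections unless the
    # connector is explicitly configured with secretRequired or a shared
    # secret; mod_proxy_ajp can pass such a secret with the ProxyPass
    # "secret=" key. Confirm which applies to the Tomcat behind this server.
    ProxyPass / ajp://localhost:8009/ connectiontimeout=300 timeout=300
    ProxyPassReverse / ajp://localhost:8009/
    ProxyPassReverseCookiePath / /
    # Requests whose URL contains favicon.ico (the pattern is unanchored) get a
    # 403 here instead of being forwarded to Tomcat.
    RedirectMatch 403 favicon.ico
</VirtualHost>

###### settings for https, please uncomment, if needed.
# for descriptions of the settings, see extra/httpd-ssl.conf
# Listen, SSLPassPhraseDialog and the SSLProxy* directives are server-scope and
# therefore stay outside the VirtualHost. If extra/httpd-ssl.conf is included as
# well, it presumably carries its own "Listen 443" - then this one must be
# removed, or httpd refuses to start on the duplicate listener.
Listen 443
# !MD5 and !RC4 are excluded; MEDIUM still admits some weaker suites. A
# stricter, forward-secrecy-only list is prepared (commented) further down.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLHonorCipherOrder on
# Only SSLv3 is disabled here, so TLS 1.0 and 1.1 (deprecated by RFC 8996) are
# still negotiable; the "security enhancements" block below switches them off.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300

<VirtualHost *:443>
    ErrorLog "|bin/rotatelogs.exe -l logs/servername.error.%Y-%m-%d.log 86400"
    CustomLog "|bin/rotatelogs.exe -l logs/servername.%Y-%m-%d.log 86400" combined
    SSLEngine on
    # change path to your key and cert
    # Key and chain as written by letsencrypt-win-simple. The key file should be
    # readable by the httpd service account only.
    SSLCertificateKeyFile "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-key.pem"
    SSLCertificateFile "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-chain.pem"

    # settings for AJP to tomcat (same backend as the http VirtualHost above)
    ProxyPass / ajp://localhost:8009/ connectiontimeout=300 timeout=300
    ProxyPassReverse / ajp://localhost:8009/
    ProxyPassReverseCookiePath / /
    RedirectMatch 403 favicon.ico
</VirtualHost>

## below some security enhancements, uncomment if needed
# These override the server-scope SSLProtocol/SSLCipherSuite settings above:
# TLS 1.0/1.1 off, ECDHE-only (forward secrecy) suites, no TLS compression
# (CRIME) and no session tickets (ticket keys would outlive the session cache).
#
#SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
#SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#SSLHonorCipherOrder on
#SSLCompression off
#SSLSessionTickets off

###### OCSP Stapling, only in httpd 2.3.3 and later
# SSLStaplingCache is server-scope (keep it outside any VirtualHost). The
# /var/run path is Unix-style; on this Windows install a path under ServerRoot
# like the SSLSessionCache line in extra/httpd-ssl.conf is presumably needed.
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:/var/run/ocsp(128000)

###### Default security headers
# "always" makes mod_headers add these to error responses (4xx/5xx) too; the
# default condition only covers successful responses. If Tomcat itself already
# emits one of these headers, "always set" may not replace it - unset it first
# or drop it on the Tomcat side.
# X-XSS-Protection: the legacy browser XSS filter is gone from current browsers
# and "1; mode=block" could be abused for cross-site leaks in old ones, so the
# header is now set to "0" to switch the filter off explicitly.
Header always set X-XSS-Protection "0"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "same-origin"
# replace below example.com and servername.com
# 'unsafe-inline' and 'unsafe-eval' in script-src largely cancel the XSS
# protection a CSP offers; keep them only as long as the application needs
# them. The http:// image sources are mixed content on https pages and are
# upgraded or blocked by modern browsers.
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://*.ftcdn.net/ http://*.fotolia.com https://*.ftcdn.net/ https://*.fotolia.com; connect-src 'self' wss://*.servername.com wss://*.example.com;"
# Two years, including subdomains. Browsers ignore HSTS received over plain
# http, so the header is harmless on the :80 VirtualHost. Directive names are
# case-insensitive; the canonical spelling is used and the empty trailing
# directive (";" at the end) dropped.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"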