################################################################################
# VirtualHosts for screenFOOD CS Server
#
# Apache httpd configuration for a Windows host (rotatelogs.exe, C:/ paths)
# relying on mod_ssl, mod_proxy_ajp and mod_headers.
# NOTE(review): the http and https settings below are two parallel flat runs
# with no <VirtualHost ...> / </VirtualHost> container lines visible; verify
# the containers were not lost when this file was copied, since at server
# scope the second ErrorLog/CustomLog/ProxyPass set would clash with the first.
################################################################################
# Report only "Apache" in the Server response header; pair with
# "ServerSignature Off" (not in this file) so error pages also omit the version.
ServerTokens Prod
###### settings for http
# Logs are piped to rotatelogs (daily, 86400 s; -l = rotate on local time).
# "servername" in the file names looks like a placeholder to be replaced.
# NOTE(review): the https section uses the same two file names; if the two
# sections are separate VirtualHosts, two rotatelogs processes write the same
# files - use distinct names per vhost.
ErrorLog "|bin/rotatelogs.exe -l logs/servername.error.%Y-%m-%d.log 86400"
CustomLog "|bin/rotatelogs.exe -l logs/servername.%Y-%m-%d.log 86400" combined
#settings for AJP to tomcat
# Everything under / is forwarded to Tomcat's AJP connector on the loopback
# address; connectiontimeout and timeout are in seconds.
# AJP carries no authentication of its own: keep the Tomcat connector bound to
# 127.0.0.1 only and, on httpd/Tomcat versions that support it, configure a
# shared secret (ProxyPass "secret=..." matching the Tomcat connector secret).
# NOTE(review): this plain-http section proxies the application instead of
# redirecting to https; if HTTPS is mandatory, replace the ProxyPass lines here
# with a permanent redirect to the https host.
ProxyPass / ajp://localhost:8009/ connectiontimeout=300 timeout=300
# Rewrite Location/Content-Location/URI response headers back to this host.
ProxyPassReverse / ajp://localhost:8009/
# Rewrite the Path attribute of Set-Cookie headers (backend / -> frontend /).
ProxyPassReverseCookiePath / /
# The regex is unanchored: any request URI containing "favicon.ico" gets a 403.
RedirectMatch 403 favicon.ico
###### settings for https
# The directives in this section are active; comment them out if HTTPS is not
# needed. For descriptions of the settings, see extra/httpd-ssl.conf.
Listen 443
# Cipher policy: OpenSSL tiers HIGH and MEDIUM minus MD5/RC4. This still admits
# the MEDIUM tier and legacy suites (e.g. 3DES and CBC modes); the stricter
# list further down (currently commented out) is the preferred setting.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
# Same policy for connections httpd itself makes as a TLS proxy client.
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
# The server's preference order wins over the client's.
SSLHonorCipherOrder on
# Disables SSLv3 only, so TLS 1.0 and 1.1 remain enabled; see the hardened
# SSLProtocol line in the commented block below.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
# Pass-phrase prompt for encrypted keys. NOTE(review): when httpd runs as a
# Windows service there is no console to answer it, so the key file must be
# stored unencrypted - confirm that is the case for the key referenced below.
SSLPassPhraseDialog builtin
# Seconds an entry lives in the SSL session cache (the cache itself is not
# configured in this file; presumably in extra/httpd-ssl.conf).
SSLSessionCacheTimeout 300
# See the note on shared log file names in the http section above.
ErrorLog "|bin/rotatelogs.exe -l logs/servername.error.%Y-%m-%d.log 86400"
CustomLog "|bin/rotatelogs.exe -l logs/servername.%Y-%m-%d.log 86400" combined
SSLEngine on
#change path to your key and cert
# Paths point at a letsencrypt-win-simple store with an example host name.
# The private key must be readable only by the account httpd runs as (check
# the NTFS ACL on the key file); the certificate file here is the chain PEM.
SSLCertificateKeyFile "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-key.pem"
SSLCertificateFile "C:/programdata/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/windowsserver.example.com-chain.pem"
#settings for AJP to tomcat
# Same proxy setup as the http section; the AJP notes there apply here too.
ProxyPass / ajp://localhost:8009/ connectiontimeout=300 timeout=300
ProxyPassReverse / ajp://localhost:8009/
ProxyPassReverseCookiePath / /
RedirectMatch 403 favicon.ico
## below some security enhancements, uncomment if needed
# When enabled these supersede the SSLProtocol/SSLCipherSuite lines above:
# TLS 1.2+ only, forward-secret (ECDHE) suites, no TLS compression, no
# TLS session tickets.
#
#SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
#SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
#SSLHonorCipherOrder on
#SSLCompression off
#SSLSessionTickets off
###### OCSP Stapling, only in httpd 2.3.3 and later
# NOTE(review): the stapling cache path below is a Unix path; on this Windows
# host use a path relative to ServerRoot (e.g. shmcb:logs/ssl_stapling(32768)).
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:/var/run/ocsp(128000)
###### Default security headers
# "Header set" uses the default (onsuccess) table, which per the mod_headers
# docs is not applied to responses httpd generates itself (e.g. the 403 from
# RedirectMatch above, or a 502/503 when Tomcat is down); use
# "Header always set" if the headers must also appear on those responses.
# NOTE(review): if these lines sit outside any VirtualHost they apply to the
# plain-http section as well.
# Legacy XSS-auditor hint; current mainstream browsers have dropped the
# auditor, so the Content-Security-Policy below is the effective protection.
Header set X-XSS-Protection "1; mode=block"
# Allow framing only by same-origin pages (clickjacking mitigation).
Header set X-Frame-Options "SAMEORIGIN"
# Stop browsers MIME-sniffing responses away from the declared Content-Type.
Header set X-Content-Type-Options "nosniff"
# Send the Referer only for same-origin requests.
Header set Referrer-Policy "same-origin"
# replace below example.com and servername.com
# NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src allow inline
# and eval'd scripts, which removes most of the XSS mitigation CSP provides;
# tighten to nonces or hashes where the application allows. img-src also lists
# http:// origins, which browsers treat as mixed content on https pages.
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' http://*.ftcdn.net/ http://*.fotolia.com https://*.ftcdn.net/ https://*.fotolia.com; connect-src 'self' wss://*.servername.com wss://*.example.com;"
# HSTS for two years (63072000 s) including all subdomains; browsers honour
# it only when received over https. Make sure every subdomain serves https
# before relying on includeSubdomains. The trailing ";" is tolerated but
# unnecessary.
Header set Strict-Transport-Security "max-age=63072000; includeSubdomains;"