Clever ISPConfig Directive Snippets List

Discussion in 'Tips/Tricks/Mods' started by Hairy, May 12, 2013.

  1. Hairy

    Hairy New Member

    I would like to know if anyone has any clever snippets that they would like to share and add to the following list:

    /* Large PHP Uploads */
    Code:
    file_uploads = On
    post_max_size = 200M
    upload_max_filesize = 200M
    
    /* Display PHP Errors */
    Code:
    display_errors = On
    
    Thanks!
     
  2. MaddinXx

    MaddinXx Member HowtoForge Supporter

    Good idea. What I often override is open_short_tags and memory_limit per vhost, but the file upload limit one is very handy.
     
  3. misuv

    misuv New Member

    Development & test site

    Snippet for testing sites

    Code:
    ; no script run-time limit: only for a development vhost
    max_execution_time = 0
    display_errors = On
    ; combine the levels with | (bitwise OR); chaining them with & intersects the
    ; bitmasks and yields 0, which silently turns error reporting off
    error_reporting = E_ALL | E_STRICT | E_RECOVERABLE_ERROR | E_DEPRECATED | E_USER_DEPRECATED
     
  4. Nilpo

    Nilpo Member HowtoForge Supporter

    I'm not sure if they're of any use to anyone, but here are the ones that I use.

    Apache:

    /* Force SSL */
    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    # R=301 makes the redirect permanent; L stops later rules from running on it
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    /* Disable GeoIP2 (when installed) */
    Code:
    GeoIPEnable Off
    /* Block Certain Countries (with mod_geoip2) */
    Code:
    <IfModule mod_geoip.c>
    	GeoIPEnable On
    	GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    
    	# mod_geoip2 exports the country as GEOIP_COUNTRY_CODE; flag the ones to block
    	SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    	SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    	# ... place more countries here
    
    	# Apache 2.2 style access control; Apache 2.4 needs mod_access_compat for this
    	Order Deny,Allow
    	Deny from env=BlockCountry
    </IfModule>
    /* Allow Only Specific Countries (with mod_geoip2) */
    Code:
    <IfModule mod_geoip.c>
    	GeoIPEnable On
    	GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    
    	SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    	SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
    	SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
    	# ... place more countries here
    
    	# Deny is evaluated first, then Allow, so flagged countries get through
    	Order Deny,Allow
    	Deny from all
    	Allow from env=AllowCountry
    </IfModule>
    /* Prevent Static File Caching */
    Code:
    <FilesMatch "\.(html|htm|js|css)$">
    	FileETag None
    	<IfModule mod_headers.c>
    		Header unset ETag
    		Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
    		Header set Pragma "no-cache"
    		# a date in the past makes HTTP/1.0 caches treat the response as stale
    		Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    	</IfModule>
    </FilesMatch>
    /* Disable ModPagespeed (when installed) */
    Code:
    ModPagespeed Off
    /* ModPagespeed Wordpress Fix (when installed) */
    Code:
    ModPagespeedDisableFilters rewrite_javascript
     
  5. sxlderek

    sxlderek New Member

    Nginx redirect http to https
    Code:
    # put this at the top of the server block
    if ($scheme = http) { return 301 https://$server_name$request_uri; }
    
    Nginx reverse proxy
    Code:
    location / {
        proxy_pass http://server-fqdn/;
        proxy_set_header X-Real-IP $remote_addr;
        # overwrites any client-supplied X-Forwarded-For with the address nginx actually saw
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_buffering off;
    }
    
     
  6. Jesse Norell

    Jesse Norell Well-Known Member

    HSTS security header (apache):
    Code:
    <If "%{HTTPS} == 'on'">
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
            Header always set X-Frame-Options SAMEORIGIN
        </IfModule>
    </If>
     
    Last edited: Aug 9, 2016
  7. Only allow TLS 1.2 and ciphers (from Mozilla SSL Configuration Generator modern option - Apache 2.4.10 OpenSSL 1.0.1t)
    Code:
    <IfModule mod_ssl.c>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    </IfModule>
     
  8. borekon

    borekon New Member

    The site may not work on old browsers if you apply that snippet.
    /* hardening SSL */
    Code:
    SSLProtocol             all -SSLv2 -SSLv3
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder     on
     
  9. Loveless

    Loveless New Member

    I override all nginx ssl tags in ISPConfig templates, because this gives our sites an A+ rating at Qualys SSL Labs. This is in a file called /etc/nginx/TLS:
    Code:
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dh4096.pem;
    resolver 208.67.222.222 208.67.220.220 valid=300s;
    resolver_timeout 18s;
    ssl_stapling on;
    ssl_stapling_verify off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 2h;
    ssl_buffer_size 4k;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Frame-Options SAMEORIGIN;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    and then I use the following in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master :
    Code:
    server {
    listen <tmpl_var name='http_port'>;
    <tmpl_if name='ipv6_enabled'>
    listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
    </tmpl_if>
    
    <tmpl_if name='ssl_enabled'>
    listen <tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    include /etc/nginx/TLS;
    <tmpl_if name='ipv6_enabled'>
    listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    </tmpl_if>
    ssl_certificate <tmpl_var name='ssl_crt_file'>;
    ssl_certificate_key <tmpl_var name='ssl_key_file'>;
    </tmpl_if>
    etc.
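    Posts 7, 8 and 9 above each carry a protocol list and a cipher string, and they disagree on what to allow: post 7 leaves only TLSv1.2, post 8 keeps TLSv1/TLSv1.1 plus the 3DES suites, and post 9 enables TLSv1 and 3DES on nginx. The following is an added example, not code from the thread or from ISPConfig: a small offline linter that evaluates an Apache SSLProtocol or nginx ssl_protocols argument list and an OpenSSL cipher string as text, then reports enabled protocols below TLSv1.2 and enabled legacy suites (3DES, RC4, MD5, NULL, EXPORT). The protocol universe (no TLSv1.3) and the table of legacy keywords are assumptions for the OpenSSL 1.0.x era the posts describe; the sample strings are the ones from the three posts.

```python
"""Static lint for the TLS settings posted in this thread (added example, not
ISPConfig code). Nothing here talks to a server: directives are read as text."""
from typing import Callable, Dict, List, Set, Tuple

# Assumption: an OpenSSL 1.0.x build, so mod_ssl's `all` keyword on Apache 2.4
# expands to everything except SSLv2 and TLSv1.3 does not exist yet.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
ACCEPTABLE_PROTOCOLS = {"TLSv1.2"}

# OpenSSL cipher-list keywords that select legacy suites, each with a test that
# recognises common suite names under that keyword. Note that `DES` covers
# single DES only: 3DES suites are spelled DES-CBC3 and need `!3DES`.
LEGACY_KEYWORDS: Dict[str, Callable[[str], bool]] = {
    "3DES":   lambda t: "DES-CBC3" in t,
    "DES":    lambda t: "DES-CBC-" in t,
    "RC4":    lambda t: "RC4" in t,
    "MD5":    lambda t: t.endswith("MD5"),
    "eNULL":  lambda t: t.startswith("NULL-"),
    "aNULL":  lambda t: t.startswith(("ADH-", "AECDH-")),
    "EXPORT": lambda t: t.startswith("EXP-"),
}


def parse_cipher_string(spec: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL cipher list into (modifier, token) pairs.
    modifier: '' add, '!' delete permanently, '-' delete, '+' move to end."""
    pairs = []
    for raw in spec.strip("'\"; ").replace(",", ":").split(":"):
        for tok in raw.split():
            mod = tok[0] if tok[0] in "!-+" else ""
            pairs.append((mod, tok[len(mod):]))
    return pairs


def matches(keyword: str, token: str) -> bool:
    return token == keyword or LEGACY_KEYWORDS[keyword](token)


def enabled_legacy_ciphers(spec: str) -> List[str]:
    """Tokens that add legacy suites and are not cancelled by a '!keyword' or a
    '!suite-name' elsewhere in the string, in the order they appear."""
    pairs = parse_cipher_string(spec)
    banned_keywords = {t for m, t in pairs if m == "!" and t in LEGACY_KEYWORDS}
    banned_names = {t for m, t in pairs if m == "!"}
    hits = []
    for mod, tok in pairs:
        if mod or tok in banned_names:          # only plain additions can enable a suite
            continue
        if any(matches(kw, tok) for kw in LEGACY_KEYWORDS if kw not in banned_keywords):
            hits.append(tok)
    return hits


def apache_protocols(args: str) -> Set[str]:
    """Evaluate Apache `SSLProtocol` arguments such as 'all -SSLv3 -TLSv1'."""
    enabled: Set[str] = set()
    for tok in args.split():
        if tok.lower() == "all":
            enabled |= APACHE_ALL
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def nginx_protocols(args: str) -> Set[str]:
    """Evaluate nginx `ssl_protocols` arguments, which are a plain whitelist."""
    return set(args.rstrip(";").split())


def lint(protocols: Set[str], cipher_spec: str) -> Dict[str, List[str]]:
    return {
        "weak_protocols": sorted(protocols - ACCEPTABLE_PROTOCOLS),
        "legacy_ciphers": enabled_legacy_ciphers(cipher_spec),
    }


# The protocol and cipher settings copied from posts 7, 8 and 9 of this thread.
THREAD_SAMPLES = {
    "post 7 (Apache, Mozilla modern)": (
        apache_protocols("all -SSLv3 -TLSv1 -TLSv1.1"),
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"),
    "post 8 (Apache)": (
        apache_protocols("all -SSLv2 -SSLv3"),
        "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"),
    "post 9 (nginx)": (
        nginx_protocols("TLSv1 TLSv1.1 TLSv1.2;"),
        "'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';"),
}

if __name__ == "__main__":
    for name, (protos, spec) in THREAD_SAMPLES.items():
        print(name, lint(protos, spec))
```

    The point the linter makes about post 8 is the `!DES` trap: that keyword removes single-DES suites only, so the three DES-CBC3 entries stay enabled despite the long exclusion list; `!3DES` is the keyword that removes them. Post 9 enables 3DES the same way and additionally accepts TLSv1 and TLSv1.1, which is why the check lists them even though the configuration got a good grade at the time it was posted.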
     