I would like to know if anyone has any clever snippets that they would like to share and add to the following list:

/* Large PHP Uploads */
Code:
file_uploads = On
post_max_size = 200M
upload_max_filesize = 200M

/* Display PHP Errors */
Code:
display_errors = On

Thanks!
Good idea. What I often override is open_short_tags and memory_limit per vhost - but the file upload limit one is very handy
Development & test site

Snippet for testing sites
Code:
max_execution_time = 0
display_errors = On
; flags must be combined with | (bitwise OR); combining them with & yields 0 and silences reporting
error_reporting = E_ALL | E_STRICT | E_RECOVERABLE_ERROR | E_DEPRECATED | E_USER_DEPRECATED
I'm not sure if they're of any use to anyone, but here are the ones that I use.

Apache:

/* Force SSL */
Code:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

/* Disable GeoIP2 (when installed) */
Code:
GeoIPEnable Off

/* Block Certain Countries (with mod_geoip2) */
Code:
<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
    SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
    # ... place more countries here
    Deny from env=BlockCountry
</IfModule>

/* Allow Only Specific Countries (with mod_geoip2) */
Code:
<IfModule mod_geoip.c>
    GeoIPEnable On
    GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry
    SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry
    # ... place more countries here
    Deny from all
    Allow from env=AllowCountry
</IfModule>

/* Prevent Static File Caching */
Code:
<FilesMatch "\.(html|htm|js|css)$">
    FileETag None
    <IfModule mod_headers.c>
        Header unset ETag
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
        Header set Pragma "no-cache"
        Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
    </IfModule>
</FilesMatch>

/* Disable ModPagespeed (when installed) */
Code:
ModPagespeed Off

/* ModPagespeed WordPress Fix (when installed) */
Code:
ModPagespeedDisableFilters rewrite_javascript
Nginx redirect http to https
Code:
# put this at the top
if ($scheme = http) {
    return 301 https://$server_name$request_uri;
}

Nginx reverse proxy
Code:
location / {
    proxy_pass http://server-fqdn/;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $host;
    proxy_buffering off;
}
HSTS security header (apache):
Code:
<If "%{HTTPS} == 'on'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
        Header always set X-Frame-Options SAMEORIGIN
    </IfModule>
</If>
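An added example (not code from the thread): a small offline check for the response headers the Apache snippet above is meant to produce, plus the X-Content-Type-Options header from the nginx TLS file posted later in this thread. The sample headers are constructed to match the snippet; the preload requirement of one year is the hstspreload.org rule, which the six-month max-age above does not meet.

```python
# Added example, not from the thread: audit response headers (e.g. captured with `curl -sI`)
# against the HSTS / X-Frame-Options settings of the Apache snippet above.
MIN_HSTS_AGE = 15768000      # six months, the max-age used in the snippet above
PRELOAD_MIN_AGE = 31536000   # hstspreload.org requires at least one year plus includeSubDomains

# Constructed sample: the headers the snippet above sends on an HTTPS response.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

def parse_hsts(value):
    """Parse an HSTS value into {directive: value or None}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives

def audit_security_headers(headers):
    """Return a list of findings for a dict of response headers (empty list = all checks pass)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts)
        try:
            age = int(d.get("max-age") or -1)
        except ValueError:
            age = -1
        if age < 0:
            findings.append("HSTS max-age missing or malformed")
        elif age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} is below {MIN_HSTS_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" in d and ("includesubdomains" not in d or age < PRELOAD_MIN_AGE):
            findings.append("preload set, but the preload list requires includeSubDomains "
                            f"and max-age >= {PRELOAD_MIN_AGE}")
    if (h.get("x-frame-options") or "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if (h.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings
```

Run against the sample, the only finding is the preload one: the snippet's six-month max-age is fine for HSTS itself but too short for a preload submission.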
Only allow TLS 1.2 and ciphers (from Mozilla SSL Configuration Generator modern option - Apache 2.4.10 OpenSSL 1.0.1t)
Code:
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
</IfModule>
The site may not work on old browsers if you apply that snippet.

/** hardening SSL **/
Code:
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
I override all nginx ssl tags in ISPConfig templates, because this gives our sites an A+ rating at Qualys SSL Labs. This is in a file called /etc/nginx/TLS
Code:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dh4096.pem;
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 18s;
ssl_stapling on;
ssl_stapling_verify off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 2h;
ssl_buffer_size 4k;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

and then I use the following in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master:
Code:
server {
    listen <tmpl_var name='http_port'>;
    <tmpl_if name='ipv6_enabled'>
    listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>;
    </tmpl_if>
    <tmpl_if name='ssl_enabled'>
    listen <tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    include /etc/nginx/TLS;
    <tmpl_if name='ipv6_enabled'>
    listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if};
    </tmpl_if>
    ssl_certificate <tmpl_var name='ssl_crt_file'>;
    ssl_certificate_key <tmpl_var name='ssl_key_file'>;
    </tmpl_if>
etc.
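An added example (not code from the thread): a name-based lint for OpenSSL cipher strings such as the two Apache SSLCipherSuite values and the nginx ssl_ciphers list posted above. It only reads suite names, so group aliases like AES, CAMELLIA or kEDH+AESGCM are reported but not expanded; the sample input is a constructed subset of the nginx list.

```python
# Added example, not from the thread: lint an OpenSSL cipher string by suite name. Aliases are
# not expanded here; use `openssl ciphers -v '<string>'` to see what they actually enable.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Constructed sample: a subset of the nginx ssl_ciphers list posted above.
SAMPLE_CIPHERS = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS"
)

def cipher_issues(name):
    """Weaknesses recognisable from one OpenSSL suite name (empty list = clean)."""
    issues = []
    if not name.startswith(PFS_PREFIXES):
        issues.append("no forward secrecy (static RSA key exchange)")
    if "DES-CBC3" in name:
        issues.append("3DES, 64-bit block cipher (Sweet32)")
    if "RC4" in name:
        issues.append("RC4 stream cipher")
    if name.endswith("-MD5"):
        issues.append("MD5 MAC")
    if name.startswith(("ADH-", "AECDH-")) or "NULL" in name:
        issues.append("anonymous or NULL cipher")
    if "-GCM-" not in name and "CHACHA20" not in name:
        issues.append("CBC mode, no AEAD")
    return issues

def audit_cipher_string(spec):
    """Return (findings, aliases): findings maps each explicitly listed, non-excluded suite
    to its issues; aliases lists group keywords (AES, CAMELLIA, kEDH+AESGCM, ...) that are
    enabled but not expanded here and therefore need a separate check."""
    findings, aliases, excluded = {}, [], set()
    for tok in filter(None, (t.strip() for t in spec.split(":"))):
        if tok[0] in "!-":                      # '!' / '-' remove a suite or whole group
            excluded.add(tok[1:])
        elif tok[0] == "+" or "+" in tok or "-" not in tok:
            aliases.append(tok)                 # ordering directive or group alias
        else:
            findings[tok] = cipher_issues(tok)
    for name in excluded:
        findings.pop(name, None)
    return findings, aliases

def weak_suites(spec):
    """Names of explicitly listed suites that carry at least one issue, sorted."""
    findings, _ = audit_cipher_string(spec)
    return sorted(n for n, issues in findings.items() if issues)
```

On the sample it flags the 3DES suites and the static-RSA AES suites that the posted list still offers; the CBC finding is informational, since those suites are what older clients without AEAD support negotiate.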
Hello, where do I have to put this code? And how can I save some custom web server configs (like the ones above) to use them in a template or in the drop-down list? Thank you for the support.