author | Graham Leggett <minfrin@apache.org> | 2011-12-21 11:42:34 +0100 |
---|---|---|
committer | Graham Leggett <minfrin@apache.org> | 2011-12-21 11:42:34 +0100 |
commit | a03bcce31d66aac6556a5160b51f9c9643f61b29 (patch) | |
tree | cd141d91d5801077854c8a70fad445627c2739ec /docs | |
parent | Move ab, logresolve, httxt2dbm and apxs to bin from sbin, along with (diff) | |
download | apache2-a03bcce31d66aac6556a5160b51f9c9643f61b29.tar.xz apache2-a03bcce31d66aac6556a5160b51f9c9643f61b29.zip |
mod_policy: Add a new testing module to help server administrators
enforce a configurable level of protocol compliance on their
servers and application servers behind theirs.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1221668 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs')
-rw-r--r-- | docs/conf/extra/httpd-policy.conf.in | 61 | ||||
-rw-r--r-- | docs/conf/httpd.conf.in | 3 |
2 files changed, 64 insertions, 0 deletions
diff --git a/docs/conf/extra/httpd-policy.conf.in b/docs/conf/extra/httpd-policy.conf.in
new file mode 100644
index 0000000000..966c82a20c
--- /dev/null
+++ b/docs/conf/extra/httpd-policy.conf.in
@@ -0,0 +1,61 @@
+
+#
+# Load the module if not already present
+<IfModule !mod_policy.c>
+ LoadModule policy_module modules/mod_policy.so
+</IfModule>
+
+#
+# Typical policy for static content.
+# Swap "enforce" for "log" to complain about violations rather
+# than failing.
+<Location />
+ SetOutputFilter POLICY_TYPE;POLICY_LENGTH;POLICY_KEEPALIVE;POLICY_VARY;POLICY_VALIDATION;POLICY_CONDITIONAL;POLICY_NOCACHE;POLICY_MAXAGE
+
+ # content type must be present and valid, but can be anything<br />
+ PolicyType enforce */*<br />
+
+ # reject if no explicitly declared content length<br />
+ PolicyLength enforce<br />
+
+ # covered by the policy length filter<br />
+ PolicyKeepalive ignore<br />
+
+ # reject if User-Agent appears within Vary headers<br />
+ PolicyVary enforce User-Agent<br />
+
+ # we want to enforce validation<br />
+ PolicyValidation enforce<br />
+
+ # non-functional conditional responses should be rejected<br />
+ PolicyConditional enforce<br />
+
+ # no-cache responses should be rejected<br />
+ PolicyNocache enforce<br />
+
+ # maxage must be at least a day<br />
+ PolicyMaxage enforce 86400<br />
+
+ # request version can be anything<br />
+ PolicyVersion ignore HTTP/1.1<br />
+
+ # define documentation links
+ PolicyConditionalURL http://httpd.apache.org/docs/trunk/compliance.html#policyconditional
+ PolicyLengthURL http://httpd.apache.org/docs/trunk/compliance.html#policylength
+ PolicyTypeURL http://httpd.apache.org/docs/trunk/compliance.html#policytype
+ PolicyKeepaliveURL http://httpd.apache.org/docs/trunk/compliance.html#policykeepalive
+ PolicyMaxageURL http://httpd.apache.org/docs/trunk/compliance.html#policymaxage
+ PolicyNocacheURL http://httpd.apache.org/docs/trunk/compliance.html#policynocache
+ PolicyValidationURL http://httpd.apache.org/docs/trunk/compliance.html#policyvalidation
+ PolicyVaryURL http://httpd.apache.org/docs/trunk/compliance.html#policyvary
+ PolicyVersionURL http://httpd.apache.org/docs/trunk/compliance.html#policyversion
+
+</Location>
+
+#
+# Server status can be bypassed
+<Location /server-status>
+ PolicyFilter off
+</Location>
+
+
diff --git a/docs/conf/httpd.conf.in b/docs/conf/httpd.conf.in
index 6edb323cfd..643ee39706 100644
--- a/docs/conf/httpd.conf.in
+++ b/docs/conf/httpd.conf.in
@@ -389,6 +389,9 @@ LogLevel warn # Various default settings #Include @rel_sysconfdir@/extra/httpd-default.conf +# Policy enforcement +#Include @rel_sysconfdir@/extra/httpd-policy.conf + # Configure mod_proxy_html to understand HTML4/XHTML1 <IfModule proxy_html_module> Include @rel_sysconfdir@/extra/proxy-html.conf |
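Review bot: The trailing `<br />` on the directive lines from `PolicyType enforce */*<br />` through `PolicyVersion ignore HTTP/1.1<br />` in the new httpd-policy.conf.in looks like markup left over from the HTML documentation. On a directive line it is parsed as part of the arguments, so these lines will most likely be rejected or misread when the file is included. Drop the suffix from every comment and directive in that run, e.g. `PolicyLength enforce`. Separately, the block is described as a policy for static content but is attached to `<Location />`, so once enabled `PolicyNocache enforce` and `PolicyMaxage enforce 86400` also apply to dynamic or authenticated responses that set no-cache on purpose. A comment above `<Location />` such as `# Scope this block to static paths; responses that must not be cached will fail these policies.` would make that explicit.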