diff --git a/dev/setup/apache/virtualhost b/dev/setup/apache/virtualhost index c3a2dff3e43..8c7682fe3d9 100644 --- a/dev/setup/apache/virtualhost +++ b/dev/setup/apache/virtualhost @@ -1,62 +1,93 @@ -#php_admin_value sendmail_path "/usr/sbin/sendmail -t -i" -#php_admin_value mail.force_extra_parameters "-f postmaster@mydomain.com" -php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f postmaster@mydomain.com" -php_admin_value open_basedir /tmp/:/home/../htdocs + #php_admin_value sendmail_path "/usr/sbin/sendmail -t -i" + #php_admin_value mail.force_extra_parameters "-f postmaster@mydomain.com" + php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f postmaster@mydomain.com" + php_admin_value open_basedir /tmp/:/home/.../htdocs:/home/.../dolibarr_documents: + + ServerName myvirtualalias + ServerAlias myvirtualalias + + UseCanonicalName On + + KeepAlive On + KeepAliveTimeout 5 + MaxKeepAliveRequests 20 + + AddDefaultCharset UTF-8 + + DocumentRoot "/home/.../htdocs" + + + AllowOverride None + Options -Indexes -MultiViews +FollowSymLinks -ExecCGI + Require all granted -ServerName myvirtualalias -ServerAlias myvirtualalias + # To restrict access by a HTTP basic auth + #AuthType Basic + #AuthName "Authenticate to backoffice" + #AuthUserFile /etc/apache2/.htpasswd + #require valid-user + + + # Leaving /public and /api, /dav, .well_known but also wrappers for document and viewimage accessible to everyone + + AuthType None + Require all granted + Satisfy any + + + AuthType None + Require all granted + Satisfy any + + + AuthType None + Require all granted + Satisfy any + + + AuthType None + Require all granted + Satisfy any + + + AuthType None + Require all granted + Satisfy any + -UseCanonicalName On - -AddDefaultCharset UTF-8 - -DocumentRoot "/home/.../htdocs" - - - AllowOverride None - Options -Indexes -MultiViews +FollowSymLinks -ExecCGI - Require all granted - - - - Deny from all - RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml - AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml - - - -ErrorLog /var/log/apache2/myvirtualalias_error_log -TransferLog /var/log/apache2/myvirtualalias_access_log - -# Compress returned resources of type php pages, text file export, css and javascript -AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript - -AddType text/javascript .jgz -AddEncoding gzip .jgz -ExpiresActive On -ExpiresByType image/x-icon A2592000 -ExpiresByType image/gif A2592000 -ExpiresByType image/png A2592000 -ExpiresByType image/jpeg A2592000 -ExpiresByType text/css A2592000 -ExpiresByType text/javascript A2592000 -ExpiresByType application/x-javascript A2592000 -ExpiresByType application/javascript A2592000 - -SSLEngine On - -# A self-signed (snakeoil) certificate can be created by installing -# the ssl-cert package. See -# /usr/share/doc/apache2.2-common/README.Debian.gz for more info. -# If both key and certificate are stored in the same file, only the -# SSLCertificateFile directive is needed. -SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem -SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem -SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.com/chain.pem - -#RewriteEngine on -#RewriteCond %{SERVER_PORT} ^80$ -#RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R] + + ErrorLog /var/log/apache2/myvirtualalias_error_log + TransferLog /var/log/apache2/myvirtualalias_access_log + + # Compress returned resources of type php pages, text file export, css and javascript + AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/javascript application/x-javascript + + AddType text/javascript .jgz + AddEncoding gzip .jgz + ExpiresActive On + ExpiresByType image/x-icon A2592000 + ExpiresByType image/gif A2592000 + ExpiresByType image/png A2592000 + ExpiresByType image/jpeg A2592000 + ExpiresByType text/css A2592000 + ExpiresByType text/javascript A2592000 + ExpiresByType application/x-javascript A2592000 + ExpiresByType application/javascript A2592000 + + SSLEngine On + + # A self-signed (snakeoil) certificate can be created by installing + # the ssl-cert package. See + # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. + # If both key and certificate are stored in the same file, only the + # SSLCertificateFile directive is needed. + SSLCertificateFile /etc/letsencrypt/live/www.mydomain.com/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/www.mydomain.com/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/www.mydomain.com/chain.pem + + #RewriteEngine on + #RewriteCond %{SERVER_PORT} ^80$ + #RewriteRule ^(.*)$ https://%{SERVER_NAME}$1 [L,R] diff --git a/htdocs/core/tpl/login.tpl.php b/htdocs/core/tpl/login.tpl.php index 93efffa687e..88c1428e8f9 100644 --- a/htdocs/core/tpl/login.tpl.php +++ b/htdocs/core/tpl/login.tpl.php @@ -30,11 +30,16 @@ if (empty($conf) || !is_object($conf)) { exit; } +// DDOS protection +$size = (int) $_SERVER['CONTENT_LENGTH']; +if ($size > 10000) { + http_response_code(413); + exit; +} require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php'; - header('Cache-Control: Public, must-revalidate'); header("Content-type: text/html; charset=".$conf->file->character_set_client); diff --git a/htdocs/core/tpl/passwordforgotten.tpl.php b/htdocs/core/tpl/passwordforgotten.tpl.php index 97edcc1d3f2..b61ef22739a 100644 --- a/htdocs/core/tpl/passwordforgotten.tpl.php +++ b/htdocs/core/tpl/passwordforgotten.tpl.php @@ -27,6 +27,12 @@ if (empty($conf) || !is_object($conf)) { exit; } +// DDOS protection +$size = (int) $_SERVER['CONTENT_LENGTH']; +if ($size > 10000) { + http_response_code(413); + exit; +} require_once DOL_DOCUMENT_ROOT.'/core/lib/functions2.lib.php';