From 4d6481dd6dd9632567ed5b2577cba83209e0d122 Mon Sep 17 00:00:00 2001 From: Philipp Dallig Date: Fri, 30 Sep 2016 18:08:01 +0200 Subject: [PATCH] pfizer - add some security header + a little bit cleanup --- .../pfizer/web01-pfizer-de.pixelpark.net.yaml | 300 +++++++----------- 1 file changed, 112 insertions(+), 188 deletions(-) diff --git a/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml b/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml index ea8296e0..be4fc34e 100644 --- a/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml +++ b/customer/pfizer/web01-pfizer-de.pixelpark.net.yaml @@ -928,6 +928,11 @@ site::profile::apache::vhosts: - www-pfizer-berlin.pixelpark.net # Upgrade - www02-pfizer-berlin.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' ich-beim-arzt: servername: www.ich-beim-arzt.de @@ -947,6 +952,11 @@ site::profile::apache::vhosts: - ich-beim-arzt.de - ich-beim-arzt-de.pixelpark.net - www-ich-beim-arzt-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' lungenkrebs-testen-at: servername: www.lungenkrebs-testen.at 
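Review bot: The three `set` entries use mod_headers' default `onsuccess` condition, so, assuming the profile renders each entry as a `Header` line, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection are missing from locally generated error pages and from the 301 redirects these vhosts issue. Writing them as `'always set X-Frame-Options: DENY'` (and likewise for the other two) covers those responses. The reverse may apply to `'always unset "X-Powered-By"'`: if PHP runs as mod_php, its header sits in the default table, so a plain `'unset X-Powered-By'` entry may be needed as well. Confirm this against a live response. The same block is repeated in every `headers:` list this patch adds.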
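Review bot: This `headers:` list is copied verbatim into each vhost the patch touches, so a later change has to be made in every copy and a missed one leaves that site weaker than the rest. A YAML anchor keeps them in step: `headers: &security_headers` on the first list and `headers: *security_headers` on the others. Aliases resolve only within this one file, and it is worth checking that the Hiera backend in use accepts them.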
@@ -968,45 +978,12 @@ site::profile::apache::vhosts: - www-lungenkrebs-testen-at.pixelpark.net # Upgrade - www02-lungenkrebs-testen-at.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' - lungenkrebs-testen-de: - servername: www.lungenkrebs-testen.de - docroot: '/srv/www/www.lungenkrebs-testen.de' - ip: 217.66.55.99 - add_listen: false - port: 80 - docroot_owner: apache - docroot_group: apache - docroot_mode: '0770' - options: - - FollowSymLinks - - MultiViews - serveraliases: - - lungenkrebs-testen.de - - www-lungenkrebs-testen-de.pixelpark.net - # Upgrade - - www02-lungenkrebs-testen-de.pixelpark.net - lungenkrebs-testen-de_ssl: - servername: www.lungenkrebs-testen.de - docroot: '/srv/www/www.lungenkrebs-testen.de' - ip: 217.66.55.99 - add_listen: false - port: 443 - docroot_owner: apache - docroot_group: apache - docroot_mode: '0770' - options: - - FollowSymLinks - - MultiViews - ssl: true - ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san - ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san - ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san - serveraliases: - - lungenkrebs-testen.de - - www-lungenkrebs-testen-de.pixelpark.net - # Upgrade - - www02-lungenkrebs-testen-de.pixelpark.net impf2ab60: servername: www.impf2ab60.de @@ -1040,6 +1017,11 @@ site::profile::apache::vhosts: - impf2-ab-60-de.pixelpark.net # Upgrade - www02-impf2ab60-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' rewrites: - alias: comment: 'Alle Aliase auf Servername' 
@@ -1062,10 +1044,9 @@ site::profile::apache::vhosts: rewrite_rule: - ^(.*)$ http://www.impf2.de$1 [R=301,L] - wegweiser-rheuma-psoriasis: - servername: www.wegweiser-rheuma-psoriasis.de - docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' - manage_docroot: false + static.pfizer: + servername: static.pfizer.de + docroot: '/srv/www/static.pfizer.de' ip: 217.66.55.99 add_listen: false port: 80 
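Review bot: `static.pfizer` is re-created here without a `headers:` list, although every other vhost the patch rewrites receives one. Its definition continues into the next hunk, and no list is added there either. For a host that serves static assets, `X-Content-Type-Options: nosniff` is the most relevant of the four, so the omission looks unintended. If it is deliberate, a one-line comment saying why would help; otherwise add the same list, or at least `- 'set X-Content-Type-Options: nosniff'`.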
@@ -1076,35 +1057,51 @@ site::profile::apache::vhosts: - FollowSymLinks - MultiViews serveraliases: - - wegweiser-rheuma-psoriasis.de - # Upgrade - - www02-wegweiser-rheuma-psoriasis-de.pixelpark.net + - static-pfizer-de.pixelpark.net + - www02-static-pfizer-de.pixelpark.net +site::profile::apache::pp_vhosts: + dialogrunde-blutkrebs: + servername: www.dialogrunde-brustkrebs.de + ssl: true + ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san + ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san + ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san + docroot: '/srv/www/dialogrunde-blutkrebs' + serveraliases: + - dialogrunde-brustkrebs.de + - www-dialogrunde-brustkrebs-de.pixelpark.net # Pixelpark-Domain + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' + docroot_owner: apache + docroot_group: apache + docroot_mode: '0770' + ip: 217.66.55.99 + add_listen: false + directories: + - directory_root: + provider: directory + path: '/srv/www/dialogrunde-blutkrebs' + options: + - FollowSymLinks + - MultiViews + allow_override: + - All rewrites: - - www: - comment: 'Alles nach www' - rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-rheuma-psoriasis.de$' - rewrite_rule: - - ^(.*)$ https://www.wegweiser-rheuma-psoriasis.de$1 [R=301,L] - - rheuma: - comment: 'Redirect to rheuma domain' - rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/rheuma.html$' - rewrite_rule: - - ^/rheuma.html$ https://www.wegweiser-rheuma.de [R=301,L] - - psoriasis: - comment: 'Redirect to psoriasis domain' + - alias: + comment: 'Alle Aliase auf Servername' rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html$' + - '%%{ich-trickse}{HTTP_HOST} !^www\.dialogrunde-brustkrebs\.de$ [NC]' + - '%%{ich-trickse}{HTTP_HOST} !^www-dialogrunde-brustkrebs-de\.pixelpark\.net$ [NC]' rewrite_rule: - - ^/psoriasis.html$ https://www.wegweiser-psoriasis.de [R=301,L] - 
wegweiser-rheuma-psoriasis_ssl: - servername: www.wegweiser-rheuma-psoriasis.de - docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' - manage_docroot: false + - '^(.*)$ http://www.dialogrunde-brustkrebs.de$1 [L,R=301]' + lungenkrebs-testen-de: + servername: www.lungenkrebs-testen.de + docroot: '/srv/www/www.lungenkrebs-testen.de' ip: 217.66.55.99 add_listen: false - port: 443 docroot_owner: apache docroot_group: apache docroot_mode: '0770' 
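Review bot: In `dialogrunde-blutkrebs` the new headers sit next to `allow_override: All` on a docroot owned by `apache` with mode `0770`, so any `.htaccess` the web-server user can write is able to `Header unset` them again. Narrowing `allow_override` to the classes the site really uses would make the vhost-level headers binding. Until that is known, a comment such as `# allow_override All: .htaccess may override the headers above` documents the gap. Separately, the `alias` rewrite in this TLS-enabled entry still targets `http://www.dialogrunde-brustkrebs.de$1`; `https://` would avoid bouncing visitors through cleartext. The entry key and docroot say `blutkrebs` while the servername says `brustkrebs`, which may be intentional but deserves a check.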
@@ -1116,67 +1113,60 @@ site::profile::apache::vhosts: ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san serveraliases: - - wegweiser-rheuma-psoriasis.de + - lungenkrebs-testen.de + - www-lungenkrebs-testen-de.pixelpark.net # Upgrade - - www02-wegweiser-rheuma-psoriasis-de.pixelpark.net - rewrites: - - www: - comment: 'Alles nach www' - rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-rheuma-psoriasis.de$' - rewrite_rule: - - ^(.*)$ https://www.wegweiser-rheuma-psoriasis.de$1 [R=301,L] - - rheuma: - comment: 'Redirect to rheuma domain' - rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/rheuma.html$' - rewrite_rule: - - ^/rheuma.html$ https://www.wegweiser-rheuma.de [R=301,L] - - psoriasis: - comment: 'Redirect to psoriasis domain' - rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html$' - rewrite_rule: - - ^/psoriasis.html$ https://www.wegweiser-psoriasis.de [R=301,L] - - wegweiser-rheuma: - servername: www.wegweiser-rheuma.de + - www02-lungenkrebs-testen-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' + wegweiser-psoriasis: + servername: www.wegweiser-psoriasis.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false ip: 217.66.55.99 add_listen: false - port: 80 docroot_owner: apache docroot_group: apache docroot_mode: '0770' - directoryindex: rheuma.html + ssl: true + ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san + ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san + ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san + directoryindex: psoriasis.html options: - FollowSymLinks - MultiViews serveraliases: - - wegweiser-rheuma.de + - wegweiser-psoriasis.de # Upgrade - - www02-wegweiser-rheuma-de.pixelpark.net + - www02-wegweiser-psoriasis-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 
'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' rewrites: - www: comment: 'Alles nach www' rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-rheuma.de$' + - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-psoriasis.de$' rewrite_rule: - - ^(.*)$ http://www.wegweiser-rheuma.de$1 [R=301,L] + - ^(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] - rheuma: comment: 'Redirect to rheuma domain' rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/rheuma.html$' + - '%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html' rewrite_rule: - - ^/rheuma.html$ http://www.wegweiser-rheuma.de [R=301,L] - wegweiser-rheuma_ssl: + - ^/psoriasis.html(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] + wegweiser-rheuma: servername: www.wegweiser-rheuma.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false ip: 217.66.55.99 add_listen: false - port: 443 docroot_owner: apache docroot_group: apache docroot_mode: '0770' @@ -1192,6 +1182,11 @@ site::profile::apache::vhosts: - wegweiser-rheuma.de # Upgrade - www02-wegweiser-rheuma-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' rewrites: - www: comment: 'Alles nach www' 
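Review bot: `wegweiser-psoriasis` now carries `ssl: true`, yet both of its rewrite rules redirect to `http://www.wegweiser-psoriasis.de`, unlike `wegweiser-rheuma-psoriasis`, whose rules use `https://`. If `pp_vhosts` serves this entry over TLS, the rules send visitors to cleartext. `- ^(.*)$ https://www.wegweiser-psoriasis.de$1 [R=301,L]` and the matching change in the second rule would avoid that. The second rule is also keyed `rheuma` with the comment 'Redirect to rheuma domain' although it handles `/psoriasis.html`; renaming it `psoriasis` would match its behaviour.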
@@ -1205,121 +1200,50 @@ site::profile::apache::vhosts: - '%%{ich-trickse}{REQUEST_URI} ^/rheuma.html$' rewrite_rule: - ^/rheuma.html$ https://www.wegweiser-rheuma.de [R=301,L] - - wegweiser-psoriasis: - servername: www.wegweiser-psoriasis.de + wegweiser-rheuma-psoriasis: + servername: www.wegweiser-rheuma-psoriasis.de docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' manage_docroot: false ip: 217.66.55.99 add_listen: false - port: 80 docroot_owner: apache docroot_group: apache docroot_mode: '0770' - directoryindex: psoriasis.html options: - FollowSymLinks - MultiViews - serveraliases: - - wegweiser-psoriasis.de - # Upgrade - - www02-wegweiser-psoriasis-de.pixelpark.net - rewrites: - - www: - comment: 'Alles nach www' - rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-psoriasis.de$' - rewrite_rule: - - ^(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] - - rheuma: - comment: 'Redirect to rheuma domain' - rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html' - rewrite_rule: - - ^/psoriasis.html(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] - wegweiser-psoriasis_ssl: - servername: www.wegweiser-psoriasis.de - docroot: '/srv/www/www.wegweiser-rheuma-psoriasis.de/current' - manage_docroot: false - ip: 217.66.55.99 - add_listen: false - port: 443 - docroot_owner: apache - docroot_group: apache - docroot_mode: '0770' ssl: true ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san - directoryindex: psoriasis.html - options: - - FollowSymLinks - - MultiViews serveraliases: - - wegweiser-psoriasis.de + - wegweiser-rheuma-psoriasis.de # Upgrade - - www02-wegweiser-psoriasis-de.pixelpark.net + - www02-wegweiser-rheuma-psoriasis-de.pixelpark.net + headers: + - 'always unset "X-Powered-By"' + - 'set X-Content-Type-Options: nosniff' + - 'set X-XSS-Protection: "1; mode=block"' + - 'set X-Frame-Options: DENY' rewrites: - www: 
comment: 'Alles nach www' rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-psoriasis.de$' + - '%%{ich-trickse}{HTTP_HOST} ^wegweiser-rheuma-psoriasis.de$' rewrite_rule: - - ^(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] + - ^(.*)$ https://www.wegweiser-rheuma-psoriasis.de$1 [R=301,L] - rheuma: comment: 'Redirect to rheuma domain' rewrite_cond: - - '%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html' + - '%%{ich-trickse}{REQUEST_URI} ^/rheuma.html$' rewrite_rule: - - ^/psoriasis.html(.*)$ http://www.wegweiser-psoriasis.de$1 [R=301,L] - static.pfizer: - servername: static.pfizer.de - docroot: '/srv/www/static.pfizer.de' - ip: 217.66.55.99 - add_listen: false - port: 80 - docroot_owner: apache - docroot_group: apache - docroot_mode: '0770' - options: - - FollowSymLinks - - MultiViews - serveraliases: - - static-pfizer-de.pixelpark.net - - www02-static-pfizer-de.pixelpark.net -site::profile::apache::pp_vhosts: - dialogrunde-blutkrebs: - servername: www.dialogrunde-brustkrebs.de - ssl: true - ssl_cert: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san - ssl_chain: /etc/pki/tls/certs/www.pfizer.de-cert.pem.san - ssl_key: /etc/pki/tls/private/www.pfizer.de-key.pem.san - docroot: '/srv/www/dialogrunde-blutkrebs' - serveraliases: - - dialogrunde-brustkrebs.de - - www-dialogrunde-brustkrebs-de.pixelpark.net # Pixelpark-Domain - docroot_owner: apache - docroot_group: apache - docroot_mode: '0770' - ip: 217.66.55.99 - add_listen: false - directories: - - directory_root: - provider: directory - path: '/srv/www/dialogrunde-blutkrebs' - options: - - FollowSymLinks - - MultiViews - allow_override: - - All - rewrites: - - alias: - comment: 'Alle Aliase auf Servername' + - ^/rheuma.html$ https://www.wegweiser-rheuma.de [R=301,L] + - psoriasis: + comment: 'Redirect to psoriasis domain' rewrite_cond: - - '%%{ich-trickse}{HTTP_HOST} !^www\.dialogrunde-brustkrebs\.de$ [NC]' - - '%%{ich-trickse}{HTTP_HOST} !^www-dialogrunde-brustkrebs-de\.pixelpark\.net$ [NC]' + - 
'%%{ich-trickse}{REQUEST_URI} ^/psoriasis.html$' rewrite_rule: - - '^(.*)$ http://www.dialogrunde-brustkrebs.de$1 [L,R=301]' + - ^/psoriasis.html$ https://www.wegweiser-psoriasis.de [R=301,L] our_default: servername: default ssl: false -- 2.39.5
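Review bot: The merged `wegweiser-rheuma-psoriasis` entry is TLS-enabled and redirects to `https://`, but its `headers:` list has no `Strict-Transport-Security`, so browsers are not told to keep using HTTPS on later visits. The same holds for the other `ssl: true` entries in this patch. Once every hostname of an entry is confirmed reachable over HTTPS, `- 'always set Strict-Transport-Security "max-age=31536000"'` could be added, starting with a short max-age during rollout. The host patterns such as `^wegweiser-rheuma-psoriasis.de$` also leave the dots unescaped, unlike the `dialogrunde` rules; `^wegweiser-rheuma-psoriasis\.de$` would be consistent.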