# Apache virtual host for the SecureDrop Journalist Interface: a mod_wsgi
# application ("journalist") living under /var/www/securedrop.
# This is a Jinja template; the {{ ... }} expressions are substituted before
# the file is installed.
ServerName {{ securedrop_app_apache_listening_address }}
<VirtualHost {{ securedrop_app_apache_listening_address }}:8080>
# Run the app in its own daemon process group: 2 processes x 30 threads, with
# /var/www/securedrop on the Python path so the application package imports.
WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{GROUP} python-path=/var/www/securedrop
# Mount the WSGI entry point at the site root and bind it to the daemon group
# declared above.
WSGIScriptAlias / /var/www/journalist.wsgi process-group=journalist application-group=journalist
# Forward the HTTP Authorization header to the WSGI application (mod_wsgi
# withholds it unless this is On).
WSGIPassAuthorization On
# Tell the browser not to cache HTML responses in order to minimize the chance
# of the inadvertent release or retention of sensitive data. For more, see
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2.
Header set Cache-Control "no-store"
# Static assets are mapped straight to disk by mod_alias rather than going
# through the WSGI app, and are the one exception to no-store: the
# Directory-level "Header set" below replaces the vhost-level value for this
# path only.
Alias /static /var/www/securedrop/static
<Directory /var/www/securedrop/static>
Order allow,deny
Allow from all
# Cache static resources for 1 hour
Header set Cache-Control "max-age=3600"
</Directory>
# Let the application delegate file delivery to Apache via the X-Sendfile
# response header. Only files under the two directories listed here may be
# served that way; anything else the app names is refused.
XSendFile On
XSendFilePath /var/lib/securedrop/store/
XSendFilePath /var/lib/securedrop/tmp/
# Append HttpOnly to every Set-Cookie so page scripts cannot read session
# cookies. No Secure flag is added: this vhost listens on plain HTTP (:8080,
# no TLS directives), so the flag would not apply here -- confirm against the
# deployment's transport if that assumption ever changes.
Header edit Set-Cookie ^(.*)$ $1;HttpOnly
# Browser hardening headers. Only X-Frame-Options uses the "always"
# condition; the other Header directives use the default (onsuccess)
# condition, so Apache-generated error responses (e.g. the 403 produced by the
# RewriteRule further down) may not carry them. NOTE(review): confirm that is
# intended.
Header always append X-Frame-Options: DENY
Header set Referrer-Policy "no-referrer"
# NOTE(review): X-XSS-Protection is a legacy header that current browsers no
# longer honour; with the CSP below in place, current guidance favours "0" or
# omitting it. Left as found.
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-Download-Options: noopen
# Content Security Policy: nothing may load from any origin other than this
# one, and only scripts, styles, images and fonts are allowed at all.
# X-Content-Security-Policy is the obsolete pre-standard header name, sent
# with an identical value for older browsers.
# NOTE(review): frame-ancestors, form-action and base-uri do not fall back to
# default-src. Framing is already covered by X-Frame-Options above; the other
# two are not restricted by this policy.
Header set X-Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
Header set Content-Security-Policy: "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';"
# Limit the max submitted size of requests (524288000 bytes = 500 MiB).
LimitRequestBody 524288000
# Filesystem access control, written with the 2.2-style Order/Allow/Deny
# directives (served by mod_access_compat on Apache 2.4). Start by denying
# everything under the filesystem root, with no .htaccess overrides ...
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
# ... then open /var/www and /var/www/securedrop only to the configured
# client address, and only for GET, POST, HEAD and DELETE; every other method
# is denied via the LimitExcept block.
<Directory /var/www/>
Options {{ apache_dir_options | default('None') }}
AllowOverride None
<Limit GET POST HEAD DELETE>
Order allow,deny
allow from {{ securedrop_app_apache_allow_from }}
</Limit>
<LimitExcept GET POST HEAD DELETE>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
<Directory /var/www/securedrop>
Options {{ apache_dir_options | default('None') }}
AllowOverride None
<Limit GET POST HEAD DELETE>
Order allow,deny
allow from {{ securedrop_app_apache_allow_from }}
</Limit>
<LimitExcept GET POST HEAD DELETE>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
# Reject with 403 any request whose request line does not end in "HTTP/1.1",
# i.e. anything other than an HTTP/1.1 request (HTTP/1.0 and so on).
RewriteEngine On
RewriteCond %{THE_REQUEST} !HTTP/1\.1$
RewriteRule .* - [F]
# Per-vhost error and access logs; "combined" is the standard format that
# records client address, request line, status, referer and user agent.
ErrorLog /var/log/apache2/journalist-error.log
CustomLog /var/log/apache2/journalist-access.log combined
LogLevel info
</VirtualHost>